Merge branch 'rs/nedalloc-fixlets'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "sha1-array.h"
17 #include "connected.h"
18 #include "argv-array.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30
31 static const char * const receive_pack_usage[] = {
32         N_("git receive-pack <git-dir>"),
33         NULL
34 };
35
36 enum deny_action {
37         DENY_UNCONFIGURED,
38         DENY_IGNORE,
39         DENY_WARN,
40         DENY_REFUSE,
41         DENY_UPDATE_INSTEAD
42 };
43
44 static int deny_deletes;
45 static int deny_non_fast_forwards;
46 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
47 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
48 static int receive_fsck_objects = -1;
49 static int transfer_fsck_objects = -1;
50 static struct strbuf fsck_msg_types = STRBUF_INIT;
51 static int receive_unpack_limit = -1;
52 static int transfer_unpack_limit = -1;
53 static int advertise_atomic_push = 1;
54 static int advertise_push_options;
55 static int unpack_limit = 100;
56 static off_t max_input_size;
57 static int report_status;
58 static int use_sideband;
59 static int use_atomic;
60 static int use_push_options;
61 static int quiet;
62 static int prefer_ofs_delta = 1;
63 static int auto_update_server_info;
64 static int auto_gc = 1;
65 static int reject_thin;
66 static int stateless_rpc;
67 static const char *service_dir;
68 static const char *head_name;
69 static void *head_name_to_free;
70 static int sent_capabilities;
71 static int shallow_update;
72 static const char *alt_shallow_file;
73 static struct strbuf push_cert = STRBUF_INIT;
74 static struct object_id push_cert_oid;
75 static struct signature_check sigcheck;
76 static const char *push_cert_nonce;
77 static const char *cert_nonce_seed;
78
79 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
80 static const char *NONCE_BAD = "BAD";
81 static const char *NONCE_MISSING = "MISSING";
82 static const char *NONCE_OK = "OK";
83 static const char *NONCE_SLOP = "SLOP";
84 static const char *nonce_status;
85 static long nonce_stamp_slop;
86 static timestamp_t nonce_stamp_slop_limit;
87 static struct ref_transaction *transaction;
88
89 static enum {
90         KEEPALIVE_NEVER = 0,
91         KEEPALIVE_AFTER_NUL,
92         KEEPALIVE_ALWAYS
93 } use_keepalive;
94 static int keepalive_in_sec = 5;
95
96 static struct tmp_objdir *tmp_objdir;
97
98 static enum deny_action parse_deny_action(const char *var, const char *value)
99 {
100         if (value) {
101                 if (!strcasecmp(value, "ignore"))
102                         return DENY_IGNORE;
103                 if (!strcasecmp(value, "warn"))
104                         return DENY_WARN;
105                 if (!strcasecmp(value, "refuse"))
106                         return DENY_REFUSE;
107                 if (!strcasecmp(value, "updateinstead"))
108                         return DENY_UPDATE_INSTEAD;
109         }
110         if (git_config_bool(var, value))
111                 return DENY_REFUSE;
112         return DENY_IGNORE;
113 }
114
115 static int receive_pack_config(const char *var, const char *value, void *cb)
116 {
117         int status = parse_hide_refs_config(var, value, "receive");
118
119         if (status)
120                 return status;
121
122         if (strcmp(var, "receive.denydeletes") == 0) {
123                 deny_deletes = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.denynonfastforwards") == 0) {
128                 deny_non_fast_forwards = git_config_bool(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "receive.unpacklimit") == 0) {
133                 receive_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "transfer.unpacklimit") == 0) {
138                 transfer_unpack_limit = git_config_int(var, value);
139                 return 0;
140         }
141
142         if (strcmp(var, "receive.fsck.skiplist") == 0) {
143                 const char *path;
144
145                 if (git_config_pathname(&path, var, value))
146                         return 1;
147                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
148                         fsck_msg_types.len ? ',' : '=', path);
149                 free((char *)path);
150                 return 0;
151         }
152
153         if (skip_prefix(var, "receive.fsck.", &var)) {
154                 if (is_valid_msg_type(var, value))
155                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
156                                 fsck_msg_types.len ? ',' : '=', var, value);
157                 else
158                         warning("Skipping unknown msg id '%s'", var);
159                 return 0;
160         }
161
162         if (strcmp(var, "receive.fsckobjects") == 0) {
163                 receive_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (strcmp(var, "transfer.fsckobjects") == 0) {
168                 transfer_fsck_objects = git_config_bool(var, value);
169                 return 0;
170         }
171
172         if (!strcmp(var, "receive.denycurrentbranch")) {
173                 deny_current_branch = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "receive.denydeletecurrent") == 0) {
178                 deny_delete_current = parse_deny_action(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
183                 prefer_ofs_delta = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.updateserverinfo") == 0) {
188                 auto_update_server_info = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.autogc") == 0) {
193                 auto_gc = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.shallowupdate") == 0) {
198                 shallow_update = git_config_bool(var, value);
199                 return 0;
200         }
201
202         if (strcmp(var, "receive.certnonceseed") == 0)
203                 return git_config_string(&cert_nonce_seed, var, value);
204
205         if (strcmp(var, "receive.certnonceslop") == 0) {
206                 nonce_stamp_slop_limit = git_config_ulong(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertiseatomic") == 0) {
211                 advertise_atomic_push = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.advertisepushoptions") == 0) {
216                 advertise_push_options = git_config_bool(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.keepalive") == 0) {
221                 keepalive_in_sec = git_config_int(var, value);
222                 return 0;
223         }
224
225         if (strcmp(var, "receive.maxinputsize") == 0) {
226                 max_input_size = git_config_int64(var, value);
227                 return 0;
228         }
229
230         return git_default_config(var, value, cb);
231 }
232
233 static void show_ref(const char *path, const struct object_id *oid)
234 {
235         if (sent_capabilities) {
236                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
237         } else {
238                 struct strbuf cap = STRBUF_INIT;
239
240                 strbuf_addstr(&cap,
241                               "report-status delete-refs side-band-64k quiet");
242                 if (advertise_atomic_push)
243                         strbuf_addstr(&cap, " atomic");
244                 if (prefer_ofs_delta)
245                         strbuf_addstr(&cap, " ofs-delta");
246                 if (push_cert_nonce)
247                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
248                 if (advertise_push_options)
249                         strbuf_addstr(&cap, " push-options");
250                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
251                 packet_write_fmt(1, "%s %s%c%s\n",
252                              oid_to_hex(oid), path, 0, cap.buf);
253                 strbuf_release(&cap);
254                 sent_capabilities = 1;
255         }
256 }
257
258 static int show_ref_cb(const char *path_full, const struct object_id *oid,
259                        int flag, void *data)
260 {
261         struct oidset *seen = data;
262         const char *path = strip_namespace(path_full);
263
264         if (ref_is_hidden(path, path_full))
265                 return 0;
266
267         /*
268          * Advertise refs outside our current namespace as ".have"
269          * refs, so that the client can use them to minimize data
270          * transfer but will otherwise ignore them.
271          */
272         if (!path) {
273                 if (oidset_insert(seen, oid))
274                         return 0;
275                 path = ".have";
276         } else {
277                 oidset_insert(seen, oid);
278         }
279         show_ref(path, oid);
280         return 0;
281 }
282
283 static void show_one_alternate_ref(const struct object_id *oid,
284                                    void *data)
285 {
286         struct oidset *seen = data;
287
288         if (oidset_insert(seen, oid))
289                 return;
290
291         show_ref(".have", oid);
292 }
293
294 static void write_head_info(void)
295 {
296         static struct oidset seen = OIDSET_INIT;
297
298         for_each_ref(show_ref_cb, &seen);
299         for_each_alternate_ref(show_one_alternate_ref, &seen);
300         oidset_clear(&seen);
301         if (!sent_capabilities)
302                 show_ref("capabilities^{}", &null_oid);
303
304         advertise_shallow_grafts(1);
305
306         /* EOF */
307         packet_flush(1);
308 }
309
310 struct command {
311         struct command *next;
312         const char *error_string;
313         unsigned int skip_update:1,
314                      did_not_exist:1;
315         int index;
316         struct object_id old_oid;
317         struct object_id new_oid;
318         char ref_name[FLEX_ARRAY]; /* more */
319 };
320
321 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
322 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
323
324 static void report_message(const char *prefix, const char *err, va_list params)
325 {
326         int sz;
327         char msg[4096];
328
329         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
330         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
331         if (sz > (sizeof(msg) - 1))
332                 sz = sizeof(msg) - 1;
333         msg[sz++] = '\n';
334
335         if (use_sideband)
336                 send_sideband(1, 2, msg, sz, use_sideband);
337         else
338                 xwrite(2, msg, sz);
339 }
340
341 static void rp_warning(const char *err, ...)
342 {
343         va_list params;
344         va_start(params, err);
345         report_message("warning: ", err, params);
346         va_end(params);
347 }
348
349 static void rp_error(const char *err, ...)
350 {
351         va_list params;
352         va_start(params, err);
353         report_message("error: ", err, params);
354         va_end(params);
355 }
356
357 static int copy_to_sideband(int in, int out, void *arg)
358 {
359         char data[128];
360         int keepalive_active = 0;
361
362         if (keepalive_in_sec <= 0)
363                 use_keepalive = KEEPALIVE_NEVER;
364         if (use_keepalive == KEEPALIVE_ALWAYS)
365                 keepalive_active = 1;
366
367         while (1) {
368                 ssize_t sz;
369
370                 if (keepalive_active) {
371                         struct pollfd pfd;
372                         int ret;
373
374                         pfd.fd = in;
375                         pfd.events = POLLIN;
376                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
377
378                         if (ret < 0) {
379                                 if (errno == EINTR)
380                                         continue;
381                                 else
382                                         break;
383                         } else if (ret == 0) {
384                                 /* no data; send a keepalive packet */
385                                 static const char buf[] = "0005\1";
386                                 write_or_die(1, buf, sizeof(buf) - 1);
387                                 continue;
388                         } /* else there is actual data to read */
389                 }
390
391                 sz = xread(in, data, sizeof(data));
392                 if (sz <= 0)
393                         break;
394
395                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
396                         const char *p = memchr(data, '\0', sz);
397                         if (p) {
398                                 /*
399                                  * The NUL tells us to start sending keepalives. Make
400                                  * sure we send any other data we read along
401                                  * with it.
402                                  */
403                                 keepalive_active = 1;
404                                 send_sideband(1, 2, data, p - data, use_sideband);
405                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
406                                 continue;
407                         }
408                 }
409
410                 /*
411                  * Either we're not looking for a NUL signal, or we didn't see
412                  * it yet; just pass along the data.
413                  */
414                 send_sideband(1, 2, data, sz, use_sideband);
415         }
416         close(in);
417         return 0;
418 }
419
420 #define HMAC_BLOCK_SIZE 64
421
422 static void hmac_sha1(unsigned char *out,
423                       const char *key_in, size_t key_len,
424                       const char *text, size_t text_len)
425 {
426         unsigned char key[HMAC_BLOCK_SIZE];
427         unsigned char k_ipad[HMAC_BLOCK_SIZE];
428         unsigned char k_opad[HMAC_BLOCK_SIZE];
429         int i;
430         git_SHA_CTX ctx;
431
432         /* RFC 2104 2. (1) */
433         memset(key, '\0', HMAC_BLOCK_SIZE);
434         if (HMAC_BLOCK_SIZE < key_len) {
435                 git_SHA1_Init(&ctx);
436                 git_SHA1_Update(&ctx, key_in, key_len);
437                 git_SHA1_Final(key, &ctx);
438         } else {
439                 memcpy(key, key_in, key_len);
440         }
441
442         /* RFC 2104 2. (2) & (5) */
443         for (i = 0; i < sizeof(key); i++) {
444                 k_ipad[i] = key[i] ^ 0x36;
445                 k_opad[i] = key[i] ^ 0x5c;
446         }
447
448         /* RFC 2104 2. (3) & (4) */
449         git_SHA1_Init(&ctx);
450         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
451         git_SHA1_Update(&ctx, text, text_len);
452         git_SHA1_Final(out, &ctx);
453
454         /* RFC 2104 2. (6) & (7) */
455         git_SHA1_Init(&ctx);
456         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
457         git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
458         git_SHA1_Final(out, &ctx);
459 }
460
461 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
462 {
463         struct strbuf buf = STRBUF_INIT;
464         unsigned char sha1[GIT_SHA1_RAWSZ];
465
466         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
467         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
468         strbuf_release(&buf);
469
470         /* RFC 2104 5. HMAC-SHA1-80 */
471         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
472         return strbuf_detach(&buf, NULL);
473 }
474
475 /*
476  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
477  * after dropping "_commit" from its name and possibly moving it out
478  * of commit.c
479  */
480 static char *find_header(const char *msg, size_t len, const char *key,
481                          const char **next_line)
482 {
483         int key_len = strlen(key);
484         const char *line = msg;
485
486         while (line && line < msg + len) {
487                 const char *eol = strchrnul(line, '\n');
488
489                 if ((msg + len <= eol) || line == eol)
490                         return NULL;
491                 if (line + key_len < eol &&
492                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
493                         int offset = key_len + 1;
494                         if (next_line)
495                                 *next_line = *eol ? eol + 1 : eol;
496                         return xmemdupz(line + offset, (eol - line) - offset);
497                 }
498                 line = *eol ? eol + 1 : NULL;
499         }
500         return NULL;
501 }
502
503 static const char *check_nonce(const char *buf, size_t len)
504 {
505         char *nonce = find_header(buf, len, "nonce", NULL);
506         timestamp_t stamp, ostamp;
507         char *bohmac, *expect = NULL;
508         const char *retval = NONCE_BAD;
509
510         if (!nonce) {
511                 retval = NONCE_MISSING;
512                 goto leave;
513         } else if (!push_cert_nonce) {
514                 retval = NONCE_UNSOLICITED;
515                 goto leave;
516         } else if (!strcmp(push_cert_nonce, nonce)) {
517                 retval = NONCE_OK;
518                 goto leave;
519         }
520
521         if (!stateless_rpc) {
522                 /* returned nonce MUST match what we gave out earlier */
523                 retval = NONCE_BAD;
524                 goto leave;
525         }
526
527         /*
528          * In stateless mode, we may be receiving a nonce issued by
529          * another instance of the server that serving the same
530          * repository, and the timestamps may not match, but the
531          * nonce-seed and dir should match, so we can recompute and
532          * report the time slop.
533          *
534          * In addition, when a nonce issued by another instance has
535          * timestamp within receive.certnonceslop seconds, we pretend
536          * as if we issued that nonce when reporting to the hook.
537          */
538
539         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
540         if (*nonce <= '0' || '9' < *nonce) {
541                 retval = NONCE_BAD;
542                 goto leave;
543         }
544         stamp = parse_timestamp(nonce, &bohmac, 10);
545         if (bohmac == nonce || bohmac[0] != '-') {
546                 retval = NONCE_BAD;
547                 goto leave;
548         }
549
550         expect = prepare_push_cert_nonce(service_dir, stamp);
551         if (strcmp(expect, nonce)) {
552                 /* Not what we would have signed earlier */
553                 retval = NONCE_BAD;
554                 goto leave;
555         }
556
557         /*
558          * By how many seconds is this nonce stale?  Negative value
559          * would mean it was issued by another server with its clock
560          * skewed in the future.
561          */
562         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
563         nonce_stamp_slop = (long)ostamp - (long)stamp;
564
565         if (nonce_stamp_slop_limit &&
566             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
567                 /*
568                  * Pretend as if the received nonce (which passes the
569                  * HMAC check, so it is not a forged by third-party)
570                  * is what we issued.
571                  */
572                 free((void *)push_cert_nonce);
573                 push_cert_nonce = xstrdup(nonce);
574                 retval = NONCE_OK;
575         } else {
576                 retval = NONCE_SLOP;
577         }
578
579 leave:
580         free(nonce);
581         free(expect);
582         return retval;
583 }
584
585 /*
586  * Return 1 if there is no push_cert or if the push options in push_cert are
587  * the same as those in the argument; 0 otherwise.
588  */
589 static int check_cert_push_options(const struct string_list *push_options)
590 {
591         const char *buf = push_cert.buf;
592         int len = push_cert.len;
593
594         char *option;
595         const char *next_line;
596         int options_seen = 0;
597
598         int retval = 1;
599
600         if (!len)
601                 return 1;
602
603         while ((option = find_header(buf, len, "push-option", &next_line))) {
604                 len -= (next_line - buf);
605                 buf = next_line;
606                 options_seen++;
607                 if (options_seen > push_options->nr
608                     || strcmp(option,
609                               push_options->items[options_seen - 1].string)) {
610                         retval = 0;
611                         goto leave;
612                 }
613                 free(option);
614         }
615
616         if (options_seen != push_options->nr)
617                 retval = 0;
618
619 leave:
620         free(option);
621         return retval;
622 }
623
624 static void prepare_push_cert_sha1(struct child_process *proc)
625 {
626         static int already_done;
627
628         if (!push_cert.len)
629                 return;
630
631         if (!already_done) {
632                 int bogs /* beginning_of_gpg_sig */;
633
634                 already_done = 1;
635                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
636                                       &push_cert_oid))
637                         oidclr(&push_cert_oid);
638
639                 memset(&sigcheck, '\0', sizeof(sigcheck));
640
641                 bogs = parse_signature(push_cert.buf, push_cert.len);
642                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
643                                 push_cert.len - bogs, &sigcheck);
644
645                 nonce_status = check_nonce(push_cert.buf, bogs);
646         }
647         if (!is_null_oid(&push_cert_oid)) {
648                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
649                                  oid_to_hex(&push_cert_oid));
650                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
651                                  sigcheck.signer ? sigcheck.signer : "");
652                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
653                                  sigcheck.key ? sigcheck.key : "");
654                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
655                                  sigcheck.result);
656                 if (push_cert_nonce) {
657                         argv_array_pushf(&proc->env_array,
658                                          "GIT_PUSH_CERT_NONCE=%s",
659                                          push_cert_nonce);
660                         argv_array_pushf(&proc->env_array,
661                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
662                                          nonce_status);
663                         if (nonce_status == NONCE_SLOP)
664                                 argv_array_pushf(&proc->env_array,
665                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
666                                                  nonce_stamp_slop);
667                 }
668         }
669 }
670
671 struct receive_hook_feed_state {
672         struct command *cmd;
673         int skip_broken;
674         struct strbuf buf;
675         const struct string_list *push_options;
676 };
677
678 typedef int (*feed_fn)(void *, const char **, size_t *);
679 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
680                              struct receive_hook_feed_state *feed_state)
681 {
682         struct child_process proc = CHILD_PROCESS_INIT;
683         struct async muxer;
684         const char *argv[2];
685         int code;
686
687         argv[0] = find_hook(hook_name);
688         if (!argv[0])
689                 return 0;
690
691         argv[1] = NULL;
692
693         proc.argv = argv;
694         proc.in = -1;
695         proc.stdout_to_stderr = 1;
696         proc.trace2_hook_name = hook_name;
697
698         if (feed_state->push_options) {
699                 int i;
700                 for (i = 0; i < feed_state->push_options->nr; i++)
701                         argv_array_pushf(&proc.env_array,
702                                 "GIT_PUSH_OPTION_%d=%s", i,
703                                 feed_state->push_options->items[i].string);
704                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
705                                  feed_state->push_options->nr);
706         } else
707                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
708
709         if (tmp_objdir)
710                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
711
712         if (use_sideband) {
713                 memset(&muxer, 0, sizeof(muxer));
714                 muxer.proc = copy_to_sideband;
715                 muxer.in = -1;
716                 code = start_async(&muxer);
717                 if (code)
718                         return code;
719                 proc.err = muxer.in;
720         }
721
722         prepare_push_cert_sha1(&proc);
723
724         code = start_command(&proc);
725         if (code) {
726                 if (use_sideband)
727                         finish_async(&muxer);
728                 return code;
729         }
730
731         sigchain_push(SIGPIPE, SIG_IGN);
732
733         while (1) {
734                 const char *buf;
735                 size_t n;
736                 if (feed(feed_state, &buf, &n))
737                         break;
738                 if (write_in_full(proc.in, buf, n) < 0)
739                         break;
740         }
741         close(proc.in);
742         if (use_sideband)
743                 finish_async(&muxer);
744
745         sigchain_pop(SIGPIPE);
746
747         return finish_command(&proc);
748 }
749
750 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
751 {
752         struct receive_hook_feed_state *state = state_;
753         struct command *cmd = state->cmd;
754
755         while (cmd &&
756                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
757                 cmd = cmd->next;
758         if (!cmd)
759                 return -1; /* EOF */
760         strbuf_reset(&state->buf);
761         strbuf_addf(&state->buf, "%s %s %s\n",
762                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
763                     cmd->ref_name);
764         state->cmd = cmd->next;
765         if (bufp) {
766                 *bufp = state->buf.buf;
767                 *sizep = state->buf.len;
768         }
769         return 0;
770 }
771
772 static int run_receive_hook(struct command *commands,
773                             const char *hook_name,
774                             int skip_broken,
775                             const struct string_list *push_options)
776 {
777         struct receive_hook_feed_state state;
778         int status;
779
780         strbuf_init(&state.buf, 0);
781         state.cmd = commands;
782         state.skip_broken = skip_broken;
783         if (feed_receive_hook(&state, NULL, NULL))
784                 return 0;
785         state.cmd = commands;
786         state.push_options = push_options;
787         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
788         strbuf_release(&state.buf);
789         return status;
790 }
791
792 static int run_update_hook(struct command *cmd)
793 {
794         const char *argv[5];
795         struct child_process proc = CHILD_PROCESS_INIT;
796         int code;
797
798         argv[0] = find_hook("update");
799         if (!argv[0])
800                 return 0;
801
802         argv[1] = cmd->ref_name;
803         argv[2] = oid_to_hex(&cmd->old_oid);
804         argv[3] = oid_to_hex(&cmd->new_oid);
805         argv[4] = NULL;
806
807         proc.no_stdin = 1;
808         proc.stdout_to_stderr = 1;
809         proc.err = use_sideband ? -1 : 0;
810         proc.argv = argv;
811         proc.trace2_hook_name = "update";
812
813         code = start_command(&proc);
814         if (code)
815                 return code;
816         if (use_sideband)
817                 copy_to_sideband(proc.err, -1, NULL);
818         return finish_command(&proc);
819 }
820
821 static int is_ref_checked_out(const char *ref)
822 {
823         if (is_bare_repository())
824                 return 0;
825
826         if (!head_name)
827                 return 0;
828         return !strcmp(head_name, ref);
829 }
830
831 static char *refuse_unconfigured_deny_msg =
832         N_("By default, updating the current branch in a non-bare repository\n"
833            "is denied, because it will make the index and work tree inconsistent\n"
834            "with what you pushed, and will require 'git reset --hard' to match\n"
835            "the work tree to HEAD.\n"
836            "\n"
837            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
838            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
839            "its current branch; however, this is not recommended unless you\n"
840            "arranged to update its work tree to match what you pushed in some\n"
841            "other way.\n"
842            "\n"
843            "To squelch this message and still keep the default behaviour, set\n"
844            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
845
846 static void refuse_unconfigured_deny(void)
847 {
848         rp_error("%s", _(refuse_unconfigured_deny_msg));
849 }
850
851 static char *refuse_unconfigured_deny_delete_current_msg =
852         N_("By default, deleting the current branch is denied, because the next\n"
853            "'git clone' won't result in any file checked out, causing confusion.\n"
854            "\n"
855            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
856            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
857            "current branch, with or without a warning message.\n"
858            "\n"
859            "To squelch this message, you can set it to 'refuse'.");
860
861 static void refuse_unconfigured_deny_delete_current(void)
862 {
863         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
864 }
865
866 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
867 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
868 {
869         struct lock_file shallow_lock = LOCK_INIT;
870         struct oid_array extra = OID_ARRAY_INIT;
871         struct check_connected_options opt = CHECK_CONNECTED_INIT;
872         uint32_t mask = 1 << (cmd->index % 32);
873         int i;
874
875         trace_printf_key(&trace_shallow,
876                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
877         for (i = 0; i < si->shallow->nr; i++)
878                 if (si->used_shallow[i] &&
879                     (si->used_shallow[i][cmd->index / 32] & mask) &&
880                     !delayed_reachability_test(si, i))
881                         oid_array_append(&extra, &si->shallow->oid[i]);
882
883         opt.env = tmp_objdir_env(tmp_objdir);
884         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
885         if (check_connected(command_singleton_iterator, cmd, &opt)) {
886                 rollback_lock_file(&shallow_lock);
887                 oid_array_clear(&extra);
888                 return -1;
889         }
890
891         commit_lock_file(&shallow_lock);
892
893         /*
894          * Make sure setup_alternate_shallow() for the next ref does
895          * not lose these new roots..
896          */
897         for (i = 0; i < extra.nr; i++)
898                 register_shallow(the_repository, &extra.oid[i]);
899
900         si->shallow_ref[cmd->index] = 0;
901         oid_array_clear(&extra);
902         return 0;
903 }
904
905 /*
906  * NEEDSWORK: we should consolidate various implementions of "are we
907  * on an unborn branch?" test into one, and make the unified one more
908  * robust. !get_sha1() based check used here and elsewhere would not
909  * allow us to tell an unborn branch from corrupt ref, for example.
910  * For the purpose of fixing "deploy-to-update does not work when
911  * pushing into an empty repository" issue, this should suffice for
912  * now.
913  */
914 static int head_has_history(void)
915 {
916         struct object_id oid;
917
918         return !get_oid("HEAD", &oid);
919 }
920
921 static const char *push_to_deploy(unsigned char *sha1,
922                                   struct argv_array *env,
923                                   const char *work_tree)
924 {
925         const char *update_refresh[] = {
926                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
927         };
928         const char *diff_files[] = {
929                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
930         };
931         const char *diff_index[] = {
932                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
933                 NULL, "--", NULL
934         };
935         const char *read_tree[] = {
936                 "read-tree", "-u", "-m", NULL, NULL
937         };
938         struct child_process child = CHILD_PROCESS_INIT;
939
940         child.argv = update_refresh;
941         child.env = env->argv;
942         child.dir = work_tree;
943         child.no_stdin = 1;
944         child.stdout_to_stderr = 1;
945         child.git_cmd = 1;
946         if (run_command(&child))
947                 return "Up-to-date check failed";
948
949         /* run_command() does not clean up completely; reinitialize */
950         child_process_init(&child);
951         child.argv = diff_files;
952         child.env = env->argv;
953         child.dir = work_tree;
954         child.no_stdin = 1;
955         child.stdout_to_stderr = 1;
956         child.git_cmd = 1;
957         if (run_command(&child))
958                 return "Working directory has unstaged changes";
959
960         /* diff-index with either HEAD or an empty tree */
961         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
962
963         child_process_init(&child);
964         child.argv = diff_index;
965         child.env = env->argv;
966         child.no_stdin = 1;
967         child.no_stdout = 1;
968         child.stdout_to_stderr = 0;
969         child.git_cmd = 1;
970         if (run_command(&child))
971                 return "Working directory has staged changes";
972
973         read_tree[3] = sha1_to_hex(sha1);
974         child_process_init(&child);
975         child.argv = read_tree;
976         child.env = env->argv;
977         child.dir = work_tree;
978         child.no_stdin = 1;
979         child.no_stdout = 1;
980         child.stdout_to_stderr = 0;
981         child.git_cmd = 1;
982         if (run_command(&child))
983                 return "Could not update working tree to new HEAD";
984
985         return NULL;
986 }
987
988 static const char *push_to_checkout_hook = "push-to-checkout";
989
990 static const char *push_to_checkout(unsigned char *sha1,
991                                     struct argv_array *env,
992                                     const char *work_tree)
993 {
994         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
995         if (run_hook_le(env->argv, push_to_checkout_hook,
996                         sha1_to_hex(sha1), NULL))
997                 return "push-to-checkout hook declined";
998         else
999                 return NULL;
1000 }
1001
1002 static const char *update_worktree(unsigned char *sha1)
1003 {
1004         const char *retval;
1005         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1006         struct argv_array env = ARGV_ARRAY_INIT;
1007
1008         if (is_bare_repository())
1009                 return "denyCurrentBranch = updateInstead needs a worktree";
1010
1011         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1012
1013         if (!find_hook(push_to_checkout_hook))
1014                 retval = push_to_deploy(sha1, &env, work_tree);
1015         else
1016                 retval = push_to_checkout(sha1, &env, work_tree);
1017
1018         argv_array_clear(&env);
1019         return retval;
1020 }
1021
1022 static const char *update(struct command *cmd, struct shallow_info *si)
1023 {
1024         const char *name = cmd->ref_name;
1025         struct strbuf namespaced_name_buf = STRBUF_INIT;
1026         static char *namespaced_name;
1027         const char *ret;
1028         struct object_id *old_oid = &cmd->old_oid;
1029         struct object_id *new_oid = &cmd->new_oid;
1030         int do_update_worktree = 0;
1031
1032         /* only refs/... are allowed */
1033         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1034                 rp_error("refusing to create funny ref '%s' remotely", name);
1035                 return "funny refname";
1036         }
1037
1038         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1039         free(namespaced_name);
1040         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1041
1042         if (is_ref_checked_out(namespaced_name)) {
1043                 switch (deny_current_branch) {
1044                 case DENY_IGNORE:
1045                         break;
1046                 case DENY_WARN:
1047                         rp_warning("updating the current branch");
1048                         break;
1049                 case DENY_REFUSE:
1050                 case DENY_UNCONFIGURED:
1051                         rp_error("refusing to update checked out branch: %s", name);
1052                         if (deny_current_branch == DENY_UNCONFIGURED)
1053                                 refuse_unconfigured_deny();
1054                         return "branch is currently checked out";
1055                 case DENY_UPDATE_INSTEAD:
1056                         /* pass -- let other checks intervene first */
1057                         do_update_worktree = 1;
1058                         break;
1059                 }
1060         }
1061
1062         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1063                 error("unpack should have generated %s, "
1064                       "but I can't find it!", oid_to_hex(new_oid));
1065                 return "bad pack";
1066         }
1067
1068         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1069                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1070                         rp_error("denying ref deletion for %s", name);
1071                         return "deletion prohibited";
1072                 }
1073
1074                 if (head_name && !strcmp(namespaced_name, head_name)) {
1075                         switch (deny_delete_current) {
1076                         case DENY_IGNORE:
1077                                 break;
1078                         case DENY_WARN:
1079                                 rp_warning("deleting the current branch");
1080                                 break;
1081                         case DENY_REFUSE:
1082                         case DENY_UNCONFIGURED:
1083                         case DENY_UPDATE_INSTEAD:
1084                                 if (deny_delete_current == DENY_UNCONFIGURED)
1085                                         refuse_unconfigured_deny_delete_current();
1086                                 rp_error("refusing to delete the current branch: %s", name);
1087                                 return "deletion of the current branch prohibited";
1088                         default:
1089                                 return "Invalid denyDeleteCurrent setting";
1090                         }
1091                 }
1092         }
1093
1094         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1095             !is_null_oid(old_oid) &&
1096             starts_with(name, "refs/heads/")) {
1097                 struct object *old_object, *new_object;
1098                 struct commit *old_commit, *new_commit;
1099
1100                 old_object = parse_object(the_repository, old_oid);
1101                 new_object = parse_object(the_repository, new_oid);
1102
1103                 if (!old_object || !new_object ||
1104                     old_object->type != OBJ_COMMIT ||
1105                     new_object->type != OBJ_COMMIT) {
1106                         error("bad sha1 objects for %s", name);
1107                         return "bad ref";
1108                 }
1109                 old_commit = (struct commit *)old_object;
1110                 new_commit = (struct commit *)new_object;
1111                 if (!in_merge_bases(old_commit, new_commit)) {
1112                         rp_error("denying non-fast-forward %s"
1113                                  " (you should pull first)", name);
1114                         return "non-fast-forward";
1115                 }
1116         }
1117         if (run_update_hook(cmd)) {
1118                 rp_error("hook declined to update %s", name);
1119                 return "hook declined";
1120         }
1121
1122         if (do_update_worktree) {
1123                 ret = update_worktree(new_oid->hash);
1124                 if (ret)
1125                         return ret;
1126         }
1127
1128         if (is_null_oid(new_oid)) {
1129                 struct strbuf err = STRBUF_INIT;
1130                 if (!parse_object(the_repository, old_oid)) {
1131                         old_oid = NULL;
1132                         if (ref_exists(name)) {
1133                                 rp_warning("Allowing deletion of corrupt ref.");
1134                         } else {
1135                                 rp_warning("Deleting a non-existent ref.");
1136                                 cmd->did_not_exist = 1;
1137                         }
1138                 }
1139                 if (ref_transaction_delete(transaction,
1140                                            namespaced_name,
1141                                            old_oid,
1142                                            0, "push", &err)) {
1143                         rp_error("%s", err.buf);
1144                         strbuf_release(&err);
1145                         return "failed to delete";
1146                 }
1147                 strbuf_release(&err);
1148                 return NULL; /* good */
1149         }
1150         else {
1151                 struct strbuf err = STRBUF_INIT;
1152                 if (shallow_update && si->shallow_ref[cmd->index] &&
1153                     update_shallow_ref(cmd, si))
1154                         return "shallow error";
1155
1156                 if (ref_transaction_update(transaction,
1157                                            namespaced_name,
1158                                            new_oid, old_oid,
1159                                            0, "push",
1160                                            &err)) {
1161                         rp_error("%s", err.buf);
1162                         strbuf_release(&err);
1163
1164                         return "failed to update ref";
1165                 }
1166                 strbuf_release(&err);
1167
1168                 return NULL; /* good */
1169         }
1170 }
1171
1172 static void run_update_post_hook(struct command *commands)
1173 {
1174         struct command *cmd;
1175         struct child_process proc = CHILD_PROCESS_INIT;
1176         const char *hook;
1177
1178         hook = find_hook("post-update");
1179         if (!hook)
1180                 return;
1181
1182         for (cmd = commands; cmd; cmd = cmd->next) {
1183                 if (cmd->error_string || cmd->did_not_exist)
1184                         continue;
1185                 if (!proc.args.argc)
1186                         argv_array_push(&proc.args, hook);
1187                 argv_array_push(&proc.args, cmd->ref_name);
1188         }
1189         if (!proc.args.argc)
1190                 return;
1191
1192         proc.no_stdin = 1;
1193         proc.stdout_to_stderr = 1;
1194         proc.err = use_sideband ? -1 : 0;
1195         proc.trace2_hook_name = "post-update";
1196
1197         if (!start_command(&proc)) {
1198                 if (use_sideband)
1199                         copy_to_sideband(proc.err, -1, NULL);
1200                 finish_command(&proc);
1201         }
1202 }
1203
1204 static void check_aliased_update_internal(struct command *cmd,
1205                                           struct string_list *list,
1206                                           const char *dst_name, int flag)
1207 {
1208         struct string_list_item *item;
1209         struct command *dst_cmd;
1210
1211         if (!(flag & REF_ISSYMREF))
1212                 return;
1213
1214         if (!dst_name) {
1215                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1216                 cmd->skip_update = 1;
1217                 cmd->error_string = "broken symref";
1218                 return;
1219         }
1220         dst_name = strip_namespace(dst_name);
1221
1222         if ((item = string_list_lookup(list, dst_name)) == NULL)
1223                 return;
1224
1225         cmd->skip_update = 1;
1226
1227         dst_cmd = (struct command *) item->util;
1228
1229         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1230             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1231                 return;
1232
1233         dst_cmd->skip_update = 1;
1234
1235         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1236                  " its target '%s' (%s..%s)",
1237                  cmd->ref_name,
1238                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1239                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1240                  dst_cmd->ref_name,
1241                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1242                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1243
1244         cmd->error_string = dst_cmd->error_string =
1245                 "inconsistent aliased update";
1246 }
1247
1248 static void check_aliased_update(struct command *cmd, struct string_list *list)
1249 {
1250         struct strbuf buf = STRBUF_INIT;
1251         const char *dst_name;
1252         int flag;
1253
1254         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1255         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1256         check_aliased_update_internal(cmd, list, dst_name, flag);
1257         strbuf_release(&buf);
1258 }
1259
1260 static void check_aliased_updates(struct command *commands)
1261 {
1262         struct command *cmd;
1263         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1264
1265         for (cmd = commands; cmd; cmd = cmd->next) {
1266                 struct string_list_item *item =
1267                         string_list_append(&ref_list, cmd->ref_name);
1268                 item->util = (void *)cmd;
1269         }
1270         string_list_sort(&ref_list);
1271
1272         for (cmd = commands; cmd; cmd = cmd->next) {
1273                 if (!cmd->error_string)
1274                         check_aliased_update(cmd, &ref_list);
1275         }
1276
1277         string_list_clear(&ref_list, 0);
1278 }
1279
1280 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1281 {
1282         struct command **cmd_list = cb_data;
1283         struct command *cmd = *cmd_list;
1284
1285         if (!cmd || is_null_oid(&cmd->new_oid))
1286                 return -1; /* end of list */
1287         *cmd_list = NULL; /* this returns only one */
1288         oidcpy(oid, &cmd->new_oid);
1289         return 0;
1290 }
1291
1292 static void set_connectivity_errors(struct command *commands,
1293                                     struct shallow_info *si)
1294 {
1295         struct command *cmd;
1296
1297         for (cmd = commands; cmd; cmd = cmd->next) {
1298                 struct command *singleton = cmd;
1299                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1300
1301                 if (shallow_update && si->shallow_ref[cmd->index])
1302                         /* to be checked in update_shallow_ref() */
1303                         continue;
1304
1305                 opt.env = tmp_objdir_env(tmp_objdir);
1306                 if (!check_connected(command_singleton_iterator, &singleton,
1307                                      &opt))
1308                         continue;
1309
1310                 cmd->error_string = "missing necessary objects";
1311         }
1312 }
1313
1314 struct iterate_data {
1315         struct command *cmds;
1316         struct shallow_info *si;
1317 };
1318
1319 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1320 {
1321         struct iterate_data *data = cb_data;
1322         struct command **cmd_list = &data->cmds;
1323         struct command *cmd = *cmd_list;
1324
1325         for (; cmd; cmd = cmd->next) {
1326                 if (shallow_update && data->si->shallow_ref[cmd->index])
1327                         /* to be checked in update_shallow_ref() */
1328                         continue;
1329                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1330                         oidcpy(oid, &cmd->new_oid);
1331                         *cmd_list = cmd->next;
1332                         return 0;
1333                 }
1334         }
1335         *cmd_list = NULL;
1336         return -1; /* end of list */
1337 }
1338
1339 static void reject_updates_to_hidden(struct command *commands)
1340 {
1341         struct strbuf refname_full = STRBUF_INIT;
1342         size_t prefix_len;
1343         struct command *cmd;
1344
1345         strbuf_addstr(&refname_full, get_git_namespace());
1346         prefix_len = refname_full.len;
1347
1348         for (cmd = commands; cmd; cmd = cmd->next) {
1349                 if (cmd->error_string)
1350                         continue;
1351
1352                 strbuf_setlen(&refname_full, prefix_len);
1353                 strbuf_addstr(&refname_full, cmd->ref_name);
1354
1355                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1356                         continue;
1357                 if (is_null_oid(&cmd->new_oid))
1358                         cmd->error_string = "deny deleting a hidden ref";
1359                 else
1360                         cmd->error_string = "deny updating a hidden ref";
1361         }
1362
1363         strbuf_release(&refname_full);
1364 }
1365
1366 static int should_process_cmd(struct command *cmd)
1367 {
1368         return !cmd->error_string && !cmd->skip_update;
1369 }
1370
1371 static void warn_if_skipped_connectivity_check(struct command *commands,
1372                                                struct shallow_info *si)
1373 {
1374         struct command *cmd;
1375         int checked_connectivity = 1;
1376
1377         for (cmd = commands; cmd; cmd = cmd->next) {
1378                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1379                         error("BUG: connectivity check has not been run on ref %s",
1380                               cmd->ref_name);
1381                         checked_connectivity = 0;
1382                 }
1383         }
1384         if (!checked_connectivity)
1385                 BUG("connectivity check skipped???");
1386 }
1387
1388 static void execute_commands_non_atomic(struct command *commands,
1389                                         struct shallow_info *si)
1390 {
1391         struct command *cmd;
1392         struct strbuf err = STRBUF_INIT;
1393
1394         for (cmd = commands; cmd; cmd = cmd->next) {
1395                 if (!should_process_cmd(cmd))
1396                         continue;
1397
1398                 transaction = ref_transaction_begin(&err);
1399                 if (!transaction) {
1400                         rp_error("%s", err.buf);
1401                         strbuf_reset(&err);
1402                         cmd->error_string = "transaction failed to start";
1403                         continue;
1404                 }
1405
1406                 cmd->error_string = update(cmd, si);
1407
1408                 if (!cmd->error_string
1409                     && ref_transaction_commit(transaction, &err)) {
1410                         rp_error("%s", err.buf);
1411                         strbuf_reset(&err);
1412                         cmd->error_string = "failed to update ref";
1413                 }
1414                 ref_transaction_free(transaction);
1415         }
1416         strbuf_release(&err);
1417 }
1418
1419 static void execute_commands_atomic(struct command *commands,
1420                                         struct shallow_info *si)
1421 {
1422         struct command *cmd;
1423         struct strbuf err = STRBUF_INIT;
1424         const char *reported_error = "atomic push failure";
1425
1426         transaction = ref_transaction_begin(&err);
1427         if (!transaction) {
1428                 rp_error("%s", err.buf);
1429                 strbuf_reset(&err);
1430                 reported_error = "transaction failed to start";
1431                 goto failure;
1432         }
1433
1434         for (cmd = commands; cmd; cmd = cmd->next) {
1435                 if (!should_process_cmd(cmd))
1436                         continue;
1437
1438                 cmd->error_string = update(cmd, si);
1439
1440                 if (cmd->error_string)
1441                         goto failure;
1442         }
1443
1444         if (ref_transaction_commit(transaction, &err)) {
1445                 rp_error("%s", err.buf);
1446                 reported_error = "atomic transaction failed";
1447                 goto failure;
1448         }
1449         goto cleanup;
1450
1451 failure:
1452         for (cmd = commands; cmd; cmd = cmd->next)
1453                 if (!cmd->error_string)
1454                         cmd->error_string = reported_error;
1455
1456 cleanup:
1457         ref_transaction_free(transaction);
1458         strbuf_release(&err);
1459 }
1460
1461 static void execute_commands(struct command *commands,
1462                              const char *unpacker_error,
1463                              struct shallow_info *si,
1464                              const struct string_list *push_options)
1465 {
1466         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1467         struct command *cmd;
1468         struct iterate_data data;
1469         struct async muxer;
1470         int err_fd = 0;
1471
1472         if (unpacker_error) {
1473                 for (cmd = commands; cmd; cmd = cmd->next)
1474                         cmd->error_string = "unpacker error";
1475                 return;
1476         }
1477
1478         if (use_sideband) {
1479                 memset(&muxer, 0, sizeof(muxer));
1480                 muxer.proc = copy_to_sideband;
1481                 muxer.in = -1;
1482                 if (!start_async(&muxer))
1483                         err_fd = muxer.in;
1484                 /* ...else, continue without relaying sideband */
1485         }
1486
1487         data.cmds = commands;
1488         data.si = si;
1489         opt.err_fd = err_fd;
1490         opt.progress = err_fd && !quiet;
1491         opt.env = tmp_objdir_env(tmp_objdir);
1492         if (check_connected(iterate_receive_command_list, &data, &opt))
1493                 set_connectivity_errors(commands, si);
1494
1495         if (use_sideband)
1496                 finish_async(&muxer);
1497
1498         reject_updates_to_hidden(commands);
1499
1500         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1501                 for (cmd = commands; cmd; cmd = cmd->next) {
1502                         if (!cmd->error_string)
1503                                 cmd->error_string = "pre-receive hook declined";
1504                 }
1505                 return;
1506         }
1507
1508         /*
1509          * Now we'll start writing out refs, which means the objects need
1510          * to be in their final positions so that other processes can see them.
1511          */
1512         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1513                 for (cmd = commands; cmd; cmd = cmd->next) {
1514                         if (!cmd->error_string)
1515                                 cmd->error_string = "unable to migrate objects to permanent storage";
1516                 }
1517                 return;
1518         }
1519         tmp_objdir = NULL;
1520
1521         check_aliased_updates(commands);
1522
1523         free(head_name_to_free);
1524         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1525
1526         if (use_atomic)
1527                 execute_commands_atomic(commands, si);
1528         else
1529                 execute_commands_non_atomic(commands, si);
1530
1531         if (shallow_update)
1532                 warn_if_skipped_connectivity_check(commands, si);
1533 }
1534
1535 static struct command **queue_command(struct command **tail,
1536                                       const char *line,
1537                                       int linelen)
1538 {
1539         struct object_id old_oid, new_oid;
1540         struct command *cmd;
1541         const char *refname;
1542         int reflen;
1543         const char *p;
1544
1545         if (parse_oid_hex(line, &old_oid, &p) ||
1546             *p++ != ' ' ||
1547             parse_oid_hex(p, &new_oid, &p) ||
1548             *p++ != ' ')
1549                 die("protocol error: expected old/new/ref, got '%s'", line);
1550
1551         refname = p;
1552         reflen = linelen - (p - line);
1553         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1554         oidcpy(&cmd->old_oid, &old_oid);
1555         oidcpy(&cmd->new_oid, &new_oid);
1556         *tail = cmd;
1557         return &cmd->next;
1558 }
1559
1560 static void queue_commands_from_cert(struct command **tail,
1561                                      struct strbuf *push_cert)
1562 {
1563         const char *boc, *eoc;
1564
1565         if (*tail)
1566                 die("protocol error: got both push certificate and unsigned commands");
1567
1568         boc = strstr(push_cert->buf, "\n\n");
1569         if (!boc)
1570                 die("malformed push certificate %.*s", 100, push_cert->buf);
1571         else
1572                 boc += 2;
1573         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1574
1575         while (boc < eoc) {
1576                 const char *eol = memchr(boc, '\n', eoc - boc);
1577                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1578                 boc = eol ? eol + 1 : eoc;
1579         }
1580 }
1581
1582 static struct command *read_head_info(struct packet_reader *reader,
1583                                       struct oid_array *shallow)
1584 {
1585         struct command *commands = NULL;
1586         struct command **p = &commands;
1587         for (;;) {
1588                 int linelen;
1589
1590                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1591                         break;
1592
1593                 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1594                         struct object_id oid;
1595                         if (get_oid_hex(reader->line + 8, &oid))
1596                                 die("protocol error: expected shallow sha, got '%s'",
1597                                     reader->line + 8);
1598                         oid_array_append(shallow, &oid);
1599                         continue;
1600                 }
1601
1602                 linelen = strlen(reader->line);
1603                 if (linelen < reader->pktlen) {
1604                         const char *feature_list = reader->line + linelen + 1;
1605                         if (parse_feature_request(feature_list, "report-status"))
1606                                 report_status = 1;
1607                         if (parse_feature_request(feature_list, "side-band-64k"))
1608                                 use_sideband = LARGE_PACKET_MAX;
1609                         if (parse_feature_request(feature_list, "quiet"))
1610                                 quiet = 1;
1611                         if (advertise_atomic_push
1612                             && parse_feature_request(feature_list, "atomic"))
1613                                 use_atomic = 1;
1614                         if (advertise_push_options
1615                             && parse_feature_request(feature_list, "push-options"))
1616                                 use_push_options = 1;
1617                 }
1618
1619                 if (!strcmp(reader->line, "push-cert")) {
1620                         int true_flush = 0;
1621                         int saved_options = reader->options;
1622                         reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1623
1624                         for (;;) {
1625                                 packet_reader_read(reader);
1626                                 if (reader->status == PACKET_READ_FLUSH) {
1627                                         true_flush = 1;
1628                                         break;
1629                                 }
1630                                 if (reader->status != PACKET_READ_NORMAL) {
1631                                         die("protocol error: got an unexpected packet");
1632                                 }
1633                                 if (!strcmp(reader->line, "push-cert-end\n"))
1634                                         break; /* end of cert */
1635                                 strbuf_addstr(&push_cert, reader->line);
1636                         }
1637                         reader->options = saved_options;
1638
1639                         if (true_flush)
1640                                 break;
1641                         continue;
1642                 }
1643
1644                 p = queue_command(p, reader->line, linelen);
1645         }
1646
1647         if (push_cert.len)
1648                 queue_commands_from_cert(p, &push_cert);
1649
1650         return commands;
1651 }
1652
1653 static void read_push_options(struct packet_reader *reader,
1654                               struct string_list *options)
1655 {
1656         while (1) {
1657                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1658                         break;
1659
1660                 string_list_append(options, reader->line);
1661         }
1662 }
1663
1664 static const char *parse_pack_header(struct pack_header *hdr)
1665 {
1666         switch (read_pack_header(0, hdr)) {
1667         case PH_ERROR_EOF:
1668                 return "eof before pack header was fully read";
1669
1670         case PH_ERROR_PACK_SIGNATURE:
1671                 return "protocol error (pack signature mismatch detected)";
1672
1673         case PH_ERROR_PROTOCOL:
1674                 return "protocol error (pack version unsupported)";
1675
1676         default:
1677                 return "unknown error in parse_pack_header";
1678
1679         case 0:
1680                 return NULL;
1681         }
1682 }
1683
1684 static const char *pack_lockfile;
1685
1686 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1687 {
1688         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1689                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1690 }
1691
1692 static const char *unpack(int err_fd, struct shallow_info *si)
1693 {
1694         struct pack_header hdr;
1695         const char *hdr_err;
1696         int status;
1697         struct child_process child = CHILD_PROCESS_INIT;
1698         int fsck_objects = (receive_fsck_objects >= 0
1699                             ? receive_fsck_objects
1700                             : transfer_fsck_objects >= 0
1701                             ? transfer_fsck_objects
1702                             : 0);
1703
1704         hdr_err = parse_pack_header(&hdr);
1705         if (hdr_err) {
1706                 if (err_fd > 0)
1707                         close(err_fd);
1708                 return hdr_err;
1709         }
1710
1711         if (si->nr_ours || si->nr_theirs) {
1712                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1713                 argv_array_push(&child.args, "--shallow-file");
1714                 argv_array_push(&child.args, alt_shallow_file);
1715         }
1716
1717         tmp_objdir = tmp_objdir_create();
1718         if (!tmp_objdir) {
1719                 if (err_fd > 0)
1720                         close(err_fd);
1721                 return "unable to create temporary object directory";
1722         }
1723         child.env = tmp_objdir_env(tmp_objdir);
1724
1725         /*
1726          * Normally we just pass the tmp_objdir environment to the child
1727          * processes that do the heavy lifting, but we may need to see these
1728          * objects ourselves to set up shallow information.
1729          */
1730         tmp_objdir_add_as_alternate(tmp_objdir);
1731
1732         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1733                 argv_array_push(&child.args, "unpack-objects");
1734                 push_header_arg(&child.args, &hdr);
1735                 if (quiet)
1736                         argv_array_push(&child.args, "-q");
1737                 if (fsck_objects)
1738                         argv_array_pushf(&child.args, "--strict%s",
1739                                 fsck_msg_types.buf);
1740                 if (max_input_size)
1741                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1742                                 (uintmax_t)max_input_size);
1743                 child.no_stdout = 1;
1744                 child.err = err_fd;
1745                 child.git_cmd = 1;
1746                 status = run_command(&child);
1747                 if (status)
1748                         return "unpack-objects abnormal exit";
1749         } else {
1750                 char hostname[HOST_NAME_MAX + 1];
1751
1752                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1753                 push_header_arg(&child.args, &hdr);
1754
1755                 if (xgethostname(hostname, sizeof(hostname)))
1756                         xsnprintf(hostname, sizeof(hostname), "localhost");
1757                 argv_array_pushf(&child.args,
1758                                  "--keep=receive-pack %"PRIuMAX" on %s",
1759                                  (uintmax_t)getpid(),
1760                                  hostname);
1761
1762                 if (!quiet && err_fd)
1763                         argv_array_push(&child.args, "--show-resolving-progress");
1764                 if (use_sideband)
1765                         argv_array_push(&child.args, "--report-end-of-input");
1766                 if (fsck_objects)
1767                         argv_array_pushf(&child.args, "--strict%s",
1768                                 fsck_msg_types.buf);
1769                 if (!reject_thin)
1770                         argv_array_push(&child.args, "--fix-thin");
1771                 if (max_input_size)
1772                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1773                                 (uintmax_t)max_input_size);
1774                 child.out = -1;
1775                 child.err = err_fd;
1776                 child.git_cmd = 1;
1777                 status = start_command(&child);
1778                 if (status)
1779                         return "index-pack fork failed";
1780                 pack_lockfile = index_pack_lockfile(child.out);
1781                 close(child.out);
1782                 status = finish_command(&child);
1783                 if (status)
1784                         return "index-pack abnormal exit";
1785                 reprepare_packed_git(the_repository);
1786         }
1787         return NULL;
1788 }
1789
1790 static const char *unpack_with_sideband(struct shallow_info *si)
1791 {
1792         struct async muxer;
1793         const char *ret;
1794
1795         if (!use_sideband)
1796                 return unpack(0, si);
1797
1798         use_keepalive = KEEPALIVE_AFTER_NUL;
1799         memset(&muxer, 0, sizeof(muxer));
1800         muxer.proc = copy_to_sideband;
1801         muxer.in = -1;
1802         if (start_async(&muxer))
1803                 return NULL;
1804
1805         ret = unpack(muxer.in, si);
1806
1807         finish_async(&muxer);
1808         return ret;
1809 }
1810
1811 static void prepare_shallow_update(struct shallow_info *si)
1812 {
1813         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1814
1815         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1816         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1817
1818         si->need_reachability_test =
1819                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1820         si->reachable =
1821                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1822         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1823
1824         for (i = 0; i < si->nr_ours; i++)
1825                 si->need_reachability_test[si->ours[i]] = 1;
1826
1827         for (i = 0; i < si->shallow->nr; i++) {
1828                 if (!si->used_shallow[i])
1829                         continue;
1830                 for (j = 0; j < bitmap_size; j++) {
1831                         if (!si->used_shallow[i][j])
1832                                 continue;
1833                         si->need_reachability_test[i]++;
1834                         for (k = 0; k < 32; k++)
1835                                 if (si->used_shallow[i][j] & (1U << k))
1836                                         si->shallow_ref[j * 32 + k]++;
1837                 }
1838
1839                 /*
1840                  * true for those associated with some refs and belong
1841                  * in "ours" list aka "step 7 not done yet"
1842                  */
1843                 si->need_reachability_test[i] =
1844                         si->need_reachability_test[i] > 1;
1845         }
1846
1847         /*
1848          * keep hooks happy by forcing a temporary shallow file via
1849          * env variable because we can't add --shallow-file to every
1850          * command. check_connected() will be done with
1851          * true .git/shallow though.
1852          */
1853         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1854 }
1855
1856 static void update_shallow_info(struct command *commands,
1857                                 struct shallow_info *si,
1858                                 struct oid_array *ref)
1859 {
1860         struct command *cmd;
1861         int *ref_status;
1862         remove_nonexistent_theirs_shallow(si);
1863         if (!si->nr_ours && !si->nr_theirs) {
1864                 shallow_update = 0;
1865                 return;
1866         }
1867
1868         for (cmd = commands; cmd; cmd = cmd->next) {
1869                 if (is_null_oid(&cmd->new_oid))
1870                         continue;
1871                 oid_array_append(ref, &cmd->new_oid);
1872                 cmd->index = ref->nr - 1;
1873         }
1874         si->ref = ref;
1875
1876         if (shallow_update) {
1877                 prepare_shallow_update(si);
1878                 return;
1879         }
1880
1881         ALLOC_ARRAY(ref_status, ref->nr);
1882         assign_shallow_commits_to_refs(si, NULL, ref_status);
1883         for (cmd = commands; cmd; cmd = cmd->next) {
1884                 if (is_null_oid(&cmd->new_oid))
1885                         continue;
1886                 if (ref_status[cmd->index]) {
1887                         cmd->error_string = "shallow update not allowed";
1888                         cmd->skip_update = 1;
1889                 }
1890         }
1891         free(ref_status);
1892 }
1893
1894 static void report(struct command *commands, const char *unpack_status)
1895 {
1896         struct command *cmd;
1897         struct strbuf buf = STRBUF_INIT;
1898
1899         packet_buf_write(&buf, "unpack %s\n",
1900                          unpack_status ? unpack_status : "ok");
1901         for (cmd = commands; cmd; cmd = cmd->next) {
1902                 if (!cmd->error_string)
1903                         packet_buf_write(&buf, "ok %s\n",
1904                                          cmd->ref_name);
1905                 else
1906                         packet_buf_write(&buf, "ng %s %s\n",
1907                                          cmd->ref_name, cmd->error_string);
1908         }
1909         packet_buf_flush(&buf);
1910
1911         if (use_sideband)
1912                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1913         else
1914                 write_or_die(1, buf.buf, buf.len);
1915         strbuf_release(&buf);
1916 }
1917
1918 static int delete_only(struct command *commands)
1919 {
1920         struct command *cmd;
1921         for (cmd = commands; cmd; cmd = cmd->next) {
1922                 if (!is_null_oid(&cmd->new_oid))
1923                         return 0;
1924         }
1925         return 1;
1926 }
1927
1928 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1929 {
1930         int advertise_refs = 0;
1931         struct command *commands;
1932         struct oid_array shallow = OID_ARRAY_INIT;
1933         struct oid_array ref = OID_ARRAY_INIT;
1934         struct shallow_info si;
1935         struct packet_reader reader;
1936
1937         struct option options[] = {
1938                 OPT__QUIET(&quiet, N_("quiet")),
1939                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1940                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1941                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1942                 OPT_END()
1943         };
1944
1945         packet_trace_identity("receive-pack");
1946
1947         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1948
1949         if (argc > 1)
1950                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1951         if (argc == 0)
1952                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1953
1954         service_dir = argv[0];
1955
1956         setup_path();
1957
1958         if (!enter_repo(service_dir, 0))
1959                 die("'%s' does not appear to be a git repository", service_dir);
1960
1961         git_config(receive_pack_config, NULL);
1962         if (cert_nonce_seed)
1963                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1964
1965         if (0 <= transfer_unpack_limit)
1966                 unpack_limit = transfer_unpack_limit;
1967         else if (0 <= receive_unpack_limit)
1968                 unpack_limit = receive_unpack_limit;
1969
1970         switch (determine_protocol_version_server()) {
1971         case protocol_v2:
1972                 /*
1973                  * push support for protocol v2 has not been implemented yet,
1974                  * so ignore the request to use v2 and fallback to using v0.
1975                  */
1976                 break;
1977         case protocol_v1:
1978                 /*
1979                  * v1 is just the original protocol with a version string,
1980                  * so just fall through after writing the version string.
1981                  */
1982                 if (advertise_refs || !stateless_rpc)
1983                         packet_write_fmt(1, "version 1\n");
1984
1985                 /* fallthrough */
1986         case protocol_v0:
1987                 break;
1988         case protocol_unknown_version:
1989                 BUG("unknown protocol version");
1990         }
1991
1992         if (advertise_refs || !stateless_rpc) {
1993                 write_head_info();
1994         }
1995         if (advertise_refs)
1996                 return 0;
1997
1998         packet_reader_init(&reader, 0, NULL, 0,
1999                            PACKET_READ_CHOMP_NEWLINE |
2000                            PACKET_READ_DIE_ON_ERR_PACKET);
2001
2002         if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2003                 const char *unpack_status = NULL;
2004                 struct string_list push_options = STRING_LIST_INIT_DUP;
2005
2006                 if (use_push_options)
2007                         read_push_options(&reader, &push_options);
2008                 if (!check_cert_push_options(&push_options)) {
2009                         struct command *cmd;
2010                         for (cmd = commands; cmd; cmd = cmd->next)
2011                                 cmd->error_string = "inconsistent push options";
2012                 }
2013
2014                 prepare_shallow_info(&si, &shallow);
2015                 if (!si.nr_ours && !si.nr_theirs)
2016                         shallow_update = 0;
2017                 if (!delete_only(commands)) {
2018                         unpack_status = unpack_with_sideband(&si);
2019                         update_shallow_info(commands, &si, &ref);
2020                 }
2021                 use_keepalive = KEEPALIVE_ALWAYS;
2022                 execute_commands(commands, unpack_status, &si,
2023                                  &push_options);
2024                 if (pack_lockfile)
2025                         unlink_or_warn(pack_lockfile);
2026                 if (report_status)
2027                         report(commands, unpack_status);
2028                 run_receive_hook(commands, "post-receive", 1,
2029                                  &push_options);
2030                 run_update_post_hook(commands);
2031                 string_list_clear(&push_options, 0);
2032                 if (auto_gc) {
2033                         const char *argv_gc_auto[] = {
2034                                 "gc", "--auto", "--quiet", NULL,
2035                         };
2036                         struct child_process proc = CHILD_PROCESS_INIT;
2037
2038                         proc.no_stdin = 1;
2039                         proc.stdout_to_stderr = 1;
2040                         proc.err = use_sideband ? -1 : 0;
2041                         proc.git_cmd = 1;
2042                         proc.argv = argv_gc_auto;
2043
2044                         close_object_store(the_repository->objects);
2045                         if (!start_command(&proc)) {
2046                                 if (use_sideband)
2047                                         copy_to_sideband(proc.err, -1, NULL);
2048                                 finish_command(&proc);
2049                         }
2050                 }
2051                 if (auto_update_server_info)
2052                         update_server_info(0);
2053                 clear_shallow_info(&si);
2054         }
2055         if (use_sideband)
2056                 packet_flush(1);
2057         oid_array_clear(&shallow);
2058         oid_array_clear(&ref);
2059         free((void *)push_cert_nonce);
2060         return 0;
2061 }