Merge branch 'sb/t4005-modernize'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23 #include "tmp-objdir.h"
24 #include "oidset.h"
25
26 static const char * const receive_pack_usage[] = {
27         N_("git receive-pack <git-dir>"),
28         NULL
29 };
30
31 enum deny_action {
32         DENY_UNCONFIGURED,
33         DENY_IGNORE,
34         DENY_WARN,
35         DENY_REFUSE,
36         DENY_UPDATE_INSTEAD
37 };
38
39 static int deny_deletes;
40 static int deny_non_fast_forwards;
41 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
42 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
43 static int receive_fsck_objects = -1;
44 static int transfer_fsck_objects = -1;
45 static struct strbuf fsck_msg_types = STRBUF_INIT;
46 static int receive_unpack_limit = -1;
47 static int transfer_unpack_limit = -1;
48 static int advertise_atomic_push = 1;
49 static int advertise_push_options;
50 static int unpack_limit = 100;
51 static off_t max_input_size;
52 static int report_status;
53 static int use_sideband;
54 static int use_atomic;
55 static int use_push_options;
56 static int quiet;
57 static int prefer_ofs_delta = 1;
58 static int auto_update_server_info;
59 static int auto_gc = 1;
60 static int reject_thin;
61 static int stateless_rpc;
62 static const char *service_dir;
63 static const char *head_name;
64 static void *head_name_to_free;
65 static int sent_capabilities;
66 static int shallow_update;
67 static const char *alt_shallow_file;
68 static struct strbuf push_cert = STRBUF_INIT;
69 static unsigned char push_cert_sha1[20];
70 static struct signature_check sigcheck;
71 static const char *push_cert_nonce;
72 static const char *cert_nonce_seed;
73
74 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
75 static const char *NONCE_BAD = "BAD";
76 static const char *NONCE_MISSING = "MISSING";
77 static const char *NONCE_OK = "OK";
78 static const char *NONCE_SLOP = "SLOP";
79 static const char *nonce_status;
80 static long nonce_stamp_slop;
81 static timestamp_t nonce_stamp_slop_limit;
82 static struct ref_transaction *transaction;
83
84 static enum {
85         KEEPALIVE_NEVER = 0,
86         KEEPALIVE_AFTER_NUL,
87         KEEPALIVE_ALWAYS
88 } use_keepalive;
89 static int keepalive_in_sec = 5;
90
91 static struct tmp_objdir *tmp_objdir;
92
93 static enum deny_action parse_deny_action(const char *var, const char *value)
94 {
95         if (value) {
96                 if (!strcasecmp(value, "ignore"))
97                         return DENY_IGNORE;
98                 if (!strcasecmp(value, "warn"))
99                         return DENY_WARN;
100                 if (!strcasecmp(value, "refuse"))
101                         return DENY_REFUSE;
102                 if (!strcasecmp(value, "updateinstead"))
103                         return DENY_UPDATE_INSTEAD;
104         }
105         if (git_config_bool(var, value))
106                 return DENY_REFUSE;
107         return DENY_IGNORE;
108 }
109
110 static int receive_pack_config(const char *var, const char *value, void *cb)
111 {
112         int status = parse_hide_refs_config(var, value, "receive");
113
114         if (status)
115                 return status;
116
117         if (strcmp(var, "receive.denydeletes") == 0) {
118                 deny_deletes = git_config_bool(var, value);
119                 return 0;
120         }
121
122         if (strcmp(var, "receive.denynonfastforwards") == 0) {
123                 deny_non_fast_forwards = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.unpacklimit") == 0) {
128                 receive_unpack_limit = git_config_int(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "transfer.unpacklimit") == 0) {
133                 transfer_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "receive.fsck.skiplist") == 0) {
138                 const char *path;
139
140                 if (git_config_pathname(&path, var, value))
141                         return 1;
142                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
143                         fsck_msg_types.len ? ',' : '=', path);
144                 free((char *)path);
145                 return 0;
146         }
147
148         if (skip_prefix(var, "receive.fsck.", &var)) {
149                 if (is_valid_msg_type(var, value))
150                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
151                                 fsck_msg_types.len ? ',' : '=', var, value);
152                 else
153                         warning("Skipping unknown msg id '%s'", var);
154                 return 0;
155         }
156
157         if (strcmp(var, "receive.fsckobjects") == 0) {
158                 receive_fsck_objects = git_config_bool(var, value);
159                 return 0;
160         }
161
162         if (strcmp(var, "transfer.fsckobjects") == 0) {
163                 transfer_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (!strcmp(var, "receive.denycurrentbranch")) {
168                 deny_current_branch = parse_deny_action(var, value);
169                 return 0;
170         }
171
172         if (strcmp(var, "receive.denydeletecurrent") == 0) {
173                 deny_delete_current = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
178                 prefer_ofs_delta = git_config_bool(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "receive.updateserverinfo") == 0) {
183                 auto_update_server_info = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.autogc") == 0) {
188                 auto_gc = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.shallowupdate") == 0) {
193                 shallow_update = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.certnonceseed") == 0)
198                 return git_config_string(&cert_nonce_seed, var, value);
199
200         if (strcmp(var, "receive.certnonceslop") == 0) {
201                 nonce_stamp_slop_limit = git_config_ulong(var, value);
202                 return 0;
203         }
204
205         if (strcmp(var, "receive.advertiseatomic") == 0) {
206                 advertise_atomic_push = git_config_bool(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertisepushoptions") == 0) {
211                 advertise_push_options = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.keepalive") == 0) {
216                 keepalive_in_sec = git_config_int(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.maxinputsize") == 0) {
221                 max_input_size = git_config_int64(var, value);
222                 return 0;
223         }
224
225         return git_default_config(var, value, cb);
226 }
227
228 static void show_ref(const char *path, const struct object_id *oid)
229 {
230         if (sent_capabilities) {
231                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
232         } else {
233                 struct strbuf cap = STRBUF_INIT;
234
235                 strbuf_addstr(&cap,
236                               "report-status delete-refs side-band-64k quiet");
237                 if (advertise_atomic_push)
238                         strbuf_addstr(&cap, " atomic");
239                 if (prefer_ofs_delta)
240                         strbuf_addstr(&cap, " ofs-delta");
241                 if (push_cert_nonce)
242                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
243                 if (advertise_push_options)
244                         strbuf_addstr(&cap, " push-options");
245                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
246                 packet_write_fmt(1, "%s %s%c%s\n",
247                              oid_to_hex(oid), path, 0, cap.buf);
248                 strbuf_release(&cap);
249                 sent_capabilities = 1;
250         }
251 }
252
253 static int show_ref_cb(const char *path_full, const struct object_id *oid,
254                        int flag, void *data)
255 {
256         struct oidset *seen = data;
257         const char *path = strip_namespace(path_full);
258
259         if (ref_is_hidden(path, path_full))
260                 return 0;
261
262         /*
263          * Advertise refs outside our current namespace as ".have"
264          * refs, so that the client can use them to minimize data
265          * transfer but will otherwise ignore them.
266          */
267         if (!path) {
268                 if (oidset_insert(seen, oid))
269                         return 0;
270                 path = ".have";
271         } else {
272                 oidset_insert(seen, oid);
273         }
274         show_ref(path, oid);
275         return 0;
276 }
277
278 static void show_one_alternate_ref(const char *refname,
279                                    const struct object_id *oid,
280                                    void *data)
281 {
282         struct oidset *seen = data;
283
284         if (oidset_insert(seen, oid))
285                 return;
286
287         show_ref(".have", oid);
288 }
289
290 static void write_head_info(void)
291 {
292         static struct oidset seen = OIDSET_INIT;
293
294         for_each_ref(show_ref_cb, &seen);
295         for_each_alternate_ref(show_one_alternate_ref, &seen);
296         oidset_clear(&seen);
297         if (!sent_capabilities)
298                 show_ref("capabilities^{}", &null_oid);
299
300         advertise_shallow_grafts(1);
301
302         /* EOF */
303         packet_flush(1);
304 }
305
306 struct command {
307         struct command *next;
308         const char *error_string;
309         unsigned int skip_update:1,
310                      did_not_exist:1;
311         int index;
312         struct object_id old_oid;
313         struct object_id new_oid;
314         char ref_name[FLEX_ARRAY]; /* more */
315 };
316
317 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
318 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
319
320 static void report_message(const char *prefix, const char *err, va_list params)
321 {
322         int sz;
323         char msg[4096];
324
325         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
326         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
327         if (sz > (sizeof(msg) - 1))
328                 sz = sizeof(msg) - 1;
329         msg[sz++] = '\n';
330
331         if (use_sideband)
332                 send_sideband(1, 2, msg, sz, use_sideband);
333         else
334                 xwrite(2, msg, sz);
335 }
336
337 static void rp_warning(const char *err, ...)
338 {
339         va_list params;
340         va_start(params, err);
341         report_message("warning: ", err, params);
342         va_end(params);
343 }
344
345 static void rp_error(const char *err, ...)
346 {
347         va_list params;
348         va_start(params, err);
349         report_message("error: ", err, params);
350         va_end(params);
351 }
352
353 static int copy_to_sideband(int in, int out, void *arg)
354 {
355         char data[128];
356         int keepalive_active = 0;
357
358         if (keepalive_in_sec <= 0)
359                 use_keepalive = KEEPALIVE_NEVER;
360         if (use_keepalive == KEEPALIVE_ALWAYS)
361                 keepalive_active = 1;
362
363         while (1) {
364                 ssize_t sz;
365
366                 if (keepalive_active) {
367                         struct pollfd pfd;
368                         int ret;
369
370                         pfd.fd = in;
371                         pfd.events = POLLIN;
372                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
373
374                         if (ret < 0) {
375                                 if (errno == EINTR)
376                                         continue;
377                                 else
378                                         break;
379                         } else if (ret == 0) {
380                                 /* no data; send a keepalive packet */
381                                 static const char buf[] = "0005\1";
382                                 write_or_die(1, buf, sizeof(buf) - 1);
383                                 continue;
384                         } /* else there is actual data to read */
385                 }
386
387                 sz = xread(in, data, sizeof(data));
388                 if (sz <= 0)
389                         break;
390
391                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
392                         const char *p = memchr(data, '\0', sz);
393                         if (p) {
394                                 /*
395                                  * The NUL tells us to start sending keepalives. Make
396                                  * sure we send any other data we read along
397                                  * with it.
398                                  */
399                                 keepalive_active = 1;
400                                 send_sideband(1, 2, data, p - data, use_sideband);
401                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
402                                 continue;
403                         }
404                 }
405
406                 /*
407                  * Either we're not looking for a NUL signal, or we didn't see
408                  * it yet; just pass along the data.
409                  */
410                 send_sideband(1, 2, data, sz, use_sideband);
411         }
412         close(in);
413         return 0;
414 }
415
416 #define HMAC_BLOCK_SIZE 64
417
418 static void hmac_sha1(unsigned char *out,
419                       const char *key_in, size_t key_len,
420                       const char *text, size_t text_len)
421 {
422         unsigned char key[HMAC_BLOCK_SIZE];
423         unsigned char k_ipad[HMAC_BLOCK_SIZE];
424         unsigned char k_opad[HMAC_BLOCK_SIZE];
425         int i;
426         git_SHA_CTX ctx;
427
428         /* RFC 2104 2. (1) */
429         memset(key, '\0', HMAC_BLOCK_SIZE);
430         if (HMAC_BLOCK_SIZE < key_len) {
431                 git_SHA1_Init(&ctx);
432                 git_SHA1_Update(&ctx, key_in, key_len);
433                 git_SHA1_Final(key, &ctx);
434         } else {
435                 memcpy(key, key_in, key_len);
436         }
437
438         /* RFC 2104 2. (2) & (5) */
439         for (i = 0; i < sizeof(key); i++) {
440                 k_ipad[i] = key[i] ^ 0x36;
441                 k_opad[i] = key[i] ^ 0x5c;
442         }
443
444         /* RFC 2104 2. (3) & (4) */
445         git_SHA1_Init(&ctx);
446         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
447         git_SHA1_Update(&ctx, text, text_len);
448         git_SHA1_Final(out, &ctx);
449
450         /* RFC 2104 2. (6) & (7) */
451         git_SHA1_Init(&ctx);
452         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
453         git_SHA1_Update(&ctx, out, 20);
454         git_SHA1_Final(out, &ctx);
455 }
456
457 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
458 {
459         struct strbuf buf = STRBUF_INIT;
460         unsigned char sha1[20];
461
462         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
463         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
464         strbuf_release(&buf);
465
466         /* RFC 2104 5. HMAC-SHA1-80 */
467         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
468         return strbuf_detach(&buf, NULL);
469 }
470
471 /*
472  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
473  * after dropping "_commit" from its name and possibly moving it out
474  * of commit.c
475  */
476 static char *find_header(const char *msg, size_t len, const char *key,
477                          const char **next_line)
478 {
479         int key_len = strlen(key);
480         const char *line = msg;
481
482         while (line && line < msg + len) {
483                 const char *eol = strchrnul(line, '\n');
484
485                 if ((msg + len <= eol) || line == eol)
486                         return NULL;
487                 if (line + key_len < eol &&
488                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
489                         int offset = key_len + 1;
490                         if (next_line)
491                                 *next_line = *eol ? eol + 1 : eol;
492                         return xmemdupz(line + offset, (eol - line) - offset);
493                 }
494                 line = *eol ? eol + 1 : NULL;
495         }
496         return NULL;
497 }
498
499 static const char *check_nonce(const char *buf, size_t len)
500 {
501         char *nonce = find_header(buf, len, "nonce", NULL);
502         timestamp_t stamp, ostamp;
503         char *bohmac, *expect = NULL;
504         const char *retval = NONCE_BAD;
505
506         if (!nonce) {
507                 retval = NONCE_MISSING;
508                 goto leave;
509         } else if (!push_cert_nonce) {
510                 retval = NONCE_UNSOLICITED;
511                 goto leave;
512         } else if (!strcmp(push_cert_nonce, nonce)) {
513                 retval = NONCE_OK;
514                 goto leave;
515         }
516
517         if (!stateless_rpc) {
518                 /* returned nonce MUST match what we gave out earlier */
519                 retval = NONCE_BAD;
520                 goto leave;
521         }
522
523         /*
524          * In stateless mode, we may be receiving a nonce issued by
525          * another instance of the server that serving the same
526          * repository, and the timestamps may not match, but the
527          * nonce-seed and dir should match, so we can recompute and
528          * report the time slop.
529          *
530          * In addition, when a nonce issued by another instance has
531          * timestamp within receive.certnonceslop seconds, we pretend
532          * as if we issued that nonce when reporting to the hook.
533          */
534
535         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
536         if (*nonce <= '0' || '9' < *nonce) {
537                 retval = NONCE_BAD;
538                 goto leave;
539         }
540         stamp = parse_timestamp(nonce, &bohmac, 10);
541         if (bohmac == nonce || bohmac[0] != '-') {
542                 retval = NONCE_BAD;
543                 goto leave;
544         }
545
546         expect = prepare_push_cert_nonce(service_dir, stamp);
547         if (strcmp(expect, nonce)) {
548                 /* Not what we would have signed earlier */
549                 retval = NONCE_BAD;
550                 goto leave;
551         }
552
553         /*
554          * By how many seconds is this nonce stale?  Negative value
555          * would mean it was issued by another server with its clock
556          * skewed in the future.
557          */
558         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
559         nonce_stamp_slop = (long)ostamp - (long)stamp;
560
561         if (nonce_stamp_slop_limit &&
562             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
563                 /*
564                  * Pretend as if the received nonce (which passes the
565                  * HMAC check, so it is not a forged by third-party)
566                  * is what we issued.
567                  */
568                 free((void *)push_cert_nonce);
569                 push_cert_nonce = xstrdup(nonce);
570                 retval = NONCE_OK;
571         } else {
572                 retval = NONCE_SLOP;
573         }
574
575 leave:
576         free(nonce);
577         free(expect);
578         return retval;
579 }
580
581 /*
582  * Return 1 if there is no push_cert or if the push options in push_cert are
583  * the same as those in the argument; 0 otherwise.
584  */
585 static int check_cert_push_options(const struct string_list *push_options)
586 {
587         const char *buf = push_cert.buf;
588         int len = push_cert.len;
589
590         char *option;
591         const char *next_line;
592         int options_seen = 0;
593
594         int retval = 1;
595
596         if (!len)
597                 return 1;
598
599         while ((option = find_header(buf, len, "push-option", &next_line))) {
600                 len -= (next_line - buf);
601                 buf = next_line;
602                 options_seen++;
603                 if (options_seen > push_options->nr
604                     || strcmp(option,
605                               push_options->items[options_seen - 1].string)) {
606                         retval = 0;
607                         goto leave;
608                 }
609                 free(option);
610         }
611
612         if (options_seen != push_options->nr)
613                 retval = 0;
614
615 leave:
616         free(option);
617         return retval;
618 }
619
620 static void prepare_push_cert_sha1(struct child_process *proc)
621 {
622         static int already_done;
623
624         if (!push_cert.len)
625                 return;
626
627         if (!already_done) {
628                 struct strbuf gpg_output = STRBUF_INIT;
629                 struct strbuf gpg_status = STRBUF_INIT;
630                 int bogs /* beginning_of_gpg_sig */;
631
632                 already_done = 1;
633                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
634                         hashclr(push_cert_sha1);
635
636                 memset(&sigcheck, '\0', sizeof(sigcheck));
637                 sigcheck.result = 'N';
638
639                 bogs = parse_signature(push_cert.buf, push_cert.len);
640                 if (verify_signed_buffer(push_cert.buf, bogs,
641                                          push_cert.buf + bogs, push_cert.len - bogs,
642                                          &gpg_output, &gpg_status) < 0) {
643                         ; /* error running gpg */
644                 } else {
645                         sigcheck.payload = push_cert.buf;
646                         sigcheck.gpg_output = gpg_output.buf;
647                         sigcheck.gpg_status = gpg_status.buf;
648                         parse_gpg_output(&sigcheck);
649                 }
650
651                 strbuf_release(&gpg_output);
652                 strbuf_release(&gpg_status);
653                 nonce_status = check_nonce(push_cert.buf, bogs);
654         }
655         if (!is_null_sha1(push_cert_sha1)) {
656                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
657                                  sha1_to_hex(push_cert_sha1));
658                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
659                                  sigcheck.signer ? sigcheck.signer : "");
660                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
661                                  sigcheck.key ? sigcheck.key : "");
662                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
663                                  sigcheck.result);
664                 if (push_cert_nonce) {
665                         argv_array_pushf(&proc->env_array,
666                                          "GIT_PUSH_CERT_NONCE=%s",
667                                          push_cert_nonce);
668                         argv_array_pushf(&proc->env_array,
669                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
670                                          nonce_status);
671                         if (nonce_status == NONCE_SLOP)
672                                 argv_array_pushf(&proc->env_array,
673                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
674                                                  nonce_stamp_slop);
675                 }
676         }
677 }
678
679 struct receive_hook_feed_state {
680         struct command *cmd;
681         int skip_broken;
682         struct strbuf buf;
683         const struct string_list *push_options;
684 };
685
686 typedef int (*feed_fn)(void *, const char **, size_t *);
687 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
688                              struct receive_hook_feed_state *feed_state)
689 {
690         struct child_process proc = CHILD_PROCESS_INIT;
691         struct async muxer;
692         const char *argv[2];
693         int code;
694
695         argv[0] = find_hook(hook_name);
696         if (!argv[0])
697                 return 0;
698
699         argv[1] = NULL;
700
701         proc.argv = argv;
702         proc.in = -1;
703         proc.stdout_to_stderr = 1;
704         if (feed_state->push_options) {
705                 int i;
706                 for (i = 0; i < feed_state->push_options->nr; i++)
707                         argv_array_pushf(&proc.env_array,
708                                 "GIT_PUSH_OPTION_%d=%s", i,
709                                 feed_state->push_options->items[i].string);
710                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
711                                  feed_state->push_options->nr);
712         } else
713                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
714
715         if (tmp_objdir)
716                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
717
718         if (use_sideband) {
719                 memset(&muxer, 0, sizeof(muxer));
720                 muxer.proc = copy_to_sideband;
721                 muxer.in = -1;
722                 code = start_async(&muxer);
723                 if (code)
724                         return code;
725                 proc.err = muxer.in;
726         }
727
728         prepare_push_cert_sha1(&proc);
729
730         code = start_command(&proc);
731         if (code) {
732                 if (use_sideband)
733                         finish_async(&muxer);
734                 return code;
735         }
736
737         sigchain_push(SIGPIPE, SIG_IGN);
738
739         while (1) {
740                 const char *buf;
741                 size_t n;
742                 if (feed(feed_state, &buf, &n))
743                         break;
744                 if (write_in_full(proc.in, buf, n) != n)
745                         break;
746         }
747         close(proc.in);
748         if (use_sideband)
749                 finish_async(&muxer);
750
751         sigchain_pop(SIGPIPE);
752
753         return finish_command(&proc);
754 }
755
756 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
757 {
758         struct receive_hook_feed_state *state = state_;
759         struct command *cmd = state->cmd;
760
761         while (cmd &&
762                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
763                 cmd = cmd->next;
764         if (!cmd)
765                 return -1; /* EOF */
766         strbuf_reset(&state->buf);
767         strbuf_addf(&state->buf, "%s %s %s\n",
768                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
769                     cmd->ref_name);
770         state->cmd = cmd->next;
771         if (bufp) {
772                 *bufp = state->buf.buf;
773                 *sizep = state->buf.len;
774         }
775         return 0;
776 }
777
778 static int run_receive_hook(struct command *commands,
779                             const char *hook_name,
780                             int skip_broken,
781                             const struct string_list *push_options)
782 {
783         struct receive_hook_feed_state state;
784         int status;
785
786         strbuf_init(&state.buf, 0);
787         state.cmd = commands;
788         state.skip_broken = skip_broken;
789         if (feed_receive_hook(&state, NULL, NULL))
790                 return 0;
791         state.cmd = commands;
792         state.push_options = push_options;
793         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
794         strbuf_release(&state.buf);
795         return status;
796 }
797
798 static int run_update_hook(struct command *cmd)
799 {
800         const char *argv[5];
801         struct child_process proc = CHILD_PROCESS_INIT;
802         int code;
803
804         argv[0] = find_hook("update");
805         if (!argv[0])
806                 return 0;
807
808         argv[1] = cmd->ref_name;
809         argv[2] = oid_to_hex(&cmd->old_oid);
810         argv[3] = oid_to_hex(&cmd->new_oid);
811         argv[4] = NULL;
812
813         proc.no_stdin = 1;
814         proc.stdout_to_stderr = 1;
815         proc.err = use_sideband ? -1 : 0;
816         proc.argv = argv;
817
818         code = start_command(&proc);
819         if (code)
820                 return code;
821         if (use_sideband)
822                 copy_to_sideband(proc.err, -1, NULL);
823         return finish_command(&proc);
824 }
825
826 static int is_ref_checked_out(const char *ref)
827 {
828         if (is_bare_repository())
829                 return 0;
830
831         if (!head_name)
832                 return 0;
833         return !strcmp(head_name, ref);
834 }
835
836 static char *refuse_unconfigured_deny_msg =
837         N_("By default, updating the current branch in a non-bare repository\n"
838            "is denied, because it will make the index and work tree inconsistent\n"
839            "with what you pushed, and will require 'git reset --hard' to match\n"
840            "the work tree to HEAD.\n"
841            "\n"
842            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
843            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
844            "its current branch; however, this is not recommended unless you\n"
845            "arranged to update its work tree to match what you pushed in some\n"
846            "other way.\n"
847            "\n"
848            "To squelch this message and still keep the default behaviour, set\n"
849            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
850
851 static void refuse_unconfigured_deny(void)
852 {
853         rp_error("%s", _(refuse_unconfigured_deny_msg));
854 }
855
856 static char *refuse_unconfigured_deny_delete_current_msg =
857         N_("By default, deleting the current branch is denied, because the next\n"
858            "'git clone' won't result in any file checked out, causing confusion.\n"
859            "\n"
860            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
861            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
862            "current branch, with or without a warning message.\n"
863            "\n"
864            "To squelch this message, you can set it to 'refuse'.");
865
866 static void refuse_unconfigured_deny_delete_current(void)
867 {
868         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
869 }
870
871 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
872 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
873 {
874         static struct lock_file shallow_lock;
875         struct oid_array extra = OID_ARRAY_INIT;
876         struct check_connected_options opt = CHECK_CONNECTED_INIT;
877         uint32_t mask = 1 << (cmd->index % 32);
878         int i;
879
880         trace_printf_key(&trace_shallow,
881                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
882         for (i = 0; i < si->shallow->nr; i++)
883                 if (si->used_shallow[i] &&
884                     (si->used_shallow[i][cmd->index / 32] & mask) &&
885                     !delayed_reachability_test(si, i))
886                         oid_array_append(&extra, &si->shallow->oid[i]);
887
888         opt.env = tmp_objdir_env(tmp_objdir);
889         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
890         if (check_connected(command_singleton_iterator, cmd, &opt)) {
891                 rollback_lock_file(&shallow_lock);
892                 oid_array_clear(&extra);
893                 return -1;
894         }
895
896         commit_lock_file(&shallow_lock);
897
898         /*
899          * Make sure setup_alternate_shallow() for the next ref does
900          * not lose these new roots..
901          */
902         for (i = 0; i < extra.nr; i++)
903                 register_shallow(&extra.oid[i]);
904
905         si->shallow_ref[cmd->index] = 0;
906         oid_array_clear(&extra);
907         return 0;
908 }
909
910 /*
911  * NEEDSWORK: we should consolidate various implementions of "are we
912  * on an unborn branch?" test into one, and make the unified one more
913  * robust. !get_sha1() based check used here and elsewhere would not
914  * allow us to tell an unborn branch from corrupt ref, for example.
915  * For the purpose of fixing "deploy-to-update does not work when
916  * pushing into an empty repository" issue, this should suffice for
917  * now.
918  */
919 static int head_has_history(void)
920 {
921         unsigned char sha1[20];
922
923         return !get_sha1("HEAD", sha1);
924 }
925
926 static const char *push_to_deploy(unsigned char *sha1,
927                                   struct argv_array *env,
928                                   const char *work_tree)
929 {
930         const char *update_refresh[] = {
931                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
932         };
933         const char *diff_files[] = {
934                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
935         };
936         const char *diff_index[] = {
937                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
938                 NULL, "--", NULL
939         };
940         const char *read_tree[] = {
941                 "read-tree", "-u", "-m", NULL, NULL
942         };
943         struct child_process child = CHILD_PROCESS_INIT;
944
945         child.argv = update_refresh;
946         child.env = env->argv;
947         child.dir = work_tree;
948         child.no_stdin = 1;
949         child.stdout_to_stderr = 1;
950         child.git_cmd = 1;
951         if (run_command(&child))
952                 return "Up-to-date check failed";
953
954         /* run_command() does not clean up completely; reinitialize */
955         child_process_init(&child);
956         child.argv = diff_files;
957         child.env = env->argv;
958         child.dir = work_tree;
959         child.no_stdin = 1;
960         child.stdout_to_stderr = 1;
961         child.git_cmd = 1;
962         if (run_command(&child))
963                 return "Working directory has unstaged changes";
964
965         /* diff-index with either HEAD or an empty tree */
966         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
967
968         child_process_init(&child);
969         child.argv = diff_index;
970         child.env = env->argv;
971         child.no_stdin = 1;
972         child.no_stdout = 1;
973         child.stdout_to_stderr = 0;
974         child.git_cmd = 1;
975         if (run_command(&child))
976                 return "Working directory has staged changes";
977
978         read_tree[3] = sha1_to_hex(sha1);
979         child_process_init(&child);
980         child.argv = read_tree;
981         child.env = env->argv;
982         child.dir = work_tree;
983         child.no_stdin = 1;
984         child.no_stdout = 1;
985         child.stdout_to_stderr = 0;
986         child.git_cmd = 1;
987         if (run_command(&child))
988                 return "Could not update working tree to new HEAD";
989
990         return NULL;
991 }
992
993 static const char *push_to_checkout_hook = "push-to-checkout";
994
995 static const char *push_to_checkout(unsigned char *sha1,
996                                     struct argv_array *env,
997                                     const char *work_tree)
998 {
999         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1000         if (run_hook_le(env->argv, push_to_checkout_hook,
1001                         sha1_to_hex(sha1), NULL))
1002                 return "push-to-checkout hook declined";
1003         else
1004                 return NULL;
1005 }
1006
1007 static const char *update_worktree(unsigned char *sha1)
1008 {
1009         const char *retval;
1010         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1011         struct argv_array env = ARGV_ARRAY_INIT;
1012
1013         if (is_bare_repository())
1014                 return "denyCurrentBranch = updateInstead needs a worktree";
1015
1016         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1017
1018         if (!find_hook(push_to_checkout_hook))
1019                 retval = push_to_deploy(sha1, &env, work_tree);
1020         else
1021                 retval = push_to_checkout(sha1, &env, work_tree);
1022
1023         argv_array_clear(&env);
1024         return retval;
1025 }
1026
1027 static const char *update(struct command *cmd, struct shallow_info *si)
1028 {
1029         const char *name = cmd->ref_name;
1030         struct strbuf namespaced_name_buf = STRBUF_INIT;
1031         static char *namespaced_name;
1032         const char *ret;
1033         struct object_id *old_oid = &cmd->old_oid;
1034         struct object_id *new_oid = &cmd->new_oid;
1035
1036         /* only refs/... are allowed */
1037         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1038                 rp_error("refusing to create funny ref '%s' remotely", name);
1039                 return "funny refname";
1040         }
1041
1042         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1043         free(namespaced_name);
1044         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1045
1046         if (is_ref_checked_out(namespaced_name)) {
1047                 switch (deny_current_branch) {
1048                 case DENY_IGNORE:
1049                         break;
1050                 case DENY_WARN:
1051                         rp_warning("updating the current branch");
1052                         break;
1053                 case DENY_REFUSE:
1054                 case DENY_UNCONFIGURED:
1055                         rp_error("refusing to update checked out branch: %s", name);
1056                         if (deny_current_branch == DENY_UNCONFIGURED)
1057                                 refuse_unconfigured_deny();
1058                         return "branch is currently checked out";
1059                 case DENY_UPDATE_INSTEAD:
1060                         ret = update_worktree(new_oid->hash);
1061                         if (ret)
1062                                 return ret;
1063                         break;
1064                 }
1065         }
1066
1067         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1068                 error("unpack should have generated %s, "
1069                       "but I can't find it!", oid_to_hex(new_oid));
1070                 return "bad pack";
1071         }
1072
1073         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1074                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1075                         rp_error("denying ref deletion for %s", name);
1076                         return "deletion prohibited";
1077                 }
1078
1079                 if (head_name && !strcmp(namespaced_name, head_name)) {
1080                         switch (deny_delete_current) {
1081                         case DENY_IGNORE:
1082                                 break;
1083                         case DENY_WARN:
1084                                 rp_warning("deleting the current branch");
1085                                 break;
1086                         case DENY_REFUSE:
1087                         case DENY_UNCONFIGURED:
1088                         case DENY_UPDATE_INSTEAD:
1089                                 if (deny_delete_current == DENY_UNCONFIGURED)
1090                                         refuse_unconfigured_deny_delete_current();
1091                                 rp_error("refusing to delete the current branch: %s", name);
1092                                 return "deletion of the current branch prohibited";
1093                         default:
1094                                 return "Invalid denyDeleteCurrent setting";
1095                         }
1096                 }
1097         }
1098
1099         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1100             !is_null_oid(old_oid) &&
1101             starts_with(name, "refs/heads/")) {
1102                 struct object *old_object, *new_object;
1103                 struct commit *old_commit, *new_commit;
1104
1105                 old_object = parse_object(old_oid);
1106                 new_object = parse_object(new_oid);
1107
1108                 if (!old_object || !new_object ||
1109                     old_object->type != OBJ_COMMIT ||
1110                     new_object->type != OBJ_COMMIT) {
1111                         error("bad sha1 objects for %s", name);
1112                         return "bad ref";
1113                 }
1114                 old_commit = (struct commit *)old_object;
1115                 new_commit = (struct commit *)new_object;
1116                 if (!in_merge_bases(old_commit, new_commit)) {
1117                         rp_error("denying non-fast-forward %s"
1118                                  " (you should pull first)", name);
1119                         return "non-fast-forward";
1120                 }
1121         }
1122         if (run_update_hook(cmd)) {
1123                 rp_error("hook declined to update %s", name);
1124                 return "hook declined";
1125         }
1126
1127         if (is_null_oid(new_oid)) {
1128                 struct strbuf err = STRBUF_INIT;
1129                 if (!parse_object(old_oid)) {
1130                         old_oid = NULL;
1131                         if (ref_exists(name)) {
1132                                 rp_warning("Allowing deletion of corrupt ref.");
1133                         } else {
1134                                 rp_warning("Deleting a non-existent ref.");
1135                                 cmd->did_not_exist = 1;
1136                         }
1137                 }
1138                 if (ref_transaction_delete(transaction,
1139                                            namespaced_name,
1140                                            old_oid->hash,
1141                                            0, "push", &err)) {
1142                         rp_error("%s", err.buf);
1143                         strbuf_release(&err);
1144                         return "failed to delete";
1145                 }
1146                 strbuf_release(&err);
1147                 return NULL; /* good */
1148         }
1149         else {
1150                 struct strbuf err = STRBUF_INIT;
1151                 if (shallow_update && si->shallow_ref[cmd->index] &&
1152                     update_shallow_ref(cmd, si))
1153                         return "shallow error";
1154
1155                 if (ref_transaction_update(transaction,
1156                                            namespaced_name,
1157                                            new_oid->hash, old_oid->hash,
1158                                            0, "push",
1159                                            &err)) {
1160                         rp_error("%s", err.buf);
1161                         strbuf_release(&err);
1162
1163                         return "failed to update ref";
1164                 }
1165                 strbuf_release(&err);
1166
1167                 return NULL; /* good */
1168         }
1169 }
1170
1171 static void run_update_post_hook(struct command *commands)
1172 {
1173         struct command *cmd;
1174         struct child_process proc = CHILD_PROCESS_INIT;
1175         const char *hook;
1176
1177         hook = find_hook("post-update");
1178         if (!hook)
1179                 return;
1180
1181         for (cmd = commands; cmd; cmd = cmd->next) {
1182                 if (cmd->error_string || cmd->did_not_exist)
1183                         continue;
1184                 if (!proc.args.argc)
1185                         argv_array_push(&proc.args, hook);
1186                 argv_array_push(&proc.args, cmd->ref_name);
1187         }
1188         if (!proc.args.argc)
1189                 return;
1190
1191         proc.no_stdin = 1;
1192         proc.stdout_to_stderr = 1;
1193         proc.err = use_sideband ? -1 : 0;
1194
1195         if (!start_command(&proc)) {
1196                 if (use_sideband)
1197                         copy_to_sideband(proc.err, -1, NULL);
1198                 finish_command(&proc);
1199         }
1200 }
1201
1202 static void check_aliased_update(struct command *cmd, struct string_list *list)
1203 {
1204         struct strbuf buf = STRBUF_INIT;
1205         const char *dst_name;
1206         struct string_list_item *item;
1207         struct command *dst_cmd;
1208         unsigned char sha1[GIT_MAX_RAWSZ];
1209         int flag;
1210
1211         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1212         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1213         strbuf_release(&buf);
1214
1215         if (!(flag & REF_ISSYMREF))
1216                 return;
1217
1218         if (!dst_name) {
1219                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1220                 cmd->skip_update = 1;
1221                 cmd->error_string = "broken symref";
1222                 return;
1223         }
1224         dst_name = strip_namespace(dst_name);
1225
1226         if ((item = string_list_lookup(list, dst_name)) == NULL)
1227                 return;
1228
1229         cmd->skip_update = 1;
1230
1231         dst_cmd = (struct command *) item->util;
1232
1233         if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1234             !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1235                 return;
1236
1237         dst_cmd->skip_update = 1;
1238
1239         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1240                  " its target '%s' (%s..%s)",
1241                  cmd->ref_name,
1242                  find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1243                  find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1244                  dst_cmd->ref_name,
1245                  find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1246                  find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1247
1248         cmd->error_string = dst_cmd->error_string =
1249                 "inconsistent aliased update";
1250 }
1251
1252 static void check_aliased_updates(struct command *commands)
1253 {
1254         struct command *cmd;
1255         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1256
1257         for (cmd = commands; cmd; cmd = cmd->next) {
1258                 struct string_list_item *item =
1259                         string_list_append(&ref_list, cmd->ref_name);
1260                 item->util = (void *)cmd;
1261         }
1262         string_list_sort(&ref_list);
1263
1264         for (cmd = commands; cmd; cmd = cmd->next) {
1265                 if (!cmd->error_string)
1266                         check_aliased_update(cmd, &ref_list);
1267         }
1268
1269         string_list_clear(&ref_list, 0);
1270 }
1271
1272 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1273 {
1274         struct command **cmd_list = cb_data;
1275         struct command *cmd = *cmd_list;
1276
1277         if (!cmd || is_null_oid(&cmd->new_oid))
1278                 return -1; /* end of list */
1279         *cmd_list = NULL; /* this returns only one */
1280         hashcpy(sha1, cmd->new_oid.hash);
1281         return 0;
1282 }
1283
1284 static void set_connectivity_errors(struct command *commands,
1285                                     struct shallow_info *si)
1286 {
1287         struct command *cmd;
1288
1289         for (cmd = commands; cmd; cmd = cmd->next) {
1290                 struct command *singleton = cmd;
1291                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1292
1293                 if (shallow_update && si->shallow_ref[cmd->index])
1294                         /* to be checked in update_shallow_ref() */
1295                         continue;
1296
1297                 opt.env = tmp_objdir_env(tmp_objdir);
1298                 if (!check_connected(command_singleton_iterator, &singleton,
1299                                      &opt))
1300                         continue;
1301
1302                 cmd->error_string = "missing necessary objects";
1303         }
1304 }
1305
1306 struct iterate_data {
1307         struct command *cmds;
1308         struct shallow_info *si;
1309 };
1310
1311 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1312 {
1313         struct iterate_data *data = cb_data;
1314         struct command **cmd_list = &data->cmds;
1315         struct command *cmd = *cmd_list;
1316
1317         for (; cmd; cmd = cmd->next) {
1318                 if (shallow_update && data->si->shallow_ref[cmd->index])
1319                         /* to be checked in update_shallow_ref() */
1320                         continue;
1321                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1322                         hashcpy(sha1, cmd->new_oid.hash);
1323                         *cmd_list = cmd->next;
1324                         return 0;
1325                 }
1326         }
1327         *cmd_list = NULL;
1328         return -1; /* end of list */
1329 }
1330
1331 static void reject_updates_to_hidden(struct command *commands)
1332 {
1333         struct strbuf refname_full = STRBUF_INIT;
1334         size_t prefix_len;
1335         struct command *cmd;
1336
1337         strbuf_addstr(&refname_full, get_git_namespace());
1338         prefix_len = refname_full.len;
1339
1340         for (cmd = commands; cmd; cmd = cmd->next) {
1341                 if (cmd->error_string)
1342                         continue;
1343
1344                 strbuf_setlen(&refname_full, prefix_len);
1345                 strbuf_addstr(&refname_full, cmd->ref_name);
1346
1347                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1348                         continue;
1349                 if (is_null_oid(&cmd->new_oid))
1350                         cmd->error_string = "deny deleting a hidden ref";
1351                 else
1352                         cmd->error_string = "deny updating a hidden ref";
1353         }
1354
1355         strbuf_release(&refname_full);
1356 }
1357
1358 static int should_process_cmd(struct command *cmd)
1359 {
1360         return !cmd->error_string && !cmd->skip_update;
1361 }
1362
1363 static void warn_if_skipped_connectivity_check(struct command *commands,
1364                                                struct shallow_info *si)
1365 {
1366         struct command *cmd;
1367         int checked_connectivity = 1;
1368
1369         for (cmd = commands; cmd; cmd = cmd->next) {
1370                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1371                         error("BUG: connectivity check has not been run on ref %s",
1372                               cmd->ref_name);
1373                         checked_connectivity = 0;
1374                 }
1375         }
1376         if (!checked_connectivity)
1377                 die("BUG: connectivity check skipped???");
1378 }
1379
1380 static void execute_commands_non_atomic(struct command *commands,
1381                                         struct shallow_info *si)
1382 {
1383         struct command *cmd;
1384         struct strbuf err = STRBUF_INIT;
1385
1386         for (cmd = commands; cmd; cmd = cmd->next) {
1387                 if (!should_process_cmd(cmd))
1388                         continue;
1389
1390                 transaction = ref_transaction_begin(&err);
1391                 if (!transaction) {
1392                         rp_error("%s", err.buf);
1393                         strbuf_reset(&err);
1394                         cmd->error_string = "transaction failed to start";
1395                         continue;
1396                 }
1397
1398                 cmd->error_string = update(cmd, si);
1399
1400                 if (!cmd->error_string
1401                     && ref_transaction_commit(transaction, &err)) {
1402                         rp_error("%s", err.buf);
1403                         strbuf_reset(&err);
1404                         cmd->error_string = "failed to update ref";
1405                 }
1406                 ref_transaction_free(transaction);
1407         }
1408         strbuf_release(&err);
1409 }
1410
1411 static void execute_commands_atomic(struct command *commands,
1412                                         struct shallow_info *si)
1413 {
1414         struct command *cmd;
1415         struct strbuf err = STRBUF_INIT;
1416         const char *reported_error = "atomic push failure";
1417
1418         transaction = ref_transaction_begin(&err);
1419         if (!transaction) {
1420                 rp_error("%s", err.buf);
1421                 strbuf_reset(&err);
1422                 reported_error = "transaction failed to start";
1423                 goto failure;
1424         }
1425
1426         for (cmd = commands; cmd; cmd = cmd->next) {
1427                 if (!should_process_cmd(cmd))
1428                         continue;
1429
1430                 cmd->error_string = update(cmd, si);
1431
1432                 if (cmd->error_string)
1433                         goto failure;
1434         }
1435
1436         if (ref_transaction_commit(transaction, &err)) {
1437                 rp_error("%s", err.buf);
1438                 reported_error = "atomic transaction failed";
1439                 goto failure;
1440         }
1441         goto cleanup;
1442
1443 failure:
1444         for (cmd = commands; cmd; cmd = cmd->next)
1445                 if (!cmd->error_string)
1446                         cmd->error_string = reported_error;
1447
1448 cleanup:
1449         ref_transaction_free(transaction);
1450         strbuf_release(&err);
1451 }
1452
1453 static void execute_commands(struct command *commands,
1454                              const char *unpacker_error,
1455                              struct shallow_info *si,
1456                              const struct string_list *push_options)
1457 {
1458         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1459         struct command *cmd;
1460         struct object_id oid;
1461         struct iterate_data data;
1462         struct async muxer;
1463         int err_fd = 0;
1464
1465         if (unpacker_error) {
1466                 for (cmd = commands; cmd; cmd = cmd->next)
1467                         cmd->error_string = "unpacker error";
1468                 return;
1469         }
1470
1471         if (use_sideband) {
1472                 memset(&muxer, 0, sizeof(muxer));
1473                 muxer.proc = copy_to_sideband;
1474                 muxer.in = -1;
1475                 if (!start_async(&muxer))
1476                         err_fd = muxer.in;
1477                 /* ...else, continue without relaying sideband */
1478         }
1479
1480         data.cmds = commands;
1481         data.si = si;
1482         opt.err_fd = err_fd;
1483         opt.progress = err_fd && !quiet;
1484         opt.env = tmp_objdir_env(tmp_objdir);
1485         if (check_connected(iterate_receive_command_list, &data, &opt))
1486                 set_connectivity_errors(commands, si);
1487
1488         if (use_sideband)
1489                 finish_async(&muxer);
1490
1491         reject_updates_to_hidden(commands);
1492
1493         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1494                 for (cmd = commands; cmd; cmd = cmd->next) {
1495                         if (!cmd->error_string)
1496                                 cmd->error_string = "pre-receive hook declined";
1497                 }
1498                 return;
1499         }
1500
1501         /*
1502          * Now we'll start writing out refs, which means the objects need
1503          * to be in their final positions so that other processes can see them.
1504          */
1505         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1506                 for (cmd = commands; cmd; cmd = cmd->next) {
1507                         if (!cmd->error_string)
1508                                 cmd->error_string = "unable to migrate objects to permanent storage";
1509                 }
1510                 return;
1511         }
1512         tmp_objdir = NULL;
1513
1514         check_aliased_updates(commands);
1515
1516         free(head_name_to_free);
1517         head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1518
1519         if (use_atomic)
1520                 execute_commands_atomic(commands, si);
1521         else
1522                 execute_commands_non_atomic(commands, si);
1523
1524         if (shallow_update)
1525                 warn_if_skipped_connectivity_check(commands, si);
1526 }
1527
1528 static struct command **queue_command(struct command **tail,
1529                                       const char *line,
1530                                       int linelen)
1531 {
1532         struct object_id old_oid, new_oid;
1533         struct command *cmd;
1534         const char *refname;
1535         int reflen;
1536         const char *p;
1537
1538         if (parse_oid_hex(line, &old_oid, &p) ||
1539             *p++ != ' ' ||
1540             parse_oid_hex(p, &new_oid, &p) ||
1541             *p++ != ' ')
1542                 die("protocol error: expected old/new/ref, got '%s'", line);
1543
1544         refname = p;
1545         reflen = linelen - (p - line);
1546         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1547         oidcpy(&cmd->old_oid, &old_oid);
1548         oidcpy(&cmd->new_oid, &new_oid);
1549         *tail = cmd;
1550         return &cmd->next;
1551 }
1552
1553 static void queue_commands_from_cert(struct command **tail,
1554                                      struct strbuf *push_cert)
1555 {
1556         const char *boc, *eoc;
1557
1558         if (*tail)
1559                 die("protocol error: got both push certificate and unsigned commands");
1560
1561         boc = strstr(push_cert->buf, "\n\n");
1562         if (!boc)
1563                 die("malformed push certificate %.*s", 100, push_cert->buf);
1564         else
1565                 boc += 2;
1566         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1567
1568         while (boc < eoc) {
1569                 const char *eol = memchr(boc, '\n', eoc - boc);
1570                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1571                 boc = eol ? eol + 1 : eoc;
1572         }
1573 }
1574
1575 static struct command *read_head_info(struct oid_array *shallow)
1576 {
1577         struct command *commands = NULL;
1578         struct command **p = &commands;
1579         for (;;) {
1580                 char *line;
1581                 int len, linelen;
1582
1583                 line = packet_read_line(0, &len);
1584                 if (!line)
1585                         break;
1586
1587                 if (len > 8 && starts_with(line, "shallow ")) {
1588                         struct object_id oid;
1589                         if (get_oid_hex(line + 8, &oid))
1590                                 die("protocol error: expected shallow sha, got '%s'",
1591                                     line + 8);
1592                         oid_array_append(shallow, &oid);
1593                         continue;
1594                 }
1595
1596                 linelen = strlen(line);
1597                 if (linelen < len) {
1598                         const char *feature_list = line + linelen + 1;
1599                         if (parse_feature_request(feature_list, "report-status"))
1600                                 report_status = 1;
1601                         if (parse_feature_request(feature_list, "side-band-64k"))
1602                                 use_sideband = LARGE_PACKET_MAX;
1603                         if (parse_feature_request(feature_list, "quiet"))
1604                                 quiet = 1;
1605                         if (advertise_atomic_push
1606                             && parse_feature_request(feature_list, "atomic"))
1607                                 use_atomic = 1;
1608                         if (advertise_push_options
1609                             && parse_feature_request(feature_list, "push-options"))
1610                                 use_push_options = 1;
1611                 }
1612
1613                 if (!strcmp(line, "push-cert")) {
1614                         int true_flush = 0;
1615                         char certbuf[1024];
1616
1617                         for (;;) {
1618                                 len = packet_read(0, NULL, NULL,
1619                                                   certbuf, sizeof(certbuf), 0);
1620                                 if (!len) {
1621                                         true_flush = 1;
1622                                         break;
1623                                 }
1624                                 if (!strcmp(certbuf, "push-cert-end\n"))
1625                                         break; /* end of cert */
1626                                 strbuf_addstr(&push_cert, certbuf);
1627                         }
1628
1629                         if (true_flush)
1630                                 break;
1631                         continue;
1632                 }
1633
1634                 p = queue_command(p, line, linelen);
1635         }
1636
1637         if (push_cert.len)
1638                 queue_commands_from_cert(p, &push_cert);
1639
1640         return commands;
1641 }
1642
1643 static void read_push_options(struct string_list *options)
1644 {
1645         while (1) {
1646                 char *line;
1647                 int len;
1648
1649                 line = packet_read_line(0, &len);
1650
1651                 if (!line)
1652                         break;
1653
1654                 string_list_append(options, line);
1655         }
1656 }
1657
1658 static const char *parse_pack_header(struct pack_header *hdr)
1659 {
1660         switch (read_pack_header(0, hdr)) {
1661         case PH_ERROR_EOF:
1662                 return "eof before pack header was fully read";
1663
1664         case PH_ERROR_PACK_SIGNATURE:
1665                 return "protocol error (pack signature mismatch detected)";
1666
1667         case PH_ERROR_PROTOCOL:
1668                 return "protocol error (pack version unsupported)";
1669
1670         default:
1671                 return "unknown error in parse_pack_header";
1672
1673         case 0:
1674                 return NULL;
1675         }
1676 }
1677
1678 static const char *pack_lockfile;
1679
1680 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1681 {
1682         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1683                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1684 }
1685
1686 static const char *unpack(int err_fd, struct shallow_info *si)
1687 {
1688         struct pack_header hdr;
1689         const char *hdr_err;
1690         int status;
1691         struct child_process child = CHILD_PROCESS_INIT;
1692         int fsck_objects = (receive_fsck_objects >= 0
1693                             ? receive_fsck_objects
1694                             : transfer_fsck_objects >= 0
1695                             ? transfer_fsck_objects
1696                             : 0);
1697
1698         hdr_err = parse_pack_header(&hdr);
1699         if (hdr_err) {
1700                 if (err_fd > 0)
1701                         close(err_fd);
1702                 return hdr_err;
1703         }
1704
1705         if (si->nr_ours || si->nr_theirs) {
1706                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1707                 argv_array_push(&child.args, "--shallow-file");
1708                 argv_array_push(&child.args, alt_shallow_file);
1709         }
1710
1711         tmp_objdir = tmp_objdir_create();
1712         if (!tmp_objdir) {
1713                 if (err_fd > 0)
1714                         close(err_fd);
1715                 return "unable to create temporary object directory";
1716         }
1717         child.env = tmp_objdir_env(tmp_objdir);
1718
1719         /*
1720          * Normally we just pass the tmp_objdir environment to the child
1721          * processes that do the heavy lifting, but we may need to see these
1722          * objects ourselves to set up shallow information.
1723          */
1724         tmp_objdir_add_as_alternate(tmp_objdir);
1725
1726         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1727                 argv_array_push(&child.args, "unpack-objects");
1728                 push_header_arg(&child.args, &hdr);
1729                 if (quiet)
1730                         argv_array_push(&child.args, "-q");
1731                 if (fsck_objects)
1732                         argv_array_pushf(&child.args, "--strict%s",
1733                                 fsck_msg_types.buf);
1734                 if (max_input_size)
1735                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1736                                 (uintmax_t)max_input_size);
1737                 child.no_stdout = 1;
1738                 child.err = err_fd;
1739                 child.git_cmd = 1;
1740                 status = run_command(&child);
1741                 if (status)
1742                         return "unpack-objects abnormal exit";
1743         } else {
1744                 char hostname[HOST_NAME_MAX + 1];
1745
1746                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1747                 push_header_arg(&child.args, &hdr);
1748
1749                 if (xgethostname(hostname, sizeof(hostname)))
1750                         xsnprintf(hostname, sizeof(hostname), "localhost");
1751                 argv_array_pushf(&child.args,
1752                                  "--keep=receive-pack %"PRIuMAX" on %s",
1753                                  (uintmax_t)getpid(),
1754                                  hostname);
1755
1756                 if (!quiet && err_fd)
1757                         argv_array_push(&child.args, "--show-resolving-progress");
1758                 if (use_sideband)
1759                         argv_array_push(&child.args, "--report-end-of-input");
1760                 if (fsck_objects)
1761                         argv_array_pushf(&child.args, "--strict%s",
1762                                 fsck_msg_types.buf);
1763                 if (!reject_thin)
1764                         argv_array_push(&child.args, "--fix-thin");
1765                 if (max_input_size)
1766                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1767                                 (uintmax_t)max_input_size);
1768                 child.out = -1;
1769                 child.err = err_fd;
1770                 child.git_cmd = 1;
1771                 status = start_command(&child);
1772                 if (status)
1773                         return "index-pack fork failed";
1774                 pack_lockfile = index_pack_lockfile(child.out);
1775                 close(child.out);
1776                 status = finish_command(&child);
1777                 if (status)
1778                         return "index-pack abnormal exit";
1779                 reprepare_packed_git();
1780         }
1781         return NULL;
1782 }
1783
1784 static const char *unpack_with_sideband(struct shallow_info *si)
1785 {
1786         struct async muxer;
1787         const char *ret;
1788
1789         if (!use_sideband)
1790                 return unpack(0, si);
1791
1792         use_keepalive = KEEPALIVE_AFTER_NUL;
1793         memset(&muxer, 0, sizeof(muxer));
1794         muxer.proc = copy_to_sideband;
1795         muxer.in = -1;
1796         if (start_async(&muxer))
1797                 return NULL;
1798
1799         ret = unpack(muxer.in, si);
1800
1801         finish_async(&muxer);
1802         return ret;
1803 }
1804
1805 static void prepare_shallow_update(struct command *commands,
1806                                    struct shallow_info *si)
1807 {
1808         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1809
1810         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1811         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1812
1813         si->need_reachability_test =
1814                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1815         si->reachable =
1816                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1817         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1818
1819         for (i = 0; i < si->nr_ours; i++)
1820                 si->need_reachability_test[si->ours[i]] = 1;
1821
1822         for (i = 0; i < si->shallow->nr; i++) {
1823                 if (!si->used_shallow[i])
1824                         continue;
1825                 for (j = 0; j < bitmap_size; j++) {
1826                         if (!si->used_shallow[i][j])
1827                                 continue;
1828                         si->need_reachability_test[i]++;
1829                         for (k = 0; k < 32; k++)
1830                                 if (si->used_shallow[i][j] & (1U << k))
1831                                         si->shallow_ref[j * 32 + k]++;
1832                 }
1833
1834                 /*
1835                  * true for those associated with some refs and belong
1836                  * in "ours" list aka "step 7 not done yet"
1837                  */
1838                 si->need_reachability_test[i] =
1839                         si->need_reachability_test[i] > 1;
1840         }
1841
1842         /*
1843          * keep hooks happy by forcing a temporary shallow file via
1844          * env variable because we can't add --shallow-file to every
1845          * command. check_everything_connected() will be done with
1846          * true .git/shallow though.
1847          */
1848         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1849 }
1850
1851 static void update_shallow_info(struct command *commands,
1852                                 struct shallow_info *si,
1853                                 struct oid_array *ref)
1854 {
1855         struct command *cmd;
1856         int *ref_status;
1857         remove_nonexistent_theirs_shallow(si);
1858         if (!si->nr_ours && !si->nr_theirs) {
1859                 shallow_update = 0;
1860                 return;
1861         }
1862
1863         for (cmd = commands; cmd; cmd = cmd->next) {
1864                 if (is_null_oid(&cmd->new_oid))
1865                         continue;
1866                 oid_array_append(ref, &cmd->new_oid);
1867                 cmd->index = ref->nr - 1;
1868         }
1869         si->ref = ref;
1870
1871         if (shallow_update) {
1872                 prepare_shallow_update(commands, si);
1873                 return;
1874         }
1875
1876         ALLOC_ARRAY(ref_status, ref->nr);
1877         assign_shallow_commits_to_refs(si, NULL, ref_status);
1878         for (cmd = commands; cmd; cmd = cmd->next) {
1879                 if (is_null_oid(&cmd->new_oid))
1880                         continue;
1881                 if (ref_status[cmd->index]) {
1882                         cmd->error_string = "shallow update not allowed";
1883                         cmd->skip_update = 1;
1884                 }
1885         }
1886         free(ref_status);
1887 }
1888
1889 static void report(struct command *commands, const char *unpack_status)
1890 {
1891         struct command *cmd;
1892         struct strbuf buf = STRBUF_INIT;
1893
1894         packet_buf_write(&buf, "unpack %s\n",
1895                          unpack_status ? unpack_status : "ok");
1896         for (cmd = commands; cmd; cmd = cmd->next) {
1897                 if (!cmd->error_string)
1898                         packet_buf_write(&buf, "ok %s\n",
1899                                          cmd->ref_name);
1900                 else
1901                         packet_buf_write(&buf, "ng %s %s\n",
1902                                          cmd->ref_name, cmd->error_string);
1903         }
1904         packet_buf_flush(&buf);
1905
1906         if (use_sideband)
1907                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1908         else
1909                 write_or_die(1, buf.buf, buf.len);
1910         strbuf_release(&buf);
1911 }
1912
1913 static int delete_only(struct command *commands)
1914 {
1915         struct command *cmd;
1916         for (cmd = commands; cmd; cmd = cmd->next) {
1917                 if (!is_null_oid(&cmd->new_oid))
1918                         return 0;
1919         }
1920         return 1;
1921 }
1922
1923 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1924 {
1925         int advertise_refs = 0;
1926         struct command *commands;
1927         struct oid_array shallow = OID_ARRAY_INIT;
1928         struct oid_array ref = OID_ARRAY_INIT;
1929         struct shallow_info si;
1930
1931         struct option options[] = {
1932                 OPT__QUIET(&quiet, N_("quiet")),
1933                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1934                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1935                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1936                 OPT_END()
1937         };
1938
1939         packet_trace_identity("receive-pack");
1940
1941         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1942
1943         if (argc > 1)
1944                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1945         if (argc == 0)
1946                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1947
1948         service_dir = argv[0];
1949
1950         setup_path();
1951
1952         if (!enter_repo(service_dir, 0))
1953                 die("'%s' does not appear to be a git repository", service_dir);
1954
1955         git_config(receive_pack_config, NULL);
1956         if (cert_nonce_seed)
1957                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1958
1959         if (0 <= transfer_unpack_limit)
1960                 unpack_limit = transfer_unpack_limit;
1961         else if (0 <= receive_unpack_limit)
1962                 unpack_limit = receive_unpack_limit;
1963
1964         if (advertise_refs || !stateless_rpc) {
1965                 write_head_info();
1966         }
1967         if (advertise_refs)
1968                 return 0;
1969
1970         if ((commands = read_head_info(&shallow)) != NULL) {
1971                 const char *unpack_status = NULL;
1972                 struct string_list push_options = STRING_LIST_INIT_DUP;
1973
1974                 if (use_push_options)
1975                         read_push_options(&push_options);
1976                 if (!check_cert_push_options(&push_options)) {
1977                         struct command *cmd;
1978                         for (cmd = commands; cmd; cmd = cmd->next)
1979                                 cmd->error_string = "inconsistent push options";
1980                 }
1981
1982                 prepare_shallow_info(&si, &shallow);
1983                 if (!si.nr_ours && !si.nr_theirs)
1984                         shallow_update = 0;
1985                 if (!delete_only(commands)) {
1986                         unpack_status = unpack_with_sideband(&si);
1987                         update_shallow_info(commands, &si, &ref);
1988                 }
1989                 use_keepalive = KEEPALIVE_ALWAYS;
1990                 execute_commands(commands, unpack_status, &si,
1991                                  &push_options);
1992                 if (pack_lockfile)
1993                         unlink_or_warn(pack_lockfile);
1994                 if (report_status)
1995                         report(commands, unpack_status);
1996                 run_receive_hook(commands, "post-receive", 1,
1997                                  &push_options);
1998                 run_update_post_hook(commands);
1999                 string_list_clear(&push_options, 0);
2000                 if (auto_gc) {
2001                         const char *argv_gc_auto[] = {
2002                                 "gc", "--auto", "--quiet", NULL,
2003                         };
2004                         struct child_process proc = CHILD_PROCESS_INIT;
2005
2006                         proc.no_stdin = 1;
2007                         proc.stdout_to_stderr = 1;
2008                         proc.err = use_sideband ? -1 : 0;
2009                         proc.git_cmd = 1;
2010                         proc.argv = argv_gc_auto;
2011
2012                         close_all_packs();
2013                         if (!start_command(&proc)) {
2014                                 if (use_sideband)
2015                                         copy_to_sideband(proc.err, -1, NULL);
2016                                 finish_command(&proc);
2017                         }
2018                 }
2019                 if (auto_update_server_info)
2020                         update_server_info(0);
2021                 clear_shallow_info(&si);
2022         }
2023         if (use_sideband)
2024                 packet_flush(1);
2025         oid_array_clear(&shallow);
2026         oid_array_clear(&ref);
2027         free((void *)push_cert_nonce);
2028         return 0;
2029 }