Merge branch 'jk/fallthrough'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "config.h"
3 #include "lockfile.h"
4 #include "pack.h"
5 #include "refs.h"
6 #include "pkt-line.h"
7 #include "sideband.h"
8 #include "run-command.h"
9 #include "exec_cmd.h"
10 #include "commit.h"
11 #include "object.h"
12 #include "remote.h"
13 #include "connect.h"
14 #include "transport.h"
15 #include "string-list.h"
16 #include "sha1-array.h"
17 #include "connected.h"
18 #include "argv-array.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27
28 static const char * const receive_pack_usage[] = {
29         N_("git receive-pack <git-dir>"),
30         NULL
31 };
32
33 enum deny_action {
34         DENY_UNCONFIGURED,
35         DENY_IGNORE,
36         DENY_WARN,
37         DENY_REFUSE,
38         DENY_UPDATE_INSTEAD
39 };
40
41 static int deny_deletes;
42 static int deny_non_fast_forwards;
43 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
44 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
45 static int receive_fsck_objects = -1;
46 static int transfer_fsck_objects = -1;
47 static struct strbuf fsck_msg_types = STRBUF_INIT;
48 static int receive_unpack_limit = -1;
49 static int transfer_unpack_limit = -1;
50 static int advertise_atomic_push = 1;
51 static int advertise_push_options;
52 static int unpack_limit = 100;
53 static off_t max_input_size;
54 static int report_status;
55 static int use_sideband;
56 static int use_atomic;
57 static int use_push_options;
58 static int quiet;
59 static int prefer_ofs_delta = 1;
60 static int auto_update_server_info;
61 static int auto_gc = 1;
62 static int reject_thin;
63 static int stateless_rpc;
64 static const char *service_dir;
65 static const char *head_name;
66 static void *head_name_to_free;
67 static int sent_capabilities;
68 static int shallow_update;
69 static const char *alt_shallow_file;
70 static struct strbuf push_cert = STRBUF_INIT;
71 static unsigned char push_cert_sha1[20];
72 static struct signature_check sigcheck;
73 static const char *push_cert_nonce;
74 static const char *cert_nonce_seed;
75
76 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
77 static const char *NONCE_BAD = "BAD";
78 static const char *NONCE_MISSING = "MISSING";
79 static const char *NONCE_OK = "OK";
80 static const char *NONCE_SLOP = "SLOP";
81 static const char *nonce_status;
82 static long nonce_stamp_slop;
83 static timestamp_t nonce_stamp_slop_limit;
84 static struct ref_transaction *transaction;
85
86 static enum {
87         KEEPALIVE_NEVER = 0,
88         KEEPALIVE_AFTER_NUL,
89         KEEPALIVE_ALWAYS
90 } use_keepalive;
91 static int keepalive_in_sec = 5;
92
93 static struct tmp_objdir *tmp_objdir;
94
95 static enum deny_action parse_deny_action(const char *var, const char *value)
96 {
97         if (value) {
98                 if (!strcasecmp(value, "ignore"))
99                         return DENY_IGNORE;
100                 if (!strcasecmp(value, "warn"))
101                         return DENY_WARN;
102                 if (!strcasecmp(value, "refuse"))
103                         return DENY_REFUSE;
104                 if (!strcasecmp(value, "updateinstead"))
105                         return DENY_UPDATE_INSTEAD;
106         }
107         if (git_config_bool(var, value))
108                 return DENY_REFUSE;
109         return DENY_IGNORE;
110 }
111
112 static int receive_pack_config(const char *var, const char *value, void *cb)
113 {
114         int status = parse_hide_refs_config(var, value, "receive");
115
116         if (status)
117                 return status;
118
119         if (strcmp(var, "receive.denydeletes") == 0) {
120                 deny_deletes = git_config_bool(var, value);
121                 return 0;
122         }
123
124         if (strcmp(var, "receive.denynonfastforwards") == 0) {
125                 deny_non_fast_forwards = git_config_bool(var, value);
126                 return 0;
127         }
128
129         if (strcmp(var, "receive.unpacklimit") == 0) {
130                 receive_unpack_limit = git_config_int(var, value);
131                 return 0;
132         }
133
134         if (strcmp(var, "transfer.unpacklimit") == 0) {
135                 transfer_unpack_limit = git_config_int(var, value);
136                 return 0;
137         }
138
139         if (strcmp(var, "receive.fsck.skiplist") == 0) {
140                 const char *path;
141
142                 if (git_config_pathname(&path, var, value))
143                         return 1;
144                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
145                         fsck_msg_types.len ? ',' : '=', path);
146                 free((char *)path);
147                 return 0;
148         }
149
150         if (skip_prefix(var, "receive.fsck.", &var)) {
151                 if (is_valid_msg_type(var, value))
152                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
153                                 fsck_msg_types.len ? ',' : '=', var, value);
154                 else
155                         warning("Skipping unknown msg id '%s'", var);
156                 return 0;
157         }
158
159         if (strcmp(var, "receive.fsckobjects") == 0) {
160                 receive_fsck_objects = git_config_bool(var, value);
161                 return 0;
162         }
163
164         if (strcmp(var, "transfer.fsckobjects") == 0) {
165                 transfer_fsck_objects = git_config_bool(var, value);
166                 return 0;
167         }
168
169         if (!strcmp(var, "receive.denycurrentbranch")) {
170                 deny_current_branch = parse_deny_action(var, value);
171                 return 0;
172         }
173
174         if (strcmp(var, "receive.denydeletecurrent") == 0) {
175                 deny_delete_current = parse_deny_action(var, value);
176                 return 0;
177         }
178
179         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
180                 prefer_ofs_delta = git_config_bool(var, value);
181                 return 0;
182         }
183
184         if (strcmp(var, "receive.updateserverinfo") == 0) {
185                 auto_update_server_info = git_config_bool(var, value);
186                 return 0;
187         }
188
189         if (strcmp(var, "receive.autogc") == 0) {
190                 auto_gc = git_config_bool(var, value);
191                 return 0;
192         }
193
194         if (strcmp(var, "receive.shallowupdate") == 0) {
195                 shallow_update = git_config_bool(var, value);
196                 return 0;
197         }
198
199         if (strcmp(var, "receive.certnonceseed") == 0)
200                 return git_config_string(&cert_nonce_seed, var, value);
201
202         if (strcmp(var, "receive.certnonceslop") == 0) {
203                 nonce_stamp_slop_limit = git_config_ulong(var, value);
204                 return 0;
205         }
206
207         if (strcmp(var, "receive.advertiseatomic") == 0) {
208                 advertise_atomic_push = git_config_bool(var, value);
209                 return 0;
210         }
211
212         if (strcmp(var, "receive.advertisepushoptions") == 0) {
213                 advertise_push_options = git_config_bool(var, value);
214                 return 0;
215         }
216
217         if (strcmp(var, "receive.keepalive") == 0) {
218                 keepalive_in_sec = git_config_int(var, value);
219                 return 0;
220         }
221
222         if (strcmp(var, "receive.maxinputsize") == 0) {
223                 max_input_size = git_config_int64(var, value);
224                 return 0;
225         }
226
227         return git_default_config(var, value, cb);
228 }
229
230 static void show_ref(const char *path, const struct object_id *oid)
231 {
232         if (sent_capabilities) {
233                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
234         } else {
235                 struct strbuf cap = STRBUF_INIT;
236
237                 strbuf_addstr(&cap,
238                               "report-status delete-refs side-band-64k quiet");
239                 if (advertise_atomic_push)
240                         strbuf_addstr(&cap, " atomic");
241                 if (prefer_ofs_delta)
242                         strbuf_addstr(&cap, " ofs-delta");
243                 if (push_cert_nonce)
244                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
245                 if (advertise_push_options)
246                         strbuf_addstr(&cap, " push-options");
247                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
248                 packet_write_fmt(1, "%s %s%c%s\n",
249                              oid_to_hex(oid), path, 0, cap.buf);
250                 strbuf_release(&cap);
251                 sent_capabilities = 1;
252         }
253 }
254
255 static int show_ref_cb(const char *path_full, const struct object_id *oid,
256                        int flag, void *data)
257 {
258         struct oidset *seen = data;
259         const char *path = strip_namespace(path_full);
260
261         if (ref_is_hidden(path, path_full))
262                 return 0;
263
264         /*
265          * Advertise refs outside our current namespace as ".have"
266          * refs, so that the client can use them to minimize data
267          * transfer but will otherwise ignore them.
268          */
269         if (!path) {
270                 if (oidset_insert(seen, oid))
271                         return 0;
272                 path = ".have";
273         } else {
274                 oidset_insert(seen, oid);
275         }
276         show_ref(path, oid);
277         return 0;
278 }
279
280 static void show_one_alternate_ref(const char *refname,
281                                    const struct object_id *oid,
282                                    void *data)
283 {
284         struct oidset *seen = data;
285
286         if (oidset_insert(seen, oid))
287                 return;
288
289         show_ref(".have", oid);
290 }
291
292 static void write_head_info(void)
293 {
294         static struct oidset seen = OIDSET_INIT;
295
296         for_each_ref(show_ref_cb, &seen);
297         for_each_alternate_ref(show_one_alternate_ref, &seen);
298         oidset_clear(&seen);
299         if (!sent_capabilities)
300                 show_ref("capabilities^{}", &null_oid);
301
302         advertise_shallow_grafts(1);
303
304         /* EOF */
305         packet_flush(1);
306 }
307
308 struct command {
309         struct command *next;
310         const char *error_string;
311         unsigned int skip_update:1,
312                      did_not_exist:1;
313         int index;
314         struct object_id old_oid;
315         struct object_id new_oid;
316         char ref_name[FLEX_ARRAY]; /* more */
317 };
318
319 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
320 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
321
322 static void report_message(const char *prefix, const char *err, va_list params)
323 {
324         int sz;
325         char msg[4096];
326
327         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
328         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
329         if (sz > (sizeof(msg) - 1))
330                 sz = sizeof(msg) - 1;
331         msg[sz++] = '\n';
332
333         if (use_sideband)
334                 send_sideband(1, 2, msg, sz, use_sideband);
335         else
336                 xwrite(2, msg, sz);
337 }
338
339 static void rp_warning(const char *err, ...)
340 {
341         va_list params;
342         va_start(params, err);
343         report_message("warning: ", err, params);
344         va_end(params);
345 }
346
347 static void rp_error(const char *err, ...)
348 {
349         va_list params;
350         va_start(params, err);
351         report_message("error: ", err, params);
352         va_end(params);
353 }
354
355 static int copy_to_sideband(int in, int out, void *arg)
356 {
357         char data[128];
358         int keepalive_active = 0;
359
360         if (keepalive_in_sec <= 0)
361                 use_keepalive = KEEPALIVE_NEVER;
362         if (use_keepalive == KEEPALIVE_ALWAYS)
363                 keepalive_active = 1;
364
365         while (1) {
366                 ssize_t sz;
367
368                 if (keepalive_active) {
369                         struct pollfd pfd;
370                         int ret;
371
372                         pfd.fd = in;
373                         pfd.events = POLLIN;
374                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
375
376                         if (ret < 0) {
377                                 if (errno == EINTR)
378                                         continue;
379                                 else
380                                         break;
381                         } else if (ret == 0) {
382                                 /* no data; send a keepalive packet */
383                                 static const char buf[] = "0005\1";
384                                 write_or_die(1, buf, sizeof(buf) - 1);
385                                 continue;
386                         } /* else there is actual data to read */
387                 }
388
389                 sz = xread(in, data, sizeof(data));
390                 if (sz <= 0)
391                         break;
392
393                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
394                         const char *p = memchr(data, '\0', sz);
395                         if (p) {
396                                 /*
397                                  * The NUL tells us to start sending keepalives. Make
398                                  * sure we send any other data we read along
399                                  * with it.
400                                  */
401                                 keepalive_active = 1;
402                                 send_sideband(1, 2, data, p - data, use_sideband);
403                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
404                                 continue;
405                         }
406                 }
407
408                 /*
409                  * Either we're not looking for a NUL signal, or we didn't see
410                  * it yet; just pass along the data.
411                  */
412                 send_sideband(1, 2, data, sz, use_sideband);
413         }
414         close(in);
415         return 0;
416 }
417
418 #define HMAC_BLOCK_SIZE 64
419
420 static void hmac_sha1(unsigned char *out,
421                       const char *key_in, size_t key_len,
422                       const char *text, size_t text_len)
423 {
424         unsigned char key[HMAC_BLOCK_SIZE];
425         unsigned char k_ipad[HMAC_BLOCK_SIZE];
426         unsigned char k_opad[HMAC_BLOCK_SIZE];
427         int i;
428         git_SHA_CTX ctx;
429
430         /* RFC 2104 2. (1) */
431         memset(key, '\0', HMAC_BLOCK_SIZE);
432         if (HMAC_BLOCK_SIZE < key_len) {
433                 git_SHA1_Init(&ctx);
434                 git_SHA1_Update(&ctx, key_in, key_len);
435                 git_SHA1_Final(key, &ctx);
436         } else {
437                 memcpy(key, key_in, key_len);
438         }
439
440         /* RFC 2104 2. (2) & (5) */
441         for (i = 0; i < sizeof(key); i++) {
442                 k_ipad[i] = key[i] ^ 0x36;
443                 k_opad[i] = key[i] ^ 0x5c;
444         }
445
446         /* RFC 2104 2. (3) & (4) */
447         git_SHA1_Init(&ctx);
448         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
449         git_SHA1_Update(&ctx, text, text_len);
450         git_SHA1_Final(out, &ctx);
451
452         /* RFC 2104 2. (6) & (7) */
453         git_SHA1_Init(&ctx);
454         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
455         git_SHA1_Update(&ctx, out, 20);
456         git_SHA1_Final(out, &ctx);
457 }
458
459 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
460 {
461         struct strbuf buf = STRBUF_INIT;
462         unsigned char sha1[20];
463
464         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
465         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
466         strbuf_release(&buf);
467
468         /* RFC 2104 5. HMAC-SHA1-80 */
469         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, 20, sha1_to_hex(sha1));
470         return strbuf_detach(&buf, NULL);
471 }
472
473 /*
474  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
475  * after dropping "_commit" from its name and possibly moving it out
476  * of commit.c
477  */
478 static char *find_header(const char *msg, size_t len, const char *key,
479                          const char **next_line)
480 {
481         int key_len = strlen(key);
482         const char *line = msg;
483
484         while (line && line < msg + len) {
485                 const char *eol = strchrnul(line, '\n');
486
487                 if ((msg + len <= eol) || line == eol)
488                         return NULL;
489                 if (line + key_len < eol &&
490                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
491                         int offset = key_len + 1;
492                         if (next_line)
493                                 *next_line = *eol ? eol + 1 : eol;
494                         return xmemdupz(line + offset, (eol - line) - offset);
495                 }
496                 line = *eol ? eol + 1 : NULL;
497         }
498         return NULL;
499 }
500
501 static const char *check_nonce(const char *buf, size_t len)
502 {
503         char *nonce = find_header(buf, len, "nonce", NULL);
504         timestamp_t stamp, ostamp;
505         char *bohmac, *expect = NULL;
506         const char *retval = NONCE_BAD;
507
508         if (!nonce) {
509                 retval = NONCE_MISSING;
510                 goto leave;
511         } else if (!push_cert_nonce) {
512                 retval = NONCE_UNSOLICITED;
513                 goto leave;
514         } else if (!strcmp(push_cert_nonce, nonce)) {
515                 retval = NONCE_OK;
516                 goto leave;
517         }
518
519         if (!stateless_rpc) {
520                 /* returned nonce MUST match what we gave out earlier */
521                 retval = NONCE_BAD;
522                 goto leave;
523         }
524
525         /*
526          * In stateless mode, we may be receiving a nonce issued by
527          * another instance of the server that serving the same
528          * repository, and the timestamps may not match, but the
529          * nonce-seed and dir should match, so we can recompute and
530          * report the time slop.
531          *
532          * In addition, when a nonce issued by another instance has
533          * timestamp within receive.certnonceslop seconds, we pretend
534          * as if we issued that nonce when reporting to the hook.
535          */
536
537         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
538         if (*nonce <= '0' || '9' < *nonce) {
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542         stamp = parse_timestamp(nonce, &bohmac, 10);
543         if (bohmac == nonce || bohmac[0] != '-') {
544                 retval = NONCE_BAD;
545                 goto leave;
546         }
547
548         expect = prepare_push_cert_nonce(service_dir, stamp);
549         if (strcmp(expect, nonce)) {
550                 /* Not what we would have signed earlier */
551                 retval = NONCE_BAD;
552                 goto leave;
553         }
554
555         /*
556          * By how many seconds is this nonce stale?  Negative value
557          * would mean it was issued by another server with its clock
558          * skewed in the future.
559          */
560         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
561         nonce_stamp_slop = (long)ostamp - (long)stamp;
562
563         if (nonce_stamp_slop_limit &&
564             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
565                 /*
566                  * Pretend as if the received nonce (which passes the
567                  * HMAC check, so it is not a forged by third-party)
568                  * is what we issued.
569                  */
570                 free((void *)push_cert_nonce);
571                 push_cert_nonce = xstrdup(nonce);
572                 retval = NONCE_OK;
573         } else {
574                 retval = NONCE_SLOP;
575         }
576
577 leave:
578         free(nonce);
579         free(expect);
580         return retval;
581 }
582
583 /*
584  * Return 1 if there is no push_cert or if the push options in push_cert are
585  * the same as those in the argument; 0 otherwise.
586  */
587 static int check_cert_push_options(const struct string_list *push_options)
588 {
589         const char *buf = push_cert.buf;
590         int len = push_cert.len;
591
592         char *option;
593         const char *next_line;
594         int options_seen = 0;
595
596         int retval = 1;
597
598         if (!len)
599                 return 1;
600
601         while ((option = find_header(buf, len, "push-option", &next_line))) {
602                 len -= (next_line - buf);
603                 buf = next_line;
604                 options_seen++;
605                 if (options_seen > push_options->nr
606                     || strcmp(option,
607                               push_options->items[options_seen - 1].string)) {
608                         retval = 0;
609                         goto leave;
610                 }
611                 free(option);
612         }
613
614         if (options_seen != push_options->nr)
615                 retval = 0;
616
617 leave:
618         free(option);
619         return retval;
620 }
621
622 static void prepare_push_cert_sha1(struct child_process *proc)
623 {
624         static int already_done;
625
626         if (!push_cert.len)
627                 return;
628
629         if (!already_done) {
630                 struct strbuf gpg_output = STRBUF_INIT;
631                 struct strbuf gpg_status = STRBUF_INIT;
632                 int bogs /* beginning_of_gpg_sig */;
633
634                 already_done = 1;
635                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
636                         hashclr(push_cert_sha1);
637
638                 memset(&sigcheck, '\0', sizeof(sigcheck));
639                 sigcheck.result = 'N';
640
641                 bogs = parse_signature(push_cert.buf, push_cert.len);
642                 if (verify_signed_buffer(push_cert.buf, bogs,
643                                          push_cert.buf + bogs, push_cert.len - bogs,
644                                          &gpg_output, &gpg_status) < 0) {
645                         ; /* error running gpg */
646                 } else {
647                         sigcheck.payload = push_cert.buf;
648                         sigcheck.gpg_output = gpg_output.buf;
649                         sigcheck.gpg_status = gpg_status.buf;
650                         parse_gpg_output(&sigcheck);
651                 }
652
653                 strbuf_release(&gpg_output);
654                 strbuf_release(&gpg_status);
655                 nonce_status = check_nonce(push_cert.buf, bogs);
656         }
657         if (!is_null_sha1(push_cert_sha1)) {
658                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
659                                  sha1_to_hex(push_cert_sha1));
660                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
661                                  sigcheck.signer ? sigcheck.signer : "");
662                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
663                                  sigcheck.key ? sigcheck.key : "");
664                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
665                                  sigcheck.result);
666                 if (push_cert_nonce) {
667                         argv_array_pushf(&proc->env_array,
668                                          "GIT_PUSH_CERT_NONCE=%s",
669                                          push_cert_nonce);
670                         argv_array_pushf(&proc->env_array,
671                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
672                                          nonce_status);
673                         if (nonce_status == NONCE_SLOP)
674                                 argv_array_pushf(&proc->env_array,
675                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
676                                                  nonce_stamp_slop);
677                 }
678         }
679 }
680
681 struct receive_hook_feed_state {
682         struct command *cmd;
683         int skip_broken;
684         struct strbuf buf;
685         const struct string_list *push_options;
686 };
687
688 typedef int (*feed_fn)(void *, const char **, size_t *);
689 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
690                              struct receive_hook_feed_state *feed_state)
691 {
692         struct child_process proc = CHILD_PROCESS_INIT;
693         struct async muxer;
694         const char *argv[2];
695         int code;
696
697         argv[0] = find_hook(hook_name);
698         if (!argv[0])
699                 return 0;
700
701         argv[1] = NULL;
702
703         proc.argv = argv;
704         proc.in = -1;
705         proc.stdout_to_stderr = 1;
706         if (feed_state->push_options) {
707                 int i;
708                 for (i = 0; i < feed_state->push_options->nr; i++)
709                         argv_array_pushf(&proc.env_array,
710                                 "GIT_PUSH_OPTION_%d=%s", i,
711                                 feed_state->push_options->items[i].string);
712                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
713                                  feed_state->push_options->nr);
714         } else
715                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
716
717         if (tmp_objdir)
718                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
719
720         if (use_sideband) {
721                 memset(&muxer, 0, sizeof(muxer));
722                 muxer.proc = copy_to_sideband;
723                 muxer.in = -1;
724                 code = start_async(&muxer);
725                 if (code)
726                         return code;
727                 proc.err = muxer.in;
728         }
729
730         prepare_push_cert_sha1(&proc);
731
732         code = start_command(&proc);
733         if (code) {
734                 if (use_sideband)
735                         finish_async(&muxer);
736                 return code;
737         }
738
739         sigchain_push(SIGPIPE, SIG_IGN);
740
741         while (1) {
742                 const char *buf;
743                 size_t n;
744                 if (feed(feed_state, &buf, &n))
745                         break;
746                 if (write_in_full(proc.in, buf, n) < 0)
747                         break;
748         }
749         close(proc.in);
750         if (use_sideband)
751                 finish_async(&muxer);
752
753         sigchain_pop(SIGPIPE);
754
755         return finish_command(&proc);
756 }
757
758 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
759 {
760         struct receive_hook_feed_state *state = state_;
761         struct command *cmd = state->cmd;
762
763         while (cmd &&
764                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
765                 cmd = cmd->next;
766         if (!cmd)
767                 return -1; /* EOF */
768         strbuf_reset(&state->buf);
769         strbuf_addf(&state->buf, "%s %s %s\n",
770                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
771                     cmd->ref_name);
772         state->cmd = cmd->next;
773         if (bufp) {
774                 *bufp = state->buf.buf;
775                 *sizep = state->buf.len;
776         }
777         return 0;
778 }
779
780 static int run_receive_hook(struct command *commands,
781                             const char *hook_name,
782                             int skip_broken,
783                             const struct string_list *push_options)
784 {
785         struct receive_hook_feed_state state;
786         int status;
787
788         strbuf_init(&state.buf, 0);
789         state.cmd = commands;
790         state.skip_broken = skip_broken;
791         if (feed_receive_hook(&state, NULL, NULL))
792                 return 0;
793         state.cmd = commands;
794         state.push_options = push_options;
795         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
796         strbuf_release(&state.buf);
797         return status;
798 }
799
800 static int run_update_hook(struct command *cmd)
801 {
802         const char *argv[5];
803         struct child_process proc = CHILD_PROCESS_INIT;
804         int code;
805
806         argv[0] = find_hook("update");
807         if (!argv[0])
808                 return 0;
809
810         argv[1] = cmd->ref_name;
811         argv[2] = oid_to_hex(&cmd->old_oid);
812         argv[3] = oid_to_hex(&cmd->new_oid);
813         argv[4] = NULL;
814
815         proc.no_stdin = 1;
816         proc.stdout_to_stderr = 1;
817         proc.err = use_sideband ? -1 : 0;
818         proc.argv = argv;
819
820         code = start_command(&proc);
821         if (code)
822                 return code;
823         if (use_sideband)
824                 copy_to_sideband(proc.err, -1, NULL);
825         return finish_command(&proc);
826 }
827
828 static int is_ref_checked_out(const char *ref)
829 {
830         if (is_bare_repository())
831                 return 0;
832
833         if (!head_name)
834                 return 0;
835         return !strcmp(head_name, ref);
836 }
837
838 static char *refuse_unconfigured_deny_msg =
839         N_("By default, updating the current branch in a non-bare repository\n"
840            "is denied, because it will make the index and work tree inconsistent\n"
841            "with what you pushed, and will require 'git reset --hard' to match\n"
842            "the work tree to HEAD.\n"
843            "\n"
844            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
845            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
846            "its current branch; however, this is not recommended unless you\n"
847            "arranged to update its work tree to match what you pushed in some\n"
848            "other way.\n"
849            "\n"
850            "To squelch this message and still keep the default behaviour, set\n"
851            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
852
853 static void refuse_unconfigured_deny(void)
854 {
855         rp_error("%s", _(refuse_unconfigured_deny_msg));
856 }
857
858 static char *refuse_unconfigured_deny_delete_current_msg =
859         N_("By default, deleting the current branch is denied, because the next\n"
860            "'git clone' won't result in any file checked out, causing confusion.\n"
861            "\n"
862            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
863            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
864            "current branch, with or without a warning message.\n"
865            "\n"
866            "To squelch this message, you can set it to 'refuse'.");
867
868 static void refuse_unconfigured_deny_delete_current(void)
869 {
870         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
871 }
872
873 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
874 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
875 {
876         static struct lock_file shallow_lock;
877         struct oid_array extra = OID_ARRAY_INIT;
878         struct check_connected_options opt = CHECK_CONNECTED_INIT;
879         uint32_t mask = 1 << (cmd->index % 32);
880         int i;
881
882         trace_printf_key(&trace_shallow,
883                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
884         for (i = 0; i < si->shallow->nr; i++)
885                 if (si->used_shallow[i] &&
886                     (si->used_shallow[i][cmd->index / 32] & mask) &&
887                     !delayed_reachability_test(si, i))
888                         oid_array_append(&extra, &si->shallow->oid[i]);
889
890         opt.env = tmp_objdir_env(tmp_objdir);
891         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
892         if (check_connected(command_singleton_iterator, cmd, &opt)) {
893                 rollback_lock_file(&shallow_lock);
894                 oid_array_clear(&extra);
895                 return -1;
896         }
897
898         commit_lock_file(&shallow_lock);
899
900         /*
901          * Make sure setup_alternate_shallow() for the next ref does
902          * not lose these new roots..
903          */
904         for (i = 0; i < extra.nr; i++)
905                 register_shallow(&extra.oid[i]);
906
907         si->shallow_ref[cmd->index] = 0;
908         oid_array_clear(&extra);
909         return 0;
910 }
911
912 /*
913  * NEEDSWORK: we should consolidate various implementions of "are we
914  * on an unborn branch?" test into one, and make the unified one more
915  * robust. !get_sha1() based check used here and elsewhere would not
916  * allow us to tell an unborn branch from corrupt ref, for example.
917  * For the purpose of fixing "deploy-to-update does not work when
918  * pushing into an empty repository" issue, this should suffice for
919  * now.
920  */
921 static int head_has_history(void)
922 {
923         struct object_id oid;
924
925         return !get_oid("HEAD", &oid);
926 }
927
928 static const char *push_to_deploy(unsigned char *sha1,
929                                   struct argv_array *env,
930                                   const char *work_tree)
931 {
932         const char *update_refresh[] = {
933                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
934         };
935         const char *diff_files[] = {
936                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
937         };
938         const char *diff_index[] = {
939                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
940                 NULL, "--", NULL
941         };
942         const char *read_tree[] = {
943                 "read-tree", "-u", "-m", NULL, NULL
944         };
945         struct child_process child = CHILD_PROCESS_INIT;
946
947         child.argv = update_refresh;
948         child.env = env->argv;
949         child.dir = work_tree;
950         child.no_stdin = 1;
951         child.stdout_to_stderr = 1;
952         child.git_cmd = 1;
953         if (run_command(&child))
954                 return "Up-to-date check failed";
955
956         /* run_command() does not clean up completely; reinitialize */
957         child_process_init(&child);
958         child.argv = diff_files;
959         child.env = env->argv;
960         child.dir = work_tree;
961         child.no_stdin = 1;
962         child.stdout_to_stderr = 1;
963         child.git_cmd = 1;
964         if (run_command(&child))
965                 return "Working directory has unstaged changes";
966
967         /* diff-index with either HEAD or an empty tree */
968         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
969
970         child_process_init(&child);
971         child.argv = diff_index;
972         child.env = env->argv;
973         child.no_stdin = 1;
974         child.no_stdout = 1;
975         child.stdout_to_stderr = 0;
976         child.git_cmd = 1;
977         if (run_command(&child))
978                 return "Working directory has staged changes";
979
980         read_tree[3] = sha1_to_hex(sha1);
981         child_process_init(&child);
982         child.argv = read_tree;
983         child.env = env->argv;
984         child.dir = work_tree;
985         child.no_stdin = 1;
986         child.no_stdout = 1;
987         child.stdout_to_stderr = 0;
988         child.git_cmd = 1;
989         if (run_command(&child))
990                 return "Could not update working tree to new HEAD";
991
992         return NULL;
993 }
994
995 static const char *push_to_checkout_hook = "push-to-checkout";
996
997 static const char *push_to_checkout(unsigned char *sha1,
998                                     struct argv_array *env,
999                                     const char *work_tree)
1000 {
1001         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1002         if (run_hook_le(env->argv, push_to_checkout_hook,
1003                         sha1_to_hex(sha1), NULL))
1004                 return "push-to-checkout hook declined";
1005         else
1006                 return NULL;
1007 }
1008
1009 static const char *update_worktree(unsigned char *sha1)
1010 {
1011         const char *retval;
1012         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1013         struct argv_array env = ARGV_ARRAY_INIT;
1014
1015         if (is_bare_repository())
1016                 return "denyCurrentBranch = updateInstead needs a worktree";
1017
1018         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1019
1020         if (!find_hook(push_to_checkout_hook))
1021                 retval = push_to_deploy(sha1, &env, work_tree);
1022         else
1023                 retval = push_to_checkout(sha1, &env, work_tree);
1024
1025         argv_array_clear(&env);
1026         return retval;
1027 }
1028
1029 static const char *update(struct command *cmd, struct shallow_info *si)
1030 {
1031         const char *name = cmd->ref_name;
1032         struct strbuf namespaced_name_buf = STRBUF_INIT;
1033         static char *namespaced_name;
1034         const char *ret;
1035         struct object_id *old_oid = &cmd->old_oid;
1036         struct object_id *new_oid = &cmd->new_oid;
1037
1038         /* only refs/... are allowed */
1039         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1040                 rp_error("refusing to create funny ref '%s' remotely", name);
1041                 return "funny refname";
1042         }
1043
1044         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1045         free(namespaced_name);
1046         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1047
1048         if (is_ref_checked_out(namespaced_name)) {
1049                 switch (deny_current_branch) {
1050                 case DENY_IGNORE:
1051                         break;
1052                 case DENY_WARN:
1053                         rp_warning("updating the current branch");
1054                         break;
1055                 case DENY_REFUSE:
1056                 case DENY_UNCONFIGURED:
1057                         rp_error("refusing to update checked out branch: %s", name);
1058                         if (deny_current_branch == DENY_UNCONFIGURED)
1059                                 refuse_unconfigured_deny();
1060                         return "branch is currently checked out";
1061                 case DENY_UPDATE_INSTEAD:
1062                         ret = update_worktree(new_oid->hash);
1063                         if (ret)
1064                                 return ret;
1065                         break;
1066                 }
1067         }
1068
1069         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1070                 error("unpack should have generated %s, "
1071                       "but I can't find it!", oid_to_hex(new_oid));
1072                 return "bad pack";
1073         }
1074
1075         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1076                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1077                         rp_error("denying ref deletion for %s", name);
1078                         return "deletion prohibited";
1079                 }
1080
1081                 if (head_name && !strcmp(namespaced_name, head_name)) {
1082                         switch (deny_delete_current) {
1083                         case DENY_IGNORE:
1084                                 break;
1085                         case DENY_WARN:
1086                                 rp_warning("deleting the current branch");
1087                                 break;
1088                         case DENY_REFUSE:
1089                         case DENY_UNCONFIGURED:
1090                         case DENY_UPDATE_INSTEAD:
1091                                 if (deny_delete_current == DENY_UNCONFIGURED)
1092                                         refuse_unconfigured_deny_delete_current();
1093                                 rp_error("refusing to delete the current branch: %s", name);
1094                                 return "deletion of the current branch prohibited";
1095                         default:
1096                                 return "Invalid denyDeleteCurrent setting";
1097                         }
1098                 }
1099         }
1100
1101         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1102             !is_null_oid(old_oid) &&
1103             starts_with(name, "refs/heads/")) {
1104                 struct object *old_object, *new_object;
1105                 struct commit *old_commit, *new_commit;
1106
1107                 old_object = parse_object(old_oid);
1108                 new_object = parse_object(new_oid);
1109
1110                 if (!old_object || !new_object ||
1111                     old_object->type != OBJ_COMMIT ||
1112                     new_object->type != OBJ_COMMIT) {
1113                         error("bad sha1 objects for %s", name);
1114                         return "bad ref";
1115                 }
1116                 old_commit = (struct commit *)old_object;
1117                 new_commit = (struct commit *)new_object;
1118                 if (!in_merge_bases(old_commit, new_commit)) {
1119                         rp_error("denying non-fast-forward %s"
1120                                  " (you should pull first)", name);
1121                         return "non-fast-forward";
1122                 }
1123         }
1124         if (run_update_hook(cmd)) {
1125                 rp_error("hook declined to update %s", name);
1126                 return "hook declined";
1127         }
1128
1129         if (is_null_oid(new_oid)) {
1130                 struct strbuf err = STRBUF_INIT;
1131                 if (!parse_object(old_oid)) {
1132                         old_oid = NULL;
1133                         if (ref_exists(name)) {
1134                                 rp_warning("Allowing deletion of corrupt ref.");
1135                         } else {
1136                                 rp_warning("Deleting a non-existent ref.");
1137                                 cmd->did_not_exist = 1;
1138                         }
1139                 }
1140                 if (ref_transaction_delete(transaction,
1141                                            namespaced_name,
1142                                            old_oid ? old_oid->hash : NULL,
1143                                            0, "push", &err)) {
1144                         rp_error("%s", err.buf);
1145                         strbuf_release(&err);
1146                         return "failed to delete";
1147                 }
1148                 strbuf_release(&err);
1149                 return NULL; /* good */
1150         }
1151         else {
1152                 struct strbuf err = STRBUF_INIT;
1153                 if (shallow_update && si->shallow_ref[cmd->index] &&
1154                     update_shallow_ref(cmd, si))
1155                         return "shallow error";
1156
1157                 if (ref_transaction_update(transaction,
1158                                            namespaced_name,
1159                                            new_oid->hash, old_oid->hash,
1160                                            0, "push",
1161                                            &err)) {
1162                         rp_error("%s", err.buf);
1163                         strbuf_release(&err);
1164
1165                         return "failed to update ref";
1166                 }
1167                 strbuf_release(&err);
1168
1169                 return NULL; /* good */
1170         }
1171 }
1172
1173 static void run_update_post_hook(struct command *commands)
1174 {
1175         struct command *cmd;
1176         struct child_process proc = CHILD_PROCESS_INIT;
1177         const char *hook;
1178
1179         hook = find_hook("post-update");
1180         if (!hook)
1181                 return;
1182
1183         for (cmd = commands; cmd; cmd = cmd->next) {
1184                 if (cmd->error_string || cmd->did_not_exist)
1185                         continue;
1186                 if (!proc.args.argc)
1187                         argv_array_push(&proc.args, hook);
1188                 argv_array_push(&proc.args, cmd->ref_name);
1189         }
1190         if (!proc.args.argc)
1191                 return;
1192
1193         proc.no_stdin = 1;
1194         proc.stdout_to_stderr = 1;
1195         proc.err = use_sideband ? -1 : 0;
1196
1197         if (!start_command(&proc)) {
1198                 if (use_sideband)
1199                         copy_to_sideband(proc.err, -1, NULL);
1200                 finish_command(&proc);
1201         }
1202 }
1203
1204 static void check_aliased_update(struct command *cmd, struct string_list *list)
1205 {
1206         struct strbuf buf = STRBUF_INIT;
1207         const char *dst_name;
1208         struct string_list_item *item;
1209         struct command *dst_cmd;
1210         unsigned char sha1[GIT_MAX_RAWSZ];
1211         int flag;
1212
1213         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1214         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1215         strbuf_release(&buf);
1216
1217         if (!(flag & REF_ISSYMREF))
1218                 return;
1219
1220         if (!dst_name) {
1221                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1222                 cmd->skip_update = 1;
1223                 cmd->error_string = "broken symref";
1224                 return;
1225         }
1226         dst_name = strip_namespace(dst_name);
1227
1228         if ((item = string_list_lookup(list, dst_name)) == NULL)
1229                 return;
1230
1231         cmd->skip_update = 1;
1232
1233         dst_cmd = (struct command *) item->util;
1234
1235         if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1236             !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1237                 return;
1238
1239         dst_cmd->skip_update = 1;
1240
1241         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1242                  " its target '%s' (%s..%s)",
1243                  cmd->ref_name,
1244                  find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1245                  find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1246                  dst_cmd->ref_name,
1247                  find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1248                  find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1249
1250         cmd->error_string = dst_cmd->error_string =
1251                 "inconsistent aliased update";
1252 }
1253
1254 static void check_aliased_updates(struct command *commands)
1255 {
1256         struct command *cmd;
1257         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1258
1259         for (cmd = commands; cmd; cmd = cmd->next) {
1260                 struct string_list_item *item =
1261                         string_list_append(&ref_list, cmd->ref_name);
1262                 item->util = (void *)cmd;
1263         }
1264         string_list_sort(&ref_list);
1265
1266         for (cmd = commands; cmd; cmd = cmd->next) {
1267                 if (!cmd->error_string)
1268                         check_aliased_update(cmd, &ref_list);
1269         }
1270
1271         string_list_clear(&ref_list, 0);
1272 }
1273
1274 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1275 {
1276         struct command **cmd_list = cb_data;
1277         struct command *cmd = *cmd_list;
1278
1279         if (!cmd || is_null_oid(&cmd->new_oid))
1280                 return -1; /* end of list */
1281         *cmd_list = NULL; /* this returns only one */
1282         hashcpy(sha1, cmd->new_oid.hash);
1283         return 0;
1284 }
1285
1286 static void set_connectivity_errors(struct command *commands,
1287                                     struct shallow_info *si)
1288 {
1289         struct command *cmd;
1290
1291         for (cmd = commands; cmd; cmd = cmd->next) {
1292                 struct command *singleton = cmd;
1293                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1294
1295                 if (shallow_update && si->shallow_ref[cmd->index])
1296                         /* to be checked in update_shallow_ref() */
1297                         continue;
1298
1299                 opt.env = tmp_objdir_env(tmp_objdir);
1300                 if (!check_connected(command_singleton_iterator, &singleton,
1301                                      &opt))
1302                         continue;
1303
1304                 cmd->error_string = "missing necessary objects";
1305         }
1306 }
1307
1308 struct iterate_data {
1309         struct command *cmds;
1310         struct shallow_info *si;
1311 };
1312
1313 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1314 {
1315         struct iterate_data *data = cb_data;
1316         struct command **cmd_list = &data->cmds;
1317         struct command *cmd = *cmd_list;
1318
1319         for (; cmd; cmd = cmd->next) {
1320                 if (shallow_update && data->si->shallow_ref[cmd->index])
1321                         /* to be checked in update_shallow_ref() */
1322                         continue;
1323                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1324                         hashcpy(sha1, cmd->new_oid.hash);
1325                         *cmd_list = cmd->next;
1326                         return 0;
1327                 }
1328         }
1329         *cmd_list = NULL;
1330         return -1; /* end of list */
1331 }
1332
1333 static void reject_updates_to_hidden(struct command *commands)
1334 {
1335         struct strbuf refname_full = STRBUF_INIT;
1336         size_t prefix_len;
1337         struct command *cmd;
1338
1339         strbuf_addstr(&refname_full, get_git_namespace());
1340         prefix_len = refname_full.len;
1341
1342         for (cmd = commands; cmd; cmd = cmd->next) {
1343                 if (cmd->error_string)
1344                         continue;
1345
1346                 strbuf_setlen(&refname_full, prefix_len);
1347                 strbuf_addstr(&refname_full, cmd->ref_name);
1348
1349                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1350                         continue;
1351                 if (is_null_oid(&cmd->new_oid))
1352                         cmd->error_string = "deny deleting a hidden ref";
1353                 else
1354                         cmd->error_string = "deny updating a hidden ref";
1355         }
1356
1357         strbuf_release(&refname_full);
1358 }
1359
1360 static int should_process_cmd(struct command *cmd)
1361 {
1362         return !cmd->error_string && !cmd->skip_update;
1363 }
1364
1365 static void warn_if_skipped_connectivity_check(struct command *commands,
1366                                                struct shallow_info *si)
1367 {
1368         struct command *cmd;
1369         int checked_connectivity = 1;
1370
1371         for (cmd = commands; cmd; cmd = cmd->next) {
1372                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1373                         error("BUG: connectivity check has not been run on ref %s",
1374                               cmd->ref_name);
1375                         checked_connectivity = 0;
1376                 }
1377         }
1378         if (!checked_connectivity)
1379                 die("BUG: connectivity check skipped???");
1380 }
1381
1382 static void execute_commands_non_atomic(struct command *commands,
1383                                         struct shallow_info *si)
1384 {
1385         struct command *cmd;
1386         struct strbuf err = STRBUF_INIT;
1387
1388         for (cmd = commands; cmd; cmd = cmd->next) {
1389                 if (!should_process_cmd(cmd))
1390                         continue;
1391
1392                 transaction = ref_transaction_begin(&err);
1393                 if (!transaction) {
1394                         rp_error("%s", err.buf);
1395                         strbuf_reset(&err);
1396                         cmd->error_string = "transaction failed to start";
1397                         continue;
1398                 }
1399
1400                 cmd->error_string = update(cmd, si);
1401
1402                 if (!cmd->error_string
1403                     && ref_transaction_commit(transaction, &err)) {
1404                         rp_error("%s", err.buf);
1405                         strbuf_reset(&err);
1406                         cmd->error_string = "failed to update ref";
1407                 }
1408                 ref_transaction_free(transaction);
1409         }
1410         strbuf_release(&err);
1411 }
1412
1413 static void execute_commands_atomic(struct command *commands,
1414                                         struct shallow_info *si)
1415 {
1416         struct command *cmd;
1417         struct strbuf err = STRBUF_INIT;
1418         const char *reported_error = "atomic push failure";
1419
1420         transaction = ref_transaction_begin(&err);
1421         if (!transaction) {
1422                 rp_error("%s", err.buf);
1423                 strbuf_reset(&err);
1424                 reported_error = "transaction failed to start";
1425                 goto failure;
1426         }
1427
1428         for (cmd = commands; cmd; cmd = cmd->next) {
1429                 if (!should_process_cmd(cmd))
1430                         continue;
1431
1432                 cmd->error_string = update(cmd, si);
1433
1434                 if (cmd->error_string)
1435                         goto failure;
1436         }
1437
1438         if (ref_transaction_commit(transaction, &err)) {
1439                 rp_error("%s", err.buf);
1440                 reported_error = "atomic transaction failed";
1441                 goto failure;
1442         }
1443         goto cleanup;
1444
1445 failure:
1446         for (cmd = commands; cmd; cmd = cmd->next)
1447                 if (!cmd->error_string)
1448                         cmd->error_string = reported_error;
1449
1450 cleanup:
1451         ref_transaction_free(transaction);
1452         strbuf_release(&err);
1453 }
1454
1455 static void execute_commands(struct command *commands,
1456                              const char *unpacker_error,
1457                              struct shallow_info *si,
1458                              const struct string_list *push_options)
1459 {
1460         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1461         struct command *cmd;
1462         struct object_id oid;
1463         struct iterate_data data;
1464         struct async muxer;
1465         int err_fd = 0;
1466
1467         if (unpacker_error) {
1468                 for (cmd = commands; cmd; cmd = cmd->next)
1469                         cmd->error_string = "unpacker error";
1470                 return;
1471         }
1472
1473         if (use_sideband) {
1474                 memset(&muxer, 0, sizeof(muxer));
1475                 muxer.proc = copy_to_sideband;
1476                 muxer.in = -1;
1477                 if (!start_async(&muxer))
1478                         err_fd = muxer.in;
1479                 /* ...else, continue without relaying sideband */
1480         }
1481
1482         data.cmds = commands;
1483         data.si = si;
1484         opt.err_fd = err_fd;
1485         opt.progress = err_fd && !quiet;
1486         opt.env = tmp_objdir_env(tmp_objdir);
1487         if (check_connected(iterate_receive_command_list, &data, &opt))
1488                 set_connectivity_errors(commands, si);
1489
1490         if (use_sideband)
1491                 finish_async(&muxer);
1492
1493         reject_updates_to_hidden(commands);
1494
1495         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1496                 for (cmd = commands; cmd; cmd = cmd->next) {
1497                         if (!cmd->error_string)
1498                                 cmd->error_string = "pre-receive hook declined";
1499                 }
1500                 return;
1501         }
1502
1503         /*
1504          * Now we'll start writing out refs, which means the objects need
1505          * to be in their final positions so that other processes can see them.
1506          */
1507         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1508                 for (cmd = commands; cmd; cmd = cmd->next) {
1509                         if (!cmd->error_string)
1510                                 cmd->error_string = "unable to migrate objects to permanent storage";
1511                 }
1512                 return;
1513         }
1514         tmp_objdir = NULL;
1515
1516         check_aliased_updates(commands);
1517
1518         free(head_name_to_free);
1519         head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1520
1521         if (use_atomic)
1522                 execute_commands_atomic(commands, si);
1523         else
1524                 execute_commands_non_atomic(commands, si);
1525
1526         if (shallow_update)
1527                 warn_if_skipped_connectivity_check(commands, si);
1528 }
1529
1530 static struct command **queue_command(struct command **tail,
1531                                       const char *line,
1532                                       int linelen)
1533 {
1534         struct object_id old_oid, new_oid;
1535         struct command *cmd;
1536         const char *refname;
1537         int reflen;
1538         const char *p;
1539
1540         if (parse_oid_hex(line, &old_oid, &p) ||
1541             *p++ != ' ' ||
1542             parse_oid_hex(p, &new_oid, &p) ||
1543             *p++ != ' ')
1544                 die("protocol error: expected old/new/ref, got '%s'", line);
1545
1546         refname = p;
1547         reflen = linelen - (p - line);
1548         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1549         oidcpy(&cmd->old_oid, &old_oid);
1550         oidcpy(&cmd->new_oid, &new_oid);
1551         *tail = cmd;
1552         return &cmd->next;
1553 }
1554
1555 static void queue_commands_from_cert(struct command **tail,
1556                                      struct strbuf *push_cert)
1557 {
1558         const char *boc, *eoc;
1559
1560         if (*tail)
1561                 die("protocol error: got both push certificate and unsigned commands");
1562
1563         boc = strstr(push_cert->buf, "\n\n");
1564         if (!boc)
1565                 die("malformed push certificate %.*s", 100, push_cert->buf);
1566         else
1567                 boc += 2;
1568         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1569
1570         while (boc < eoc) {
1571                 const char *eol = memchr(boc, '\n', eoc - boc);
1572                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1573                 boc = eol ? eol + 1 : eoc;
1574         }
1575 }
1576
1577 static struct command *read_head_info(struct oid_array *shallow)
1578 {
1579         struct command *commands = NULL;
1580         struct command **p = &commands;
1581         for (;;) {
1582                 char *line;
1583                 int len, linelen;
1584
1585                 line = packet_read_line(0, &len);
1586                 if (!line)
1587                         break;
1588
1589                 if (len > 8 && starts_with(line, "shallow ")) {
1590                         struct object_id oid;
1591                         if (get_oid_hex(line + 8, &oid))
1592                                 die("protocol error: expected shallow sha, got '%s'",
1593                                     line + 8);
1594                         oid_array_append(shallow, &oid);
1595                         continue;
1596                 }
1597
1598                 linelen = strlen(line);
1599                 if (linelen < len) {
1600                         const char *feature_list = line + linelen + 1;
1601                         if (parse_feature_request(feature_list, "report-status"))
1602                                 report_status = 1;
1603                         if (parse_feature_request(feature_list, "side-band-64k"))
1604                                 use_sideband = LARGE_PACKET_MAX;
1605                         if (parse_feature_request(feature_list, "quiet"))
1606                                 quiet = 1;
1607                         if (advertise_atomic_push
1608                             && parse_feature_request(feature_list, "atomic"))
1609                                 use_atomic = 1;
1610                         if (advertise_push_options
1611                             && parse_feature_request(feature_list, "push-options"))
1612                                 use_push_options = 1;
1613                 }
1614
1615                 if (!strcmp(line, "push-cert")) {
1616                         int true_flush = 0;
1617                         char certbuf[1024];
1618
1619                         for (;;) {
1620                                 len = packet_read(0, NULL, NULL,
1621                                                   certbuf, sizeof(certbuf), 0);
1622                                 if (!len) {
1623                                         true_flush = 1;
1624                                         break;
1625                                 }
1626                                 if (!strcmp(certbuf, "push-cert-end\n"))
1627                                         break; /* end of cert */
1628                                 strbuf_addstr(&push_cert, certbuf);
1629                         }
1630
1631                         if (true_flush)
1632                                 break;
1633                         continue;
1634                 }
1635
1636                 p = queue_command(p, line, linelen);
1637         }
1638
1639         if (push_cert.len)
1640                 queue_commands_from_cert(p, &push_cert);
1641
1642         return commands;
1643 }
1644
1645 static void read_push_options(struct string_list *options)
1646 {
1647         while (1) {
1648                 char *line;
1649                 int len;
1650
1651                 line = packet_read_line(0, &len);
1652
1653                 if (!line)
1654                         break;
1655
1656                 string_list_append(options, line);
1657         }
1658 }
1659
1660 static const char *parse_pack_header(struct pack_header *hdr)
1661 {
1662         switch (read_pack_header(0, hdr)) {
1663         case PH_ERROR_EOF:
1664                 return "eof before pack header was fully read";
1665
1666         case PH_ERROR_PACK_SIGNATURE:
1667                 return "protocol error (pack signature mismatch detected)";
1668
1669         case PH_ERROR_PROTOCOL:
1670                 return "protocol error (pack version unsupported)";
1671
1672         default:
1673                 return "unknown error in parse_pack_header";
1674
1675         case 0:
1676                 return NULL;
1677         }
1678 }
1679
1680 static const char *pack_lockfile;
1681
1682 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1683 {
1684         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1685                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1686 }
1687
1688 static const char *unpack(int err_fd, struct shallow_info *si)
1689 {
1690         struct pack_header hdr;
1691         const char *hdr_err;
1692         int status;
1693         struct child_process child = CHILD_PROCESS_INIT;
1694         int fsck_objects = (receive_fsck_objects >= 0
1695                             ? receive_fsck_objects
1696                             : transfer_fsck_objects >= 0
1697                             ? transfer_fsck_objects
1698                             : 0);
1699
1700         hdr_err = parse_pack_header(&hdr);
1701         if (hdr_err) {
1702                 if (err_fd > 0)
1703                         close(err_fd);
1704                 return hdr_err;
1705         }
1706
1707         if (si->nr_ours || si->nr_theirs) {
1708                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1709                 argv_array_push(&child.args, "--shallow-file");
1710                 argv_array_push(&child.args, alt_shallow_file);
1711         }
1712
1713         tmp_objdir = tmp_objdir_create();
1714         if (!tmp_objdir) {
1715                 if (err_fd > 0)
1716                         close(err_fd);
1717                 return "unable to create temporary object directory";
1718         }
1719         child.env = tmp_objdir_env(tmp_objdir);
1720
1721         /*
1722          * Normally we just pass the tmp_objdir environment to the child
1723          * processes that do the heavy lifting, but we may need to see these
1724          * objects ourselves to set up shallow information.
1725          */
1726         tmp_objdir_add_as_alternate(tmp_objdir);
1727
1728         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1729                 argv_array_push(&child.args, "unpack-objects");
1730                 push_header_arg(&child.args, &hdr);
1731                 if (quiet)
1732                         argv_array_push(&child.args, "-q");
1733                 if (fsck_objects)
1734                         argv_array_pushf(&child.args, "--strict%s",
1735                                 fsck_msg_types.buf);
1736                 if (max_input_size)
1737                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1738                                 (uintmax_t)max_input_size);
1739                 child.no_stdout = 1;
1740                 child.err = err_fd;
1741                 child.git_cmd = 1;
1742                 status = run_command(&child);
1743                 if (status)
1744                         return "unpack-objects abnormal exit";
1745         } else {
1746                 char hostname[HOST_NAME_MAX + 1];
1747
1748                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1749                 push_header_arg(&child.args, &hdr);
1750
1751                 if (xgethostname(hostname, sizeof(hostname)))
1752                         xsnprintf(hostname, sizeof(hostname), "localhost");
1753                 argv_array_pushf(&child.args,
1754                                  "--keep=receive-pack %"PRIuMAX" on %s",
1755                                  (uintmax_t)getpid(),
1756                                  hostname);
1757
1758                 if (!quiet && err_fd)
1759                         argv_array_push(&child.args, "--show-resolving-progress");
1760                 if (use_sideband)
1761                         argv_array_push(&child.args, "--report-end-of-input");
1762                 if (fsck_objects)
1763                         argv_array_pushf(&child.args, "--strict%s",
1764                                 fsck_msg_types.buf);
1765                 if (!reject_thin)
1766                         argv_array_push(&child.args, "--fix-thin");
1767                 if (max_input_size)
1768                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1769                                 (uintmax_t)max_input_size);
1770                 child.out = -1;
1771                 child.err = err_fd;
1772                 child.git_cmd = 1;
1773                 status = start_command(&child);
1774                 if (status)
1775                         return "index-pack fork failed";
1776                 pack_lockfile = index_pack_lockfile(child.out);
1777                 close(child.out);
1778                 status = finish_command(&child);
1779                 if (status)
1780                         return "index-pack abnormal exit";
1781                 reprepare_packed_git();
1782         }
1783         return NULL;
1784 }
1785
1786 static const char *unpack_with_sideband(struct shallow_info *si)
1787 {
1788         struct async muxer;
1789         const char *ret;
1790
1791         if (!use_sideband)
1792                 return unpack(0, si);
1793
1794         use_keepalive = KEEPALIVE_AFTER_NUL;
1795         memset(&muxer, 0, sizeof(muxer));
1796         muxer.proc = copy_to_sideband;
1797         muxer.in = -1;
1798         if (start_async(&muxer))
1799                 return NULL;
1800
1801         ret = unpack(muxer.in, si);
1802
1803         finish_async(&muxer);
1804         return ret;
1805 }
1806
1807 static void prepare_shallow_update(struct command *commands,
1808                                    struct shallow_info *si)
1809 {
1810         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1811
1812         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1813         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1814
1815         si->need_reachability_test =
1816                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1817         si->reachable =
1818                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1819         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1820
1821         for (i = 0; i < si->nr_ours; i++)
1822                 si->need_reachability_test[si->ours[i]] = 1;
1823
1824         for (i = 0; i < si->shallow->nr; i++) {
1825                 if (!si->used_shallow[i])
1826                         continue;
1827                 for (j = 0; j < bitmap_size; j++) {
1828                         if (!si->used_shallow[i][j])
1829                                 continue;
1830                         si->need_reachability_test[i]++;
1831                         for (k = 0; k < 32; k++)
1832                                 if (si->used_shallow[i][j] & (1U << k))
1833                                         si->shallow_ref[j * 32 + k]++;
1834                 }
1835
1836                 /*
1837                  * true for those associated with some refs and belong
1838                  * in "ours" list aka "step 7 not done yet"
1839                  */
1840                 si->need_reachability_test[i] =
1841                         si->need_reachability_test[i] > 1;
1842         }
1843
1844         /*
1845          * keep hooks happy by forcing a temporary shallow file via
1846          * env variable because we can't add --shallow-file to every
1847          * command. check_everything_connected() will be done with
1848          * true .git/shallow though.
1849          */
1850         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1851 }
1852
1853 static void update_shallow_info(struct command *commands,
1854                                 struct shallow_info *si,
1855                                 struct oid_array *ref)
1856 {
1857         struct command *cmd;
1858         int *ref_status;
1859         remove_nonexistent_theirs_shallow(si);
1860         if (!si->nr_ours && !si->nr_theirs) {
1861                 shallow_update = 0;
1862                 return;
1863         }
1864
1865         for (cmd = commands; cmd; cmd = cmd->next) {
1866                 if (is_null_oid(&cmd->new_oid))
1867                         continue;
1868                 oid_array_append(ref, &cmd->new_oid);
1869                 cmd->index = ref->nr - 1;
1870         }
1871         si->ref = ref;
1872
1873         if (shallow_update) {
1874                 prepare_shallow_update(commands, si);
1875                 return;
1876         }
1877
1878         ALLOC_ARRAY(ref_status, ref->nr);
1879         assign_shallow_commits_to_refs(si, NULL, ref_status);
1880         for (cmd = commands; cmd; cmd = cmd->next) {
1881                 if (is_null_oid(&cmd->new_oid))
1882                         continue;
1883                 if (ref_status[cmd->index]) {
1884                         cmd->error_string = "shallow update not allowed";
1885                         cmd->skip_update = 1;
1886                 }
1887         }
1888         free(ref_status);
1889 }
1890
1891 static void report(struct command *commands, const char *unpack_status)
1892 {
1893         struct command *cmd;
1894         struct strbuf buf = STRBUF_INIT;
1895
1896         packet_buf_write(&buf, "unpack %s\n",
1897                          unpack_status ? unpack_status : "ok");
1898         for (cmd = commands; cmd; cmd = cmd->next) {
1899                 if (!cmd->error_string)
1900                         packet_buf_write(&buf, "ok %s\n",
1901                                          cmd->ref_name);
1902                 else
1903                         packet_buf_write(&buf, "ng %s %s\n",
1904                                          cmd->ref_name, cmd->error_string);
1905         }
1906         packet_buf_flush(&buf);
1907
1908         if (use_sideband)
1909                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1910         else
1911                 write_or_die(1, buf.buf, buf.len);
1912         strbuf_release(&buf);
1913 }
1914
1915 static int delete_only(struct command *commands)
1916 {
1917         struct command *cmd;
1918         for (cmd = commands; cmd; cmd = cmd->next) {
1919                 if (!is_null_oid(&cmd->new_oid))
1920                         return 0;
1921         }
1922         return 1;
1923 }
1924
1925 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1926 {
1927         int advertise_refs = 0;
1928         struct command *commands;
1929         struct oid_array shallow = OID_ARRAY_INIT;
1930         struct oid_array ref = OID_ARRAY_INIT;
1931         struct shallow_info si;
1932
1933         struct option options[] = {
1934                 OPT__QUIET(&quiet, N_("quiet")),
1935                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1936                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1937                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1938                 OPT_END()
1939         };
1940
1941         packet_trace_identity("receive-pack");
1942
1943         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1944
1945         if (argc > 1)
1946                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1947         if (argc == 0)
1948                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1949
1950         service_dir = argv[0];
1951
1952         setup_path();
1953
1954         if (!enter_repo(service_dir, 0))
1955                 die("'%s' does not appear to be a git repository", service_dir);
1956
1957         git_config(receive_pack_config, NULL);
1958         if (cert_nonce_seed)
1959                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1960
1961         if (0 <= transfer_unpack_limit)
1962                 unpack_limit = transfer_unpack_limit;
1963         else if (0 <= receive_unpack_limit)
1964                 unpack_limit = receive_unpack_limit;
1965
1966         if (advertise_refs || !stateless_rpc) {
1967                 write_head_info();
1968         }
1969         if (advertise_refs)
1970                 return 0;
1971
1972         if ((commands = read_head_info(&shallow)) != NULL) {
1973                 const char *unpack_status = NULL;
1974                 struct string_list push_options = STRING_LIST_INIT_DUP;
1975
1976                 if (use_push_options)
1977                         read_push_options(&push_options);
1978                 if (!check_cert_push_options(&push_options)) {
1979                         struct command *cmd;
1980                         for (cmd = commands; cmd; cmd = cmd->next)
1981                                 cmd->error_string = "inconsistent push options";
1982                 }
1983
1984                 prepare_shallow_info(&si, &shallow);
1985                 if (!si.nr_ours && !si.nr_theirs)
1986                         shallow_update = 0;
1987                 if (!delete_only(commands)) {
1988                         unpack_status = unpack_with_sideband(&si);
1989                         update_shallow_info(commands, &si, &ref);
1990                 }
1991                 use_keepalive = KEEPALIVE_ALWAYS;
1992                 execute_commands(commands, unpack_status, &si,
1993                                  &push_options);
1994                 if (pack_lockfile)
1995                         unlink_or_warn(pack_lockfile);
1996                 if (report_status)
1997                         report(commands, unpack_status);
1998                 run_receive_hook(commands, "post-receive", 1,
1999                                  &push_options);
2000                 run_update_post_hook(commands);
2001                 string_list_clear(&push_options, 0);
2002                 if (auto_gc) {
2003                         const char *argv_gc_auto[] = {
2004                                 "gc", "--auto", "--quiet", NULL,
2005                         };
2006                         struct child_process proc = CHILD_PROCESS_INIT;
2007
2008                         proc.no_stdin = 1;
2009                         proc.stdout_to_stderr = 1;
2010                         proc.err = use_sideband ? -1 : 0;
2011                         proc.git_cmd = 1;
2012                         proc.argv = argv_gc_auto;
2013
2014                         close_all_packs();
2015                         if (!start_command(&proc)) {
2016                                 if (use_sideband)
2017                                         copy_to_sideband(proc.err, -1, NULL);
2018                                 finish_command(&proc);
2019                         }
2020                 }
2021                 if (auto_update_server_info)
2022                         update_server_info(0);
2023                 clear_shallow_info(&si);
2024         }
2025         if (use_sideband)
2026                 packet_flush(1);
2027         oid_array_clear(&shallow);
2028         oid_array_clear(&ref);
2029         free((void *)push_cert_nonce);
2030         return 0;
2031 }