Merge branch 'jk/log-missing-default-HEAD'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23
24 static const char receive_pack_usage[] = "git receive-pack <git-dir>";
25
26 enum deny_action {
27         DENY_UNCONFIGURED,
28         DENY_IGNORE,
29         DENY_WARN,
30         DENY_REFUSE,
31         DENY_UPDATE_INSTEAD
32 };
33
34 static int deny_deletes;
35 static int deny_non_fast_forwards;
36 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
37 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
38 static int receive_fsck_objects = -1;
39 static int transfer_fsck_objects = -1;
40 static struct strbuf fsck_msg_types = STRBUF_INIT;
41 static int receive_unpack_limit = -1;
42 static int transfer_unpack_limit = -1;
43 static int advertise_atomic_push = 1;
44 static int unpack_limit = 100;
45 static int report_status;
46 static int use_sideband;
47 static int use_atomic;
48 static int quiet;
49 static int prefer_ofs_delta = 1;
50 static int auto_update_server_info;
51 static int auto_gc = 1;
52 static int fix_thin = 1;
53 static int stateless_rpc;
54 static const char *service_dir;
55 static const char *head_name;
56 static void *head_name_to_free;
57 static int sent_capabilities;
58 static int shallow_update;
59 static const char *alt_shallow_file;
60 static struct strbuf push_cert = STRBUF_INIT;
61 static unsigned char push_cert_sha1[20];
62 static struct signature_check sigcheck;
63 static const char *push_cert_nonce;
64 static const char *cert_nonce_seed;
65
66 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
67 static const char *NONCE_BAD = "BAD";
68 static const char *NONCE_MISSING = "MISSING";
69 static const char *NONCE_OK = "OK";
70 static const char *NONCE_SLOP = "SLOP";
71 static const char *nonce_status;
72 static long nonce_stamp_slop;
73 static unsigned long nonce_stamp_slop_limit;
74 static struct ref_transaction *transaction;
75
76 static enum deny_action parse_deny_action(const char *var, const char *value)
77 {
78         if (value) {
79                 if (!strcasecmp(value, "ignore"))
80                         return DENY_IGNORE;
81                 if (!strcasecmp(value, "warn"))
82                         return DENY_WARN;
83                 if (!strcasecmp(value, "refuse"))
84                         return DENY_REFUSE;
85                 if (!strcasecmp(value, "updateinstead"))
86                         return DENY_UPDATE_INSTEAD;
87         }
88         if (git_config_bool(var, value))
89                 return DENY_REFUSE;
90         return DENY_IGNORE;
91 }
92
93 static int receive_pack_config(const char *var, const char *value, void *cb)
94 {
95         int status = parse_hide_refs_config(var, value, "receive");
96
97         if (status)
98                 return status;
99
100         if (strcmp(var, "receive.denydeletes") == 0) {
101                 deny_deletes = git_config_bool(var, value);
102                 return 0;
103         }
104
105         if (strcmp(var, "receive.denynonfastforwards") == 0) {
106                 deny_non_fast_forwards = git_config_bool(var, value);
107                 return 0;
108         }
109
110         if (strcmp(var, "receive.unpacklimit") == 0) {
111                 receive_unpack_limit = git_config_int(var, value);
112                 return 0;
113         }
114
115         if (strcmp(var, "transfer.unpacklimit") == 0) {
116                 transfer_unpack_limit = git_config_int(var, value);
117                 return 0;
118         }
119
120         if (strcmp(var, "receive.fsck.skiplist") == 0) {
121                 const char *path;
122
123                 if (git_config_pathname(&path, var, value))
124                         return 1;
125                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
126                         fsck_msg_types.len ? ',' : '=', path);
127                 free((char *)path);
128                 return 0;
129         }
130
131         if (skip_prefix(var, "receive.fsck.", &var)) {
132                 if (is_valid_msg_type(var, value))
133                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
134                                 fsck_msg_types.len ? ',' : '=', var, value);
135                 else
136                         warning("Skipping unknown msg id '%s'", var);
137                 return 0;
138         }
139
140         if (strcmp(var, "receive.fsckobjects") == 0) {
141                 receive_fsck_objects = git_config_bool(var, value);
142                 return 0;
143         }
144
145         if (strcmp(var, "transfer.fsckobjects") == 0) {
146                 transfer_fsck_objects = git_config_bool(var, value);
147                 return 0;
148         }
149
150         if (!strcmp(var, "receive.denycurrentbranch")) {
151                 deny_current_branch = parse_deny_action(var, value);
152                 return 0;
153         }
154
155         if (strcmp(var, "receive.denydeletecurrent") == 0) {
156                 deny_delete_current = parse_deny_action(var, value);
157                 return 0;
158         }
159
160         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
161                 prefer_ofs_delta = git_config_bool(var, value);
162                 return 0;
163         }
164
165         if (strcmp(var, "receive.updateserverinfo") == 0) {
166                 auto_update_server_info = git_config_bool(var, value);
167                 return 0;
168         }
169
170         if (strcmp(var, "receive.autogc") == 0) {
171                 auto_gc = git_config_bool(var, value);
172                 return 0;
173         }
174
175         if (strcmp(var, "receive.shallowupdate") == 0) {
176                 shallow_update = git_config_bool(var, value);
177                 return 0;
178         }
179
180         if (strcmp(var, "receive.certnonceseed") == 0)
181                 return git_config_string(&cert_nonce_seed, var, value);
182
183         if (strcmp(var, "receive.certnonceslop") == 0) {
184                 nonce_stamp_slop_limit = git_config_ulong(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.advertiseatomic") == 0) {
189                 advertise_atomic_push = git_config_bool(var, value);
190                 return 0;
191         }
192
193         return git_default_config(var, value, cb);
194 }
195
196 static void show_ref(const char *path, const unsigned char *sha1)
197 {
198         if (ref_is_hidden(path))
199                 return;
200
201         if (sent_capabilities) {
202                 packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
203         } else {
204                 struct strbuf cap = STRBUF_INIT;
205
206                 strbuf_addstr(&cap,
207                               "report-status delete-refs side-band-64k quiet");
208                 if (advertise_atomic_push)
209                         strbuf_addstr(&cap, " atomic");
210                 if (prefer_ofs_delta)
211                         strbuf_addstr(&cap, " ofs-delta");
212                 if (push_cert_nonce)
213                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
214                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
215                 packet_write(1, "%s %s%c%s\n",
216                              sha1_to_hex(sha1), path, 0, cap.buf);
217                 strbuf_release(&cap);
218                 sent_capabilities = 1;
219         }
220 }
221
222 static int show_ref_cb(const char *path, const struct object_id *oid, int flag, void *unused)
223 {
224         path = strip_namespace(path);
225         /*
226          * Advertise refs outside our current namespace as ".have"
227          * refs, so that the client can use them to minimize data
228          * transfer but will otherwise ignore them. This happens to
229          * cover ".have" that are thrown in by add_one_alternate_ref()
230          * to mark histories that are complete in our alternates as
231          * well.
232          */
233         if (!path)
234                 path = ".have";
235         show_ref(path, oid->hash);
236         return 0;
237 }
238
239 static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
240 {
241         show_ref(".have", sha1);
242 }
243
244 static void collect_one_alternate_ref(const struct ref *ref, void *data)
245 {
246         struct sha1_array *sa = data;
247         sha1_array_append(sa, ref->old_sha1);
248 }
249
250 static void write_head_info(void)
251 {
252         struct sha1_array sa = SHA1_ARRAY_INIT;
253
254         for_each_alternate_ref(collect_one_alternate_ref, &sa);
255         sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
256         sha1_array_clear(&sa);
257         for_each_ref(show_ref_cb, NULL);
258         if (!sent_capabilities)
259                 show_ref("capabilities^{}", null_sha1);
260
261         advertise_shallow_grafts(1);
262
263         /* EOF */
264         packet_flush(1);
265 }
266
267 struct command {
268         struct command *next;
269         const char *error_string;
270         unsigned int skip_update:1,
271                      did_not_exist:1;
272         int index;
273         unsigned char old_sha1[20];
274         unsigned char new_sha1[20];
275         char ref_name[FLEX_ARRAY]; /* more */
276 };
277
278 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
279 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
280
281 static void report_message(const char *prefix, const char *err, va_list params)
282 {
283         int sz = strlen(prefix);
284         char msg[4096];
285
286         strncpy(msg, prefix, sz);
287         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
288         if (sz > (sizeof(msg) - 1))
289                 sz = sizeof(msg) - 1;
290         msg[sz++] = '\n';
291
292         if (use_sideband)
293                 send_sideband(1, 2, msg, sz, use_sideband);
294         else
295                 xwrite(2, msg, sz);
296 }
297
298 static void rp_warning(const char *err, ...)
299 {
300         va_list params;
301         va_start(params, err);
302         report_message("warning: ", err, params);
303         va_end(params);
304 }
305
306 static void rp_error(const char *err, ...)
307 {
308         va_list params;
309         va_start(params, err);
310         report_message("error: ", err, params);
311         va_end(params);
312 }
313
314 static int copy_to_sideband(int in, int out, void *arg)
315 {
316         char data[128];
317         while (1) {
318                 ssize_t sz = xread(in, data, sizeof(data));
319                 if (sz <= 0)
320                         break;
321                 send_sideband(1, 2, data, sz, use_sideband);
322         }
323         close(in);
324         return 0;
325 }
326
327 #define HMAC_BLOCK_SIZE 64
328
329 static void hmac_sha1(unsigned char *out,
330                       const char *key_in, size_t key_len,
331                       const char *text, size_t text_len)
332 {
333         unsigned char key[HMAC_BLOCK_SIZE];
334         unsigned char k_ipad[HMAC_BLOCK_SIZE];
335         unsigned char k_opad[HMAC_BLOCK_SIZE];
336         int i;
337         git_SHA_CTX ctx;
338
339         /* RFC 2104 2. (1) */
340         memset(key, '\0', HMAC_BLOCK_SIZE);
341         if (HMAC_BLOCK_SIZE < key_len) {
342                 git_SHA1_Init(&ctx);
343                 git_SHA1_Update(&ctx, key_in, key_len);
344                 git_SHA1_Final(key, &ctx);
345         } else {
346                 memcpy(key, key_in, key_len);
347         }
348
349         /* RFC 2104 2. (2) & (5) */
350         for (i = 0; i < sizeof(key); i++) {
351                 k_ipad[i] = key[i] ^ 0x36;
352                 k_opad[i] = key[i] ^ 0x5c;
353         }
354
355         /* RFC 2104 2. (3) & (4) */
356         git_SHA1_Init(&ctx);
357         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
358         git_SHA1_Update(&ctx, text, text_len);
359         git_SHA1_Final(out, &ctx);
360
361         /* RFC 2104 2. (6) & (7) */
362         git_SHA1_Init(&ctx);
363         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
364         git_SHA1_Update(&ctx, out, 20);
365         git_SHA1_Final(out, &ctx);
366 }
367
368 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
369 {
370         struct strbuf buf = STRBUF_INIT;
371         unsigned char sha1[20];
372
373         strbuf_addf(&buf, "%s:%lu", path, stamp);
374         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
375         strbuf_release(&buf);
376
377         /* RFC 2104 5. HMAC-SHA1-80 */
378         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
379         return strbuf_detach(&buf, NULL);
380 }
381
382 /*
383  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
384  * after dropping "_commit" from its name and possibly moving it out
385  * of commit.c
386  */
387 static char *find_header(const char *msg, size_t len, const char *key)
388 {
389         int key_len = strlen(key);
390         const char *line = msg;
391
392         while (line && line < msg + len) {
393                 const char *eol = strchrnul(line, '\n');
394
395                 if ((msg + len <= eol) || line == eol)
396                         return NULL;
397                 if (line + key_len < eol &&
398                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
399                         int offset = key_len + 1;
400                         return xmemdupz(line + offset, (eol - line) - offset);
401                 }
402                 line = *eol ? eol + 1 : NULL;
403         }
404         return NULL;
405 }
406
407 static const char *check_nonce(const char *buf, size_t len)
408 {
409         char *nonce = find_header(buf, len, "nonce");
410         unsigned long stamp, ostamp;
411         char *bohmac, *expect = NULL;
412         const char *retval = NONCE_BAD;
413
414         if (!nonce) {
415                 retval = NONCE_MISSING;
416                 goto leave;
417         } else if (!push_cert_nonce) {
418                 retval = NONCE_UNSOLICITED;
419                 goto leave;
420         } else if (!strcmp(push_cert_nonce, nonce)) {
421                 retval = NONCE_OK;
422                 goto leave;
423         }
424
425         if (!stateless_rpc) {
426                 /* returned nonce MUST match what we gave out earlier */
427                 retval = NONCE_BAD;
428                 goto leave;
429         }
430
431         /*
432          * In stateless mode, we may be receiving a nonce issued by
433          * another instance of the server that serving the same
434          * repository, and the timestamps may not match, but the
435          * nonce-seed and dir should match, so we can recompute and
436          * report the time slop.
437          *
438          * In addition, when a nonce issued by another instance has
439          * timestamp within receive.certnonceslop seconds, we pretend
440          * as if we issued that nonce when reporting to the hook.
441          */
442
443         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
444         if (*nonce <= '0' || '9' < *nonce) {
445                 retval = NONCE_BAD;
446                 goto leave;
447         }
448         stamp = strtoul(nonce, &bohmac, 10);
449         if (bohmac == nonce || bohmac[0] != '-') {
450                 retval = NONCE_BAD;
451                 goto leave;
452         }
453
454         expect = prepare_push_cert_nonce(service_dir, stamp);
455         if (strcmp(expect, nonce)) {
456                 /* Not what we would have signed earlier */
457                 retval = NONCE_BAD;
458                 goto leave;
459         }
460
461         /*
462          * By how many seconds is this nonce stale?  Negative value
463          * would mean it was issued by another server with its clock
464          * skewed in the future.
465          */
466         ostamp = strtoul(push_cert_nonce, NULL, 10);
467         nonce_stamp_slop = (long)ostamp - (long)stamp;
468
469         if (nonce_stamp_slop_limit &&
470             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
471                 /*
472                  * Pretend as if the received nonce (which passes the
473                  * HMAC check, so it is not a forged by third-party)
474                  * is what we issued.
475                  */
476                 free((void *)push_cert_nonce);
477                 push_cert_nonce = xstrdup(nonce);
478                 retval = NONCE_OK;
479         } else {
480                 retval = NONCE_SLOP;
481         }
482
483 leave:
484         free(nonce);
485         free(expect);
486         return retval;
487 }
488
489 static void prepare_push_cert_sha1(struct child_process *proc)
490 {
491         static int already_done;
492
493         if (!push_cert.len)
494                 return;
495
496         if (!already_done) {
497                 struct strbuf gpg_output = STRBUF_INIT;
498                 struct strbuf gpg_status = STRBUF_INIT;
499                 int bogs /* beginning_of_gpg_sig */;
500
501                 already_done = 1;
502                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
503                         hashclr(push_cert_sha1);
504
505                 memset(&sigcheck, '\0', sizeof(sigcheck));
506                 sigcheck.result = 'N';
507
508                 bogs = parse_signature(push_cert.buf, push_cert.len);
509                 if (verify_signed_buffer(push_cert.buf, bogs,
510                                          push_cert.buf + bogs, push_cert.len - bogs,
511                                          &gpg_output, &gpg_status) < 0) {
512                         ; /* error running gpg */
513                 } else {
514                         sigcheck.payload = push_cert.buf;
515                         sigcheck.gpg_output = gpg_output.buf;
516                         sigcheck.gpg_status = gpg_status.buf;
517                         parse_gpg_output(&sigcheck);
518                 }
519
520                 strbuf_release(&gpg_output);
521                 strbuf_release(&gpg_status);
522                 nonce_status = check_nonce(push_cert.buf, bogs);
523         }
524         if (!is_null_sha1(push_cert_sha1)) {
525                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
526                                  sha1_to_hex(push_cert_sha1));
527                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
528                                  sigcheck.signer ? sigcheck.signer : "");
529                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
530                                  sigcheck.key ? sigcheck.key : "");
531                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
532                                  sigcheck.result);
533                 if (push_cert_nonce) {
534                         argv_array_pushf(&proc->env_array,
535                                          "GIT_PUSH_CERT_NONCE=%s",
536                                          push_cert_nonce);
537                         argv_array_pushf(&proc->env_array,
538                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
539                                          nonce_status);
540                         if (nonce_status == NONCE_SLOP)
541                                 argv_array_pushf(&proc->env_array,
542                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
543                                                  nonce_stamp_slop);
544                 }
545         }
546 }
547
548 typedef int (*feed_fn)(void *, const char **, size_t *);
549 static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
550 {
551         struct child_process proc = CHILD_PROCESS_INIT;
552         struct async muxer;
553         const char *argv[2];
554         int code;
555
556         argv[0] = find_hook(hook_name);
557         if (!argv[0])
558                 return 0;
559
560         argv[1] = NULL;
561
562         proc.argv = argv;
563         proc.in = -1;
564         proc.stdout_to_stderr = 1;
565
566         if (use_sideband) {
567                 memset(&muxer, 0, sizeof(muxer));
568                 muxer.proc = copy_to_sideband;
569                 muxer.in = -1;
570                 code = start_async(&muxer);
571                 if (code)
572                         return code;
573                 proc.err = muxer.in;
574         }
575
576         prepare_push_cert_sha1(&proc);
577
578         code = start_command(&proc);
579         if (code) {
580                 if (use_sideband)
581                         finish_async(&muxer);
582                 return code;
583         }
584
585         sigchain_push(SIGPIPE, SIG_IGN);
586
587         while (1) {
588                 const char *buf;
589                 size_t n;
590                 if (feed(feed_state, &buf, &n))
591                         break;
592                 if (write_in_full(proc.in, buf, n) != n)
593                         break;
594         }
595         close(proc.in);
596         if (use_sideband)
597                 finish_async(&muxer);
598
599         sigchain_pop(SIGPIPE);
600
601         return finish_command(&proc);
602 }
603
604 struct receive_hook_feed_state {
605         struct command *cmd;
606         int skip_broken;
607         struct strbuf buf;
608 };
609
610 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
611 {
612         struct receive_hook_feed_state *state = state_;
613         struct command *cmd = state->cmd;
614
615         while (cmd &&
616                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
617                 cmd = cmd->next;
618         if (!cmd)
619                 return -1; /* EOF */
620         strbuf_reset(&state->buf);
621         strbuf_addf(&state->buf, "%s %s %s\n",
622                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
623                     cmd->ref_name);
624         state->cmd = cmd->next;
625         if (bufp) {
626                 *bufp = state->buf.buf;
627                 *sizep = state->buf.len;
628         }
629         return 0;
630 }
631
632 static int run_receive_hook(struct command *commands, const char *hook_name,
633                             int skip_broken)
634 {
635         struct receive_hook_feed_state state;
636         int status;
637
638         strbuf_init(&state.buf, 0);
639         state.cmd = commands;
640         state.skip_broken = skip_broken;
641         if (feed_receive_hook(&state, NULL, NULL))
642                 return 0;
643         state.cmd = commands;
644         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
645         strbuf_release(&state.buf);
646         return status;
647 }
648
649 static int run_update_hook(struct command *cmd)
650 {
651         const char *argv[5];
652         struct child_process proc = CHILD_PROCESS_INIT;
653         int code;
654
655         argv[0] = find_hook("update");
656         if (!argv[0])
657                 return 0;
658
659         argv[1] = cmd->ref_name;
660         argv[2] = sha1_to_hex(cmd->old_sha1);
661         argv[3] = sha1_to_hex(cmd->new_sha1);
662         argv[4] = NULL;
663
664         proc.no_stdin = 1;
665         proc.stdout_to_stderr = 1;
666         proc.err = use_sideband ? -1 : 0;
667         proc.argv = argv;
668
669         code = start_command(&proc);
670         if (code)
671                 return code;
672         if (use_sideband)
673                 copy_to_sideband(proc.err, -1, NULL);
674         return finish_command(&proc);
675 }
676
677 static int is_ref_checked_out(const char *ref)
678 {
679         if (is_bare_repository())
680                 return 0;
681
682         if (!head_name)
683                 return 0;
684         return !strcmp(head_name, ref);
685 }
686
687 static char *refuse_unconfigured_deny_msg[] = {
688         "By default, updating the current branch in a non-bare repository",
689         "is denied, because it will make the index and work tree inconsistent",
690         "with what you pushed, and will require 'git reset --hard' to match",
691         "the work tree to HEAD.",
692         "",
693         "You can set 'receive.denyCurrentBranch' configuration variable to",
694         "'ignore' or 'warn' in the remote repository to allow pushing into",
695         "its current branch; however, this is not recommended unless you",
696         "arranged to update its work tree to match what you pushed in some",
697         "other way.",
698         "",
699         "To squelch this message and still keep the default behaviour, set",
700         "'receive.denyCurrentBranch' configuration variable to 'refuse'."
701 };
702
703 static void refuse_unconfigured_deny(void)
704 {
705         int i;
706         for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
707                 rp_error("%s", refuse_unconfigured_deny_msg[i]);
708 }
709
710 static char *refuse_unconfigured_deny_delete_current_msg[] = {
711         "By default, deleting the current branch is denied, because the next",
712         "'git clone' won't result in any file checked out, causing confusion.",
713         "",
714         "You can set 'receive.denyDeleteCurrent' configuration variable to",
715         "'warn' or 'ignore' in the remote repository to allow deleting the",
716         "current branch, with or without a warning message.",
717         "",
718         "To squelch this message, you can set it to 'refuse'."
719 };
720
721 static void refuse_unconfigured_deny_delete_current(void)
722 {
723         int i;
724         for (i = 0;
725              i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
726              i++)
727                 rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
728 }
729
730 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
731 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
732 {
733         static struct lock_file shallow_lock;
734         struct sha1_array extra = SHA1_ARRAY_INIT;
735         const char *alt_file;
736         uint32_t mask = 1 << (cmd->index % 32);
737         int i;
738
739         trace_printf_key(&trace_shallow,
740                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
741         for (i = 0; i < si->shallow->nr; i++)
742                 if (si->used_shallow[i] &&
743                     (si->used_shallow[i][cmd->index / 32] & mask) &&
744                     !delayed_reachability_test(si, i))
745                         sha1_array_append(&extra, si->shallow->sha1[i]);
746
747         setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
748         if (check_shallow_connected(command_singleton_iterator,
749                                     0, cmd, alt_file)) {
750                 rollback_lock_file(&shallow_lock);
751                 sha1_array_clear(&extra);
752                 return -1;
753         }
754
755         commit_lock_file(&shallow_lock);
756
757         /*
758          * Make sure setup_alternate_shallow() for the next ref does
759          * not lose these new roots..
760          */
761         for (i = 0; i < extra.nr; i++)
762                 register_shallow(extra.sha1[i]);
763
764         si->shallow_ref[cmd->index] = 0;
765         sha1_array_clear(&extra);
766         return 0;
767 }
768
769 /*
770  * NEEDSWORK: we should consolidate various implementions of "are we
771  * on an unborn branch?" test into one, and make the unified one more
772  * robust. !get_sha1() based check used here and elsewhere would not
773  * allow us to tell an unborn branch from corrupt ref, for example.
774  * For the purpose of fixing "deploy-to-update does not work when
775  * pushing into an empty repository" issue, this should suffice for
776  * now.
777  */
778 static int head_has_history(void)
779 {
780         unsigned char sha1[20];
781
782         return !get_sha1("HEAD", sha1);
783 }
784
785 static const char *push_to_deploy(unsigned char *sha1,
786                                   struct argv_array *env,
787                                   const char *work_tree)
788 {
789         const char *update_refresh[] = {
790                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
791         };
792         const char *diff_files[] = {
793                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
794         };
795         const char *diff_index[] = {
796                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
797                 NULL, "--", NULL
798         };
799         const char *read_tree[] = {
800                 "read-tree", "-u", "-m", NULL, NULL
801         };
802         struct child_process child = CHILD_PROCESS_INIT;
803
804         child.argv = update_refresh;
805         child.env = env->argv;
806         child.dir = work_tree;
807         child.no_stdin = 1;
808         child.stdout_to_stderr = 1;
809         child.git_cmd = 1;
810         if (run_command(&child))
811                 return "Up-to-date check failed";
812
813         /* run_command() does not clean up completely; reinitialize */
814         child_process_init(&child);
815         child.argv = diff_files;
816         child.env = env->argv;
817         child.dir = work_tree;
818         child.no_stdin = 1;
819         child.stdout_to_stderr = 1;
820         child.git_cmd = 1;
821         if (run_command(&child))
822                 return "Working directory has unstaged changes";
823
824         /* diff-index with either HEAD or an empty tree */
825         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
826
827         child_process_init(&child);
828         child.argv = diff_index;
829         child.env = env->argv;
830         child.no_stdin = 1;
831         child.no_stdout = 1;
832         child.stdout_to_stderr = 0;
833         child.git_cmd = 1;
834         if (run_command(&child))
835                 return "Working directory has staged changes";
836
837         read_tree[3] = sha1_to_hex(sha1);
838         child_process_init(&child);
839         child.argv = read_tree;
840         child.env = env->argv;
841         child.dir = work_tree;
842         child.no_stdin = 1;
843         child.no_stdout = 1;
844         child.stdout_to_stderr = 0;
845         child.git_cmd = 1;
846         if (run_command(&child))
847                 return "Could not update working tree to new HEAD";
848
849         return NULL;
850 }
851
852 static const char *push_to_checkout_hook = "push-to-checkout";
853
854 static const char *push_to_checkout(unsigned char *sha1,
855                                     struct argv_array *env,
856                                     const char *work_tree)
857 {
858         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
859         if (run_hook_le(env->argv, push_to_checkout_hook,
860                         sha1_to_hex(sha1), NULL))
861                 return "push-to-checkout hook declined";
862         else
863                 return NULL;
864 }
865
866 static const char *update_worktree(unsigned char *sha1)
867 {
868         const char *retval;
869         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
870         struct argv_array env = ARGV_ARRAY_INIT;
871
872         if (is_bare_repository())
873                 return "denyCurrentBranch = updateInstead needs a worktree";
874
875         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
876
877         if (!find_hook(push_to_checkout_hook))
878                 retval = push_to_deploy(sha1, &env, work_tree);
879         else
880                 retval = push_to_checkout(sha1, &env, work_tree);
881
882         argv_array_clear(&env);
883         return retval;
884 }
885
886 static const char *update(struct command *cmd, struct shallow_info *si)
887 {
888         const char *name = cmd->ref_name;
889         struct strbuf namespaced_name_buf = STRBUF_INIT;
890         const char *namespaced_name, *ret;
891         unsigned char *old_sha1 = cmd->old_sha1;
892         unsigned char *new_sha1 = cmd->new_sha1;
893
894         /* only refs/... are allowed */
895         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
896                 rp_error("refusing to create funny ref '%s' remotely", name);
897                 return "funny refname";
898         }
899
900         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
901         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
902
903         if (is_ref_checked_out(namespaced_name)) {
904                 switch (deny_current_branch) {
905                 case DENY_IGNORE:
906                         break;
907                 case DENY_WARN:
908                         rp_warning("updating the current branch");
909                         break;
910                 case DENY_REFUSE:
911                 case DENY_UNCONFIGURED:
912                         rp_error("refusing to update checked out branch: %s", name);
913                         if (deny_current_branch == DENY_UNCONFIGURED)
914                                 refuse_unconfigured_deny();
915                         return "branch is currently checked out";
916                 case DENY_UPDATE_INSTEAD:
917                         ret = update_worktree(new_sha1);
918                         if (ret)
919                                 return ret;
920                         break;
921                 }
922         }
923
924         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
925                 error("unpack should have generated %s, "
926                       "but I can't find it!", sha1_to_hex(new_sha1));
927                 return "bad pack";
928         }
929
930         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
931                 if (deny_deletes && starts_with(name, "refs/heads/")) {
932                         rp_error("denying ref deletion for %s", name);
933                         return "deletion prohibited";
934                 }
935
936                 if (head_name && !strcmp(namespaced_name, head_name)) {
937                         switch (deny_delete_current) {
938                         case DENY_IGNORE:
939                                 break;
940                         case DENY_WARN:
941                                 rp_warning("deleting the current branch");
942                                 break;
943                         case DENY_REFUSE:
944                         case DENY_UNCONFIGURED:
945                         case DENY_UPDATE_INSTEAD:
946                                 if (deny_delete_current == DENY_UNCONFIGURED)
947                                         refuse_unconfigured_deny_delete_current();
948                                 rp_error("refusing to delete the current branch: %s", name);
949                                 return "deletion of the current branch prohibited";
950                         default:
951                                 return "Invalid denyDeleteCurrent setting";
952                         }
953                 }
954         }
955
956         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
957             !is_null_sha1(old_sha1) &&
958             starts_with(name, "refs/heads/")) {
959                 struct object *old_object, *new_object;
960                 struct commit *old_commit, *new_commit;
961
962                 old_object = parse_object(old_sha1);
963                 new_object = parse_object(new_sha1);
964
965                 if (!old_object || !new_object ||
966                     old_object->type != OBJ_COMMIT ||
967                     new_object->type != OBJ_COMMIT) {
968                         error("bad sha1 objects for %s", name);
969                         return "bad ref";
970                 }
971                 old_commit = (struct commit *)old_object;
972                 new_commit = (struct commit *)new_object;
973                 if (!in_merge_bases(old_commit, new_commit)) {
974                         rp_error("denying non-fast-forward %s"
975                                  " (you should pull first)", name);
976                         return "non-fast-forward";
977                 }
978         }
979         if (run_update_hook(cmd)) {
980                 rp_error("hook declined to update %s", name);
981                 return "hook declined";
982         }
983
984         if (is_null_sha1(new_sha1)) {
985                 struct strbuf err = STRBUF_INIT;
986                 if (!parse_object(old_sha1)) {
987                         old_sha1 = NULL;
988                         if (ref_exists(name)) {
989                                 rp_warning("Allowing deletion of corrupt ref.");
990                         } else {
991                                 rp_warning("Deleting a non-existent ref.");
992                                 cmd->did_not_exist = 1;
993                         }
994                 }
995                 if (ref_transaction_delete(transaction,
996                                            namespaced_name,
997                                            old_sha1,
998                                            0, "push", &err)) {
999                         rp_error("%s", err.buf);
1000                         strbuf_release(&err);
1001                         return "failed to delete";
1002                 }
1003                 strbuf_release(&err);
1004                 return NULL; /* good */
1005         }
1006         else {
1007                 struct strbuf err = STRBUF_INIT;
1008                 if (shallow_update && si->shallow_ref[cmd->index] &&
1009                     update_shallow_ref(cmd, si))
1010                         return "shallow error";
1011
1012                 if (ref_transaction_update(transaction,
1013                                            namespaced_name,
1014                                            new_sha1, old_sha1,
1015                                            0, "push",
1016                                            &err)) {
1017                         rp_error("%s", err.buf);
1018                         strbuf_release(&err);
1019
1020                         return "failed to update ref";
1021                 }
1022                 strbuf_release(&err);
1023
1024                 return NULL; /* good */
1025         }
1026 }
1027
1028 static void run_update_post_hook(struct command *commands)
1029 {
1030         struct command *cmd;
1031         int argc;
1032         const char **argv;
1033         struct child_process proc = CHILD_PROCESS_INIT;
1034         const char *hook;
1035
1036         hook = find_hook("post-update");
1037         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1038                 if (cmd->error_string || cmd->did_not_exist)
1039                         continue;
1040                 argc++;
1041         }
1042         if (!argc || !hook)
1043                 return;
1044
1045         argv = xmalloc(sizeof(*argv) * (2 + argc));
1046         argv[0] = hook;
1047
1048         for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1049                 if (cmd->error_string || cmd->did_not_exist)
1050                         continue;
1051                 argv[argc] = xstrdup(cmd->ref_name);
1052                 argc++;
1053         }
1054         argv[argc] = NULL;
1055
1056         proc.no_stdin = 1;
1057         proc.stdout_to_stderr = 1;
1058         proc.err = use_sideband ? -1 : 0;
1059         proc.argv = argv;
1060
1061         if (!start_command(&proc)) {
1062                 if (use_sideband)
1063                         copy_to_sideband(proc.err, -1, NULL);
1064                 finish_command(&proc);
1065         }
1066 }
1067
1068 static void check_aliased_update(struct command *cmd, struct string_list *list)
1069 {
1070         struct strbuf buf = STRBUF_INIT;
1071         const char *dst_name;
1072         struct string_list_item *item;
1073         struct command *dst_cmd;
1074         unsigned char sha1[20];
1075         char cmd_oldh[41], cmd_newh[41], dst_oldh[41], dst_newh[41];
1076         int flag;
1077
1078         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1079         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1080         strbuf_release(&buf);
1081
1082         if (!(flag & REF_ISSYMREF))
1083                 return;
1084
1085         dst_name = strip_namespace(dst_name);
1086         if (!dst_name) {
1087                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1088                 cmd->skip_update = 1;
1089                 cmd->error_string = "broken symref";
1090                 return;
1091         }
1092
1093         if ((item = string_list_lookup(list, dst_name)) == NULL)
1094                 return;
1095
1096         cmd->skip_update = 1;
1097
1098         dst_cmd = (struct command *) item->util;
1099
1100         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1101             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1102                 return;
1103
1104         dst_cmd->skip_update = 1;
1105
1106         strcpy(cmd_oldh, find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV));
1107         strcpy(cmd_newh, find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV));
1108         strcpy(dst_oldh, find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV));
1109         strcpy(dst_newh, find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1110         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1111                  " its target '%s' (%s..%s)",
1112                  cmd->ref_name, cmd_oldh, cmd_newh,
1113                  dst_cmd->ref_name, dst_oldh, dst_newh);
1114
1115         cmd->error_string = dst_cmd->error_string =
1116                 "inconsistent aliased update";
1117 }
1118
1119 static void check_aliased_updates(struct command *commands)
1120 {
1121         struct command *cmd;
1122         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1123
1124         for (cmd = commands; cmd; cmd = cmd->next) {
1125                 struct string_list_item *item =
1126                         string_list_append(&ref_list, cmd->ref_name);
1127                 item->util = (void *)cmd;
1128         }
1129         string_list_sort(&ref_list);
1130
1131         for (cmd = commands; cmd; cmd = cmd->next) {
1132                 if (!cmd->error_string)
1133                         check_aliased_update(cmd, &ref_list);
1134         }
1135
1136         string_list_clear(&ref_list, 0);
1137 }
1138
1139 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1140 {
1141         struct command **cmd_list = cb_data;
1142         struct command *cmd = *cmd_list;
1143
1144         if (!cmd || is_null_sha1(cmd->new_sha1))
1145                 return -1; /* end of list */
1146         *cmd_list = NULL; /* this returns only one */
1147         hashcpy(sha1, cmd->new_sha1);
1148         return 0;
1149 }
1150
1151 static void set_connectivity_errors(struct command *commands,
1152                                     struct shallow_info *si)
1153 {
1154         struct command *cmd;
1155
1156         for (cmd = commands; cmd; cmd = cmd->next) {
1157                 struct command *singleton = cmd;
1158                 if (shallow_update && si->shallow_ref[cmd->index])
1159                         /* to be checked in update_shallow_ref() */
1160                         continue;
1161                 if (!check_everything_connected(command_singleton_iterator,
1162                                                 0, &singleton))
1163                         continue;
1164                 cmd->error_string = "missing necessary objects";
1165         }
1166 }
1167
1168 struct iterate_data {
1169         struct command *cmds;
1170         struct shallow_info *si;
1171 };
1172
1173 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1174 {
1175         struct iterate_data *data = cb_data;
1176         struct command **cmd_list = &data->cmds;
1177         struct command *cmd = *cmd_list;
1178
1179         for (; cmd; cmd = cmd->next) {
1180                 if (shallow_update && data->si->shallow_ref[cmd->index])
1181                         /* to be checked in update_shallow_ref() */
1182                         continue;
1183                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1184                         hashcpy(sha1, cmd->new_sha1);
1185                         *cmd_list = cmd->next;
1186                         return 0;
1187                 }
1188         }
1189         *cmd_list = NULL;
1190         return -1; /* end of list */
1191 }
1192
1193 static void reject_updates_to_hidden(struct command *commands)
1194 {
1195         struct command *cmd;
1196
1197         for (cmd = commands; cmd; cmd = cmd->next) {
1198                 if (cmd->error_string || !ref_is_hidden(cmd->ref_name))
1199                         continue;
1200                 if (is_null_sha1(cmd->new_sha1))
1201                         cmd->error_string = "deny deleting a hidden ref";
1202                 else
1203                         cmd->error_string = "deny updating a hidden ref";
1204         }
1205 }
1206
1207 static int should_process_cmd(struct command *cmd)
1208 {
1209         return !cmd->error_string && !cmd->skip_update;
1210 }
1211
1212 static void warn_if_skipped_connectivity_check(struct command *commands,
1213                                                struct shallow_info *si)
1214 {
1215         struct command *cmd;
1216         int checked_connectivity = 1;
1217
1218         for (cmd = commands; cmd; cmd = cmd->next) {
1219                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1220                         error("BUG: connectivity check has not been run on ref %s",
1221                               cmd->ref_name);
1222                         checked_connectivity = 0;
1223                 }
1224         }
1225         if (!checked_connectivity)
1226                 die("BUG: connectivity check skipped???");
1227 }
1228
1229 static void execute_commands_non_atomic(struct command *commands,
1230                                         struct shallow_info *si)
1231 {
1232         struct command *cmd;
1233         struct strbuf err = STRBUF_INIT;
1234
1235         for (cmd = commands; cmd; cmd = cmd->next) {
1236                 if (!should_process_cmd(cmd))
1237                         continue;
1238
1239                 transaction = ref_transaction_begin(&err);
1240                 if (!transaction) {
1241                         rp_error("%s", err.buf);
1242                         strbuf_reset(&err);
1243                         cmd->error_string = "transaction failed to start";
1244                         continue;
1245                 }
1246
1247                 cmd->error_string = update(cmd, si);
1248
1249                 if (!cmd->error_string
1250                     && ref_transaction_commit(transaction, &err)) {
1251                         rp_error("%s", err.buf);
1252                         strbuf_reset(&err);
1253                         cmd->error_string = "failed to update ref";
1254                 }
1255                 ref_transaction_free(transaction);
1256         }
1257         strbuf_release(&err);
1258 }
1259
1260 static void execute_commands_atomic(struct command *commands,
1261                                         struct shallow_info *si)
1262 {
1263         struct command *cmd;
1264         struct strbuf err = STRBUF_INIT;
1265         const char *reported_error = "atomic push failure";
1266
1267         transaction = ref_transaction_begin(&err);
1268         if (!transaction) {
1269                 rp_error("%s", err.buf);
1270                 strbuf_reset(&err);
1271                 reported_error = "transaction failed to start";
1272                 goto failure;
1273         }
1274
1275         for (cmd = commands; cmd; cmd = cmd->next) {
1276                 if (!should_process_cmd(cmd))
1277                         continue;
1278
1279                 cmd->error_string = update(cmd, si);
1280
1281                 if (cmd->error_string)
1282                         goto failure;
1283         }
1284
1285         if (ref_transaction_commit(transaction, &err)) {
1286                 rp_error("%s", err.buf);
1287                 reported_error = "atomic transaction failed";
1288                 goto failure;
1289         }
1290         goto cleanup;
1291
1292 failure:
1293         for (cmd = commands; cmd; cmd = cmd->next)
1294                 if (!cmd->error_string)
1295                         cmd->error_string = reported_error;
1296
1297 cleanup:
1298         ref_transaction_free(transaction);
1299         strbuf_release(&err);
1300 }
1301
1302 static void execute_commands(struct command *commands,
1303                              const char *unpacker_error,
1304                              struct shallow_info *si)
1305 {
1306         struct command *cmd;
1307         unsigned char sha1[20];
1308         struct iterate_data data;
1309
1310         if (unpacker_error) {
1311                 for (cmd = commands; cmd; cmd = cmd->next)
1312                         cmd->error_string = "unpacker error";
1313                 return;
1314         }
1315
1316         data.cmds = commands;
1317         data.si = si;
1318         if (check_everything_connected(iterate_receive_command_list, 0, &data))
1319                 set_connectivity_errors(commands, si);
1320
1321         reject_updates_to_hidden(commands);
1322
1323         if (run_receive_hook(commands, "pre-receive", 0)) {
1324                 for (cmd = commands; cmd; cmd = cmd->next) {
1325                         if (!cmd->error_string)
1326                                 cmd->error_string = "pre-receive hook declined";
1327                 }
1328                 return;
1329         }
1330
1331         check_aliased_updates(commands);
1332
1333         free(head_name_to_free);
1334         head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1335
1336         if (use_atomic)
1337                 execute_commands_atomic(commands, si);
1338         else
1339                 execute_commands_non_atomic(commands, si);
1340
1341         if (shallow_update)
1342                 warn_if_skipped_connectivity_check(commands, si);
1343 }
1344
1345 static struct command **queue_command(struct command **tail,
1346                                       const char *line,
1347                                       int linelen)
1348 {
1349         unsigned char old_sha1[20], new_sha1[20];
1350         struct command *cmd;
1351         const char *refname;
1352         int reflen;
1353
1354         if (linelen < 83 ||
1355             line[40] != ' ' ||
1356             line[81] != ' ' ||
1357             get_sha1_hex(line, old_sha1) ||
1358             get_sha1_hex(line + 41, new_sha1))
1359                 die("protocol error: expected old/new/ref, got '%s'", line);
1360
1361         refname = line + 82;
1362         reflen = linelen - 82;
1363         cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1364         hashcpy(cmd->old_sha1, old_sha1);
1365         hashcpy(cmd->new_sha1, new_sha1);
1366         memcpy(cmd->ref_name, refname, reflen);
1367         cmd->ref_name[reflen] = '\0';
1368         *tail = cmd;
1369         return &cmd->next;
1370 }
1371
1372 static void queue_commands_from_cert(struct command **tail,
1373                                      struct strbuf *push_cert)
1374 {
1375         const char *boc, *eoc;
1376
1377         if (*tail)
1378                 die("protocol error: got both push certificate and unsigned commands");
1379
1380         boc = strstr(push_cert->buf, "\n\n");
1381         if (!boc)
1382                 die("malformed push certificate %.*s", 100, push_cert->buf);
1383         else
1384                 boc += 2;
1385         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1386
1387         while (boc < eoc) {
1388                 const char *eol = memchr(boc, '\n', eoc - boc);
1389                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1390                 boc = eol ? eol + 1 : eoc;
1391         }
1392 }
1393
1394 static struct command *read_head_info(struct sha1_array *shallow)
1395 {
1396         struct command *commands = NULL;
1397         struct command **p = &commands;
1398         for (;;) {
1399                 char *line;
1400                 int len, linelen;
1401
1402                 line = packet_read_line(0, &len);
1403                 if (!line)
1404                         break;
1405
1406                 if (len == 48 && starts_with(line, "shallow ")) {
1407                         unsigned char sha1[20];
1408                         if (get_sha1_hex(line + 8, sha1))
1409                                 die("protocol error: expected shallow sha, got '%s'",
1410                                     line + 8);
1411                         sha1_array_append(shallow, sha1);
1412                         continue;
1413                 }
1414
1415                 linelen = strlen(line);
1416                 if (linelen < len) {
1417                         const char *feature_list = line + linelen + 1;
1418                         if (parse_feature_request(feature_list, "report-status"))
1419                                 report_status = 1;
1420                         if (parse_feature_request(feature_list, "side-band-64k"))
1421                                 use_sideband = LARGE_PACKET_MAX;
1422                         if (parse_feature_request(feature_list, "quiet"))
1423                                 quiet = 1;
1424                         if (advertise_atomic_push
1425                             && parse_feature_request(feature_list, "atomic"))
1426                                 use_atomic = 1;
1427                 }
1428
1429                 if (!strcmp(line, "push-cert")) {
1430                         int true_flush = 0;
1431                         char certbuf[1024];
1432
1433                         for (;;) {
1434                                 len = packet_read(0, NULL, NULL,
1435                                                   certbuf, sizeof(certbuf), 0);
1436                                 if (!len) {
1437                                         true_flush = 1;
1438                                         break;
1439                                 }
1440                                 if (!strcmp(certbuf, "push-cert-end\n"))
1441                                         break; /* end of cert */
1442                                 strbuf_addstr(&push_cert, certbuf);
1443                         }
1444
1445                         if (true_flush)
1446                                 break;
1447                         continue;
1448                 }
1449
1450                 p = queue_command(p, line, linelen);
1451         }
1452
1453         if (push_cert.len)
1454                 queue_commands_from_cert(p, &push_cert);
1455
1456         return commands;
1457 }
1458
1459 static const char *parse_pack_header(struct pack_header *hdr)
1460 {
1461         switch (read_pack_header(0, hdr)) {
1462         case PH_ERROR_EOF:
1463                 return "eof before pack header was fully read";
1464
1465         case PH_ERROR_PACK_SIGNATURE:
1466                 return "protocol error (pack signature mismatch detected)";
1467
1468         case PH_ERROR_PROTOCOL:
1469                 return "protocol error (pack version unsupported)";
1470
1471         default:
1472                 return "unknown error in parse_pack_header";
1473
1474         case 0:
1475                 return NULL;
1476         }
1477 }
1478
1479 static const char *pack_lockfile;
1480
1481 static const char *unpack(int err_fd, struct shallow_info *si)
1482 {
1483         struct pack_header hdr;
1484         const char *hdr_err;
1485         int status;
1486         char hdr_arg[38];
1487         struct child_process child = CHILD_PROCESS_INIT;
1488         int fsck_objects = (receive_fsck_objects >= 0
1489                             ? receive_fsck_objects
1490                             : transfer_fsck_objects >= 0
1491                             ? transfer_fsck_objects
1492                             : 0);
1493
1494         hdr_err = parse_pack_header(&hdr);
1495         if (hdr_err) {
1496                 if (err_fd > 0)
1497                         close(err_fd);
1498                 return hdr_err;
1499         }
1500         snprintf(hdr_arg, sizeof(hdr_arg),
1501                         "--pack_header=%"PRIu32",%"PRIu32,
1502                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1503
1504         if (si->nr_ours || si->nr_theirs) {
1505                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1506                 argv_array_push(&child.args, "--shallow-file");
1507                 argv_array_push(&child.args, alt_shallow_file);
1508         }
1509
1510         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1511                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1512                 if (quiet)
1513                         argv_array_push(&child.args, "-q");
1514                 if (fsck_objects)
1515                         argv_array_pushf(&child.args, "--strict%s",
1516                                 fsck_msg_types.buf);
1517                 child.no_stdout = 1;
1518                 child.err = err_fd;
1519                 child.git_cmd = 1;
1520                 status = run_command(&child);
1521                 if (status)
1522                         return "unpack-objects abnormal exit";
1523         } else {
1524                 int s;
1525                 char keep_arg[256];
1526
1527                 s = sprintf(keep_arg, "--keep=receive-pack %"PRIuMAX" on ", (uintmax_t) getpid());
1528                 if (gethostname(keep_arg + s, sizeof(keep_arg) - s))
1529                         strcpy(keep_arg + s, "localhost");
1530
1531                 argv_array_pushl(&child.args, "index-pack",
1532                                  "--stdin", hdr_arg, keep_arg, NULL);
1533                 if (fsck_objects)
1534                         argv_array_pushf(&child.args, "--strict%s",
1535                                 fsck_msg_types.buf);
1536                 if (fix_thin)
1537                         argv_array_push(&child.args, "--fix-thin");
1538                 child.out = -1;
1539                 child.err = err_fd;
1540                 child.git_cmd = 1;
1541                 status = start_command(&child);
1542                 if (status)
1543                         return "index-pack fork failed";
1544                 pack_lockfile = index_pack_lockfile(child.out);
1545                 close(child.out);
1546                 status = finish_command(&child);
1547                 if (status)
1548                         return "index-pack abnormal exit";
1549                 reprepare_packed_git();
1550         }
1551         return NULL;
1552 }
1553
1554 static const char *unpack_with_sideband(struct shallow_info *si)
1555 {
1556         struct async muxer;
1557         const char *ret;
1558
1559         if (!use_sideband)
1560                 return unpack(0, si);
1561
1562         memset(&muxer, 0, sizeof(muxer));
1563         muxer.proc = copy_to_sideband;
1564         muxer.in = -1;
1565         if (start_async(&muxer))
1566                 return NULL;
1567
1568         ret = unpack(muxer.in, si);
1569
1570         finish_async(&muxer);
1571         return ret;
1572 }
1573
1574 static void prepare_shallow_update(struct command *commands,
1575                                    struct shallow_info *si)
1576 {
1577         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1578
1579         si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1580                                    si->shallow->nr);
1581         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1582
1583         si->need_reachability_test =
1584                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1585         si->reachable =
1586                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1587         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1588
1589         for (i = 0; i < si->nr_ours; i++)
1590                 si->need_reachability_test[si->ours[i]] = 1;
1591
1592         for (i = 0; i < si->shallow->nr; i++) {
1593                 if (!si->used_shallow[i])
1594                         continue;
1595                 for (j = 0; j < bitmap_size; j++) {
1596                         if (!si->used_shallow[i][j])
1597                                 continue;
1598                         si->need_reachability_test[i]++;
1599                         for (k = 0; k < 32; k++)
1600                                 if (si->used_shallow[i][j] & (1 << k))
1601                                         si->shallow_ref[j * 32 + k]++;
1602                 }
1603
1604                 /*
1605                  * true for those associated with some refs and belong
1606                  * in "ours" list aka "step 7 not done yet"
1607                  */
1608                 si->need_reachability_test[i] =
1609                         si->need_reachability_test[i] > 1;
1610         }
1611
1612         /*
1613          * keep hooks happy by forcing a temporary shallow file via
1614          * env variable because we can't add --shallow-file to every
1615          * command. check_everything_connected() will be done with
1616          * true .git/shallow though.
1617          */
1618         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1619 }
1620
1621 static void update_shallow_info(struct command *commands,
1622                                 struct shallow_info *si,
1623                                 struct sha1_array *ref)
1624 {
1625         struct command *cmd;
1626         int *ref_status;
1627         remove_nonexistent_theirs_shallow(si);
1628         if (!si->nr_ours && !si->nr_theirs) {
1629                 shallow_update = 0;
1630                 return;
1631         }
1632
1633         for (cmd = commands; cmd; cmd = cmd->next) {
1634                 if (is_null_sha1(cmd->new_sha1))
1635                         continue;
1636                 sha1_array_append(ref, cmd->new_sha1);
1637                 cmd->index = ref->nr - 1;
1638         }
1639         si->ref = ref;
1640
1641         if (shallow_update) {
1642                 prepare_shallow_update(commands, si);
1643                 return;
1644         }
1645
1646         ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1647         assign_shallow_commits_to_refs(si, NULL, ref_status);
1648         for (cmd = commands; cmd; cmd = cmd->next) {
1649                 if (is_null_sha1(cmd->new_sha1))
1650                         continue;
1651                 if (ref_status[cmd->index]) {
1652                         cmd->error_string = "shallow update not allowed";
1653                         cmd->skip_update = 1;
1654                 }
1655         }
1656         free(ref_status);
1657 }
1658
1659 static void report(struct command *commands, const char *unpack_status)
1660 {
1661         struct command *cmd;
1662         struct strbuf buf = STRBUF_INIT;
1663
1664         packet_buf_write(&buf, "unpack %s\n",
1665                          unpack_status ? unpack_status : "ok");
1666         for (cmd = commands; cmd; cmd = cmd->next) {
1667                 if (!cmd->error_string)
1668                         packet_buf_write(&buf, "ok %s\n",
1669                                          cmd->ref_name);
1670                 else
1671                         packet_buf_write(&buf, "ng %s %s\n",
1672                                          cmd->ref_name, cmd->error_string);
1673         }
1674         packet_buf_flush(&buf);
1675
1676         if (use_sideband)
1677                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1678         else
1679                 write_or_die(1, buf.buf, buf.len);
1680         strbuf_release(&buf);
1681 }
1682
1683 static int delete_only(struct command *commands)
1684 {
1685         struct command *cmd;
1686         for (cmd = commands; cmd; cmd = cmd->next) {
1687                 if (!is_null_sha1(cmd->new_sha1))
1688                         return 0;
1689         }
1690         return 1;
1691 }
1692
1693 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1694 {
1695         int advertise_refs = 0;
1696         int i;
1697         struct command *commands;
1698         struct sha1_array shallow = SHA1_ARRAY_INIT;
1699         struct sha1_array ref = SHA1_ARRAY_INIT;
1700         struct shallow_info si;
1701
1702         packet_trace_identity("receive-pack");
1703
1704         argv++;
1705         for (i = 1; i < argc; i++) {
1706                 const char *arg = *argv++;
1707
1708                 if (*arg == '-') {
1709                         if (!strcmp(arg, "--quiet")) {
1710                                 quiet = 1;
1711                                 continue;
1712                         }
1713
1714                         if (!strcmp(arg, "--advertise-refs")) {
1715                                 advertise_refs = 1;
1716                                 continue;
1717                         }
1718                         if (!strcmp(arg, "--stateless-rpc")) {
1719                                 stateless_rpc = 1;
1720                                 continue;
1721                         }
1722                         if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1723                                 fix_thin = 0;
1724                                 continue;
1725                         }
1726
1727                         usage(receive_pack_usage);
1728                 }
1729                 if (service_dir)
1730                         usage(receive_pack_usage);
1731                 service_dir = arg;
1732         }
1733         if (!service_dir)
1734                 usage(receive_pack_usage);
1735
1736         setup_path();
1737
1738         if (!enter_repo(service_dir, 0))
1739                 die("'%s' does not appear to be a git repository", service_dir);
1740
1741         git_config(receive_pack_config, NULL);
1742         if (cert_nonce_seed)
1743                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1744
1745         if (0 <= transfer_unpack_limit)
1746                 unpack_limit = transfer_unpack_limit;
1747         else if (0 <= receive_unpack_limit)
1748                 unpack_limit = receive_unpack_limit;
1749
1750         if (advertise_refs || !stateless_rpc) {
1751                 write_head_info();
1752         }
1753         if (advertise_refs)
1754                 return 0;
1755
1756         if ((commands = read_head_info(&shallow)) != NULL) {
1757                 const char *unpack_status = NULL;
1758
1759                 prepare_shallow_info(&si, &shallow);
1760                 if (!si.nr_ours && !si.nr_theirs)
1761                         shallow_update = 0;
1762                 if (!delete_only(commands)) {
1763                         unpack_status = unpack_with_sideband(&si);
1764                         update_shallow_info(commands, &si, &ref);
1765                 }
1766                 execute_commands(commands, unpack_status, &si);
1767                 if (pack_lockfile)
1768                         unlink_or_warn(pack_lockfile);
1769                 if (report_status)
1770                         report(commands, unpack_status);
1771                 run_receive_hook(commands, "post-receive", 1);
1772                 run_update_post_hook(commands);
1773                 if (auto_gc) {
1774                         const char *argv_gc_auto[] = {
1775                                 "gc", "--auto", "--quiet", NULL,
1776                         };
1777                         int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1778                         run_command_v_opt(argv_gc_auto, opt);
1779                 }
1780                 if (auto_update_server_info)
1781                         update_server_info(0);
1782                 clear_shallow_info(&si);
1783         }
1784         if (use_sideband)
1785                 packet_flush(1);
1786         sha1_array_clear(&shallow);
1787         sha1_array_clear(&ref);
1788         free((void *)push_cert_nonce);
1789         return 0;
1790 }