Merge branch 'ds/test-read-graph'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "sha1-array.h"
17 #include "connected.h"
18 #include "argv-array.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30
31 static const char * const receive_pack_usage[] = {
32         N_("git receive-pack <git-dir>"),
33         NULL
34 };
35
36 enum deny_action {
37         DENY_UNCONFIGURED,
38         DENY_IGNORE,
39         DENY_WARN,
40         DENY_REFUSE,
41         DENY_UPDATE_INSTEAD
42 };
43
44 static int deny_deletes;
45 static int deny_non_fast_forwards;
46 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
47 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
48 static int receive_fsck_objects = -1;
49 static int transfer_fsck_objects = -1;
50 static struct strbuf fsck_msg_types = STRBUF_INIT;
51 static int receive_unpack_limit = -1;
52 static int transfer_unpack_limit = -1;
53 static int advertise_atomic_push = 1;
54 static int advertise_push_options;
55 static int unpack_limit = 100;
56 static off_t max_input_size;
57 static int report_status;
58 static int use_sideband;
59 static int use_atomic;
60 static int use_push_options;
61 static int quiet;
62 static int prefer_ofs_delta = 1;
63 static int auto_update_server_info;
64 static int auto_gc = 1;
65 static int reject_thin;
66 static int stateless_rpc;
67 static const char *service_dir;
68 static const char *head_name;
69 static void *head_name_to_free;
70 static int sent_capabilities;
71 static int shallow_update;
72 static const char *alt_shallow_file;
73 static struct strbuf push_cert = STRBUF_INIT;
74 static struct object_id push_cert_oid;
75 static struct signature_check sigcheck;
76 static const char *push_cert_nonce;
77 static const char *cert_nonce_seed;
78
79 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
80 static const char *NONCE_BAD = "BAD";
81 static const char *NONCE_MISSING = "MISSING";
82 static const char *NONCE_OK = "OK";
83 static const char *NONCE_SLOP = "SLOP";
84 static const char *nonce_status;
85 static long nonce_stamp_slop;
86 static timestamp_t nonce_stamp_slop_limit;
87 static struct ref_transaction *transaction;
88
89 static enum {
90         KEEPALIVE_NEVER = 0,
91         KEEPALIVE_AFTER_NUL,
92         KEEPALIVE_ALWAYS
93 } use_keepalive;
94 static int keepalive_in_sec = 5;
95
96 static struct tmp_objdir *tmp_objdir;
97
98 static enum deny_action parse_deny_action(const char *var, const char *value)
99 {
100         if (value) {
101                 if (!strcasecmp(value, "ignore"))
102                         return DENY_IGNORE;
103                 if (!strcasecmp(value, "warn"))
104                         return DENY_WARN;
105                 if (!strcasecmp(value, "refuse"))
106                         return DENY_REFUSE;
107                 if (!strcasecmp(value, "updateinstead"))
108                         return DENY_UPDATE_INSTEAD;
109         }
110         if (git_config_bool(var, value))
111                 return DENY_REFUSE;
112         return DENY_IGNORE;
113 }
114
115 static int receive_pack_config(const char *var, const char *value, void *cb)
116 {
117         int status = parse_hide_refs_config(var, value, "receive");
118
119         if (status)
120                 return status;
121
122         if (strcmp(var, "receive.denydeletes") == 0) {
123                 deny_deletes = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.denynonfastforwards") == 0) {
128                 deny_non_fast_forwards = git_config_bool(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "receive.unpacklimit") == 0) {
133                 receive_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "transfer.unpacklimit") == 0) {
138                 transfer_unpack_limit = git_config_int(var, value);
139                 return 0;
140         }
141
142         if (strcmp(var, "receive.fsck.skiplist") == 0) {
143                 const char *path;
144
145                 if (git_config_pathname(&path, var, value))
146                         return 1;
147                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
148                         fsck_msg_types.len ? ',' : '=', path);
149                 free((char *)path);
150                 return 0;
151         }
152
153         if (skip_prefix(var, "receive.fsck.", &var)) {
154                 if (is_valid_msg_type(var, value))
155                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
156                                 fsck_msg_types.len ? ',' : '=', var, value);
157                 else
158                         warning("Skipping unknown msg id '%s'", var);
159                 return 0;
160         }
161
162         if (strcmp(var, "receive.fsckobjects") == 0) {
163                 receive_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (strcmp(var, "transfer.fsckobjects") == 0) {
168                 transfer_fsck_objects = git_config_bool(var, value);
169                 return 0;
170         }
171
172         if (!strcmp(var, "receive.denycurrentbranch")) {
173                 deny_current_branch = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "receive.denydeletecurrent") == 0) {
178                 deny_delete_current = parse_deny_action(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
183                 prefer_ofs_delta = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.updateserverinfo") == 0) {
188                 auto_update_server_info = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.autogc") == 0) {
193                 auto_gc = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.shallowupdate") == 0) {
198                 shallow_update = git_config_bool(var, value);
199                 return 0;
200         }
201
202         if (strcmp(var, "receive.certnonceseed") == 0)
203                 return git_config_string(&cert_nonce_seed, var, value);
204
205         if (strcmp(var, "receive.certnonceslop") == 0) {
206                 nonce_stamp_slop_limit = git_config_ulong(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertiseatomic") == 0) {
211                 advertise_atomic_push = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.advertisepushoptions") == 0) {
216                 advertise_push_options = git_config_bool(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.keepalive") == 0) {
221                 keepalive_in_sec = git_config_int(var, value);
222                 return 0;
223         }
224
225         if (strcmp(var, "receive.maxinputsize") == 0) {
226                 max_input_size = git_config_int64(var, value);
227                 return 0;
228         }
229
230         return git_default_config(var, value, cb);
231 }
232
233 static void show_ref(const char *path, const struct object_id *oid)
234 {
235         if (sent_capabilities) {
236                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
237         } else {
238                 struct strbuf cap = STRBUF_INIT;
239
240                 strbuf_addstr(&cap,
241                               "report-status delete-refs side-band-64k quiet");
242                 if (advertise_atomic_push)
243                         strbuf_addstr(&cap, " atomic");
244                 if (prefer_ofs_delta)
245                         strbuf_addstr(&cap, " ofs-delta");
246                 if (push_cert_nonce)
247                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
248                 if (advertise_push_options)
249                         strbuf_addstr(&cap, " push-options");
250                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
251                 packet_write_fmt(1, "%s %s%c%s\n",
252                              oid_to_hex(oid), path, 0, cap.buf);
253                 strbuf_release(&cap);
254                 sent_capabilities = 1;
255         }
256 }
257
258 static int show_ref_cb(const char *path_full, const struct object_id *oid,
259                        int flag, void *data)
260 {
261         struct oidset *seen = data;
262         const char *path = strip_namespace(path_full);
263
264         if (ref_is_hidden(path, path_full))
265                 return 0;
266
267         /*
268          * Advertise refs outside our current namespace as ".have"
269          * refs, so that the client can use them to minimize data
270          * transfer but will otherwise ignore them.
271          */
272         if (!path) {
273                 if (oidset_insert(seen, oid))
274                         return 0;
275                 path = ".have";
276         } else {
277                 oidset_insert(seen, oid);
278         }
279         show_ref(path, oid);
280         return 0;
281 }
282
283 static void show_one_alternate_ref(const struct object_id *oid,
284                                    void *data)
285 {
286         struct oidset *seen = data;
287
288         if (oidset_insert(seen, oid))
289                 return;
290
291         show_ref(".have", oid);
292 }
293
294 static void write_head_info(void)
295 {
296         static struct oidset seen = OIDSET_INIT;
297
298         for_each_ref(show_ref_cb, &seen);
299         for_each_alternate_ref(show_one_alternate_ref, &seen);
300         oidset_clear(&seen);
301         if (!sent_capabilities)
302                 show_ref("capabilities^{}", &null_oid);
303
304         advertise_shallow_grafts(1);
305
306         /* EOF */
307         packet_flush(1);
308 }
309
310 struct command {
311         struct command *next;
312         const char *error_string;
313         unsigned int skip_update:1,
314                      did_not_exist:1;
315         int index;
316         struct object_id old_oid;
317         struct object_id new_oid;
318         char ref_name[FLEX_ARRAY]; /* more */
319 };
320
321 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
322 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
323
324 static void report_message(const char *prefix, const char *err, va_list params)
325 {
326         int sz;
327         char msg[4096];
328
329         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
330         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
331         if (sz > (sizeof(msg) - 1))
332                 sz = sizeof(msg) - 1;
333         msg[sz++] = '\n';
334
335         if (use_sideband)
336                 send_sideband(1, 2, msg, sz, use_sideband);
337         else
338                 xwrite(2, msg, sz);
339 }
340
341 static void rp_warning(const char *err, ...)
342 {
343         va_list params;
344         va_start(params, err);
345         report_message("warning: ", err, params);
346         va_end(params);
347 }
348
349 static void rp_error(const char *err, ...)
350 {
351         va_list params;
352         va_start(params, err);
353         report_message("error: ", err, params);
354         va_end(params);
355 }
356
357 static int copy_to_sideband(int in, int out, void *arg)
358 {
359         char data[128];
360         int keepalive_active = 0;
361
362         if (keepalive_in_sec <= 0)
363                 use_keepalive = KEEPALIVE_NEVER;
364         if (use_keepalive == KEEPALIVE_ALWAYS)
365                 keepalive_active = 1;
366
367         while (1) {
368                 ssize_t sz;
369
370                 if (keepalive_active) {
371                         struct pollfd pfd;
372                         int ret;
373
374                         pfd.fd = in;
375                         pfd.events = POLLIN;
376                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
377
378                         if (ret < 0) {
379                                 if (errno == EINTR)
380                                         continue;
381                                 else
382                                         break;
383                         } else if (ret == 0) {
384                                 /* no data; send a keepalive packet */
385                                 static const char buf[] = "0005\1";
386                                 write_or_die(1, buf, sizeof(buf) - 1);
387                                 continue;
388                         } /* else there is actual data to read */
389                 }
390
391                 sz = xread(in, data, sizeof(data));
392                 if (sz <= 0)
393                         break;
394
395                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
396                         const char *p = memchr(data, '\0', sz);
397                         if (p) {
398                                 /*
399                                  * The NUL tells us to start sending keepalives. Make
400                                  * sure we send any other data we read along
401                                  * with it.
402                                  */
403                                 keepalive_active = 1;
404                                 send_sideband(1, 2, data, p - data, use_sideband);
405                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
406                                 continue;
407                         }
408                 }
409
410                 /*
411                  * Either we're not looking for a NUL signal, or we didn't see
412                  * it yet; just pass along the data.
413                  */
414                 send_sideband(1, 2, data, sz, use_sideband);
415         }
416         close(in);
417         return 0;
418 }
419
420 static void hmac(unsigned char *out,
421                       const char *key_in, size_t key_len,
422                       const char *text, size_t text_len)
423 {
424         unsigned char key[GIT_MAX_BLKSZ];
425         unsigned char k_ipad[GIT_MAX_BLKSZ];
426         unsigned char k_opad[GIT_MAX_BLKSZ];
427         int i;
428         git_hash_ctx ctx;
429
430         /* RFC 2104 2. (1) */
431         memset(key, '\0', GIT_MAX_BLKSZ);
432         if (the_hash_algo->blksz < key_len) {
433                 the_hash_algo->init_fn(&ctx);
434                 the_hash_algo->update_fn(&ctx, key_in, key_len);
435                 the_hash_algo->final_fn(key, &ctx);
436         } else {
437                 memcpy(key, key_in, key_len);
438         }
439
440         /* RFC 2104 2. (2) & (5) */
441         for (i = 0; i < sizeof(key); i++) {
442                 k_ipad[i] = key[i] ^ 0x36;
443                 k_opad[i] = key[i] ^ 0x5c;
444         }
445
446         /* RFC 2104 2. (3) & (4) */
447         the_hash_algo->init_fn(&ctx);
448         the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
449         the_hash_algo->update_fn(&ctx, text, text_len);
450         the_hash_algo->final_fn(out, &ctx);
451
452         /* RFC 2104 2. (6) & (7) */
453         the_hash_algo->init_fn(&ctx);
454         the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
455         the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
456         the_hash_algo->final_fn(out, &ctx);
457 }
458
459 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
460 {
461         struct strbuf buf = STRBUF_INIT;
462         unsigned char hash[GIT_MAX_RAWSZ];
463
464         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
465         hmac(hash, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
466         strbuf_release(&buf);
467
468         /* RFC 2104 5. HMAC-SHA1-80 */
469         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, (int)the_hash_algo->hexsz, hash_to_hex(hash));
470         return strbuf_detach(&buf, NULL);
471 }
472
473 /*
474  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
475  * after dropping "_commit" from its name and possibly moving it out
476  * of commit.c
477  */
478 static char *find_header(const char *msg, size_t len, const char *key,
479                          const char **next_line)
480 {
481         int key_len = strlen(key);
482         const char *line = msg;
483
484         while (line && line < msg + len) {
485                 const char *eol = strchrnul(line, '\n');
486
487                 if ((msg + len <= eol) || line == eol)
488                         return NULL;
489                 if (line + key_len < eol &&
490                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
491                         int offset = key_len + 1;
492                         if (next_line)
493                                 *next_line = *eol ? eol + 1 : eol;
494                         return xmemdupz(line + offset, (eol - line) - offset);
495                 }
496                 line = *eol ? eol + 1 : NULL;
497         }
498         return NULL;
499 }
500
501 static const char *check_nonce(const char *buf, size_t len)
502 {
503         char *nonce = find_header(buf, len, "nonce", NULL);
504         timestamp_t stamp, ostamp;
505         char *bohmac, *expect = NULL;
506         const char *retval = NONCE_BAD;
507
508         if (!nonce) {
509                 retval = NONCE_MISSING;
510                 goto leave;
511         } else if (!push_cert_nonce) {
512                 retval = NONCE_UNSOLICITED;
513                 goto leave;
514         } else if (!strcmp(push_cert_nonce, nonce)) {
515                 retval = NONCE_OK;
516                 goto leave;
517         }
518
519         if (!stateless_rpc) {
520                 /* returned nonce MUST match what we gave out earlier */
521                 retval = NONCE_BAD;
522                 goto leave;
523         }
524
525         /*
526          * In stateless mode, we may be receiving a nonce issued by
527          * another instance of the server that serving the same
528          * repository, and the timestamps may not match, but the
529          * nonce-seed and dir should match, so we can recompute and
530          * report the time slop.
531          *
532          * In addition, when a nonce issued by another instance has
533          * timestamp within receive.certnonceslop seconds, we pretend
534          * as if we issued that nonce when reporting to the hook.
535          */
536
537         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
538         if (*nonce <= '0' || '9' < *nonce) {
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542         stamp = parse_timestamp(nonce, &bohmac, 10);
543         if (bohmac == nonce || bohmac[0] != '-') {
544                 retval = NONCE_BAD;
545                 goto leave;
546         }
547
548         expect = prepare_push_cert_nonce(service_dir, stamp);
549         if (strcmp(expect, nonce)) {
550                 /* Not what we would have signed earlier */
551                 retval = NONCE_BAD;
552                 goto leave;
553         }
554
555         /*
556          * By how many seconds is this nonce stale?  Negative value
557          * would mean it was issued by another server with its clock
558          * skewed in the future.
559          */
560         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
561         nonce_stamp_slop = (long)ostamp - (long)stamp;
562
563         if (nonce_stamp_slop_limit &&
564             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
565                 /*
566                  * Pretend as if the received nonce (which passes the
567                  * HMAC check, so it is not a forged by third-party)
568                  * is what we issued.
569                  */
570                 free((void *)push_cert_nonce);
571                 push_cert_nonce = xstrdup(nonce);
572                 retval = NONCE_OK;
573         } else {
574                 retval = NONCE_SLOP;
575         }
576
577 leave:
578         free(nonce);
579         free(expect);
580         return retval;
581 }
582
583 /*
584  * Return 1 if there is no push_cert or if the push options in push_cert are
585  * the same as those in the argument; 0 otherwise.
586  */
587 static int check_cert_push_options(const struct string_list *push_options)
588 {
589         const char *buf = push_cert.buf;
590         int len = push_cert.len;
591
592         char *option;
593         const char *next_line;
594         int options_seen = 0;
595
596         int retval = 1;
597
598         if (!len)
599                 return 1;
600
601         while ((option = find_header(buf, len, "push-option", &next_line))) {
602                 len -= (next_line - buf);
603                 buf = next_line;
604                 options_seen++;
605                 if (options_seen > push_options->nr
606                     || strcmp(option,
607                               push_options->items[options_seen - 1].string)) {
608                         retval = 0;
609                         goto leave;
610                 }
611                 free(option);
612         }
613
614         if (options_seen != push_options->nr)
615                 retval = 0;
616
617 leave:
618         free(option);
619         return retval;
620 }
621
622 static void prepare_push_cert_sha1(struct child_process *proc)
623 {
624         static int already_done;
625
626         if (!push_cert.len)
627                 return;
628
629         if (!already_done) {
630                 int bogs /* beginning_of_gpg_sig */;
631
632                 already_done = 1;
633                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
634                                       &push_cert_oid))
635                         oidclr(&push_cert_oid);
636
637                 memset(&sigcheck, '\0', sizeof(sigcheck));
638
639                 bogs = parse_signature(push_cert.buf, push_cert.len);
640                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
641                                 push_cert.len - bogs, &sigcheck);
642
643                 nonce_status = check_nonce(push_cert.buf, bogs);
644         }
645         if (!is_null_oid(&push_cert_oid)) {
646                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
647                                  oid_to_hex(&push_cert_oid));
648                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
649                                  sigcheck.signer ? sigcheck.signer : "");
650                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
651                                  sigcheck.key ? sigcheck.key : "");
652                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
653                                  sigcheck.result);
654                 if (push_cert_nonce) {
655                         argv_array_pushf(&proc->env_array,
656                                          "GIT_PUSH_CERT_NONCE=%s",
657                                          push_cert_nonce);
658                         argv_array_pushf(&proc->env_array,
659                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
660                                          nonce_status);
661                         if (nonce_status == NONCE_SLOP)
662                                 argv_array_pushf(&proc->env_array,
663                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
664                                                  nonce_stamp_slop);
665                 }
666         }
667 }
668
669 struct receive_hook_feed_state {
670         struct command *cmd;
671         int skip_broken;
672         struct strbuf buf;
673         const struct string_list *push_options;
674 };
675
676 typedef int (*feed_fn)(void *, const char **, size_t *);
677 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
678                              struct receive_hook_feed_state *feed_state)
679 {
680         struct child_process proc = CHILD_PROCESS_INIT;
681         struct async muxer;
682         const char *argv[2];
683         int code;
684
685         argv[0] = find_hook(hook_name);
686         if (!argv[0])
687                 return 0;
688
689         argv[1] = NULL;
690
691         proc.argv = argv;
692         proc.in = -1;
693         proc.stdout_to_stderr = 1;
694         proc.trace2_hook_name = hook_name;
695
696         if (feed_state->push_options) {
697                 int i;
698                 for (i = 0; i < feed_state->push_options->nr; i++)
699                         argv_array_pushf(&proc.env_array,
700                                 "GIT_PUSH_OPTION_%d=%s", i,
701                                 feed_state->push_options->items[i].string);
702                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
703                                  feed_state->push_options->nr);
704         } else
705                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
706
707         if (tmp_objdir)
708                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
709
710         if (use_sideband) {
711                 memset(&muxer, 0, sizeof(muxer));
712                 muxer.proc = copy_to_sideband;
713                 muxer.in = -1;
714                 code = start_async(&muxer);
715                 if (code)
716                         return code;
717                 proc.err = muxer.in;
718         }
719
720         prepare_push_cert_sha1(&proc);
721
722         code = start_command(&proc);
723         if (code) {
724                 if (use_sideband)
725                         finish_async(&muxer);
726                 return code;
727         }
728
729         sigchain_push(SIGPIPE, SIG_IGN);
730
731         while (1) {
732                 const char *buf;
733                 size_t n;
734                 if (feed(feed_state, &buf, &n))
735                         break;
736                 if (write_in_full(proc.in, buf, n) < 0)
737                         break;
738         }
739         close(proc.in);
740         if (use_sideband)
741                 finish_async(&muxer);
742
743         sigchain_pop(SIGPIPE);
744
745         return finish_command(&proc);
746 }
747
748 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
749 {
750         struct receive_hook_feed_state *state = state_;
751         struct command *cmd = state->cmd;
752
753         while (cmd &&
754                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
755                 cmd = cmd->next;
756         if (!cmd)
757                 return -1; /* EOF */
758         strbuf_reset(&state->buf);
759         strbuf_addf(&state->buf, "%s %s %s\n",
760                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
761                     cmd->ref_name);
762         state->cmd = cmd->next;
763         if (bufp) {
764                 *bufp = state->buf.buf;
765                 *sizep = state->buf.len;
766         }
767         return 0;
768 }
769
770 static int run_receive_hook(struct command *commands,
771                             const char *hook_name,
772                             int skip_broken,
773                             const struct string_list *push_options)
774 {
775         struct receive_hook_feed_state state;
776         int status;
777
778         strbuf_init(&state.buf, 0);
779         state.cmd = commands;
780         state.skip_broken = skip_broken;
781         if (feed_receive_hook(&state, NULL, NULL))
782                 return 0;
783         state.cmd = commands;
784         state.push_options = push_options;
785         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
786         strbuf_release(&state.buf);
787         return status;
788 }
789
790 static int run_update_hook(struct command *cmd)
791 {
792         const char *argv[5];
793         struct child_process proc = CHILD_PROCESS_INIT;
794         int code;
795
796         argv[0] = find_hook("update");
797         if (!argv[0])
798                 return 0;
799
800         argv[1] = cmd->ref_name;
801         argv[2] = oid_to_hex(&cmd->old_oid);
802         argv[3] = oid_to_hex(&cmd->new_oid);
803         argv[4] = NULL;
804
805         proc.no_stdin = 1;
806         proc.stdout_to_stderr = 1;
807         proc.err = use_sideband ? -1 : 0;
808         proc.argv = argv;
809         proc.trace2_hook_name = "update";
810
811         code = start_command(&proc);
812         if (code)
813                 return code;
814         if (use_sideband)
815                 copy_to_sideband(proc.err, -1, NULL);
816         return finish_command(&proc);
817 }
818
819 static int is_ref_checked_out(const char *ref)
820 {
821         if (is_bare_repository())
822                 return 0;
823
824         if (!head_name)
825                 return 0;
826         return !strcmp(head_name, ref);
827 }
828
829 static char *refuse_unconfigured_deny_msg =
830         N_("By default, updating the current branch in a non-bare repository\n"
831            "is denied, because it will make the index and work tree inconsistent\n"
832            "with what you pushed, and will require 'git reset --hard' to match\n"
833            "the work tree to HEAD.\n"
834            "\n"
835            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
836            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
837            "its current branch; however, this is not recommended unless you\n"
838            "arranged to update its work tree to match what you pushed in some\n"
839            "other way.\n"
840            "\n"
841            "To squelch this message and still keep the default behaviour, set\n"
842            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
843
844 static void refuse_unconfigured_deny(void)
845 {
846         rp_error("%s", _(refuse_unconfigured_deny_msg));
847 }
848
849 static char *refuse_unconfigured_deny_delete_current_msg =
850         N_("By default, deleting the current branch is denied, because the next\n"
851            "'git clone' won't result in any file checked out, causing confusion.\n"
852            "\n"
853            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
854            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
855            "current branch, with or without a warning message.\n"
856            "\n"
857            "To squelch this message, you can set it to 'refuse'.");
858
859 static void refuse_unconfigured_deny_delete_current(void)
860 {
861         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
862 }
863
864 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
865 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
866 {
867         struct lock_file shallow_lock = LOCK_INIT;
868         struct oid_array extra = OID_ARRAY_INIT;
869         struct check_connected_options opt = CHECK_CONNECTED_INIT;
870         uint32_t mask = 1 << (cmd->index % 32);
871         int i;
872
873         trace_printf_key(&trace_shallow,
874                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
875         for (i = 0; i < si->shallow->nr; i++)
876                 if (si->used_shallow[i] &&
877                     (si->used_shallow[i][cmd->index / 32] & mask) &&
878                     !delayed_reachability_test(si, i))
879                         oid_array_append(&extra, &si->shallow->oid[i]);
880
881         opt.env = tmp_objdir_env(tmp_objdir);
882         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
883         if (check_connected(command_singleton_iterator, cmd, &opt)) {
884                 rollback_lock_file(&shallow_lock);
885                 oid_array_clear(&extra);
886                 return -1;
887         }
888
889         commit_lock_file(&shallow_lock);
890
891         /*
892          * Make sure setup_alternate_shallow() for the next ref does
893          * not lose these new roots..
894          */
895         for (i = 0; i < extra.nr; i++)
896                 register_shallow(the_repository, &extra.oid[i]);
897
898         si->shallow_ref[cmd->index] = 0;
899         oid_array_clear(&extra);
900         return 0;
901 }
902
903 /*
904  * NEEDSWORK: we should consolidate various implementions of "are we
905  * on an unborn branch?" test into one, and make the unified one more
906  * robust. !get_sha1() based check used here and elsewhere would not
907  * allow us to tell an unborn branch from corrupt ref, for example.
908  * For the purpose of fixing "deploy-to-update does not work when
909  * pushing into an empty repository" issue, this should suffice for
910  * now.
911  */
912 static int head_has_history(void)
913 {
914         struct object_id oid;
915
916         return !get_oid("HEAD", &oid);
917 }
918
919 static const char *push_to_deploy(unsigned char *sha1,
920                                   struct argv_array *env,
921                                   const char *work_tree)
922 {
923         const char *update_refresh[] = {
924                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
925         };
926         const char *diff_files[] = {
927                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
928         };
929         const char *diff_index[] = {
930                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
931                 NULL, "--", NULL
932         };
933         const char *read_tree[] = {
934                 "read-tree", "-u", "-m", NULL, NULL
935         };
936         struct child_process child = CHILD_PROCESS_INIT;
937
938         child.argv = update_refresh;
939         child.env = env->argv;
940         child.dir = work_tree;
941         child.no_stdin = 1;
942         child.stdout_to_stderr = 1;
943         child.git_cmd = 1;
944         if (run_command(&child))
945                 return "Up-to-date check failed";
946
947         /* run_command() does not clean up completely; reinitialize */
948         child_process_init(&child);
949         child.argv = diff_files;
950         child.env = env->argv;
951         child.dir = work_tree;
952         child.no_stdin = 1;
953         child.stdout_to_stderr = 1;
954         child.git_cmd = 1;
955         if (run_command(&child))
956                 return "Working directory has unstaged changes";
957
958         /* diff-index with either HEAD or an empty tree */
959         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
960
961         child_process_init(&child);
962         child.argv = diff_index;
963         child.env = env->argv;
964         child.no_stdin = 1;
965         child.no_stdout = 1;
966         child.stdout_to_stderr = 0;
967         child.git_cmd = 1;
968         if (run_command(&child))
969                 return "Working directory has staged changes";
970
971         read_tree[3] = hash_to_hex(sha1);
972         child_process_init(&child);
973         child.argv = read_tree;
974         child.env = env->argv;
975         child.dir = work_tree;
976         child.no_stdin = 1;
977         child.no_stdout = 1;
978         child.stdout_to_stderr = 0;
979         child.git_cmd = 1;
980         if (run_command(&child))
981                 return "Could not update working tree to new HEAD";
982
983         return NULL;
984 }
985
986 static const char *push_to_checkout_hook = "push-to-checkout";
987
988 static const char *push_to_checkout(unsigned char *hash,
989                                     struct argv_array *env,
990                                     const char *work_tree)
991 {
992         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
993         if (run_hook_le(env->argv, push_to_checkout_hook,
994                         hash_to_hex(hash), NULL))
995                 return "push-to-checkout hook declined";
996         else
997                 return NULL;
998 }
999
1000 static const char *update_worktree(unsigned char *sha1)
1001 {
1002         const char *retval;
1003         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1004         struct argv_array env = ARGV_ARRAY_INIT;
1005
1006         if (is_bare_repository())
1007                 return "denyCurrentBranch = updateInstead needs a worktree";
1008
1009         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1010
1011         if (!find_hook(push_to_checkout_hook))
1012                 retval = push_to_deploy(sha1, &env, work_tree);
1013         else
1014                 retval = push_to_checkout(sha1, &env, work_tree);
1015
1016         argv_array_clear(&env);
1017         return retval;
1018 }
1019
1020 static const char *update(struct command *cmd, struct shallow_info *si)
1021 {
1022         const char *name = cmd->ref_name;
1023         struct strbuf namespaced_name_buf = STRBUF_INIT;
1024         static char *namespaced_name;
1025         const char *ret;
1026         struct object_id *old_oid = &cmd->old_oid;
1027         struct object_id *new_oid = &cmd->new_oid;
1028         int do_update_worktree = 0;
1029
1030         /* only refs/... are allowed */
1031         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1032                 rp_error("refusing to create funny ref '%s' remotely", name);
1033                 return "funny refname";
1034         }
1035
1036         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1037         free(namespaced_name);
1038         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1039
1040         if (is_ref_checked_out(namespaced_name)) {
1041                 switch (deny_current_branch) {
1042                 case DENY_IGNORE:
1043                         break;
1044                 case DENY_WARN:
1045                         rp_warning("updating the current branch");
1046                         break;
1047                 case DENY_REFUSE:
1048                 case DENY_UNCONFIGURED:
1049                         rp_error("refusing to update checked out branch: %s", name);
1050                         if (deny_current_branch == DENY_UNCONFIGURED)
1051                                 refuse_unconfigured_deny();
1052                         return "branch is currently checked out";
1053                 case DENY_UPDATE_INSTEAD:
1054                         /* pass -- let other checks intervene first */
1055                         do_update_worktree = 1;
1056                         break;
1057                 }
1058         }
1059
1060         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1061                 error("unpack should have generated %s, "
1062                       "but I can't find it!", oid_to_hex(new_oid));
1063                 return "bad pack";
1064         }
1065
1066         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1067                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1068                         rp_error("denying ref deletion for %s", name);
1069                         return "deletion prohibited";
1070                 }
1071
1072                 if (head_name && !strcmp(namespaced_name, head_name)) {
1073                         switch (deny_delete_current) {
1074                         case DENY_IGNORE:
1075                                 break;
1076                         case DENY_WARN:
1077                                 rp_warning("deleting the current branch");
1078                                 break;
1079                         case DENY_REFUSE:
1080                         case DENY_UNCONFIGURED:
1081                         case DENY_UPDATE_INSTEAD:
1082                                 if (deny_delete_current == DENY_UNCONFIGURED)
1083                                         refuse_unconfigured_deny_delete_current();
1084                                 rp_error("refusing to delete the current branch: %s", name);
1085                                 return "deletion of the current branch prohibited";
1086                         default:
1087                                 return "Invalid denyDeleteCurrent setting";
1088                         }
1089                 }
1090         }
1091
1092         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1093             !is_null_oid(old_oid) &&
1094             starts_with(name, "refs/heads/")) {
1095                 struct object *old_object, *new_object;
1096                 struct commit *old_commit, *new_commit;
1097
1098                 old_object = parse_object(the_repository, old_oid);
1099                 new_object = parse_object(the_repository, new_oid);
1100
1101                 if (!old_object || !new_object ||
1102                     old_object->type != OBJ_COMMIT ||
1103                     new_object->type != OBJ_COMMIT) {
1104                         error("bad sha1 objects for %s", name);
1105                         return "bad ref";
1106                 }
1107                 old_commit = (struct commit *)old_object;
1108                 new_commit = (struct commit *)new_object;
1109                 if (!in_merge_bases(old_commit, new_commit)) {
1110                         rp_error("denying non-fast-forward %s"
1111                                  " (you should pull first)", name);
1112                         return "non-fast-forward";
1113                 }
1114         }
1115         if (run_update_hook(cmd)) {
1116                 rp_error("hook declined to update %s", name);
1117                 return "hook declined";
1118         }
1119
1120         if (do_update_worktree) {
1121                 ret = update_worktree(new_oid->hash);
1122                 if (ret)
1123                         return ret;
1124         }
1125
1126         if (is_null_oid(new_oid)) {
1127                 struct strbuf err = STRBUF_INIT;
1128                 if (!parse_object(the_repository, old_oid)) {
1129                         old_oid = NULL;
1130                         if (ref_exists(name)) {
1131                                 rp_warning("Allowing deletion of corrupt ref.");
1132                         } else {
1133                                 rp_warning("Deleting a non-existent ref.");
1134                                 cmd->did_not_exist = 1;
1135                         }
1136                 }
1137                 if (ref_transaction_delete(transaction,
1138                                            namespaced_name,
1139                                            old_oid,
1140                                            0, "push", &err)) {
1141                         rp_error("%s", err.buf);
1142                         strbuf_release(&err);
1143                         return "failed to delete";
1144                 }
1145                 strbuf_release(&err);
1146                 return NULL; /* good */
1147         }
1148         else {
1149                 struct strbuf err = STRBUF_INIT;
1150                 if (shallow_update && si->shallow_ref[cmd->index] &&
1151                     update_shallow_ref(cmd, si))
1152                         return "shallow error";
1153
1154                 if (ref_transaction_update(transaction,
1155                                            namespaced_name,
1156                                            new_oid, old_oid,
1157                                            0, "push",
1158                                            &err)) {
1159                         rp_error("%s", err.buf);
1160                         strbuf_release(&err);
1161
1162                         return "failed to update ref";
1163                 }
1164                 strbuf_release(&err);
1165
1166                 return NULL; /* good */
1167         }
1168 }
1169
1170 static void run_update_post_hook(struct command *commands)
1171 {
1172         struct command *cmd;
1173         struct child_process proc = CHILD_PROCESS_INIT;
1174         const char *hook;
1175
1176         hook = find_hook("post-update");
1177         if (!hook)
1178                 return;
1179
1180         for (cmd = commands; cmd; cmd = cmd->next) {
1181                 if (cmd->error_string || cmd->did_not_exist)
1182                         continue;
1183                 if (!proc.args.argc)
1184                         argv_array_push(&proc.args, hook);
1185                 argv_array_push(&proc.args, cmd->ref_name);
1186         }
1187         if (!proc.args.argc)
1188                 return;
1189
1190         proc.no_stdin = 1;
1191         proc.stdout_to_stderr = 1;
1192         proc.err = use_sideband ? -1 : 0;
1193         proc.trace2_hook_name = "post-update";
1194
1195         if (!start_command(&proc)) {
1196                 if (use_sideband)
1197                         copy_to_sideband(proc.err, -1, NULL);
1198                 finish_command(&proc);
1199         }
1200 }
1201
1202 static void check_aliased_update_internal(struct command *cmd,
1203                                           struct string_list *list,
1204                                           const char *dst_name, int flag)
1205 {
1206         struct string_list_item *item;
1207         struct command *dst_cmd;
1208
1209         if (!(flag & REF_ISSYMREF))
1210                 return;
1211
1212         if (!dst_name) {
1213                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1214                 cmd->skip_update = 1;
1215                 cmd->error_string = "broken symref";
1216                 return;
1217         }
1218         dst_name = strip_namespace(dst_name);
1219
1220         if ((item = string_list_lookup(list, dst_name)) == NULL)
1221                 return;
1222
1223         cmd->skip_update = 1;
1224
1225         dst_cmd = (struct command *) item->util;
1226
1227         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1228             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1229                 return;
1230
1231         dst_cmd->skip_update = 1;
1232
1233         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1234                  " its target '%s' (%s..%s)",
1235                  cmd->ref_name,
1236                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1237                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1238                  dst_cmd->ref_name,
1239                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1240                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1241
1242         cmd->error_string = dst_cmd->error_string =
1243                 "inconsistent aliased update";
1244 }
1245
1246 static void check_aliased_update(struct command *cmd, struct string_list *list)
1247 {
1248         struct strbuf buf = STRBUF_INIT;
1249         const char *dst_name;
1250         int flag;
1251
1252         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1253         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1254         check_aliased_update_internal(cmd, list, dst_name, flag);
1255         strbuf_release(&buf);
1256 }
1257
1258 static void check_aliased_updates(struct command *commands)
1259 {
1260         struct command *cmd;
1261         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1262
1263         for (cmd = commands; cmd; cmd = cmd->next) {
1264                 struct string_list_item *item =
1265                         string_list_append(&ref_list, cmd->ref_name);
1266                 item->util = (void *)cmd;
1267         }
1268         string_list_sort(&ref_list);
1269
1270         for (cmd = commands; cmd; cmd = cmd->next) {
1271                 if (!cmd->error_string)
1272                         check_aliased_update(cmd, &ref_list);
1273         }
1274
1275         string_list_clear(&ref_list, 0);
1276 }
1277
1278 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1279 {
1280         struct command **cmd_list = cb_data;
1281         struct command *cmd = *cmd_list;
1282
1283         if (!cmd || is_null_oid(&cmd->new_oid))
1284                 return -1; /* end of list */
1285         *cmd_list = NULL; /* this returns only one */
1286         oidcpy(oid, &cmd->new_oid);
1287         return 0;
1288 }
1289
1290 static void set_connectivity_errors(struct command *commands,
1291                                     struct shallow_info *si)
1292 {
1293         struct command *cmd;
1294
1295         for (cmd = commands; cmd; cmd = cmd->next) {
1296                 struct command *singleton = cmd;
1297                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1298
1299                 if (shallow_update && si->shallow_ref[cmd->index])
1300                         /* to be checked in update_shallow_ref() */
1301                         continue;
1302
1303                 opt.env = tmp_objdir_env(tmp_objdir);
1304                 if (!check_connected(command_singleton_iterator, &singleton,
1305                                      &opt))
1306                         continue;
1307
1308                 cmd->error_string = "missing necessary objects";
1309         }
1310 }
1311
1312 struct iterate_data {
1313         struct command *cmds;
1314         struct shallow_info *si;
1315 };
1316
1317 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1318 {
1319         struct iterate_data *data = cb_data;
1320         struct command **cmd_list = &data->cmds;
1321         struct command *cmd = *cmd_list;
1322
1323         for (; cmd; cmd = cmd->next) {
1324                 if (shallow_update && data->si->shallow_ref[cmd->index])
1325                         /* to be checked in update_shallow_ref() */
1326                         continue;
1327                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1328                         oidcpy(oid, &cmd->new_oid);
1329                         *cmd_list = cmd->next;
1330                         return 0;
1331                 }
1332         }
1333         *cmd_list = NULL;
1334         return -1; /* end of list */
1335 }
1336
1337 static void reject_updates_to_hidden(struct command *commands)
1338 {
1339         struct strbuf refname_full = STRBUF_INIT;
1340         size_t prefix_len;
1341         struct command *cmd;
1342
1343         strbuf_addstr(&refname_full, get_git_namespace());
1344         prefix_len = refname_full.len;
1345
1346         for (cmd = commands; cmd; cmd = cmd->next) {
1347                 if (cmd->error_string)
1348                         continue;
1349
1350                 strbuf_setlen(&refname_full, prefix_len);
1351                 strbuf_addstr(&refname_full, cmd->ref_name);
1352
1353                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1354                         continue;
1355                 if (is_null_oid(&cmd->new_oid))
1356                         cmd->error_string = "deny deleting a hidden ref";
1357                 else
1358                         cmd->error_string = "deny updating a hidden ref";
1359         }
1360
1361         strbuf_release(&refname_full);
1362 }
1363
1364 static int should_process_cmd(struct command *cmd)
1365 {
1366         return !cmd->error_string && !cmd->skip_update;
1367 }
1368
1369 static void warn_if_skipped_connectivity_check(struct command *commands,
1370                                                struct shallow_info *si)
1371 {
1372         struct command *cmd;
1373         int checked_connectivity = 1;
1374
1375         for (cmd = commands; cmd; cmd = cmd->next) {
1376                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1377                         error("BUG: connectivity check has not been run on ref %s",
1378                               cmd->ref_name);
1379                         checked_connectivity = 0;
1380                 }
1381         }
1382         if (!checked_connectivity)
1383                 BUG("connectivity check skipped???");
1384 }
1385
1386 static void execute_commands_non_atomic(struct command *commands,
1387                                         struct shallow_info *si)
1388 {
1389         struct command *cmd;
1390         struct strbuf err = STRBUF_INIT;
1391
1392         for (cmd = commands; cmd; cmd = cmd->next) {
1393                 if (!should_process_cmd(cmd))
1394                         continue;
1395
1396                 transaction = ref_transaction_begin(&err);
1397                 if (!transaction) {
1398                         rp_error("%s", err.buf);
1399                         strbuf_reset(&err);
1400                         cmd->error_string = "transaction failed to start";
1401                         continue;
1402                 }
1403
1404                 cmd->error_string = update(cmd, si);
1405
1406                 if (!cmd->error_string
1407                     && ref_transaction_commit(transaction, &err)) {
1408                         rp_error("%s", err.buf);
1409                         strbuf_reset(&err);
1410                         cmd->error_string = "failed to update ref";
1411                 }
1412                 ref_transaction_free(transaction);
1413         }
1414         strbuf_release(&err);
1415 }
1416
1417 static void execute_commands_atomic(struct command *commands,
1418                                         struct shallow_info *si)
1419 {
1420         struct command *cmd;
1421         struct strbuf err = STRBUF_INIT;
1422         const char *reported_error = "atomic push failure";
1423
1424         transaction = ref_transaction_begin(&err);
1425         if (!transaction) {
1426                 rp_error("%s", err.buf);
1427                 strbuf_reset(&err);
1428                 reported_error = "transaction failed to start";
1429                 goto failure;
1430         }
1431
1432         for (cmd = commands; cmd; cmd = cmd->next) {
1433                 if (!should_process_cmd(cmd))
1434                         continue;
1435
1436                 cmd->error_string = update(cmd, si);
1437
1438                 if (cmd->error_string)
1439                         goto failure;
1440         }
1441
1442         if (ref_transaction_commit(transaction, &err)) {
1443                 rp_error("%s", err.buf);
1444                 reported_error = "atomic transaction failed";
1445                 goto failure;
1446         }
1447         goto cleanup;
1448
1449 failure:
1450         for (cmd = commands; cmd; cmd = cmd->next)
1451                 if (!cmd->error_string)
1452                         cmd->error_string = reported_error;
1453
1454 cleanup:
1455         ref_transaction_free(transaction);
1456         strbuf_release(&err);
1457 }
1458
1459 static void execute_commands(struct command *commands,
1460                              const char *unpacker_error,
1461                              struct shallow_info *si,
1462                              const struct string_list *push_options)
1463 {
1464         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1465         struct command *cmd;
1466         struct iterate_data data;
1467         struct async muxer;
1468         int err_fd = 0;
1469
1470         if (unpacker_error) {
1471                 for (cmd = commands; cmd; cmd = cmd->next)
1472                         cmd->error_string = "unpacker error";
1473                 return;
1474         }
1475
1476         if (use_sideband) {
1477                 memset(&muxer, 0, sizeof(muxer));
1478                 muxer.proc = copy_to_sideband;
1479                 muxer.in = -1;
1480                 if (!start_async(&muxer))
1481                         err_fd = muxer.in;
1482                 /* ...else, continue without relaying sideband */
1483         }
1484
1485         data.cmds = commands;
1486         data.si = si;
1487         opt.err_fd = err_fd;
1488         opt.progress = err_fd && !quiet;
1489         opt.env = tmp_objdir_env(tmp_objdir);
1490         if (check_connected(iterate_receive_command_list, &data, &opt))
1491                 set_connectivity_errors(commands, si);
1492
1493         if (use_sideband)
1494                 finish_async(&muxer);
1495
1496         reject_updates_to_hidden(commands);
1497
1498         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1499                 for (cmd = commands; cmd; cmd = cmd->next) {
1500                         if (!cmd->error_string)
1501                                 cmd->error_string = "pre-receive hook declined";
1502                 }
1503                 return;
1504         }
1505
1506         /*
1507          * Now we'll start writing out refs, which means the objects need
1508          * to be in their final positions so that other processes can see them.
1509          */
1510         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1511                 for (cmd = commands; cmd; cmd = cmd->next) {
1512                         if (!cmd->error_string)
1513                                 cmd->error_string = "unable to migrate objects to permanent storage";
1514                 }
1515                 return;
1516         }
1517         tmp_objdir = NULL;
1518
1519         check_aliased_updates(commands);
1520
1521         free(head_name_to_free);
1522         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1523
1524         if (use_atomic)
1525                 execute_commands_atomic(commands, si);
1526         else
1527                 execute_commands_non_atomic(commands, si);
1528
1529         if (shallow_update)
1530                 warn_if_skipped_connectivity_check(commands, si);
1531 }
1532
1533 static struct command **queue_command(struct command **tail,
1534                                       const char *line,
1535                                       int linelen)
1536 {
1537         struct object_id old_oid, new_oid;
1538         struct command *cmd;
1539         const char *refname;
1540         int reflen;
1541         const char *p;
1542
1543         if (parse_oid_hex(line, &old_oid, &p) ||
1544             *p++ != ' ' ||
1545             parse_oid_hex(p, &new_oid, &p) ||
1546             *p++ != ' ')
1547                 die("protocol error: expected old/new/ref, got '%s'", line);
1548
1549         refname = p;
1550         reflen = linelen - (p - line);
1551         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1552         oidcpy(&cmd->old_oid, &old_oid);
1553         oidcpy(&cmd->new_oid, &new_oid);
1554         *tail = cmd;
1555         return &cmd->next;
1556 }
1557
1558 static void queue_commands_from_cert(struct command **tail,
1559                                      struct strbuf *push_cert)
1560 {
1561         const char *boc, *eoc;
1562
1563         if (*tail)
1564                 die("protocol error: got both push certificate and unsigned commands");
1565
1566         boc = strstr(push_cert->buf, "\n\n");
1567         if (!boc)
1568                 die("malformed push certificate %.*s", 100, push_cert->buf);
1569         else
1570                 boc += 2;
1571         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1572
1573         while (boc < eoc) {
1574                 const char *eol = memchr(boc, '\n', eoc - boc);
1575                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1576                 boc = eol ? eol + 1 : eoc;
1577         }
1578 }
1579
1580 static struct command *read_head_info(struct packet_reader *reader,
1581                                       struct oid_array *shallow)
1582 {
1583         struct command *commands = NULL;
1584         struct command **p = &commands;
1585         for (;;) {
1586                 int linelen;
1587
1588                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1589                         break;
1590
1591                 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1592                         struct object_id oid;
1593                         if (get_oid_hex(reader->line + 8, &oid))
1594                                 die("protocol error: expected shallow sha, got '%s'",
1595                                     reader->line + 8);
1596                         oid_array_append(shallow, &oid);
1597                         continue;
1598                 }
1599
1600                 linelen = strlen(reader->line);
1601                 if (linelen < reader->pktlen) {
1602                         const char *feature_list = reader->line + linelen + 1;
1603                         if (parse_feature_request(feature_list, "report-status"))
1604                                 report_status = 1;
1605                         if (parse_feature_request(feature_list, "side-band-64k"))
1606                                 use_sideband = LARGE_PACKET_MAX;
1607                         if (parse_feature_request(feature_list, "quiet"))
1608                                 quiet = 1;
1609                         if (advertise_atomic_push
1610                             && parse_feature_request(feature_list, "atomic"))
1611                                 use_atomic = 1;
1612                         if (advertise_push_options
1613                             && parse_feature_request(feature_list, "push-options"))
1614                                 use_push_options = 1;
1615                 }
1616
1617                 if (!strcmp(reader->line, "push-cert")) {
1618                         int true_flush = 0;
1619                         int saved_options = reader->options;
1620                         reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1621
1622                         for (;;) {
1623                                 packet_reader_read(reader);
1624                                 if (reader->status == PACKET_READ_FLUSH) {
1625                                         true_flush = 1;
1626                                         break;
1627                                 }
1628                                 if (reader->status != PACKET_READ_NORMAL) {
1629                                         die("protocol error: got an unexpected packet");
1630                                 }
1631                                 if (!strcmp(reader->line, "push-cert-end\n"))
1632                                         break; /* end of cert */
1633                                 strbuf_addstr(&push_cert, reader->line);
1634                         }
1635                         reader->options = saved_options;
1636
1637                         if (true_flush)
1638                                 break;
1639                         continue;
1640                 }
1641
1642                 p = queue_command(p, reader->line, linelen);
1643         }
1644
1645         if (push_cert.len)
1646                 queue_commands_from_cert(p, &push_cert);
1647
1648         return commands;
1649 }
1650
1651 static void read_push_options(struct packet_reader *reader,
1652                               struct string_list *options)
1653 {
1654         while (1) {
1655                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1656                         break;
1657
1658                 string_list_append(options, reader->line);
1659         }
1660 }
1661
1662 static const char *parse_pack_header(struct pack_header *hdr)
1663 {
1664         switch (read_pack_header(0, hdr)) {
1665         case PH_ERROR_EOF:
1666                 return "eof before pack header was fully read";
1667
1668         case PH_ERROR_PACK_SIGNATURE:
1669                 return "protocol error (pack signature mismatch detected)";
1670
1671         case PH_ERROR_PROTOCOL:
1672                 return "protocol error (pack version unsupported)";
1673
1674         default:
1675                 return "unknown error in parse_pack_header";
1676
1677         case 0:
1678                 return NULL;
1679         }
1680 }
1681
1682 static const char *pack_lockfile;
1683
1684 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1685 {
1686         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1687                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1688 }
1689
1690 static const char *unpack(int err_fd, struct shallow_info *si)
1691 {
1692         struct pack_header hdr;
1693         const char *hdr_err;
1694         int status;
1695         struct child_process child = CHILD_PROCESS_INIT;
1696         int fsck_objects = (receive_fsck_objects >= 0
1697                             ? receive_fsck_objects
1698                             : transfer_fsck_objects >= 0
1699                             ? transfer_fsck_objects
1700                             : 0);
1701
1702         hdr_err = parse_pack_header(&hdr);
1703         if (hdr_err) {
1704                 if (err_fd > 0)
1705                         close(err_fd);
1706                 return hdr_err;
1707         }
1708
1709         if (si->nr_ours || si->nr_theirs) {
1710                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1711                 argv_array_push(&child.args, "--shallow-file");
1712                 argv_array_push(&child.args, alt_shallow_file);
1713         }
1714
1715         tmp_objdir = tmp_objdir_create();
1716         if (!tmp_objdir) {
1717                 if (err_fd > 0)
1718                         close(err_fd);
1719                 return "unable to create temporary object directory";
1720         }
1721         child.env = tmp_objdir_env(tmp_objdir);
1722
1723         /*
1724          * Normally we just pass the tmp_objdir environment to the child
1725          * processes that do the heavy lifting, but we may need to see these
1726          * objects ourselves to set up shallow information.
1727          */
1728         tmp_objdir_add_as_alternate(tmp_objdir);
1729
1730         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1731                 argv_array_push(&child.args, "unpack-objects");
1732                 push_header_arg(&child.args, &hdr);
1733                 if (quiet)
1734                         argv_array_push(&child.args, "-q");
1735                 if (fsck_objects)
1736                         argv_array_pushf(&child.args, "--strict%s",
1737                                 fsck_msg_types.buf);
1738                 if (max_input_size)
1739                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1740                                 (uintmax_t)max_input_size);
1741                 child.no_stdout = 1;
1742                 child.err = err_fd;
1743                 child.git_cmd = 1;
1744                 status = run_command(&child);
1745                 if (status)
1746                         return "unpack-objects abnormal exit";
1747         } else {
1748                 char hostname[HOST_NAME_MAX + 1];
1749
1750                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1751                 push_header_arg(&child.args, &hdr);
1752
1753                 if (xgethostname(hostname, sizeof(hostname)))
1754                         xsnprintf(hostname, sizeof(hostname), "localhost");
1755                 argv_array_pushf(&child.args,
1756                                  "--keep=receive-pack %"PRIuMAX" on %s",
1757                                  (uintmax_t)getpid(),
1758                                  hostname);
1759
1760                 if (!quiet && err_fd)
1761                         argv_array_push(&child.args, "--show-resolving-progress");
1762                 if (use_sideband)
1763                         argv_array_push(&child.args, "--report-end-of-input");
1764                 if (fsck_objects)
1765                         argv_array_pushf(&child.args, "--strict%s",
1766                                 fsck_msg_types.buf);
1767                 if (!reject_thin)
1768                         argv_array_push(&child.args, "--fix-thin");
1769                 if (max_input_size)
1770                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1771                                 (uintmax_t)max_input_size);
1772                 child.out = -1;
1773                 child.err = err_fd;
1774                 child.git_cmd = 1;
1775                 status = start_command(&child);
1776                 if (status)
1777                         return "index-pack fork failed";
1778                 pack_lockfile = index_pack_lockfile(child.out);
1779                 close(child.out);
1780                 status = finish_command(&child);
1781                 if (status)
1782                         return "index-pack abnormal exit";
1783                 reprepare_packed_git(the_repository);
1784         }
1785         return NULL;
1786 }
1787
1788 static const char *unpack_with_sideband(struct shallow_info *si)
1789 {
1790         struct async muxer;
1791         const char *ret;
1792
1793         if (!use_sideband)
1794                 return unpack(0, si);
1795
1796         use_keepalive = KEEPALIVE_AFTER_NUL;
1797         memset(&muxer, 0, sizeof(muxer));
1798         muxer.proc = copy_to_sideband;
1799         muxer.in = -1;
1800         if (start_async(&muxer))
1801                 return NULL;
1802
1803         ret = unpack(muxer.in, si);
1804
1805         finish_async(&muxer);
1806         return ret;
1807 }
1808
1809 static void prepare_shallow_update(struct shallow_info *si)
1810 {
1811         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1812
1813         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1814         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1815
1816         si->need_reachability_test =
1817                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1818         si->reachable =
1819                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1820         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1821
1822         for (i = 0; i < si->nr_ours; i++)
1823                 si->need_reachability_test[si->ours[i]] = 1;
1824
1825         for (i = 0; i < si->shallow->nr; i++) {
1826                 if (!si->used_shallow[i])
1827                         continue;
1828                 for (j = 0; j < bitmap_size; j++) {
1829                         if (!si->used_shallow[i][j])
1830                                 continue;
1831                         si->need_reachability_test[i]++;
1832                         for (k = 0; k < 32; k++)
1833                                 if (si->used_shallow[i][j] & (1U << k))
1834                                         si->shallow_ref[j * 32 + k]++;
1835                 }
1836
1837                 /*
1838                  * true for those associated with some refs and belong
1839                  * in "ours" list aka "step 7 not done yet"
1840                  */
1841                 si->need_reachability_test[i] =
1842                         si->need_reachability_test[i] > 1;
1843         }
1844
1845         /*
1846          * keep hooks happy by forcing a temporary shallow file via
1847          * env variable because we can't add --shallow-file to every
1848          * command. check_connected() will be done with
1849          * true .git/shallow though.
1850          */
1851         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1852 }
1853
1854 static void update_shallow_info(struct command *commands,
1855                                 struct shallow_info *si,
1856                                 struct oid_array *ref)
1857 {
1858         struct command *cmd;
1859         int *ref_status;
1860         remove_nonexistent_theirs_shallow(si);
1861         if (!si->nr_ours && !si->nr_theirs) {
1862                 shallow_update = 0;
1863                 return;
1864         }
1865
1866         for (cmd = commands; cmd; cmd = cmd->next) {
1867                 if (is_null_oid(&cmd->new_oid))
1868                         continue;
1869                 oid_array_append(ref, &cmd->new_oid);
1870                 cmd->index = ref->nr - 1;
1871         }
1872         si->ref = ref;
1873
1874         if (shallow_update) {
1875                 prepare_shallow_update(si);
1876                 return;
1877         }
1878
1879         ALLOC_ARRAY(ref_status, ref->nr);
1880         assign_shallow_commits_to_refs(si, NULL, ref_status);
1881         for (cmd = commands; cmd; cmd = cmd->next) {
1882                 if (is_null_oid(&cmd->new_oid))
1883                         continue;
1884                 if (ref_status[cmd->index]) {
1885                         cmd->error_string = "shallow update not allowed";
1886                         cmd->skip_update = 1;
1887                 }
1888         }
1889         free(ref_status);
1890 }
1891
1892 static void report(struct command *commands, const char *unpack_status)
1893 {
1894         struct command *cmd;
1895         struct strbuf buf = STRBUF_INIT;
1896
1897         packet_buf_write(&buf, "unpack %s\n",
1898                          unpack_status ? unpack_status : "ok");
1899         for (cmd = commands; cmd; cmd = cmd->next) {
1900                 if (!cmd->error_string)
1901                         packet_buf_write(&buf, "ok %s\n",
1902                                          cmd->ref_name);
1903                 else
1904                         packet_buf_write(&buf, "ng %s %s\n",
1905                                          cmd->ref_name, cmd->error_string);
1906         }
1907         packet_buf_flush(&buf);
1908
1909         if (use_sideband)
1910                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1911         else
1912                 write_or_die(1, buf.buf, buf.len);
1913         strbuf_release(&buf);
1914 }
1915
1916 static int delete_only(struct command *commands)
1917 {
1918         struct command *cmd;
1919         for (cmd = commands; cmd; cmd = cmd->next) {
1920                 if (!is_null_oid(&cmd->new_oid))
1921                         return 0;
1922         }
1923         return 1;
1924 }
1925
1926 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1927 {
1928         int advertise_refs = 0;
1929         struct command *commands;
1930         struct oid_array shallow = OID_ARRAY_INIT;
1931         struct oid_array ref = OID_ARRAY_INIT;
1932         struct shallow_info si;
1933         struct packet_reader reader;
1934
1935         struct option options[] = {
1936                 OPT__QUIET(&quiet, N_("quiet")),
1937                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1938                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1939                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1940                 OPT_END()
1941         };
1942
1943         packet_trace_identity("receive-pack");
1944
1945         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1946
1947         if (argc > 1)
1948                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1949         if (argc == 0)
1950                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1951
1952         service_dir = argv[0];
1953
1954         setup_path();
1955
1956         if (!enter_repo(service_dir, 0))
1957                 die("'%s' does not appear to be a git repository", service_dir);
1958
1959         git_config(receive_pack_config, NULL);
1960         if (cert_nonce_seed)
1961                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1962
1963         if (0 <= transfer_unpack_limit)
1964                 unpack_limit = transfer_unpack_limit;
1965         else if (0 <= receive_unpack_limit)
1966                 unpack_limit = receive_unpack_limit;
1967
1968         switch (determine_protocol_version_server()) {
1969         case protocol_v2:
1970                 /*
1971                  * push support for protocol v2 has not been implemented yet,
1972                  * so ignore the request to use v2 and fallback to using v0.
1973                  */
1974                 break;
1975         case protocol_v1:
1976                 /*
1977                  * v1 is just the original protocol with a version string,
1978                  * so just fall through after writing the version string.
1979                  */
1980                 if (advertise_refs || !stateless_rpc)
1981                         packet_write_fmt(1, "version 1\n");
1982
1983                 /* fallthrough */
1984         case protocol_v0:
1985                 break;
1986         case protocol_unknown_version:
1987                 BUG("unknown protocol version");
1988         }
1989
1990         if (advertise_refs || !stateless_rpc) {
1991                 write_head_info();
1992         }
1993         if (advertise_refs)
1994                 return 0;
1995
1996         packet_reader_init(&reader, 0, NULL, 0,
1997                            PACKET_READ_CHOMP_NEWLINE |
1998                            PACKET_READ_DIE_ON_ERR_PACKET);
1999
2000         if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2001                 const char *unpack_status = NULL;
2002                 struct string_list push_options = STRING_LIST_INIT_DUP;
2003
2004                 if (use_push_options)
2005                         read_push_options(&reader, &push_options);
2006                 if (!check_cert_push_options(&push_options)) {
2007                         struct command *cmd;
2008                         for (cmd = commands; cmd; cmd = cmd->next)
2009                                 cmd->error_string = "inconsistent push options";
2010                 }
2011
2012                 prepare_shallow_info(&si, &shallow);
2013                 if (!si.nr_ours && !si.nr_theirs)
2014                         shallow_update = 0;
2015                 if (!delete_only(commands)) {
2016                         unpack_status = unpack_with_sideband(&si);
2017                         update_shallow_info(commands, &si, &ref);
2018                 }
2019                 use_keepalive = KEEPALIVE_ALWAYS;
2020                 execute_commands(commands, unpack_status, &si,
2021                                  &push_options);
2022                 if (pack_lockfile)
2023                         unlink_or_warn(pack_lockfile);
2024                 if (report_status)
2025                         report(commands, unpack_status);
2026                 run_receive_hook(commands, "post-receive", 1,
2027                                  &push_options);
2028                 run_update_post_hook(commands);
2029                 string_list_clear(&push_options, 0);
2030                 if (auto_gc) {
2031                         const char *argv_gc_auto[] = {
2032                                 "gc", "--auto", "--quiet", NULL,
2033                         };
2034                         struct child_process proc = CHILD_PROCESS_INIT;
2035
2036                         proc.no_stdin = 1;
2037                         proc.stdout_to_stderr = 1;
2038                         proc.err = use_sideband ? -1 : 0;
2039                         proc.git_cmd = 1;
2040                         proc.argv = argv_gc_auto;
2041
2042                         close_object_store(the_repository->objects);
2043                         if (!start_command(&proc)) {
2044                                 if (use_sideband)
2045                                         copy_to_sideband(proc.err, -1, NULL);
2046                                 finish_command(&proc);
2047                         }
2048                 }
2049                 if (auto_update_server_info)
2050                         update_server_info(0);
2051                 clear_shallow_info(&si);
2052         }
2053         if (use_sideband)
2054                 packet_flush(1);
2055         oid_array_clear(&shallow);
2056         oid_array_clear(&ref);
2057         free((void *)push_cert_nonce);
2058         return 0;
2059 }