Merge branch 'dl/credential-cache-socket-in-xdg-cache'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23 #include "tmp-objdir.h"
24 #include "oidset.h"
25
26 static const char * const receive_pack_usage[] = {
27         N_("git receive-pack <git-dir>"),
28         NULL
29 };
30
31 enum deny_action {
32         DENY_UNCONFIGURED,
33         DENY_IGNORE,
34         DENY_WARN,
35         DENY_REFUSE,
36         DENY_UPDATE_INSTEAD
37 };
38
39 static int deny_deletes;
40 static int deny_non_fast_forwards;
41 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
42 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
43 static int receive_fsck_objects = -1;
44 static int transfer_fsck_objects = -1;
45 static struct strbuf fsck_msg_types = STRBUF_INIT;
46 static int receive_unpack_limit = -1;
47 static int transfer_unpack_limit = -1;
48 static int advertise_atomic_push = 1;
49 static int advertise_push_options;
50 static int unpack_limit = 100;
51 static off_t max_input_size;
52 static int report_status;
53 static int use_sideband;
54 static int use_atomic;
55 static int use_push_options;
56 static int quiet;
57 static int prefer_ofs_delta = 1;
58 static int auto_update_server_info;
59 static int auto_gc = 1;
60 static int reject_thin;
61 static int stateless_rpc;
62 static const char *service_dir;
63 static const char *head_name;
64 static void *head_name_to_free;
65 static int sent_capabilities;
66 static int shallow_update;
67 static const char *alt_shallow_file;
68 static struct strbuf push_cert = STRBUF_INIT;
69 static unsigned char push_cert_sha1[20];
70 static struct signature_check sigcheck;
71 static const char *push_cert_nonce;
72 static const char *cert_nonce_seed;
73
74 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
75 static const char *NONCE_BAD = "BAD";
76 static const char *NONCE_MISSING = "MISSING";
77 static const char *NONCE_OK = "OK";
78 static const char *NONCE_SLOP = "SLOP";
79 static const char *nonce_status;
80 static long nonce_stamp_slop;
81 static unsigned long nonce_stamp_slop_limit;
82 static struct ref_transaction *transaction;
83
84 static enum {
85         KEEPALIVE_NEVER = 0,
86         KEEPALIVE_AFTER_NUL,
87         KEEPALIVE_ALWAYS
88 } use_keepalive;
89 static int keepalive_in_sec = 5;
90
91 static struct tmp_objdir *tmp_objdir;
92
93 static enum deny_action parse_deny_action(const char *var, const char *value)
94 {
95         if (value) {
96                 if (!strcasecmp(value, "ignore"))
97                         return DENY_IGNORE;
98                 if (!strcasecmp(value, "warn"))
99                         return DENY_WARN;
100                 if (!strcasecmp(value, "refuse"))
101                         return DENY_REFUSE;
102                 if (!strcasecmp(value, "updateinstead"))
103                         return DENY_UPDATE_INSTEAD;
104         }
105         if (git_config_bool(var, value))
106                 return DENY_REFUSE;
107         return DENY_IGNORE;
108 }
109
110 static int receive_pack_config(const char *var, const char *value, void *cb)
111 {
112         int status = parse_hide_refs_config(var, value, "receive");
113
114         if (status)
115                 return status;
116
117         if (strcmp(var, "receive.denydeletes") == 0) {
118                 deny_deletes = git_config_bool(var, value);
119                 return 0;
120         }
121
122         if (strcmp(var, "receive.denynonfastforwards") == 0) {
123                 deny_non_fast_forwards = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.unpacklimit") == 0) {
128                 receive_unpack_limit = git_config_int(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "transfer.unpacklimit") == 0) {
133                 transfer_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "receive.fsck.skiplist") == 0) {
138                 const char *path;
139
140                 if (git_config_pathname(&path, var, value))
141                         return 1;
142                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
143                         fsck_msg_types.len ? ',' : '=', path);
144                 free((char *)path);
145                 return 0;
146         }
147
148         if (skip_prefix(var, "receive.fsck.", &var)) {
149                 if (is_valid_msg_type(var, value))
150                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
151                                 fsck_msg_types.len ? ',' : '=', var, value);
152                 else
153                         warning("Skipping unknown msg id '%s'", var);
154                 return 0;
155         }
156
157         if (strcmp(var, "receive.fsckobjects") == 0) {
158                 receive_fsck_objects = git_config_bool(var, value);
159                 return 0;
160         }
161
162         if (strcmp(var, "transfer.fsckobjects") == 0) {
163                 transfer_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (!strcmp(var, "receive.denycurrentbranch")) {
168                 deny_current_branch = parse_deny_action(var, value);
169                 return 0;
170         }
171
172         if (strcmp(var, "receive.denydeletecurrent") == 0) {
173                 deny_delete_current = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
178                 prefer_ofs_delta = git_config_bool(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "receive.updateserverinfo") == 0) {
183                 auto_update_server_info = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.autogc") == 0) {
188                 auto_gc = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.shallowupdate") == 0) {
193                 shallow_update = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.certnonceseed") == 0)
198                 return git_config_string(&cert_nonce_seed, var, value);
199
200         if (strcmp(var, "receive.certnonceslop") == 0) {
201                 nonce_stamp_slop_limit = git_config_ulong(var, value);
202                 return 0;
203         }
204
205         if (strcmp(var, "receive.advertiseatomic") == 0) {
206                 advertise_atomic_push = git_config_bool(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertisepushoptions") == 0) {
211                 advertise_push_options = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.keepalive") == 0) {
216                 keepalive_in_sec = git_config_int(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.maxinputsize") == 0) {
221                 max_input_size = git_config_int64(var, value);
222                 return 0;
223         }
224
225         return git_default_config(var, value, cb);
226 }
227
228 static void show_ref(const char *path, const unsigned char *sha1)
229 {
230         if (sent_capabilities) {
231                 packet_write_fmt(1, "%s %s\n", sha1_to_hex(sha1), path);
232         } else {
233                 struct strbuf cap = STRBUF_INIT;
234
235                 strbuf_addstr(&cap,
236                               "report-status delete-refs side-band-64k quiet");
237                 if (advertise_atomic_push)
238                         strbuf_addstr(&cap, " atomic");
239                 if (prefer_ofs_delta)
240                         strbuf_addstr(&cap, " ofs-delta");
241                 if (push_cert_nonce)
242                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
243                 if (advertise_push_options)
244                         strbuf_addstr(&cap, " push-options");
245                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
246                 packet_write_fmt(1, "%s %s%c%s\n",
247                              sha1_to_hex(sha1), path, 0, cap.buf);
248                 strbuf_release(&cap);
249                 sent_capabilities = 1;
250         }
251 }
252
253 static int show_ref_cb(const char *path_full, const struct object_id *oid,
254                        int flag, void *data)
255 {
256         struct oidset *seen = data;
257         const char *path = strip_namespace(path_full);
258
259         if (ref_is_hidden(path, path_full))
260                 return 0;
261
262         /*
263          * Advertise refs outside our current namespace as ".have"
264          * refs, so that the client can use them to minimize data
265          * transfer but will otherwise ignore them.
266          */
267         if (!path) {
268                 if (oidset_insert(seen, oid))
269                         return 0;
270                 path = ".have";
271         } else {
272                 oidset_insert(seen, oid);
273         }
274         show_ref(path, oid->hash);
275         return 0;
276 }
277
278 static void show_one_alternate_ref(const char *refname,
279                                    const struct object_id *oid,
280                                    void *data)
281 {
282         struct oidset *seen = data;
283
284         if (oidset_insert(seen, oid))
285                 return;
286
287         show_ref(".have", oid->hash);
288 }
289
290 static void write_head_info(void)
291 {
292         static struct oidset seen = OIDSET_INIT;
293
294         for_each_ref(show_ref_cb, &seen);
295         for_each_alternate_ref(show_one_alternate_ref, &seen);
296         oidset_clear(&seen);
297         if (!sent_capabilities)
298                 show_ref("capabilities^{}", null_sha1);
299
300         advertise_shallow_grafts(1);
301
302         /* EOF */
303         packet_flush(1);
304 }
305
306 struct command {
307         struct command *next;
308         const char *error_string;
309         unsigned int skip_update:1,
310                      did_not_exist:1;
311         int index;
312         unsigned char old_sha1[20];
313         unsigned char new_sha1[20];
314         char ref_name[FLEX_ARRAY]; /* more */
315 };
316
317 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
318 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
319
320 static void report_message(const char *prefix, const char *err, va_list params)
321 {
322         int sz;
323         char msg[4096];
324
325         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
326         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
327         if (sz > (sizeof(msg) - 1))
328                 sz = sizeof(msg) - 1;
329         msg[sz++] = '\n';
330
331         if (use_sideband)
332                 send_sideband(1, 2, msg, sz, use_sideband);
333         else
334                 xwrite(2, msg, sz);
335 }
336
337 static void rp_warning(const char *err, ...)
338 {
339         va_list params;
340         va_start(params, err);
341         report_message("warning: ", err, params);
342         va_end(params);
343 }
344
345 static void rp_error(const char *err, ...)
346 {
347         va_list params;
348         va_start(params, err);
349         report_message("error: ", err, params);
350         va_end(params);
351 }
352
353 static int copy_to_sideband(int in, int out, void *arg)
354 {
355         char data[128];
356         int keepalive_active = 0;
357
358         if (keepalive_in_sec <= 0)
359                 use_keepalive = KEEPALIVE_NEVER;
360         if (use_keepalive == KEEPALIVE_ALWAYS)
361                 keepalive_active = 1;
362
363         while (1) {
364                 ssize_t sz;
365
366                 if (keepalive_active) {
367                         struct pollfd pfd;
368                         int ret;
369
370                         pfd.fd = in;
371                         pfd.events = POLLIN;
372                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
373
374                         if (ret < 0) {
375                                 if (errno == EINTR)
376                                         continue;
377                                 else
378                                         break;
379                         } else if (ret == 0) {
380                                 /* no data; send a keepalive packet */
381                                 static const char buf[] = "0005\1";
382                                 write_or_die(1, buf, sizeof(buf) - 1);
383                                 continue;
384                         } /* else there is actual data to read */
385                 }
386
387                 sz = xread(in, data, sizeof(data));
388                 if (sz <= 0)
389                         break;
390
391                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
392                         const char *p = memchr(data, '\0', sz);
393                         if (p) {
394                                 /*
395                                  * The NUL tells us to start sending keepalives. Make
396                                  * sure we send any other data we read along
397                                  * with it.
398                                  */
399                                 keepalive_active = 1;
400                                 send_sideband(1, 2, data, p - data, use_sideband);
401                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
402                                 continue;
403                         }
404                 }
405
406                 /*
407                  * Either we're not looking for a NUL signal, or we didn't see
408                  * it yet; just pass along the data.
409                  */
410                 send_sideband(1, 2, data, sz, use_sideband);
411         }
412         close(in);
413         return 0;
414 }
415
416 #define HMAC_BLOCK_SIZE 64
417
418 static void hmac_sha1(unsigned char *out,
419                       const char *key_in, size_t key_len,
420                       const char *text, size_t text_len)
421 {
422         unsigned char key[HMAC_BLOCK_SIZE];
423         unsigned char k_ipad[HMAC_BLOCK_SIZE];
424         unsigned char k_opad[HMAC_BLOCK_SIZE];
425         int i;
426         git_SHA_CTX ctx;
427
428         /* RFC 2104 2. (1) */
429         memset(key, '\0', HMAC_BLOCK_SIZE);
430         if (HMAC_BLOCK_SIZE < key_len) {
431                 git_SHA1_Init(&ctx);
432                 git_SHA1_Update(&ctx, key_in, key_len);
433                 git_SHA1_Final(key, &ctx);
434         } else {
435                 memcpy(key, key_in, key_len);
436         }
437
438         /* RFC 2104 2. (2) & (5) */
439         for (i = 0; i < sizeof(key); i++) {
440                 k_ipad[i] = key[i] ^ 0x36;
441                 k_opad[i] = key[i] ^ 0x5c;
442         }
443
444         /* RFC 2104 2. (3) & (4) */
445         git_SHA1_Init(&ctx);
446         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
447         git_SHA1_Update(&ctx, text, text_len);
448         git_SHA1_Final(out, &ctx);
449
450         /* RFC 2104 2. (6) & (7) */
451         git_SHA1_Init(&ctx);
452         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
453         git_SHA1_Update(&ctx, out, 20);
454         git_SHA1_Final(out, &ctx);
455 }
456
457 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
458 {
459         struct strbuf buf = STRBUF_INIT;
460         unsigned char sha1[20];
461
462         strbuf_addf(&buf, "%s:%lu", path, stamp);
463         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
464         strbuf_release(&buf);
465
466         /* RFC 2104 5. HMAC-SHA1-80 */
467         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
468         return strbuf_detach(&buf, NULL);
469 }
470
471 /*
472  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
473  * after dropping "_commit" from its name and possibly moving it out
474  * of commit.c
475  */
476 static char *find_header(const char *msg, size_t len, const char *key)
477 {
478         int key_len = strlen(key);
479         const char *line = msg;
480
481         while (line && line < msg + len) {
482                 const char *eol = strchrnul(line, '\n');
483
484                 if ((msg + len <= eol) || line == eol)
485                         return NULL;
486                 if (line + key_len < eol &&
487                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
488                         int offset = key_len + 1;
489                         return xmemdupz(line + offset, (eol - line) - offset);
490                 }
491                 line = *eol ? eol + 1 : NULL;
492         }
493         return NULL;
494 }
495
496 static const char *check_nonce(const char *buf, size_t len)
497 {
498         char *nonce = find_header(buf, len, "nonce");
499         unsigned long stamp, ostamp;
500         char *bohmac, *expect = NULL;
501         const char *retval = NONCE_BAD;
502
503         if (!nonce) {
504                 retval = NONCE_MISSING;
505                 goto leave;
506         } else if (!push_cert_nonce) {
507                 retval = NONCE_UNSOLICITED;
508                 goto leave;
509         } else if (!strcmp(push_cert_nonce, nonce)) {
510                 retval = NONCE_OK;
511                 goto leave;
512         }
513
514         if (!stateless_rpc) {
515                 /* returned nonce MUST match what we gave out earlier */
516                 retval = NONCE_BAD;
517                 goto leave;
518         }
519
520         /*
521          * In stateless mode, we may be receiving a nonce issued by
522          * another instance of the server that serving the same
523          * repository, and the timestamps may not match, but the
524          * nonce-seed and dir should match, so we can recompute and
525          * report the time slop.
526          *
527          * In addition, when a nonce issued by another instance has
528          * timestamp within receive.certnonceslop seconds, we pretend
529          * as if we issued that nonce when reporting to the hook.
530          */
531
532         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
533         if (*nonce <= '0' || '9' < *nonce) {
534                 retval = NONCE_BAD;
535                 goto leave;
536         }
537         stamp = strtoul(nonce, &bohmac, 10);
538         if (bohmac == nonce || bohmac[0] != '-') {
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542
543         expect = prepare_push_cert_nonce(service_dir, stamp);
544         if (strcmp(expect, nonce)) {
545                 /* Not what we would have signed earlier */
546                 retval = NONCE_BAD;
547                 goto leave;
548         }
549
550         /*
551          * By how many seconds is this nonce stale?  Negative value
552          * would mean it was issued by another server with its clock
553          * skewed in the future.
554          */
555         ostamp = strtoul(push_cert_nonce, NULL, 10);
556         nonce_stamp_slop = (long)ostamp - (long)stamp;
557
558         if (nonce_stamp_slop_limit &&
559             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
560                 /*
561                  * Pretend as if the received nonce (which passes the
562                  * HMAC check, so it is not a forged by third-party)
563                  * is what we issued.
564                  */
565                 free((void *)push_cert_nonce);
566                 push_cert_nonce = xstrdup(nonce);
567                 retval = NONCE_OK;
568         } else {
569                 retval = NONCE_SLOP;
570         }
571
572 leave:
573         free(nonce);
574         free(expect);
575         return retval;
576 }
577
578 static void prepare_push_cert_sha1(struct child_process *proc)
579 {
580         static int already_done;
581
582         if (!push_cert.len)
583                 return;
584
585         if (!already_done) {
586                 struct strbuf gpg_output = STRBUF_INIT;
587                 struct strbuf gpg_status = STRBUF_INIT;
588                 int bogs /* beginning_of_gpg_sig */;
589
590                 already_done = 1;
591                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
592                         hashclr(push_cert_sha1);
593
594                 memset(&sigcheck, '\0', sizeof(sigcheck));
595                 sigcheck.result = 'N';
596
597                 bogs = parse_signature(push_cert.buf, push_cert.len);
598                 if (verify_signed_buffer(push_cert.buf, bogs,
599                                          push_cert.buf + bogs, push_cert.len - bogs,
600                                          &gpg_output, &gpg_status) < 0) {
601                         ; /* error running gpg */
602                 } else {
603                         sigcheck.payload = push_cert.buf;
604                         sigcheck.gpg_output = gpg_output.buf;
605                         sigcheck.gpg_status = gpg_status.buf;
606                         parse_gpg_output(&sigcheck);
607                 }
608
609                 strbuf_release(&gpg_output);
610                 strbuf_release(&gpg_status);
611                 nonce_status = check_nonce(push_cert.buf, bogs);
612         }
613         if (!is_null_sha1(push_cert_sha1)) {
614                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
615                                  sha1_to_hex(push_cert_sha1));
616                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
617                                  sigcheck.signer ? sigcheck.signer : "");
618                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
619                                  sigcheck.key ? sigcheck.key : "");
620                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
621                                  sigcheck.result);
622                 if (push_cert_nonce) {
623                         argv_array_pushf(&proc->env_array,
624                                          "GIT_PUSH_CERT_NONCE=%s",
625                                          push_cert_nonce);
626                         argv_array_pushf(&proc->env_array,
627                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
628                                          nonce_status);
629                         if (nonce_status == NONCE_SLOP)
630                                 argv_array_pushf(&proc->env_array,
631                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
632                                                  nonce_stamp_slop);
633                 }
634         }
635 }
636
637 struct receive_hook_feed_state {
638         struct command *cmd;
639         int skip_broken;
640         struct strbuf buf;
641         const struct string_list *push_options;
642 };
643
644 typedef int (*feed_fn)(void *, const char **, size_t *);
645 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
646                              struct receive_hook_feed_state *feed_state)
647 {
648         struct child_process proc = CHILD_PROCESS_INIT;
649         struct async muxer;
650         const char *argv[2];
651         int code;
652
653         argv[0] = find_hook(hook_name);
654         if (!argv[0])
655                 return 0;
656
657         argv[1] = NULL;
658
659         proc.argv = argv;
660         proc.in = -1;
661         proc.stdout_to_stderr = 1;
662         if (feed_state->push_options) {
663                 int i;
664                 for (i = 0; i < feed_state->push_options->nr; i++)
665                         argv_array_pushf(&proc.env_array,
666                                 "GIT_PUSH_OPTION_%d=%s", i,
667                                 feed_state->push_options->items[i].string);
668                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
669                                  feed_state->push_options->nr);
670         } else
671                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
672
673         if (tmp_objdir)
674                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
675
676         if (use_sideband) {
677                 memset(&muxer, 0, sizeof(muxer));
678                 muxer.proc = copy_to_sideband;
679                 muxer.in = -1;
680                 code = start_async(&muxer);
681                 if (code)
682                         return code;
683                 proc.err = muxer.in;
684         }
685
686         prepare_push_cert_sha1(&proc);
687
688         code = start_command(&proc);
689         if (code) {
690                 if (use_sideband)
691                         finish_async(&muxer);
692                 return code;
693         }
694
695         sigchain_push(SIGPIPE, SIG_IGN);
696
697         while (1) {
698                 const char *buf;
699                 size_t n;
700                 if (feed(feed_state, &buf, &n))
701                         break;
702                 if (write_in_full(proc.in, buf, n) != n)
703                         break;
704         }
705         close(proc.in);
706         if (use_sideband)
707                 finish_async(&muxer);
708
709         sigchain_pop(SIGPIPE);
710
711         return finish_command(&proc);
712 }
713
714 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
715 {
716         struct receive_hook_feed_state *state = state_;
717         struct command *cmd = state->cmd;
718
719         while (cmd &&
720                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
721                 cmd = cmd->next;
722         if (!cmd)
723                 return -1; /* EOF */
724         strbuf_reset(&state->buf);
725         strbuf_addf(&state->buf, "%s %s %s\n",
726                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
727                     cmd->ref_name);
728         state->cmd = cmd->next;
729         if (bufp) {
730                 *bufp = state->buf.buf;
731                 *sizep = state->buf.len;
732         }
733         return 0;
734 }
735
736 static int run_receive_hook(struct command *commands,
737                             const char *hook_name,
738                             int skip_broken,
739                             const struct string_list *push_options)
740 {
741         struct receive_hook_feed_state state;
742         int status;
743
744         strbuf_init(&state.buf, 0);
745         state.cmd = commands;
746         state.skip_broken = skip_broken;
747         if (feed_receive_hook(&state, NULL, NULL))
748                 return 0;
749         state.cmd = commands;
750         state.push_options = push_options;
751         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
752         strbuf_release(&state.buf);
753         return status;
754 }
755
756 static int run_update_hook(struct command *cmd)
757 {
758         const char *argv[5];
759         struct child_process proc = CHILD_PROCESS_INIT;
760         int code;
761
762         argv[0] = find_hook("update");
763         if (!argv[0])
764                 return 0;
765
766         argv[1] = cmd->ref_name;
767         argv[2] = sha1_to_hex(cmd->old_sha1);
768         argv[3] = sha1_to_hex(cmd->new_sha1);
769         argv[4] = NULL;
770
771         proc.no_stdin = 1;
772         proc.stdout_to_stderr = 1;
773         proc.err = use_sideband ? -1 : 0;
774         proc.argv = argv;
775         proc.env = tmp_objdir_env(tmp_objdir);
776
777         code = start_command(&proc);
778         if (code)
779                 return code;
780         if (use_sideband)
781                 copy_to_sideband(proc.err, -1, NULL);
782         return finish_command(&proc);
783 }
784
785 static int is_ref_checked_out(const char *ref)
786 {
787         if (is_bare_repository())
788                 return 0;
789
790         if (!head_name)
791                 return 0;
792         return !strcmp(head_name, ref);
793 }
794
795 static char *refuse_unconfigured_deny_msg =
796         N_("By default, updating the current branch in a non-bare repository\n"
797            "is denied, because it will make the index and work tree inconsistent\n"
798            "with what you pushed, and will require 'git reset --hard' to match\n"
799            "the work tree to HEAD.\n"
800            "\n"
801            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
802            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
803            "its current branch; however, this is not recommended unless you\n"
804            "arranged to update its work tree to match what you pushed in some\n"
805            "other way.\n"
806            "\n"
807            "To squelch this message and still keep the default behaviour, set\n"
808            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
809
810 static void refuse_unconfigured_deny(void)
811 {
812         rp_error("%s", _(refuse_unconfigured_deny_msg));
813 }
814
815 static char *refuse_unconfigured_deny_delete_current_msg =
816         N_("By default, deleting the current branch is denied, because the next\n"
817            "'git clone' won't result in any file checked out, causing confusion.\n"
818            "\n"
819            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
820            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
821            "current branch, with or without a warning message.\n"
822            "\n"
823            "To squelch this message, you can set it to 'refuse'.");
824
825 static void refuse_unconfigured_deny_delete_current(void)
826 {
827         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
828 }
829
830 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
831 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
832 {
833         static struct lock_file shallow_lock;
834         struct sha1_array extra = SHA1_ARRAY_INIT;
835         struct check_connected_options opt = CHECK_CONNECTED_INIT;
836         uint32_t mask = 1 << (cmd->index % 32);
837         int i;
838
839         trace_printf_key(&trace_shallow,
840                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
841         for (i = 0; i < si->shallow->nr; i++)
842                 if (si->used_shallow[i] &&
843                     (si->used_shallow[i][cmd->index / 32] & mask) &&
844                     !delayed_reachability_test(si, i))
845                         sha1_array_append(&extra, si->shallow->sha1[i]);
846
847         opt.env = tmp_objdir_env(tmp_objdir);
848         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
849         if (check_connected(command_singleton_iterator, cmd, &opt)) {
850                 rollback_lock_file(&shallow_lock);
851                 sha1_array_clear(&extra);
852                 return -1;
853         }
854
855         commit_lock_file(&shallow_lock);
856
857         /*
858          * Make sure setup_alternate_shallow() for the next ref does
859          * not lose these new roots..
860          */
861         for (i = 0; i < extra.nr; i++)
862                 register_shallow(extra.sha1[i]);
863
864         si->shallow_ref[cmd->index] = 0;
865         sha1_array_clear(&extra);
866         return 0;
867 }
868
869 /*
870  * NEEDSWORK: we should consolidate various implementions of "are we
871  * on an unborn branch?" test into one, and make the unified one more
872  * robust. !get_sha1() based check used here and elsewhere would not
873  * allow us to tell an unborn branch from corrupt ref, for example.
874  * For the purpose of fixing "deploy-to-update does not work when
875  * pushing into an empty repository" issue, this should suffice for
876  * now.
877  */
878 static int head_has_history(void)
879 {
880         unsigned char sha1[20];
881
882         return !get_sha1("HEAD", sha1);
883 }
884
885 static const char *push_to_deploy(unsigned char *sha1,
886                                   struct argv_array *env,
887                                   const char *work_tree)
888 {
889         const char *update_refresh[] = {
890                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
891         };
892         const char *diff_files[] = {
893                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
894         };
895         const char *diff_index[] = {
896                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
897                 NULL, "--", NULL
898         };
899         const char *read_tree[] = {
900                 "read-tree", "-u", "-m", NULL, NULL
901         };
902         struct child_process child = CHILD_PROCESS_INIT;
903
904         child.argv = update_refresh;
905         child.env = env->argv;
906         child.dir = work_tree;
907         child.no_stdin = 1;
908         child.stdout_to_stderr = 1;
909         child.git_cmd = 1;
910         if (run_command(&child))
911                 return "Up-to-date check failed";
912
913         /* run_command() does not clean up completely; reinitialize */
914         child_process_init(&child);
915         child.argv = diff_files;
916         child.env = env->argv;
917         child.dir = work_tree;
918         child.no_stdin = 1;
919         child.stdout_to_stderr = 1;
920         child.git_cmd = 1;
921         if (run_command(&child))
922                 return "Working directory has unstaged changes";
923
924         /* diff-index with either HEAD or an empty tree */
925         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
926
927         child_process_init(&child);
928         child.argv = diff_index;
929         child.env = env->argv;
930         child.no_stdin = 1;
931         child.no_stdout = 1;
932         child.stdout_to_stderr = 0;
933         child.git_cmd = 1;
934         if (run_command(&child))
935                 return "Working directory has staged changes";
936
937         read_tree[3] = sha1_to_hex(sha1);
938         child_process_init(&child);
939         child.argv = read_tree;
940         child.env = env->argv;
941         child.dir = work_tree;
942         child.no_stdin = 1;
943         child.no_stdout = 1;
944         child.stdout_to_stderr = 0;
945         child.git_cmd = 1;
946         if (run_command(&child))
947                 return "Could not update working tree to new HEAD";
948
949         return NULL;
950 }
951
952 static const char *push_to_checkout_hook = "push-to-checkout";
953
954 static const char *push_to_checkout(unsigned char *sha1,
955                                     struct argv_array *env,
956                                     const char *work_tree)
957 {
958         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
959         if (run_hook_le(env->argv, push_to_checkout_hook,
960                         sha1_to_hex(sha1), NULL))
961                 return "push-to-checkout hook declined";
962         else
963                 return NULL;
964 }
965
966 static const char *update_worktree(unsigned char *sha1)
967 {
968         const char *retval;
969         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
970         struct argv_array env = ARGV_ARRAY_INIT;
971
972         if (is_bare_repository())
973                 return "denyCurrentBranch = updateInstead needs a worktree";
974
975         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
976
977         if (!find_hook(push_to_checkout_hook))
978                 retval = push_to_deploy(sha1, &env, work_tree);
979         else
980                 retval = push_to_checkout(sha1, &env, work_tree);
981
982         argv_array_clear(&env);
983         return retval;
984 }
985
986 static const char *update(struct command *cmd, struct shallow_info *si)
987 {
988         const char *name = cmd->ref_name;
989         struct strbuf namespaced_name_buf = STRBUF_INIT;
990         const char *namespaced_name, *ret;
991         unsigned char *old_sha1 = cmd->old_sha1;
992         unsigned char *new_sha1 = cmd->new_sha1;
993
994         /* only refs/... are allowed */
995         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
996                 rp_error("refusing to create funny ref '%s' remotely", name);
997                 return "funny refname";
998         }
999
1000         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1001         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1002
1003         if (is_ref_checked_out(namespaced_name)) {
1004                 switch (deny_current_branch) {
1005                 case DENY_IGNORE:
1006                         break;
1007                 case DENY_WARN:
1008                         rp_warning("updating the current branch");
1009                         break;
1010                 case DENY_REFUSE:
1011                 case DENY_UNCONFIGURED:
1012                         rp_error("refusing to update checked out branch: %s", name);
1013                         if (deny_current_branch == DENY_UNCONFIGURED)
1014                                 refuse_unconfigured_deny();
1015                         return "branch is currently checked out";
1016                 case DENY_UPDATE_INSTEAD:
1017                         ret = update_worktree(new_sha1);
1018                         if (ret)
1019                                 return ret;
1020                         break;
1021                 }
1022         }
1023
1024         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
1025                 error("unpack should have generated %s, "
1026                       "but I can't find it!", sha1_to_hex(new_sha1));
1027                 return "bad pack";
1028         }
1029
1030         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
1031                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1032                         rp_error("denying ref deletion for %s", name);
1033                         return "deletion prohibited";
1034                 }
1035
1036                 if (head_name && !strcmp(namespaced_name, head_name)) {
1037                         switch (deny_delete_current) {
1038                         case DENY_IGNORE:
1039                                 break;
1040                         case DENY_WARN:
1041                                 rp_warning("deleting the current branch");
1042                                 break;
1043                         case DENY_REFUSE:
1044                         case DENY_UNCONFIGURED:
1045                         case DENY_UPDATE_INSTEAD:
1046                                 if (deny_delete_current == DENY_UNCONFIGURED)
1047                                         refuse_unconfigured_deny_delete_current();
1048                                 rp_error("refusing to delete the current branch: %s", name);
1049                                 return "deletion of the current branch prohibited";
1050                         default:
1051                                 return "Invalid denyDeleteCurrent setting";
1052                         }
1053                 }
1054         }
1055
1056         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
1057             !is_null_sha1(old_sha1) &&
1058             starts_with(name, "refs/heads/")) {
1059                 struct object *old_object, *new_object;
1060                 struct commit *old_commit, *new_commit;
1061
1062                 old_object = parse_object(old_sha1);
1063                 new_object = parse_object(new_sha1);
1064
1065                 if (!old_object || !new_object ||
1066                     old_object->type != OBJ_COMMIT ||
1067                     new_object->type != OBJ_COMMIT) {
1068                         error("bad sha1 objects for %s", name);
1069                         return "bad ref";
1070                 }
1071                 old_commit = (struct commit *)old_object;
1072                 new_commit = (struct commit *)new_object;
1073                 if (!in_merge_bases(old_commit, new_commit)) {
1074                         rp_error("denying non-fast-forward %s"
1075                                  " (you should pull first)", name);
1076                         return "non-fast-forward";
1077                 }
1078         }
1079         if (run_update_hook(cmd)) {
1080                 rp_error("hook declined to update %s", name);
1081                 return "hook declined";
1082         }
1083
1084         if (is_null_sha1(new_sha1)) {
1085                 struct strbuf err = STRBUF_INIT;
1086                 if (!parse_object(old_sha1)) {
1087                         old_sha1 = NULL;
1088                         if (ref_exists(name)) {
1089                                 rp_warning("Allowing deletion of corrupt ref.");
1090                         } else {
1091                                 rp_warning("Deleting a non-existent ref.");
1092                                 cmd->did_not_exist = 1;
1093                         }
1094                 }
1095                 if (ref_transaction_delete(transaction,
1096                                            namespaced_name,
1097                                            old_sha1,
1098                                            0, "push", &err)) {
1099                         rp_error("%s", err.buf);
1100                         strbuf_release(&err);
1101                         return "failed to delete";
1102                 }
1103                 strbuf_release(&err);
1104                 return NULL; /* good */
1105         }
1106         else {
1107                 struct strbuf err = STRBUF_INIT;
1108                 if (shallow_update && si->shallow_ref[cmd->index] &&
1109                     update_shallow_ref(cmd, si))
1110                         return "shallow error";
1111
1112                 if (ref_transaction_update(transaction,
1113                                            namespaced_name,
1114                                            new_sha1, old_sha1,
1115                                            0, "push",
1116                                            &err)) {
1117                         rp_error("%s", err.buf);
1118                         strbuf_release(&err);
1119
1120                         return "failed to update ref";
1121                 }
1122                 strbuf_release(&err);
1123
1124                 return NULL; /* good */
1125         }
1126 }
1127
1128 static void run_update_post_hook(struct command *commands)
1129 {
1130         struct command *cmd;
1131         int argc;
1132         struct child_process proc = CHILD_PROCESS_INIT;
1133         const char *hook;
1134
1135         hook = find_hook("post-update");
1136         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1137                 if (cmd->error_string || cmd->did_not_exist)
1138                         continue;
1139                 argc++;
1140         }
1141         if (!argc || !hook)
1142                 return;
1143
1144         argv_array_push(&proc.args, hook);
1145         for (cmd = commands; cmd; cmd = cmd->next) {
1146                 if (cmd->error_string || cmd->did_not_exist)
1147                         continue;
1148                 argv_array_push(&proc.args, cmd->ref_name);
1149         }
1150
1151         proc.no_stdin = 1;
1152         proc.stdout_to_stderr = 1;
1153         proc.err = use_sideband ? -1 : 0;
1154
1155         if (!start_command(&proc)) {
1156                 if (use_sideband)
1157                         copy_to_sideband(proc.err, -1, NULL);
1158                 finish_command(&proc);
1159         }
1160 }
1161
1162 static void check_aliased_update(struct command *cmd, struct string_list *list)
1163 {
1164         struct strbuf buf = STRBUF_INIT;
1165         const char *dst_name;
1166         struct string_list_item *item;
1167         struct command *dst_cmd;
1168         unsigned char sha1[GIT_SHA1_RAWSZ];
1169         int flag;
1170
1171         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1172         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1173         strbuf_release(&buf);
1174
1175         if (!(flag & REF_ISSYMREF))
1176                 return;
1177
1178         if (!dst_name) {
1179                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1180                 cmd->skip_update = 1;
1181                 cmd->error_string = "broken symref";
1182                 return;
1183         }
1184         dst_name = strip_namespace(dst_name);
1185
1186         if ((item = string_list_lookup(list, dst_name)) == NULL)
1187                 return;
1188
1189         cmd->skip_update = 1;
1190
1191         dst_cmd = (struct command *) item->util;
1192
1193         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1194             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1195                 return;
1196
1197         dst_cmd->skip_update = 1;
1198
1199         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1200                  " its target '%s' (%s..%s)",
1201                  cmd->ref_name,
1202                  find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV),
1203                  find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV),
1204                  dst_cmd->ref_name,
1205                  find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV),
1206                  find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1207
1208         cmd->error_string = dst_cmd->error_string =
1209                 "inconsistent aliased update";
1210 }
1211
1212 static void check_aliased_updates(struct command *commands)
1213 {
1214         struct command *cmd;
1215         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1216
1217         for (cmd = commands; cmd; cmd = cmd->next) {
1218                 struct string_list_item *item =
1219                         string_list_append(&ref_list, cmd->ref_name);
1220                 item->util = (void *)cmd;
1221         }
1222         string_list_sort(&ref_list);
1223
1224         for (cmd = commands; cmd; cmd = cmd->next) {
1225                 if (!cmd->error_string)
1226                         check_aliased_update(cmd, &ref_list);
1227         }
1228
1229         string_list_clear(&ref_list, 0);
1230 }
1231
1232 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1233 {
1234         struct command **cmd_list = cb_data;
1235         struct command *cmd = *cmd_list;
1236
1237         if (!cmd || is_null_sha1(cmd->new_sha1))
1238                 return -1; /* end of list */
1239         *cmd_list = NULL; /* this returns only one */
1240         hashcpy(sha1, cmd->new_sha1);
1241         return 0;
1242 }
1243
1244 static void set_connectivity_errors(struct command *commands,
1245                                     struct shallow_info *si)
1246 {
1247         struct command *cmd;
1248
1249         for (cmd = commands; cmd; cmd = cmd->next) {
1250                 struct command *singleton = cmd;
1251                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1252
1253                 if (shallow_update && si->shallow_ref[cmd->index])
1254                         /* to be checked in update_shallow_ref() */
1255                         continue;
1256
1257                 opt.env = tmp_objdir_env(tmp_objdir);
1258                 if (!check_connected(command_singleton_iterator, &singleton,
1259                                      &opt))
1260                         continue;
1261
1262                 cmd->error_string = "missing necessary objects";
1263         }
1264 }
1265
1266 struct iterate_data {
1267         struct command *cmds;
1268         struct shallow_info *si;
1269 };
1270
1271 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1272 {
1273         struct iterate_data *data = cb_data;
1274         struct command **cmd_list = &data->cmds;
1275         struct command *cmd = *cmd_list;
1276
1277         for (; cmd; cmd = cmd->next) {
1278                 if (shallow_update && data->si->shallow_ref[cmd->index])
1279                         /* to be checked in update_shallow_ref() */
1280                         continue;
1281                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1282                         hashcpy(sha1, cmd->new_sha1);
1283                         *cmd_list = cmd->next;
1284                         return 0;
1285                 }
1286         }
1287         *cmd_list = NULL;
1288         return -1; /* end of list */
1289 }
1290
1291 static void reject_updates_to_hidden(struct command *commands)
1292 {
1293         struct strbuf refname_full = STRBUF_INIT;
1294         size_t prefix_len;
1295         struct command *cmd;
1296
1297         strbuf_addstr(&refname_full, get_git_namespace());
1298         prefix_len = refname_full.len;
1299
1300         for (cmd = commands; cmd; cmd = cmd->next) {
1301                 if (cmd->error_string)
1302                         continue;
1303
1304                 strbuf_setlen(&refname_full, prefix_len);
1305                 strbuf_addstr(&refname_full, cmd->ref_name);
1306
1307                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1308                         continue;
1309                 if (is_null_sha1(cmd->new_sha1))
1310                         cmd->error_string = "deny deleting a hidden ref";
1311                 else
1312                         cmd->error_string = "deny updating a hidden ref";
1313         }
1314
1315         strbuf_release(&refname_full);
1316 }
1317
1318 static int should_process_cmd(struct command *cmd)
1319 {
1320         return !cmd->error_string && !cmd->skip_update;
1321 }
1322
1323 static void warn_if_skipped_connectivity_check(struct command *commands,
1324                                                struct shallow_info *si)
1325 {
1326         struct command *cmd;
1327         int checked_connectivity = 1;
1328
1329         for (cmd = commands; cmd; cmd = cmd->next) {
1330                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1331                         error("BUG: connectivity check has not been run on ref %s",
1332                               cmd->ref_name);
1333                         checked_connectivity = 0;
1334                 }
1335         }
1336         if (!checked_connectivity)
1337                 die("BUG: connectivity check skipped???");
1338 }
1339
1340 static void execute_commands_non_atomic(struct command *commands,
1341                                         struct shallow_info *si)
1342 {
1343         struct command *cmd;
1344         struct strbuf err = STRBUF_INIT;
1345
1346         for (cmd = commands; cmd; cmd = cmd->next) {
1347                 if (!should_process_cmd(cmd))
1348                         continue;
1349
1350                 transaction = ref_transaction_begin(&err);
1351                 if (!transaction) {
1352                         rp_error("%s", err.buf);
1353                         strbuf_reset(&err);
1354                         cmd->error_string = "transaction failed to start";
1355                         continue;
1356                 }
1357
1358                 cmd->error_string = update(cmd, si);
1359
1360                 if (!cmd->error_string
1361                     && ref_transaction_commit(transaction, &err)) {
1362                         rp_error("%s", err.buf);
1363                         strbuf_reset(&err);
1364                         cmd->error_string = "failed to update ref";
1365                 }
1366                 ref_transaction_free(transaction);
1367         }
1368         strbuf_release(&err);
1369 }
1370
1371 static void execute_commands_atomic(struct command *commands,
1372                                         struct shallow_info *si)
1373 {
1374         struct command *cmd;
1375         struct strbuf err = STRBUF_INIT;
1376         const char *reported_error = "atomic push failure";
1377
1378         transaction = ref_transaction_begin(&err);
1379         if (!transaction) {
1380                 rp_error("%s", err.buf);
1381                 strbuf_reset(&err);
1382                 reported_error = "transaction failed to start";
1383                 goto failure;
1384         }
1385
1386         for (cmd = commands; cmd; cmd = cmd->next) {
1387                 if (!should_process_cmd(cmd))
1388                         continue;
1389
1390                 cmd->error_string = update(cmd, si);
1391
1392                 if (cmd->error_string)
1393                         goto failure;
1394         }
1395
1396         if (ref_transaction_commit(transaction, &err)) {
1397                 rp_error("%s", err.buf);
1398                 reported_error = "atomic transaction failed";
1399                 goto failure;
1400         }
1401         goto cleanup;
1402
1403 failure:
1404         for (cmd = commands; cmd; cmd = cmd->next)
1405                 if (!cmd->error_string)
1406                         cmd->error_string = reported_error;
1407
1408 cleanup:
1409         ref_transaction_free(transaction);
1410         strbuf_release(&err);
1411 }
1412
1413 static void execute_commands(struct command *commands,
1414                              const char *unpacker_error,
1415                              struct shallow_info *si,
1416                              const struct string_list *push_options)
1417 {
1418         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1419         struct command *cmd;
1420         struct object_id oid;
1421         struct iterate_data data;
1422         struct async muxer;
1423         int err_fd = 0;
1424
1425         if (unpacker_error) {
1426                 for (cmd = commands; cmd; cmd = cmd->next)
1427                         cmd->error_string = "unpacker error";
1428                 return;
1429         }
1430
1431         if (use_sideband) {
1432                 memset(&muxer, 0, sizeof(muxer));
1433                 muxer.proc = copy_to_sideband;
1434                 muxer.in = -1;
1435                 if (!start_async(&muxer))
1436                         err_fd = muxer.in;
1437                 /* ...else, continue without relaying sideband */
1438         }
1439
1440         data.cmds = commands;
1441         data.si = si;
1442         opt.err_fd = err_fd;
1443         opt.progress = err_fd && !quiet;
1444         opt.env = tmp_objdir_env(tmp_objdir);
1445         if (check_connected(iterate_receive_command_list, &data, &opt))
1446                 set_connectivity_errors(commands, si);
1447
1448         if (use_sideband)
1449                 finish_async(&muxer);
1450
1451         reject_updates_to_hidden(commands);
1452
1453         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1454                 for (cmd = commands; cmd; cmd = cmd->next) {
1455                         if (!cmd->error_string)
1456                                 cmd->error_string = "pre-receive hook declined";
1457                 }
1458                 return;
1459         }
1460
1461         /*
1462          * Now we'll start writing out refs, which means the objects need
1463          * to be in their final positions so that other processes can see them.
1464          */
1465         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1466                 for (cmd = commands; cmd; cmd = cmd->next) {
1467                         if (!cmd->error_string)
1468                                 cmd->error_string = "unable to migrate objects to permanent storage";
1469                 }
1470                 return;
1471         }
1472         tmp_objdir = NULL;
1473
1474         check_aliased_updates(commands);
1475
1476         free(head_name_to_free);
1477         head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1478
1479         if (use_atomic)
1480                 execute_commands_atomic(commands, si);
1481         else
1482                 execute_commands_non_atomic(commands, si);
1483
1484         if (shallow_update)
1485                 warn_if_skipped_connectivity_check(commands, si);
1486 }
1487
1488 static struct command **queue_command(struct command **tail,
1489                                       const char *line,
1490                                       int linelen)
1491 {
1492         unsigned char old_sha1[20], new_sha1[20];
1493         struct command *cmd;
1494         const char *refname;
1495         int reflen;
1496
1497         if (linelen < 83 ||
1498             line[40] != ' ' ||
1499             line[81] != ' ' ||
1500             get_sha1_hex(line, old_sha1) ||
1501             get_sha1_hex(line + 41, new_sha1))
1502                 die("protocol error: expected old/new/ref, got '%s'", line);
1503
1504         refname = line + 82;
1505         reflen = linelen - 82;
1506         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1507         hashcpy(cmd->old_sha1, old_sha1);
1508         hashcpy(cmd->new_sha1, new_sha1);
1509         *tail = cmd;
1510         return &cmd->next;
1511 }
1512
1513 static void queue_commands_from_cert(struct command **tail,
1514                                      struct strbuf *push_cert)
1515 {
1516         const char *boc, *eoc;
1517
1518         if (*tail)
1519                 die("protocol error: got both push certificate and unsigned commands");
1520
1521         boc = strstr(push_cert->buf, "\n\n");
1522         if (!boc)
1523                 die("malformed push certificate %.*s", 100, push_cert->buf);
1524         else
1525                 boc += 2;
1526         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1527
1528         while (boc < eoc) {
1529                 const char *eol = memchr(boc, '\n', eoc - boc);
1530                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1531                 boc = eol ? eol + 1 : eoc;
1532         }
1533 }
1534
1535 static struct command *read_head_info(struct sha1_array *shallow)
1536 {
1537         struct command *commands = NULL;
1538         struct command **p = &commands;
1539         for (;;) {
1540                 char *line;
1541                 int len, linelen;
1542
1543                 line = packet_read_line(0, &len);
1544                 if (!line)
1545                         break;
1546
1547                 if (len == 48 && starts_with(line, "shallow ")) {
1548                         unsigned char sha1[20];
1549                         if (get_sha1_hex(line + 8, sha1))
1550                                 die("protocol error: expected shallow sha, got '%s'",
1551                                     line + 8);
1552                         sha1_array_append(shallow, sha1);
1553                         continue;
1554                 }
1555
1556                 linelen = strlen(line);
1557                 if (linelen < len) {
1558                         const char *feature_list = line + linelen + 1;
1559                         if (parse_feature_request(feature_list, "report-status"))
1560                                 report_status = 1;
1561                         if (parse_feature_request(feature_list, "side-band-64k"))
1562                                 use_sideband = LARGE_PACKET_MAX;
1563                         if (parse_feature_request(feature_list, "quiet"))
1564                                 quiet = 1;
1565                         if (advertise_atomic_push
1566                             && parse_feature_request(feature_list, "atomic"))
1567                                 use_atomic = 1;
1568                         if (advertise_push_options
1569                             && parse_feature_request(feature_list, "push-options"))
1570                                 use_push_options = 1;
1571                 }
1572
1573                 if (!strcmp(line, "push-cert")) {
1574                         int true_flush = 0;
1575                         char certbuf[1024];
1576
1577                         for (;;) {
1578                                 len = packet_read(0, NULL, NULL,
1579                                                   certbuf, sizeof(certbuf), 0);
1580                                 if (!len) {
1581                                         true_flush = 1;
1582                                         break;
1583                                 }
1584                                 if (!strcmp(certbuf, "push-cert-end\n"))
1585                                         break; /* end of cert */
1586                                 strbuf_addstr(&push_cert, certbuf);
1587                         }
1588
1589                         if (true_flush)
1590                                 break;
1591                         continue;
1592                 }
1593
1594                 p = queue_command(p, line, linelen);
1595         }
1596
1597         if (push_cert.len)
1598                 queue_commands_from_cert(p, &push_cert);
1599
1600         return commands;
1601 }
1602
1603 static void read_push_options(struct string_list *options)
1604 {
1605         while (1) {
1606                 char *line;
1607                 int len;
1608
1609                 line = packet_read_line(0, &len);
1610
1611                 if (!line)
1612                         break;
1613
1614                 string_list_append(options, line);
1615         }
1616 }
1617
1618 static const char *parse_pack_header(struct pack_header *hdr)
1619 {
1620         switch (read_pack_header(0, hdr)) {
1621         case PH_ERROR_EOF:
1622                 return "eof before pack header was fully read";
1623
1624         case PH_ERROR_PACK_SIGNATURE:
1625                 return "protocol error (pack signature mismatch detected)";
1626
1627         case PH_ERROR_PROTOCOL:
1628                 return "protocol error (pack version unsupported)";
1629
1630         default:
1631                 return "unknown error in parse_pack_header";
1632
1633         case 0:
1634                 return NULL;
1635         }
1636 }
1637
1638 static const char *pack_lockfile;
1639
1640 static const char *unpack(int err_fd, struct shallow_info *si)
1641 {
1642         struct pack_header hdr;
1643         const char *hdr_err;
1644         int status;
1645         char hdr_arg[38];
1646         struct child_process child = CHILD_PROCESS_INIT;
1647         int fsck_objects = (receive_fsck_objects >= 0
1648                             ? receive_fsck_objects
1649                             : transfer_fsck_objects >= 0
1650                             ? transfer_fsck_objects
1651                             : 0);
1652
1653         hdr_err = parse_pack_header(&hdr);
1654         if (hdr_err) {
1655                 if (err_fd > 0)
1656                         close(err_fd);
1657                 return hdr_err;
1658         }
1659         snprintf(hdr_arg, sizeof(hdr_arg),
1660                         "--pack_header=%"PRIu32",%"PRIu32,
1661                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1662
1663         if (si->nr_ours || si->nr_theirs) {
1664                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1665                 argv_array_push(&child.args, "--shallow-file");
1666                 argv_array_push(&child.args, alt_shallow_file);
1667         }
1668
1669         tmp_objdir = tmp_objdir_create();
1670         if (!tmp_objdir) {
1671                 if (err_fd > 0)
1672                         close(err_fd);
1673                 return "unable to create temporary object directory";
1674         }
1675         child.env = tmp_objdir_env(tmp_objdir);
1676
1677         /*
1678          * Normally we just pass the tmp_objdir environment to the child
1679          * processes that do the heavy lifting, but we may need to see these
1680          * objects ourselves to set up shallow information.
1681          */
1682         tmp_objdir_add_as_alternate(tmp_objdir);
1683
1684         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1685                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1686                 if (quiet)
1687                         argv_array_push(&child.args, "-q");
1688                 if (fsck_objects)
1689                         argv_array_pushf(&child.args, "--strict%s",
1690                                 fsck_msg_types.buf);
1691                 if (max_input_size)
1692                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1693                                 (uintmax_t)max_input_size);
1694                 child.no_stdout = 1;
1695                 child.err = err_fd;
1696                 child.git_cmd = 1;
1697                 status = run_command(&child);
1698                 if (status)
1699                         return "unpack-objects abnormal exit";
1700         } else {
1701                 char hostname[256];
1702
1703                 argv_array_pushl(&child.args, "index-pack",
1704                                  "--stdin", hdr_arg, NULL);
1705
1706                 if (gethostname(hostname, sizeof(hostname)))
1707                         xsnprintf(hostname, sizeof(hostname), "localhost");
1708                 argv_array_pushf(&child.args,
1709                                  "--keep=receive-pack %"PRIuMAX" on %s",
1710                                  (uintmax_t)getpid(),
1711                                  hostname);
1712
1713                 if (!quiet && err_fd)
1714                         argv_array_push(&child.args, "--show-resolving-progress");
1715                 if (use_sideband)
1716                         argv_array_push(&child.args, "--report-end-of-input");
1717                 if (fsck_objects)
1718                         argv_array_pushf(&child.args, "--strict%s",
1719                                 fsck_msg_types.buf);
1720                 if (!reject_thin)
1721                         argv_array_push(&child.args, "--fix-thin");
1722                 if (max_input_size)
1723                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1724                                 (uintmax_t)max_input_size);
1725                 child.out = -1;
1726                 child.err = err_fd;
1727                 child.git_cmd = 1;
1728                 status = start_command(&child);
1729                 if (status)
1730                         return "index-pack fork failed";
1731                 pack_lockfile = index_pack_lockfile(child.out);
1732                 close(child.out);
1733                 status = finish_command(&child);
1734                 if (status)
1735                         return "index-pack abnormal exit";
1736                 reprepare_packed_git();
1737         }
1738         return NULL;
1739 }
1740
1741 static const char *unpack_with_sideband(struct shallow_info *si)
1742 {
1743         struct async muxer;
1744         const char *ret;
1745
1746         if (!use_sideband)
1747                 return unpack(0, si);
1748
1749         use_keepalive = KEEPALIVE_AFTER_NUL;
1750         memset(&muxer, 0, sizeof(muxer));
1751         muxer.proc = copy_to_sideband;
1752         muxer.in = -1;
1753         if (start_async(&muxer))
1754                 return NULL;
1755
1756         ret = unpack(muxer.in, si);
1757
1758         finish_async(&muxer);
1759         return ret;
1760 }
1761
1762 static void prepare_shallow_update(struct command *commands,
1763                                    struct shallow_info *si)
1764 {
1765         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1766
1767         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1768         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1769
1770         si->need_reachability_test =
1771                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1772         si->reachable =
1773                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1774         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1775
1776         for (i = 0; i < si->nr_ours; i++)
1777                 si->need_reachability_test[si->ours[i]] = 1;
1778
1779         for (i = 0; i < si->shallow->nr; i++) {
1780                 if (!si->used_shallow[i])
1781                         continue;
1782                 for (j = 0; j < bitmap_size; j++) {
1783                         if (!si->used_shallow[i][j])
1784                                 continue;
1785                         si->need_reachability_test[i]++;
1786                         for (k = 0; k < 32; k++)
1787                                 if (si->used_shallow[i][j] & (1U << k))
1788                                         si->shallow_ref[j * 32 + k]++;
1789                 }
1790
1791                 /*
1792                  * true for those associated with some refs and belong
1793                  * in "ours" list aka "step 7 not done yet"
1794                  */
1795                 si->need_reachability_test[i] =
1796                         si->need_reachability_test[i] > 1;
1797         }
1798
1799         /*
1800          * keep hooks happy by forcing a temporary shallow file via
1801          * env variable because we can't add --shallow-file to every
1802          * command. check_everything_connected() will be done with
1803          * true .git/shallow though.
1804          */
1805         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1806 }
1807
1808 static void update_shallow_info(struct command *commands,
1809                                 struct shallow_info *si,
1810                                 struct sha1_array *ref)
1811 {
1812         struct command *cmd;
1813         int *ref_status;
1814         remove_nonexistent_theirs_shallow(si);
1815         if (!si->nr_ours && !si->nr_theirs) {
1816                 shallow_update = 0;
1817                 return;
1818         }
1819
1820         for (cmd = commands; cmd; cmd = cmd->next) {
1821                 if (is_null_sha1(cmd->new_sha1))
1822                         continue;
1823                 sha1_array_append(ref, cmd->new_sha1);
1824                 cmd->index = ref->nr - 1;
1825         }
1826         si->ref = ref;
1827
1828         if (shallow_update) {
1829                 prepare_shallow_update(commands, si);
1830                 return;
1831         }
1832
1833         ALLOC_ARRAY(ref_status, ref->nr);
1834         assign_shallow_commits_to_refs(si, NULL, ref_status);
1835         for (cmd = commands; cmd; cmd = cmd->next) {
1836                 if (is_null_sha1(cmd->new_sha1))
1837                         continue;
1838                 if (ref_status[cmd->index]) {
1839                         cmd->error_string = "shallow update not allowed";
1840                         cmd->skip_update = 1;
1841                 }
1842         }
1843         free(ref_status);
1844 }
1845
1846 static void report(struct command *commands, const char *unpack_status)
1847 {
1848         struct command *cmd;
1849         struct strbuf buf = STRBUF_INIT;
1850
1851         packet_buf_write(&buf, "unpack %s\n",
1852                          unpack_status ? unpack_status : "ok");
1853         for (cmd = commands; cmd; cmd = cmd->next) {
1854                 if (!cmd->error_string)
1855                         packet_buf_write(&buf, "ok %s\n",
1856                                          cmd->ref_name);
1857                 else
1858                         packet_buf_write(&buf, "ng %s %s\n",
1859                                          cmd->ref_name, cmd->error_string);
1860         }
1861         packet_buf_flush(&buf);
1862
1863         if (use_sideband)
1864                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1865         else
1866                 write_or_die(1, buf.buf, buf.len);
1867         strbuf_release(&buf);
1868 }
1869
1870 static int delete_only(struct command *commands)
1871 {
1872         struct command *cmd;
1873         for (cmd = commands; cmd; cmd = cmd->next) {
1874                 if (!is_null_sha1(cmd->new_sha1))
1875                         return 0;
1876         }
1877         return 1;
1878 }
1879
1880 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1881 {
1882         int advertise_refs = 0;
1883         struct command *commands;
1884         struct sha1_array shallow = SHA1_ARRAY_INIT;
1885         struct sha1_array ref = SHA1_ARRAY_INIT;
1886         struct shallow_info si;
1887
1888         struct option options[] = {
1889                 OPT__QUIET(&quiet, N_("quiet")),
1890                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1891                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1892                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1893                 OPT_END()
1894         };
1895
1896         packet_trace_identity("receive-pack");
1897
1898         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1899
1900         if (argc > 1)
1901                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1902         if (argc == 0)
1903                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1904
1905         service_dir = argv[0];
1906
1907         setup_path();
1908
1909         if (!enter_repo(service_dir, 0))
1910                 die("'%s' does not appear to be a git repository", service_dir);
1911
1912         git_config(receive_pack_config, NULL);
1913         if (cert_nonce_seed)
1914                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1915
1916         if (0 <= transfer_unpack_limit)
1917                 unpack_limit = transfer_unpack_limit;
1918         else if (0 <= receive_unpack_limit)
1919                 unpack_limit = receive_unpack_limit;
1920
1921         if (advertise_refs || !stateless_rpc) {
1922                 write_head_info();
1923         }
1924         if (advertise_refs)
1925                 return 0;
1926
1927         if ((commands = read_head_info(&shallow)) != NULL) {
1928                 const char *unpack_status = NULL;
1929                 struct string_list push_options = STRING_LIST_INIT_DUP;
1930
1931                 if (use_push_options)
1932                         read_push_options(&push_options);
1933
1934                 prepare_shallow_info(&si, &shallow);
1935                 if (!si.nr_ours && !si.nr_theirs)
1936                         shallow_update = 0;
1937                 if (!delete_only(commands)) {
1938                         unpack_status = unpack_with_sideband(&si);
1939                         update_shallow_info(commands, &si, &ref);
1940                 }
1941                 use_keepalive = KEEPALIVE_ALWAYS;
1942                 execute_commands(commands, unpack_status, &si,
1943                                  &push_options);
1944                 if (pack_lockfile)
1945                         unlink_or_warn(pack_lockfile);
1946                 if (report_status)
1947                         report(commands, unpack_status);
1948                 run_receive_hook(commands, "post-receive", 1,
1949                                  &push_options);
1950                 run_update_post_hook(commands);
1951                 string_list_clear(&push_options, 0);
1952                 if (auto_gc) {
1953                         const char *argv_gc_auto[] = {
1954                                 "gc", "--auto", "--quiet", NULL,
1955                         };
1956                         struct child_process proc = CHILD_PROCESS_INIT;
1957
1958                         proc.no_stdin = 1;
1959                         proc.stdout_to_stderr = 1;
1960                         proc.err = use_sideband ? -1 : 0;
1961                         proc.git_cmd = 1;
1962                         proc.argv = argv_gc_auto;
1963
1964                         close_all_packs();
1965                         if (!start_command(&proc)) {
1966                                 if (use_sideband)
1967                                         copy_to_sideband(proc.err, -1, NULL);
1968                                 finish_command(&proc);
1969                         }
1970                 }
1971                 if (auto_update_server_info)
1972                         update_server_info(0);
1973                 clear_shallow_info(&si);
1974         }
1975         if (use_sideband)
1976                 packet_flush(1);
1977         sha1_array_clear(&shallow);
1978         sha1_array_clear(&ref);
1979         free((void *)push_cert_nonce);
1980         return 0;
1981 }