Merge branch 'va/i18n-more'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23
24 static const char * const receive_pack_usage[] = {
25         N_("git receive-pack <git-dir>"),
26         NULL
27 };
28
29 enum deny_action {
30         DENY_UNCONFIGURED,
31         DENY_IGNORE,
32         DENY_WARN,
33         DENY_REFUSE,
34         DENY_UPDATE_INSTEAD
35 };
36
37 static int deny_deletes;
38 static int deny_non_fast_forwards;
39 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
40 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
41 static int receive_fsck_objects = -1;
42 static int transfer_fsck_objects = -1;
43 static struct strbuf fsck_msg_types = STRBUF_INIT;
44 static int receive_unpack_limit = -1;
45 static int transfer_unpack_limit = -1;
46 static int advertise_atomic_push = 1;
47 static int advertise_push_options;
48 static int unpack_limit = 100;
49 static off_t max_input_size;
50 static int report_status;
51 static int use_sideband;
52 static int use_atomic;
53 static int use_push_options;
54 static int quiet;
55 static int prefer_ofs_delta = 1;
56 static int auto_update_server_info;
57 static int auto_gc = 1;
58 static int reject_thin;
59 static int stateless_rpc;
60 static const char *service_dir;
61 static const char *head_name;
62 static void *head_name_to_free;
63 static int sent_capabilities;
64 static int shallow_update;
65 static const char *alt_shallow_file;
66 static struct strbuf push_cert = STRBUF_INIT;
67 static unsigned char push_cert_sha1[20];
68 static struct signature_check sigcheck;
69 static const char *push_cert_nonce;
70 static const char *cert_nonce_seed;
71
72 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
73 static const char *NONCE_BAD = "BAD";
74 static const char *NONCE_MISSING = "MISSING";
75 static const char *NONCE_OK = "OK";
76 static const char *NONCE_SLOP = "SLOP";
77 static const char *nonce_status;
78 static long nonce_stamp_slop;
79 static unsigned long nonce_stamp_slop_limit;
80 static struct ref_transaction *transaction;
81
82 static enum {
83         KEEPALIVE_NEVER = 0,
84         KEEPALIVE_AFTER_NUL,
85         KEEPALIVE_ALWAYS
86 } use_keepalive;
87 static int keepalive_in_sec = 5;
88
89 static enum deny_action parse_deny_action(const char *var, const char *value)
90 {
91         if (value) {
92                 if (!strcasecmp(value, "ignore"))
93                         return DENY_IGNORE;
94                 if (!strcasecmp(value, "warn"))
95                         return DENY_WARN;
96                 if (!strcasecmp(value, "refuse"))
97                         return DENY_REFUSE;
98                 if (!strcasecmp(value, "updateinstead"))
99                         return DENY_UPDATE_INSTEAD;
100         }
101         if (git_config_bool(var, value))
102                 return DENY_REFUSE;
103         return DENY_IGNORE;
104 }
105
106 static int receive_pack_config(const char *var, const char *value, void *cb)
107 {
108         int status = parse_hide_refs_config(var, value, "receive");
109
110         if (status)
111                 return status;
112
113         if (strcmp(var, "receive.denydeletes") == 0) {
114                 deny_deletes = git_config_bool(var, value);
115                 return 0;
116         }
117
118         if (strcmp(var, "receive.denynonfastforwards") == 0) {
119                 deny_non_fast_forwards = git_config_bool(var, value);
120                 return 0;
121         }
122
123         if (strcmp(var, "receive.unpacklimit") == 0) {
124                 receive_unpack_limit = git_config_int(var, value);
125                 return 0;
126         }
127
128         if (strcmp(var, "transfer.unpacklimit") == 0) {
129                 transfer_unpack_limit = git_config_int(var, value);
130                 return 0;
131         }
132
133         if (strcmp(var, "receive.fsck.skiplist") == 0) {
134                 const char *path;
135
136                 if (git_config_pathname(&path, var, value))
137                         return 1;
138                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
139                         fsck_msg_types.len ? ',' : '=', path);
140                 free((char *)path);
141                 return 0;
142         }
143
144         if (skip_prefix(var, "receive.fsck.", &var)) {
145                 if (is_valid_msg_type(var, value))
146                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
147                                 fsck_msg_types.len ? ',' : '=', var, value);
148                 else
149                         warning("Skipping unknown msg id '%s'", var);
150                 return 0;
151         }
152
153         if (strcmp(var, "receive.fsckobjects") == 0) {
154                 receive_fsck_objects = git_config_bool(var, value);
155                 return 0;
156         }
157
158         if (strcmp(var, "transfer.fsckobjects") == 0) {
159                 transfer_fsck_objects = git_config_bool(var, value);
160                 return 0;
161         }
162
163         if (!strcmp(var, "receive.denycurrentbranch")) {
164                 deny_current_branch = parse_deny_action(var, value);
165                 return 0;
166         }
167
168         if (strcmp(var, "receive.denydeletecurrent") == 0) {
169                 deny_delete_current = parse_deny_action(var, value);
170                 return 0;
171         }
172
173         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
174                 prefer_ofs_delta = git_config_bool(var, value);
175                 return 0;
176         }
177
178         if (strcmp(var, "receive.updateserverinfo") == 0) {
179                 auto_update_server_info = git_config_bool(var, value);
180                 return 0;
181         }
182
183         if (strcmp(var, "receive.autogc") == 0) {
184                 auto_gc = git_config_bool(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.shallowupdate") == 0) {
189                 shallow_update = git_config_bool(var, value);
190                 return 0;
191         }
192
193         if (strcmp(var, "receive.certnonceseed") == 0)
194                 return git_config_string(&cert_nonce_seed, var, value);
195
196         if (strcmp(var, "receive.certnonceslop") == 0) {
197                 nonce_stamp_slop_limit = git_config_ulong(var, value);
198                 return 0;
199         }
200
201         if (strcmp(var, "receive.advertiseatomic") == 0) {
202                 advertise_atomic_push = git_config_bool(var, value);
203                 return 0;
204         }
205
206         if (strcmp(var, "receive.advertisepushoptions") == 0) {
207                 advertise_push_options = git_config_bool(var, value);
208                 return 0;
209         }
210
211         if (strcmp(var, "receive.keepalive") == 0) {
212                 keepalive_in_sec = git_config_int(var, value);
213                 return 0;
214         }
215
216         if (strcmp(var, "receive.maxinputsize") == 0) {
217                 max_input_size = git_config_int64(var, value);
218                 return 0;
219         }
220
221         return git_default_config(var, value, cb);
222 }
223
224 static void show_ref(const char *path, const unsigned char *sha1)
225 {
226         if (sent_capabilities) {
227                 packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
228         } else {
229                 struct strbuf cap = STRBUF_INIT;
230
231                 strbuf_addstr(&cap,
232                               "report-status delete-refs side-band-64k quiet");
233                 if (advertise_atomic_push)
234                         strbuf_addstr(&cap, " atomic");
235                 if (prefer_ofs_delta)
236                         strbuf_addstr(&cap, " ofs-delta");
237                 if (push_cert_nonce)
238                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
239                 if (advertise_push_options)
240                         strbuf_addstr(&cap, " push-options");
241                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
242                 packet_write(1, "%s %s%c%s\n",
243                              sha1_to_hex(sha1), path, 0, cap.buf);
244                 strbuf_release(&cap);
245                 sent_capabilities = 1;
246         }
247 }
248
249 static int show_ref_cb(const char *path_full, const struct object_id *oid,
250                        int flag, void *unused)
251 {
252         const char *path = strip_namespace(path_full);
253
254         if (ref_is_hidden(path, path_full))
255                 return 0;
256
257         /*
258          * Advertise refs outside our current namespace as ".have"
259          * refs, so that the client can use them to minimize data
260          * transfer but will otherwise ignore them. This happens to
261          * cover ".have" that are thrown in by add_one_alternate_ref()
262          * to mark histories that are complete in our alternates as
263          * well.
264          */
265         if (!path)
266                 path = ".have";
267         show_ref(path, oid->hash);
268         return 0;
269 }
270
271 static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
272 {
273         show_ref(".have", sha1);
274 }
275
276 static void collect_one_alternate_ref(const struct ref *ref, void *data)
277 {
278         struct sha1_array *sa = data;
279         sha1_array_append(sa, ref->old_oid.hash);
280 }
281
282 static void write_head_info(void)
283 {
284         struct sha1_array sa = SHA1_ARRAY_INIT;
285
286         for_each_alternate_ref(collect_one_alternate_ref, &sa);
287         sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
288         sha1_array_clear(&sa);
289         for_each_ref(show_ref_cb, NULL);
290         if (!sent_capabilities)
291                 show_ref("capabilities^{}", null_sha1);
292
293         advertise_shallow_grafts(1);
294
295         /* EOF */
296         packet_flush(1);
297 }
298
299 struct command {
300         struct command *next;
301         const char *error_string;
302         unsigned int skip_update:1,
303                      did_not_exist:1;
304         int index;
305         unsigned char old_sha1[20];
306         unsigned char new_sha1[20];
307         char ref_name[FLEX_ARRAY]; /* more */
308 };
309
310 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
311 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
312
313 static void report_message(const char *prefix, const char *err, va_list params)
314 {
315         int sz;
316         char msg[4096];
317
318         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
319         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
320         if (sz > (sizeof(msg) - 1))
321                 sz = sizeof(msg) - 1;
322         msg[sz++] = '\n';
323
324         if (use_sideband)
325                 send_sideband(1, 2, msg, sz, use_sideband);
326         else
327                 xwrite(2, msg, sz);
328 }
329
330 static void rp_warning(const char *err, ...)
331 {
332         va_list params;
333         va_start(params, err);
334         report_message("warning: ", err, params);
335         va_end(params);
336 }
337
338 static void rp_error(const char *err, ...)
339 {
340         va_list params;
341         va_start(params, err);
342         report_message("error: ", err, params);
343         va_end(params);
344 }
345
346 static int copy_to_sideband(int in, int out, void *arg)
347 {
348         char data[128];
349         int keepalive_active = 0;
350
351         if (keepalive_in_sec <= 0)
352                 use_keepalive = KEEPALIVE_NEVER;
353         if (use_keepalive == KEEPALIVE_ALWAYS)
354                 keepalive_active = 1;
355
356         while (1) {
357                 ssize_t sz;
358
359                 if (keepalive_active) {
360                         struct pollfd pfd;
361                         int ret;
362
363                         pfd.fd = in;
364                         pfd.events = POLLIN;
365                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
366
367                         if (ret < 0) {
368                                 if (errno == EINTR)
369                                         continue;
370                                 else
371                                         break;
372                         } else if (ret == 0) {
373                                 /* no data; send a keepalive packet */
374                                 static const char buf[] = "0005\1";
375                                 write_or_die(1, buf, sizeof(buf) - 1);
376                                 continue;
377                         } /* else there is actual data to read */
378                 }
379
380                 sz = xread(in, data, sizeof(data));
381                 if (sz <= 0)
382                         break;
383
384                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
385                         const char *p = memchr(data, '\0', sz);
386                         if (p) {
387                                 /*
388                                  * The NUL tells us to start sending keepalives. Make
389                                  * sure we send any other data we read along
390                                  * with it.
391                                  */
392                                 keepalive_active = 1;
393                                 send_sideband(1, 2, data, p - data, use_sideband);
394                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
395                                 continue;
396                         }
397                 }
398
399                 /*
400                  * Either we're not looking for a NUL signal, or we didn't see
401                  * it yet; just pass along the data.
402                  */
403                 send_sideband(1, 2, data, sz, use_sideband);
404         }
405         close(in);
406         return 0;
407 }
408
409 #define HMAC_BLOCK_SIZE 64
410
411 static void hmac_sha1(unsigned char *out,
412                       const char *key_in, size_t key_len,
413                       const char *text, size_t text_len)
414 {
415         unsigned char key[HMAC_BLOCK_SIZE];
416         unsigned char k_ipad[HMAC_BLOCK_SIZE];
417         unsigned char k_opad[HMAC_BLOCK_SIZE];
418         int i;
419         git_SHA_CTX ctx;
420
421         /* RFC 2104 2. (1) */
422         memset(key, '\0', HMAC_BLOCK_SIZE);
423         if (HMAC_BLOCK_SIZE < key_len) {
424                 git_SHA1_Init(&ctx);
425                 git_SHA1_Update(&ctx, key_in, key_len);
426                 git_SHA1_Final(key, &ctx);
427         } else {
428                 memcpy(key, key_in, key_len);
429         }
430
431         /* RFC 2104 2. (2) & (5) */
432         for (i = 0; i < sizeof(key); i++) {
433                 k_ipad[i] = key[i] ^ 0x36;
434                 k_opad[i] = key[i] ^ 0x5c;
435         }
436
437         /* RFC 2104 2. (3) & (4) */
438         git_SHA1_Init(&ctx);
439         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
440         git_SHA1_Update(&ctx, text, text_len);
441         git_SHA1_Final(out, &ctx);
442
443         /* RFC 2104 2. (6) & (7) */
444         git_SHA1_Init(&ctx);
445         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
446         git_SHA1_Update(&ctx, out, 20);
447         git_SHA1_Final(out, &ctx);
448 }
449
450 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
451 {
452         struct strbuf buf = STRBUF_INIT;
453         unsigned char sha1[20];
454
455         strbuf_addf(&buf, "%s:%lu", path, stamp);
456         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
457         strbuf_release(&buf);
458
459         /* RFC 2104 5. HMAC-SHA1-80 */
460         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
461         return strbuf_detach(&buf, NULL);
462 }
463
464 /*
465  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
466  * after dropping "_commit" from its name and possibly moving it out
467  * of commit.c
468  */
469 static char *find_header(const char *msg, size_t len, const char *key)
470 {
471         int key_len = strlen(key);
472         const char *line = msg;
473
474         while (line && line < msg + len) {
475                 const char *eol = strchrnul(line, '\n');
476
477                 if ((msg + len <= eol) || line == eol)
478                         return NULL;
479                 if (line + key_len < eol &&
480                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
481                         int offset = key_len + 1;
482                         return xmemdupz(line + offset, (eol - line) - offset);
483                 }
484                 line = *eol ? eol + 1 : NULL;
485         }
486         return NULL;
487 }
488
489 static const char *check_nonce(const char *buf, size_t len)
490 {
491         char *nonce = find_header(buf, len, "nonce");
492         unsigned long stamp, ostamp;
493         char *bohmac, *expect = NULL;
494         const char *retval = NONCE_BAD;
495
496         if (!nonce) {
497                 retval = NONCE_MISSING;
498                 goto leave;
499         } else if (!push_cert_nonce) {
500                 retval = NONCE_UNSOLICITED;
501                 goto leave;
502         } else if (!strcmp(push_cert_nonce, nonce)) {
503                 retval = NONCE_OK;
504                 goto leave;
505         }
506
507         if (!stateless_rpc) {
508                 /* returned nonce MUST match what we gave out earlier */
509                 retval = NONCE_BAD;
510                 goto leave;
511         }
512
513         /*
514          * In stateless mode, we may be receiving a nonce issued by
515          * another instance of the server that serving the same
516          * repository, and the timestamps may not match, but the
517          * nonce-seed and dir should match, so we can recompute and
518          * report the time slop.
519          *
520          * In addition, when a nonce issued by another instance has
521          * timestamp within receive.certnonceslop seconds, we pretend
522          * as if we issued that nonce when reporting to the hook.
523          */
524
525         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
526         if (*nonce <= '0' || '9' < *nonce) {
527                 retval = NONCE_BAD;
528                 goto leave;
529         }
530         stamp = strtoul(nonce, &bohmac, 10);
531         if (bohmac == nonce || bohmac[0] != '-') {
532                 retval = NONCE_BAD;
533                 goto leave;
534         }
535
536         expect = prepare_push_cert_nonce(service_dir, stamp);
537         if (strcmp(expect, nonce)) {
538                 /* Not what we would have signed earlier */
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542
543         /*
544          * By how many seconds is this nonce stale?  Negative value
545          * would mean it was issued by another server with its clock
546          * skewed in the future.
547          */
548         ostamp = strtoul(push_cert_nonce, NULL, 10);
549         nonce_stamp_slop = (long)ostamp - (long)stamp;
550
551         if (nonce_stamp_slop_limit &&
552             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
553                 /*
554                  * Pretend as if the received nonce (which passes the
555                  * HMAC check, so it is not a forged by third-party)
556                  * is what we issued.
557                  */
558                 free((void *)push_cert_nonce);
559                 push_cert_nonce = xstrdup(nonce);
560                 retval = NONCE_OK;
561         } else {
562                 retval = NONCE_SLOP;
563         }
564
565 leave:
566         free(nonce);
567         free(expect);
568         return retval;
569 }
570
571 static void prepare_push_cert_sha1(struct child_process *proc)
572 {
573         static int already_done;
574
575         if (!push_cert.len)
576                 return;
577
578         if (!already_done) {
579                 struct strbuf gpg_output = STRBUF_INIT;
580                 struct strbuf gpg_status = STRBUF_INIT;
581                 int bogs /* beginning_of_gpg_sig */;
582
583                 already_done = 1;
584                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
585                         hashclr(push_cert_sha1);
586
587                 memset(&sigcheck, '\0', sizeof(sigcheck));
588                 sigcheck.result = 'N';
589
590                 bogs = parse_signature(push_cert.buf, push_cert.len);
591                 if (verify_signed_buffer(push_cert.buf, bogs,
592                                          push_cert.buf + bogs, push_cert.len - bogs,
593                                          &gpg_output, &gpg_status) < 0) {
594                         ; /* error running gpg */
595                 } else {
596                         sigcheck.payload = push_cert.buf;
597                         sigcheck.gpg_output = gpg_output.buf;
598                         sigcheck.gpg_status = gpg_status.buf;
599                         parse_gpg_output(&sigcheck);
600                 }
601
602                 strbuf_release(&gpg_output);
603                 strbuf_release(&gpg_status);
604                 nonce_status = check_nonce(push_cert.buf, bogs);
605         }
606         if (!is_null_sha1(push_cert_sha1)) {
607                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
608                                  sha1_to_hex(push_cert_sha1));
609                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
610                                  sigcheck.signer ? sigcheck.signer : "");
611                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
612                                  sigcheck.key ? sigcheck.key : "");
613                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
614                                  sigcheck.result);
615                 if (push_cert_nonce) {
616                         argv_array_pushf(&proc->env_array,
617                                          "GIT_PUSH_CERT_NONCE=%s",
618                                          push_cert_nonce);
619                         argv_array_pushf(&proc->env_array,
620                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
621                                          nonce_status);
622                         if (nonce_status == NONCE_SLOP)
623                                 argv_array_pushf(&proc->env_array,
624                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
625                                                  nonce_stamp_slop);
626                 }
627         }
628 }
629
630 struct receive_hook_feed_state {
631         struct command *cmd;
632         int skip_broken;
633         struct strbuf buf;
634         const struct string_list *push_options;
635 };
636
637 typedef int (*feed_fn)(void *, const char **, size_t *);
638 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
639                              struct receive_hook_feed_state *feed_state)
640 {
641         struct child_process proc = CHILD_PROCESS_INIT;
642         struct async muxer;
643         const char *argv[2];
644         int code;
645
646         argv[0] = find_hook(hook_name);
647         if (!argv[0])
648                 return 0;
649
650         argv[1] = NULL;
651
652         proc.argv = argv;
653         proc.in = -1;
654         proc.stdout_to_stderr = 1;
655         if (feed_state->push_options) {
656                 int i;
657                 for (i = 0; i < feed_state->push_options->nr; i++)
658                         argv_array_pushf(&proc.env_array,
659                                 "GIT_PUSH_OPTION_%d=%s", i,
660                                 feed_state->push_options->items[i].string);
661                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
662                                  feed_state->push_options->nr);
663         } else
664                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
665
666         if (use_sideband) {
667                 memset(&muxer, 0, sizeof(muxer));
668                 muxer.proc = copy_to_sideband;
669                 muxer.in = -1;
670                 code = start_async(&muxer);
671                 if (code)
672                         return code;
673                 proc.err = muxer.in;
674         }
675
676         prepare_push_cert_sha1(&proc);
677
678         code = start_command(&proc);
679         if (code) {
680                 if (use_sideband)
681                         finish_async(&muxer);
682                 return code;
683         }
684
685         sigchain_push(SIGPIPE, SIG_IGN);
686
687         while (1) {
688                 const char *buf;
689                 size_t n;
690                 if (feed(feed_state, &buf, &n))
691                         break;
692                 if (write_in_full(proc.in, buf, n) != n)
693                         break;
694         }
695         close(proc.in);
696         if (use_sideband)
697                 finish_async(&muxer);
698
699         sigchain_pop(SIGPIPE);
700
701         return finish_command(&proc);
702 }
703
704 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
705 {
706         struct receive_hook_feed_state *state = state_;
707         struct command *cmd = state->cmd;
708
709         while (cmd &&
710                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
711                 cmd = cmd->next;
712         if (!cmd)
713                 return -1; /* EOF */
714         strbuf_reset(&state->buf);
715         strbuf_addf(&state->buf, "%s %s %s\n",
716                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
717                     cmd->ref_name);
718         state->cmd = cmd->next;
719         if (bufp) {
720                 *bufp = state->buf.buf;
721                 *sizep = state->buf.len;
722         }
723         return 0;
724 }
725
726 static int run_receive_hook(struct command *commands,
727                             const char *hook_name,
728                             int skip_broken,
729                             const struct string_list *push_options)
730 {
731         struct receive_hook_feed_state state;
732         int status;
733
734         strbuf_init(&state.buf, 0);
735         state.cmd = commands;
736         state.skip_broken = skip_broken;
737         if (feed_receive_hook(&state, NULL, NULL))
738                 return 0;
739         state.cmd = commands;
740         state.push_options = push_options;
741         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
742         strbuf_release(&state.buf);
743         return status;
744 }
745
746 static int run_update_hook(struct command *cmd)
747 {
748         const char *argv[5];
749         struct child_process proc = CHILD_PROCESS_INIT;
750         int code;
751
752         argv[0] = find_hook("update");
753         if (!argv[0])
754                 return 0;
755
756         argv[1] = cmd->ref_name;
757         argv[2] = sha1_to_hex(cmd->old_sha1);
758         argv[3] = sha1_to_hex(cmd->new_sha1);
759         argv[4] = NULL;
760
761         proc.no_stdin = 1;
762         proc.stdout_to_stderr = 1;
763         proc.err = use_sideband ? -1 : 0;
764         proc.argv = argv;
765
766         code = start_command(&proc);
767         if (code)
768                 return code;
769         if (use_sideband)
770                 copy_to_sideband(proc.err, -1, NULL);
771         return finish_command(&proc);
772 }
773
774 static int is_ref_checked_out(const char *ref)
775 {
776         if (is_bare_repository())
777                 return 0;
778
779         if (!head_name)
780                 return 0;
781         return !strcmp(head_name, ref);
782 }
783
784 static char *refuse_unconfigured_deny_msg =
785         N_("By default, updating the current branch in a non-bare repository\n"
786            "is denied, because it will make the index and work tree inconsistent\n"
787            "with what you pushed, and will require 'git reset --hard' to match\n"
788            "the work tree to HEAD.\n"
789            "\n"
790            "You can set 'receive.denyCurrentBranch' configuration variable to\n"
791            "'ignore' or 'warn' in the remote repository to allow pushing into\n"
792            "its current branch; however, this is not recommended unless you\n"
793            "arranged to update its work tree to match what you pushed in some\n"
794            "other way.\n"
795            "\n"
796            "To squelch this message and still keep the default behaviour, set\n"
797            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
798
799 static void refuse_unconfigured_deny(void)
800 {
801         rp_error("%s", _(refuse_unconfigured_deny_msg));
802 }
803
804 static char *refuse_unconfigured_deny_delete_current_msg =
805         N_("By default, deleting the current branch is denied, because the next\n"
806            "'git clone' won't result in any file checked out, causing confusion.\n"
807            "\n"
808            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
809            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
810            "current branch, with or without a warning message.\n"
811            "\n"
812            "To squelch this message, you can set it to 'refuse'.");
813
814 static void refuse_unconfigured_deny_delete_current(void)
815 {
816         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
817 }
818
819 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
820 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
821 {
822         static struct lock_file shallow_lock;
823         struct sha1_array extra = SHA1_ARRAY_INIT;
824         struct check_connected_options opt = CHECK_CONNECTED_INIT;
825         uint32_t mask = 1 << (cmd->index % 32);
826         int i;
827
828         trace_printf_key(&trace_shallow,
829                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
830         for (i = 0; i < si->shallow->nr; i++)
831                 if (si->used_shallow[i] &&
832                     (si->used_shallow[i][cmd->index / 32] & mask) &&
833                     !delayed_reachability_test(si, i))
834                         sha1_array_append(&extra, si->shallow->sha1[i]);
835
836         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
837         if (check_connected(command_singleton_iterator, cmd, &opt)) {
838                 rollback_lock_file(&shallow_lock);
839                 sha1_array_clear(&extra);
840                 return -1;
841         }
842
843         commit_lock_file(&shallow_lock);
844
845         /*
846          * Make sure setup_alternate_shallow() for the next ref does
847          * not lose these new roots..
848          */
849         for (i = 0; i < extra.nr; i++)
850                 register_shallow(extra.sha1[i]);
851
852         si->shallow_ref[cmd->index] = 0;
853         sha1_array_clear(&extra);
854         return 0;
855 }
856
857 /*
858  * NEEDSWORK: we should consolidate various implementions of "are we
859  * on an unborn branch?" test into one, and make the unified one more
860  * robust. !get_sha1() based check used here and elsewhere would not
861  * allow us to tell an unborn branch from corrupt ref, for example.
862  * For the purpose of fixing "deploy-to-update does not work when
863  * pushing into an empty repository" issue, this should suffice for
864  * now.
865  */
866 static int head_has_history(void)
867 {
868         unsigned char sha1[20];
869
870         return !get_sha1("HEAD", sha1);
871 }
872
873 static const char *push_to_deploy(unsigned char *sha1,
874                                   struct argv_array *env,
875                                   const char *work_tree)
876 {
877         const char *update_refresh[] = {
878                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
879         };
880         const char *diff_files[] = {
881                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
882         };
883         const char *diff_index[] = {
884                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
885                 NULL, "--", NULL
886         };
887         const char *read_tree[] = {
888                 "read-tree", "-u", "-m", NULL, NULL
889         };
890         struct child_process child = CHILD_PROCESS_INIT;
891
892         child.argv = update_refresh;
893         child.env = env->argv;
894         child.dir = work_tree;
895         child.no_stdin = 1;
896         child.stdout_to_stderr = 1;
897         child.git_cmd = 1;
898         if (run_command(&child))
899                 return "Up-to-date check failed";
900
901         /* run_command() does not clean up completely; reinitialize */
902         child_process_init(&child);
903         child.argv = diff_files;
904         child.env = env->argv;
905         child.dir = work_tree;
906         child.no_stdin = 1;
907         child.stdout_to_stderr = 1;
908         child.git_cmd = 1;
909         if (run_command(&child))
910                 return "Working directory has unstaged changes";
911
912         /* diff-index with either HEAD or an empty tree */
913         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
914
915         child_process_init(&child);
916         child.argv = diff_index;
917         child.env = env->argv;
918         child.no_stdin = 1;
919         child.no_stdout = 1;
920         child.stdout_to_stderr = 0;
921         child.git_cmd = 1;
922         if (run_command(&child))
923                 return "Working directory has staged changes";
924
925         read_tree[3] = sha1_to_hex(sha1);
926         child_process_init(&child);
927         child.argv = read_tree;
928         child.env = env->argv;
929         child.dir = work_tree;
930         child.no_stdin = 1;
931         child.no_stdout = 1;
932         child.stdout_to_stderr = 0;
933         child.git_cmd = 1;
934         if (run_command(&child))
935                 return "Could not update working tree to new HEAD";
936
937         return NULL;
938 }
939
940 static const char *push_to_checkout_hook = "push-to-checkout";
941
942 static const char *push_to_checkout(unsigned char *sha1,
943                                     struct argv_array *env,
944                                     const char *work_tree)
945 {
946         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
947         if (run_hook_le(env->argv, push_to_checkout_hook,
948                         sha1_to_hex(sha1), NULL))
949                 return "push-to-checkout hook declined";
950         else
951                 return NULL;
952 }
953
954 static const char *update_worktree(unsigned char *sha1)
955 {
956         const char *retval;
957         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
958         struct argv_array env = ARGV_ARRAY_INIT;
959
960         if (is_bare_repository())
961                 return "denyCurrentBranch = updateInstead needs a worktree";
962
963         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
964
965         if (!find_hook(push_to_checkout_hook))
966                 retval = push_to_deploy(sha1, &env, work_tree);
967         else
968                 retval = push_to_checkout(sha1, &env, work_tree);
969
970         argv_array_clear(&env);
971         return retval;
972 }
973
974 static const char *update(struct command *cmd, struct shallow_info *si)
975 {
976         const char *name = cmd->ref_name;
977         struct strbuf namespaced_name_buf = STRBUF_INIT;
978         const char *namespaced_name, *ret;
979         unsigned char *old_sha1 = cmd->old_sha1;
980         unsigned char *new_sha1 = cmd->new_sha1;
981
982         /* only refs/... are allowed */
983         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
984                 rp_error("refusing to create funny ref '%s' remotely", name);
985                 return "funny refname";
986         }
987
988         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
989         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
990
991         if (is_ref_checked_out(namespaced_name)) {
992                 switch (deny_current_branch) {
993                 case DENY_IGNORE:
994                         break;
995                 case DENY_WARN:
996                         rp_warning("updating the current branch");
997                         break;
998                 case DENY_REFUSE:
999                 case DENY_UNCONFIGURED:
1000                         rp_error("refusing to update checked out branch: %s", name);
1001                         if (deny_current_branch == DENY_UNCONFIGURED)
1002                                 refuse_unconfigured_deny();
1003                         return "branch is currently checked out";
1004                 case DENY_UPDATE_INSTEAD:
1005                         ret = update_worktree(new_sha1);
1006                         if (ret)
1007                                 return ret;
1008                         break;
1009                 }
1010         }
1011
1012         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
1013                 error("unpack should have generated %s, "
1014                       "but I can't find it!", sha1_to_hex(new_sha1));
1015                 return "bad pack";
1016         }
1017
1018         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
1019                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1020                         rp_error("denying ref deletion for %s", name);
1021                         return "deletion prohibited";
1022                 }
1023
1024                 if (head_name && !strcmp(namespaced_name, head_name)) {
1025                         switch (deny_delete_current) {
1026                         case DENY_IGNORE:
1027                                 break;
1028                         case DENY_WARN:
1029                                 rp_warning("deleting the current branch");
1030                                 break;
1031                         case DENY_REFUSE:
1032                         case DENY_UNCONFIGURED:
1033                         case DENY_UPDATE_INSTEAD:
1034                                 if (deny_delete_current == DENY_UNCONFIGURED)
1035                                         refuse_unconfigured_deny_delete_current();
1036                                 rp_error("refusing to delete the current branch: %s", name);
1037                                 return "deletion of the current branch prohibited";
1038                         default:
1039                                 return "Invalid denyDeleteCurrent setting";
1040                         }
1041                 }
1042         }
1043
1044         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
1045             !is_null_sha1(old_sha1) &&
1046             starts_with(name, "refs/heads/")) {
1047                 struct object *old_object, *new_object;
1048                 struct commit *old_commit, *new_commit;
1049
1050                 old_object = parse_object(old_sha1);
1051                 new_object = parse_object(new_sha1);
1052
1053                 if (!old_object || !new_object ||
1054                     old_object->type != OBJ_COMMIT ||
1055                     new_object->type != OBJ_COMMIT) {
1056                         error("bad sha1 objects for %s", name);
1057                         return "bad ref";
1058                 }
1059                 old_commit = (struct commit *)old_object;
1060                 new_commit = (struct commit *)new_object;
1061                 if (!in_merge_bases(old_commit, new_commit)) {
1062                         rp_error("denying non-fast-forward %s"
1063                                  " (you should pull first)", name);
1064                         return "non-fast-forward";
1065                 }
1066         }
1067         if (run_update_hook(cmd)) {
1068                 rp_error("hook declined to update %s", name);
1069                 return "hook declined";
1070         }
1071
1072         if (is_null_sha1(new_sha1)) {
1073                 struct strbuf err = STRBUF_INIT;
1074                 if (!parse_object(old_sha1)) {
1075                         old_sha1 = NULL;
1076                         if (ref_exists(name)) {
1077                                 rp_warning("Allowing deletion of corrupt ref.");
1078                         } else {
1079                                 rp_warning("Deleting a non-existent ref.");
1080                                 cmd->did_not_exist = 1;
1081                         }
1082                 }
1083                 if (ref_transaction_delete(transaction,
1084                                            namespaced_name,
1085                                            old_sha1,
1086                                            0, "push", &err)) {
1087                         rp_error("%s", err.buf);
1088                         strbuf_release(&err);
1089                         return "failed to delete";
1090                 }
1091                 strbuf_release(&err);
1092                 return NULL; /* good */
1093         }
1094         else {
1095                 struct strbuf err = STRBUF_INIT;
1096                 if (shallow_update && si->shallow_ref[cmd->index] &&
1097                     update_shallow_ref(cmd, si))
1098                         return "shallow error";
1099
1100                 if (ref_transaction_update(transaction,
1101                                            namespaced_name,
1102                                            new_sha1, old_sha1,
1103                                            0, "push",
1104                                            &err)) {
1105                         rp_error("%s", err.buf);
1106                         strbuf_release(&err);
1107
1108                         return "failed to update ref";
1109                 }
1110                 strbuf_release(&err);
1111
1112                 return NULL; /* good */
1113         }
1114 }
1115
1116 static void run_update_post_hook(struct command *commands)
1117 {
1118         struct command *cmd;
1119         int argc;
1120         struct child_process proc = CHILD_PROCESS_INIT;
1121         const char *hook;
1122
1123         hook = find_hook("post-update");
1124         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1125                 if (cmd->error_string || cmd->did_not_exist)
1126                         continue;
1127                 argc++;
1128         }
1129         if (!argc || !hook)
1130                 return;
1131
1132         argv_array_push(&proc.args, hook);
1133         for (cmd = commands; cmd; cmd = cmd->next) {
1134                 if (cmd->error_string || cmd->did_not_exist)
1135                         continue;
1136                 argv_array_push(&proc.args, cmd->ref_name);
1137         }
1138
1139         proc.no_stdin = 1;
1140         proc.stdout_to_stderr = 1;
1141         proc.err = use_sideband ? -1 : 0;
1142
1143         if (!start_command(&proc)) {
1144                 if (use_sideband)
1145                         copy_to_sideband(proc.err, -1, NULL);
1146                 finish_command(&proc);
1147         }
1148 }
1149
1150 static void check_aliased_update(struct command *cmd, struct string_list *list)
1151 {
1152         struct strbuf buf = STRBUF_INIT;
1153         const char *dst_name;
1154         struct string_list_item *item;
1155         struct command *dst_cmd;
1156         unsigned char sha1[GIT_SHA1_RAWSZ];
1157         char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1158              cmd_newh[GIT_SHA1_HEXSZ + 1],
1159              dst_oldh[GIT_SHA1_HEXSZ + 1],
1160              dst_newh[GIT_SHA1_HEXSZ + 1];
1161         int flag;
1162
1163         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1164         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1165         strbuf_release(&buf);
1166
1167         if (!(flag & REF_ISSYMREF))
1168                 return;
1169
1170         if (!dst_name) {
1171                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1172                 cmd->skip_update = 1;
1173                 cmd->error_string = "broken symref";
1174                 return;
1175         }
1176         dst_name = strip_namespace(dst_name);
1177
1178         if ((item = string_list_lookup(list, dst_name)) == NULL)
1179                 return;
1180
1181         cmd->skip_update = 1;
1182
1183         dst_cmd = (struct command *) item->util;
1184
1185         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1186             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1187                 return;
1188
1189         dst_cmd->skip_update = 1;
1190
1191         find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1192         find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1193         find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1194         find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1195         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1196                  " its target '%s' (%s..%s)",
1197                  cmd->ref_name, cmd_oldh, cmd_newh,
1198                  dst_cmd->ref_name, dst_oldh, dst_newh);
1199
1200         cmd->error_string = dst_cmd->error_string =
1201                 "inconsistent aliased update";
1202 }
1203
1204 static void check_aliased_updates(struct command *commands)
1205 {
1206         struct command *cmd;
1207         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1208
1209         for (cmd = commands; cmd; cmd = cmd->next) {
1210                 struct string_list_item *item =
1211                         string_list_append(&ref_list, cmd->ref_name);
1212                 item->util = (void *)cmd;
1213         }
1214         string_list_sort(&ref_list);
1215
1216         for (cmd = commands; cmd; cmd = cmd->next) {
1217                 if (!cmd->error_string)
1218                         check_aliased_update(cmd, &ref_list);
1219         }
1220
1221         string_list_clear(&ref_list, 0);
1222 }
1223
1224 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1225 {
1226         struct command **cmd_list = cb_data;
1227         struct command *cmd = *cmd_list;
1228
1229         if (!cmd || is_null_sha1(cmd->new_sha1))
1230                 return -1; /* end of list */
1231         *cmd_list = NULL; /* this returns only one */
1232         hashcpy(sha1, cmd->new_sha1);
1233         return 0;
1234 }
1235
1236 static void set_connectivity_errors(struct command *commands,
1237                                     struct shallow_info *si)
1238 {
1239         struct command *cmd;
1240
1241         for (cmd = commands; cmd; cmd = cmd->next) {
1242                 struct command *singleton = cmd;
1243                 if (shallow_update && si->shallow_ref[cmd->index])
1244                         /* to be checked in update_shallow_ref() */
1245                         continue;
1246                 if (!check_connected(command_singleton_iterator, &singleton,
1247                                      NULL))
1248                         continue;
1249                 cmd->error_string = "missing necessary objects";
1250         }
1251 }
1252
1253 struct iterate_data {
1254         struct command *cmds;
1255         struct shallow_info *si;
1256 };
1257
1258 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1259 {
1260         struct iterate_data *data = cb_data;
1261         struct command **cmd_list = &data->cmds;
1262         struct command *cmd = *cmd_list;
1263
1264         for (; cmd; cmd = cmd->next) {
1265                 if (shallow_update && data->si->shallow_ref[cmd->index])
1266                         /* to be checked in update_shallow_ref() */
1267                         continue;
1268                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1269                         hashcpy(sha1, cmd->new_sha1);
1270                         *cmd_list = cmd->next;
1271                         return 0;
1272                 }
1273         }
1274         *cmd_list = NULL;
1275         return -1; /* end of list */
1276 }
1277
1278 static void reject_updates_to_hidden(struct command *commands)
1279 {
1280         struct strbuf refname_full = STRBUF_INIT;
1281         size_t prefix_len;
1282         struct command *cmd;
1283
1284         strbuf_addstr(&refname_full, get_git_namespace());
1285         prefix_len = refname_full.len;
1286
1287         for (cmd = commands; cmd; cmd = cmd->next) {
1288                 if (cmd->error_string)
1289                         continue;
1290
1291                 strbuf_setlen(&refname_full, prefix_len);
1292                 strbuf_addstr(&refname_full, cmd->ref_name);
1293
1294                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1295                         continue;
1296                 if (is_null_sha1(cmd->new_sha1))
1297                         cmd->error_string = "deny deleting a hidden ref";
1298                 else
1299                         cmd->error_string = "deny updating a hidden ref";
1300         }
1301
1302         strbuf_release(&refname_full);
1303 }
1304
1305 static int should_process_cmd(struct command *cmd)
1306 {
1307         return !cmd->error_string && !cmd->skip_update;
1308 }
1309
1310 static void warn_if_skipped_connectivity_check(struct command *commands,
1311                                                struct shallow_info *si)
1312 {
1313         struct command *cmd;
1314         int checked_connectivity = 1;
1315
1316         for (cmd = commands; cmd; cmd = cmd->next) {
1317                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1318                         error("BUG: connectivity check has not been run on ref %s",
1319                               cmd->ref_name);
1320                         checked_connectivity = 0;
1321                 }
1322         }
1323         if (!checked_connectivity)
1324                 die("BUG: connectivity check skipped???");
1325 }
1326
1327 static void execute_commands_non_atomic(struct command *commands,
1328                                         struct shallow_info *si)
1329 {
1330         struct command *cmd;
1331         struct strbuf err = STRBUF_INIT;
1332
1333         for (cmd = commands; cmd; cmd = cmd->next) {
1334                 if (!should_process_cmd(cmd))
1335                         continue;
1336
1337                 transaction = ref_transaction_begin(&err);
1338                 if (!transaction) {
1339                         rp_error("%s", err.buf);
1340                         strbuf_reset(&err);
1341                         cmd->error_string = "transaction failed to start";
1342                         continue;
1343                 }
1344
1345                 cmd->error_string = update(cmd, si);
1346
1347                 if (!cmd->error_string
1348                     && ref_transaction_commit(transaction, &err)) {
1349                         rp_error("%s", err.buf);
1350                         strbuf_reset(&err);
1351                         cmd->error_string = "failed to update ref";
1352                 }
1353                 ref_transaction_free(transaction);
1354         }
1355         strbuf_release(&err);
1356 }
1357
1358 static void execute_commands_atomic(struct command *commands,
1359                                         struct shallow_info *si)
1360 {
1361         struct command *cmd;
1362         struct strbuf err = STRBUF_INIT;
1363         const char *reported_error = "atomic push failure";
1364
1365         transaction = ref_transaction_begin(&err);
1366         if (!transaction) {
1367                 rp_error("%s", err.buf);
1368                 strbuf_reset(&err);
1369                 reported_error = "transaction failed to start";
1370                 goto failure;
1371         }
1372
1373         for (cmd = commands; cmd; cmd = cmd->next) {
1374                 if (!should_process_cmd(cmd))
1375                         continue;
1376
1377                 cmd->error_string = update(cmd, si);
1378
1379                 if (cmd->error_string)
1380                         goto failure;
1381         }
1382
1383         if (ref_transaction_commit(transaction, &err)) {
1384                 rp_error("%s", err.buf);
1385                 reported_error = "atomic transaction failed";
1386                 goto failure;
1387         }
1388         goto cleanup;
1389
1390 failure:
1391         for (cmd = commands; cmd; cmd = cmd->next)
1392                 if (!cmd->error_string)
1393                         cmd->error_string = reported_error;
1394
1395 cleanup:
1396         ref_transaction_free(transaction);
1397         strbuf_release(&err);
1398 }
1399
1400 static void execute_commands(struct command *commands,
1401                              const char *unpacker_error,
1402                              struct shallow_info *si,
1403                              const struct string_list *push_options)
1404 {
1405         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1406         struct command *cmd;
1407         unsigned char sha1[20];
1408         struct iterate_data data;
1409         struct async muxer;
1410         int err_fd = 0;
1411
1412         if (unpacker_error) {
1413                 for (cmd = commands; cmd; cmd = cmd->next)
1414                         cmd->error_string = "unpacker error";
1415                 return;
1416         }
1417
1418         if (use_sideband) {
1419                 memset(&muxer, 0, sizeof(muxer));
1420                 muxer.proc = copy_to_sideband;
1421                 muxer.in = -1;
1422                 if (!start_async(&muxer))
1423                         err_fd = muxer.in;
1424                 /* ...else, continue without relaying sideband */
1425         }
1426
1427         data.cmds = commands;
1428         data.si = si;
1429         opt.err_fd = err_fd;
1430         opt.progress = err_fd && !quiet;
1431         if (check_connected(iterate_receive_command_list, &data, &opt))
1432                 set_connectivity_errors(commands, si);
1433
1434         if (use_sideband)
1435                 finish_async(&muxer);
1436
1437         reject_updates_to_hidden(commands);
1438
1439         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1440                 for (cmd = commands; cmd; cmd = cmd->next) {
1441                         if (!cmd->error_string)
1442                                 cmd->error_string = "pre-receive hook declined";
1443                 }
1444                 return;
1445         }
1446
1447         check_aliased_updates(commands);
1448
1449         free(head_name_to_free);
1450         head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1451
1452         if (use_atomic)
1453                 execute_commands_atomic(commands, si);
1454         else
1455                 execute_commands_non_atomic(commands, si);
1456
1457         if (shallow_update)
1458                 warn_if_skipped_connectivity_check(commands, si);
1459 }
1460
1461 static struct command **queue_command(struct command **tail,
1462                                       const char *line,
1463                                       int linelen)
1464 {
1465         unsigned char old_sha1[20], new_sha1[20];
1466         struct command *cmd;
1467         const char *refname;
1468         int reflen;
1469
1470         if (linelen < 83 ||
1471             line[40] != ' ' ||
1472             line[81] != ' ' ||
1473             get_sha1_hex(line, old_sha1) ||
1474             get_sha1_hex(line + 41, new_sha1))
1475                 die("protocol error: expected old/new/ref, got '%s'", line);
1476
1477         refname = line + 82;
1478         reflen = linelen - 82;
1479         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1480         hashcpy(cmd->old_sha1, old_sha1);
1481         hashcpy(cmd->new_sha1, new_sha1);
1482         *tail = cmd;
1483         return &cmd->next;
1484 }
1485
1486 static void queue_commands_from_cert(struct command **tail,
1487                                      struct strbuf *push_cert)
1488 {
1489         const char *boc, *eoc;
1490
1491         if (*tail)
1492                 die("protocol error: got both push certificate and unsigned commands");
1493
1494         boc = strstr(push_cert->buf, "\n\n");
1495         if (!boc)
1496                 die("malformed push certificate %.*s", 100, push_cert->buf);
1497         else
1498                 boc += 2;
1499         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1500
1501         while (boc < eoc) {
1502                 const char *eol = memchr(boc, '\n', eoc - boc);
1503                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1504                 boc = eol ? eol + 1 : eoc;
1505         }
1506 }
1507
1508 static struct command *read_head_info(struct sha1_array *shallow)
1509 {
1510         struct command *commands = NULL;
1511         struct command **p = &commands;
1512         for (;;) {
1513                 char *line;
1514                 int len, linelen;
1515
1516                 line = packet_read_line(0, &len);
1517                 if (!line)
1518                         break;
1519
1520                 if (len == 48 && starts_with(line, "shallow ")) {
1521                         unsigned char sha1[20];
1522                         if (get_sha1_hex(line + 8, sha1))
1523                                 die("protocol error: expected shallow sha, got '%s'",
1524                                     line + 8);
1525                         sha1_array_append(shallow, sha1);
1526                         continue;
1527                 }
1528
1529                 linelen = strlen(line);
1530                 if (linelen < len) {
1531                         const char *feature_list = line + linelen + 1;
1532                         if (parse_feature_request(feature_list, "report-status"))
1533                                 report_status = 1;
1534                         if (parse_feature_request(feature_list, "side-band-64k"))
1535                                 use_sideband = LARGE_PACKET_MAX;
1536                         if (parse_feature_request(feature_list, "quiet"))
1537                                 quiet = 1;
1538                         if (advertise_atomic_push
1539                             && parse_feature_request(feature_list, "atomic"))
1540                                 use_atomic = 1;
1541                         if (advertise_push_options
1542                             && parse_feature_request(feature_list, "push-options"))
1543                                 use_push_options = 1;
1544                 }
1545
1546                 if (!strcmp(line, "push-cert")) {
1547                         int true_flush = 0;
1548                         char certbuf[1024];
1549
1550                         for (;;) {
1551                                 len = packet_read(0, NULL, NULL,
1552                                                   certbuf, sizeof(certbuf), 0);
1553                                 if (!len) {
1554                                         true_flush = 1;
1555                                         break;
1556                                 }
1557                                 if (!strcmp(certbuf, "push-cert-end\n"))
1558                                         break; /* end of cert */
1559                                 strbuf_addstr(&push_cert, certbuf);
1560                         }
1561
1562                         if (true_flush)
1563                                 break;
1564                         continue;
1565                 }
1566
1567                 p = queue_command(p, line, linelen);
1568         }
1569
1570         if (push_cert.len)
1571                 queue_commands_from_cert(p, &push_cert);
1572
1573         return commands;
1574 }
1575
1576 static void read_push_options(struct string_list *options)
1577 {
1578         while (1) {
1579                 char *line;
1580                 int len;
1581
1582                 line = packet_read_line(0, &len);
1583
1584                 if (!line)
1585                         break;
1586
1587                 string_list_append(options, line);
1588         }
1589 }
1590
1591 static const char *parse_pack_header(struct pack_header *hdr)
1592 {
1593         switch (read_pack_header(0, hdr)) {
1594         case PH_ERROR_EOF:
1595                 return "eof before pack header was fully read";
1596
1597         case PH_ERROR_PACK_SIGNATURE:
1598                 return "protocol error (pack signature mismatch detected)";
1599
1600         case PH_ERROR_PROTOCOL:
1601                 return "protocol error (pack version unsupported)";
1602
1603         default:
1604                 return "unknown error in parse_pack_header";
1605
1606         case 0:
1607                 return NULL;
1608         }
1609 }
1610
1611 static const char *pack_lockfile;
1612
1613 static const char *unpack(int err_fd, struct shallow_info *si)
1614 {
1615         struct pack_header hdr;
1616         const char *hdr_err;
1617         int status;
1618         char hdr_arg[38];
1619         struct child_process child = CHILD_PROCESS_INIT;
1620         int fsck_objects = (receive_fsck_objects >= 0
1621                             ? receive_fsck_objects
1622                             : transfer_fsck_objects >= 0
1623                             ? transfer_fsck_objects
1624                             : 0);
1625
1626         hdr_err = parse_pack_header(&hdr);
1627         if (hdr_err) {
1628                 if (err_fd > 0)
1629                         close(err_fd);
1630                 return hdr_err;
1631         }
1632         snprintf(hdr_arg, sizeof(hdr_arg),
1633                         "--pack_header=%"PRIu32",%"PRIu32,
1634                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1635
1636         if (si->nr_ours || si->nr_theirs) {
1637                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1638                 argv_array_push(&child.args, "--shallow-file");
1639                 argv_array_push(&child.args, alt_shallow_file);
1640         }
1641
1642         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1643                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1644                 if (quiet)
1645                         argv_array_push(&child.args, "-q");
1646                 if (fsck_objects)
1647                         argv_array_pushf(&child.args, "--strict%s",
1648                                 fsck_msg_types.buf);
1649                 if (max_input_size)
1650                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1651                                 (uintmax_t)max_input_size);
1652                 child.no_stdout = 1;
1653                 child.err = err_fd;
1654                 child.git_cmd = 1;
1655                 status = run_command(&child);
1656                 if (status)
1657                         return "unpack-objects abnormal exit";
1658         } else {
1659                 char hostname[256];
1660
1661                 argv_array_pushl(&child.args, "index-pack",
1662                                  "--stdin", hdr_arg, NULL);
1663
1664                 if (gethostname(hostname, sizeof(hostname)))
1665                         xsnprintf(hostname, sizeof(hostname), "localhost");
1666                 argv_array_pushf(&child.args,
1667                                  "--keep=receive-pack %"PRIuMAX" on %s",
1668                                  (uintmax_t)getpid(),
1669                                  hostname);
1670
1671                 if (!quiet && err_fd)
1672                         argv_array_push(&child.args, "--show-resolving-progress");
1673                 if (use_sideband)
1674                         argv_array_push(&child.args, "--report-end-of-input");
1675                 if (fsck_objects)
1676                         argv_array_pushf(&child.args, "--strict%s",
1677                                 fsck_msg_types.buf);
1678                 if (!reject_thin)
1679                         argv_array_push(&child.args, "--fix-thin");
1680                 if (max_input_size)
1681                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1682                                 (uintmax_t)max_input_size);
1683                 child.out = -1;
1684                 child.err = err_fd;
1685                 child.git_cmd = 1;
1686                 status = start_command(&child);
1687                 if (status)
1688                         return "index-pack fork failed";
1689                 pack_lockfile = index_pack_lockfile(child.out);
1690                 close(child.out);
1691                 status = finish_command(&child);
1692                 if (status)
1693                         return "index-pack abnormal exit";
1694                 reprepare_packed_git();
1695         }
1696         return NULL;
1697 }
1698
1699 static const char *unpack_with_sideband(struct shallow_info *si)
1700 {
1701         struct async muxer;
1702         const char *ret;
1703
1704         if (!use_sideband)
1705                 return unpack(0, si);
1706
1707         use_keepalive = KEEPALIVE_AFTER_NUL;
1708         memset(&muxer, 0, sizeof(muxer));
1709         muxer.proc = copy_to_sideband;
1710         muxer.in = -1;
1711         if (start_async(&muxer))
1712                 return NULL;
1713
1714         ret = unpack(muxer.in, si);
1715
1716         finish_async(&muxer);
1717         return ret;
1718 }
1719
1720 static void prepare_shallow_update(struct command *commands,
1721                                    struct shallow_info *si)
1722 {
1723         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1724
1725         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1726         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1727
1728         si->need_reachability_test =
1729                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1730         si->reachable =
1731                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1732         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1733
1734         for (i = 0; i < si->nr_ours; i++)
1735                 si->need_reachability_test[si->ours[i]] = 1;
1736
1737         for (i = 0; i < si->shallow->nr; i++) {
1738                 if (!si->used_shallow[i])
1739                         continue;
1740                 for (j = 0; j < bitmap_size; j++) {
1741                         if (!si->used_shallow[i][j])
1742                                 continue;
1743                         si->need_reachability_test[i]++;
1744                         for (k = 0; k < 32; k++)
1745                                 if (si->used_shallow[i][j] & (1U << k))
1746                                         si->shallow_ref[j * 32 + k]++;
1747                 }
1748
1749                 /*
1750                  * true for those associated with some refs and belong
1751                  * in "ours" list aka "step 7 not done yet"
1752                  */
1753                 si->need_reachability_test[i] =
1754                         si->need_reachability_test[i] > 1;
1755         }
1756
1757         /*
1758          * keep hooks happy by forcing a temporary shallow file via
1759          * env variable because we can't add --shallow-file to every
1760          * command. check_everything_connected() will be done with
1761          * true .git/shallow though.
1762          */
1763         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1764 }
1765
1766 static void update_shallow_info(struct command *commands,
1767                                 struct shallow_info *si,
1768                                 struct sha1_array *ref)
1769 {
1770         struct command *cmd;
1771         int *ref_status;
1772         remove_nonexistent_theirs_shallow(si);
1773         if (!si->nr_ours && !si->nr_theirs) {
1774                 shallow_update = 0;
1775                 return;
1776         }
1777
1778         for (cmd = commands; cmd; cmd = cmd->next) {
1779                 if (is_null_sha1(cmd->new_sha1))
1780                         continue;
1781                 sha1_array_append(ref, cmd->new_sha1);
1782                 cmd->index = ref->nr - 1;
1783         }
1784         si->ref = ref;
1785
1786         if (shallow_update) {
1787                 prepare_shallow_update(commands, si);
1788                 return;
1789         }
1790
1791         ALLOC_ARRAY(ref_status, ref->nr);
1792         assign_shallow_commits_to_refs(si, NULL, ref_status);
1793         for (cmd = commands; cmd; cmd = cmd->next) {
1794                 if (is_null_sha1(cmd->new_sha1))
1795                         continue;
1796                 if (ref_status[cmd->index]) {
1797                         cmd->error_string = "shallow update not allowed";
1798                         cmd->skip_update = 1;
1799                 }
1800         }
1801         free(ref_status);
1802 }
1803
1804 static void report(struct command *commands, const char *unpack_status)
1805 {
1806         struct command *cmd;
1807         struct strbuf buf = STRBUF_INIT;
1808
1809         packet_buf_write(&buf, "unpack %s\n",
1810                          unpack_status ? unpack_status : "ok");
1811         for (cmd = commands; cmd; cmd = cmd->next) {
1812                 if (!cmd->error_string)
1813                         packet_buf_write(&buf, "ok %s\n",
1814                                          cmd->ref_name);
1815                 else
1816                         packet_buf_write(&buf, "ng %s %s\n",
1817                                          cmd->ref_name, cmd->error_string);
1818         }
1819         packet_buf_flush(&buf);
1820
1821         if (use_sideband)
1822                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1823         else
1824                 write_or_die(1, buf.buf, buf.len);
1825         strbuf_release(&buf);
1826 }
1827
1828 static int delete_only(struct command *commands)
1829 {
1830         struct command *cmd;
1831         for (cmd = commands; cmd; cmd = cmd->next) {
1832                 if (!is_null_sha1(cmd->new_sha1))
1833                         return 0;
1834         }
1835         return 1;
1836 }
1837
1838 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1839 {
1840         int advertise_refs = 0;
1841         struct command *commands;
1842         struct sha1_array shallow = SHA1_ARRAY_INIT;
1843         struct sha1_array ref = SHA1_ARRAY_INIT;
1844         struct shallow_info si;
1845
1846         struct option options[] = {
1847                 OPT__QUIET(&quiet, N_("quiet")),
1848                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1849                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1850                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1851                 OPT_END()
1852         };
1853
1854         packet_trace_identity("receive-pack");
1855
1856         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1857
1858         if (argc > 1)
1859                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1860         if (argc == 0)
1861                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1862
1863         service_dir = argv[0];
1864
1865         setup_path();
1866
1867         if (!enter_repo(service_dir, 0))
1868                 die("'%s' does not appear to be a git repository", service_dir);
1869
1870         git_config(receive_pack_config, NULL);
1871         if (cert_nonce_seed)
1872                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1873
1874         if (0 <= transfer_unpack_limit)
1875                 unpack_limit = transfer_unpack_limit;
1876         else if (0 <= receive_unpack_limit)
1877                 unpack_limit = receive_unpack_limit;
1878
1879         if (advertise_refs || !stateless_rpc) {
1880                 write_head_info();
1881         }
1882         if (advertise_refs)
1883                 return 0;
1884
1885         if ((commands = read_head_info(&shallow)) != NULL) {
1886                 const char *unpack_status = NULL;
1887                 struct string_list push_options = STRING_LIST_INIT_DUP;
1888
1889                 if (use_push_options)
1890                         read_push_options(&push_options);
1891
1892                 prepare_shallow_info(&si, &shallow);
1893                 if (!si.nr_ours && !si.nr_theirs)
1894                         shallow_update = 0;
1895                 if (!delete_only(commands)) {
1896                         unpack_status = unpack_with_sideband(&si);
1897                         update_shallow_info(commands, &si, &ref);
1898                 }
1899                 use_keepalive = KEEPALIVE_ALWAYS;
1900                 execute_commands(commands, unpack_status, &si,
1901                                  &push_options);
1902                 if (pack_lockfile)
1903                         unlink_or_warn(pack_lockfile);
1904                 if (report_status)
1905                         report(commands, unpack_status);
1906                 run_receive_hook(commands, "post-receive", 1,
1907                                  &push_options);
1908                 run_update_post_hook(commands);
1909                 if (push_options.nr)
1910                         string_list_clear(&push_options, 0);
1911                 if (auto_gc) {
1912                         const char *argv_gc_auto[] = {
1913                                 "gc", "--auto", "--quiet", NULL,
1914                         };
1915                         struct child_process proc = CHILD_PROCESS_INIT;
1916
1917                         proc.no_stdin = 1;
1918                         proc.stdout_to_stderr = 1;
1919                         proc.err = use_sideband ? -1 : 0;
1920                         proc.git_cmd = 1;
1921                         proc.argv = argv_gc_auto;
1922
1923                         close_all_packs();
1924                         if (!start_command(&proc)) {
1925                                 if (use_sideband)
1926                                         copy_to_sideband(proc.err, -1, NULL);
1927                                 finish_command(&proc);
1928                         }
1929                 }
1930                 if (auto_update_server_info)
1931                         update_server_info(0);
1932                 clear_shallow_info(&si);
1933         }
1934         if (use_sideband)
1935                 packet_flush(1);
1936         sha1_array_clear(&shallow);
1937         sha1_array_clear(&ref);
1938         free((void *)push_cert_nonce);
1939         return 0;
1940 }