Merge branch 'jk/open-returns-eintr'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "oid-array.h"
17 #include "connected.h"
18 #include "strvec.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30 #include "worktree.h"
31 #include "shallow.h"
32
33 static const char * const receive_pack_usage[] = {
34         N_("git receive-pack <git-dir>"),
35         NULL
36 };
37
38 enum deny_action {
39         DENY_UNCONFIGURED,
40         DENY_IGNORE,
41         DENY_WARN,
42         DENY_REFUSE,
43         DENY_UPDATE_INSTEAD
44 };
45
46 static int deny_deletes;
47 static int deny_non_fast_forwards;
48 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
49 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
50 static int receive_fsck_objects = -1;
51 static int transfer_fsck_objects = -1;
52 static struct strbuf fsck_msg_types = STRBUF_INIT;
53 static int receive_unpack_limit = -1;
54 static int transfer_unpack_limit = -1;
55 static int advertise_atomic_push = 1;
56 static int advertise_push_options;
57 static int advertise_sid;
58 static int unpack_limit = 100;
59 static off_t max_input_size;
60 static int report_status;
61 static int report_status_v2;
62 static int use_sideband;
63 static int use_atomic;
64 static int use_push_options;
65 static int quiet;
66 static int prefer_ofs_delta = 1;
67 static int auto_update_server_info;
68 static int auto_gc = 1;
69 static int reject_thin;
70 static int stateless_rpc;
71 static const char *service_dir;
72 static const char *head_name;
73 static void *head_name_to_free;
74 static int sent_capabilities;
75 static int shallow_update;
76 static const char *alt_shallow_file;
77 static struct strbuf push_cert = STRBUF_INIT;
78 static struct object_id push_cert_oid;
79 static struct signature_check sigcheck;
80 static const char *push_cert_nonce;
81 static const char *cert_nonce_seed;
82
83 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
84 static const char *NONCE_BAD = "BAD";
85 static const char *NONCE_MISSING = "MISSING";
86 static const char *NONCE_OK = "OK";
87 static const char *NONCE_SLOP = "SLOP";
88 static const char *nonce_status;
89 static long nonce_stamp_slop;
90 static timestamp_t nonce_stamp_slop_limit;
91 static struct ref_transaction *transaction;
92
93 static enum {
94         KEEPALIVE_NEVER = 0,
95         KEEPALIVE_AFTER_NUL,
96         KEEPALIVE_ALWAYS
97 } use_keepalive;
98 static int keepalive_in_sec = 5;
99
100 static struct tmp_objdir *tmp_objdir;
101
102 static struct proc_receive_ref {
103         unsigned int want_add:1,
104                      want_delete:1,
105                      want_modify:1,
106                      negative_ref:1;
107         char *ref_prefix;
108         struct proc_receive_ref *next;
109 } *proc_receive_ref;
110
111 static void proc_receive_ref_append(const char *prefix);
112
113 static enum deny_action parse_deny_action(const char *var, const char *value)
114 {
115         if (value) {
116                 if (!strcasecmp(value, "ignore"))
117                         return DENY_IGNORE;
118                 if (!strcasecmp(value, "warn"))
119                         return DENY_WARN;
120                 if (!strcasecmp(value, "refuse"))
121                         return DENY_REFUSE;
122                 if (!strcasecmp(value, "updateinstead"))
123                         return DENY_UPDATE_INSTEAD;
124         }
125         if (git_config_bool(var, value))
126                 return DENY_REFUSE;
127         return DENY_IGNORE;
128 }
129
130 static int receive_pack_config(const char *var, const char *value, void *cb)
131 {
132         int status = parse_hide_refs_config(var, value, "receive");
133
134         if (status)
135                 return status;
136
137         if (strcmp(var, "receive.denydeletes") == 0) {
138                 deny_deletes = git_config_bool(var, value);
139                 return 0;
140         }
141
142         if (strcmp(var, "receive.denynonfastforwards") == 0) {
143                 deny_non_fast_forwards = git_config_bool(var, value);
144                 return 0;
145         }
146
147         if (strcmp(var, "receive.unpacklimit") == 0) {
148                 receive_unpack_limit = git_config_int(var, value);
149                 return 0;
150         }
151
152         if (strcmp(var, "transfer.unpacklimit") == 0) {
153                 transfer_unpack_limit = git_config_int(var, value);
154                 return 0;
155         }
156
157         if (strcmp(var, "receive.fsck.skiplist") == 0) {
158                 const char *path;
159
160                 if (git_config_pathname(&path, var, value))
161                         return 1;
162                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
163                         fsck_msg_types.len ? ',' : '=', path);
164                 free((char *)path);
165                 return 0;
166         }
167
168         if (skip_prefix(var, "receive.fsck.", &var)) {
169                 if (is_valid_msg_type(var, value))
170                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
171                                 fsck_msg_types.len ? ',' : '=', var, value);
172                 else
173                         warning("Skipping unknown msg id '%s'", var);
174                 return 0;
175         }
176
177         if (strcmp(var, "receive.fsckobjects") == 0) {
178                 receive_fsck_objects = git_config_bool(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "transfer.fsckobjects") == 0) {
183                 transfer_fsck_objects = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (!strcmp(var, "receive.denycurrentbranch")) {
188                 deny_current_branch = parse_deny_action(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.denydeletecurrent") == 0) {
193                 deny_delete_current = parse_deny_action(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
198                 prefer_ofs_delta = git_config_bool(var, value);
199                 return 0;
200         }
201
202         if (strcmp(var, "receive.updateserverinfo") == 0) {
203                 auto_update_server_info = git_config_bool(var, value);
204                 return 0;
205         }
206
207         if (strcmp(var, "receive.autogc") == 0) {
208                 auto_gc = git_config_bool(var, value);
209                 return 0;
210         }
211
212         if (strcmp(var, "receive.shallowupdate") == 0) {
213                 shallow_update = git_config_bool(var, value);
214                 return 0;
215         }
216
217         if (strcmp(var, "receive.certnonceseed") == 0)
218                 return git_config_string(&cert_nonce_seed, var, value);
219
220         if (strcmp(var, "receive.certnonceslop") == 0) {
221                 nonce_stamp_slop_limit = git_config_ulong(var, value);
222                 return 0;
223         }
224
225         if (strcmp(var, "receive.advertiseatomic") == 0) {
226                 advertise_atomic_push = git_config_bool(var, value);
227                 return 0;
228         }
229
230         if (strcmp(var, "receive.advertisepushoptions") == 0) {
231                 advertise_push_options = git_config_bool(var, value);
232                 return 0;
233         }
234
235         if (strcmp(var, "receive.keepalive") == 0) {
236                 keepalive_in_sec = git_config_int(var, value);
237                 return 0;
238         }
239
240         if (strcmp(var, "receive.maxinputsize") == 0) {
241                 max_input_size = git_config_int64(var, value);
242                 return 0;
243         }
244
245         if (strcmp(var, "receive.procreceiverefs") == 0) {
246                 if (!value)
247                         return config_error_nonbool(var);
248                 proc_receive_ref_append(value);
249                 return 0;
250         }
251
252         if (strcmp(var, "transfer.advertisesid") == 0) {
253                 advertise_sid = git_config_bool(var, value);
254                 return 0;
255         }
256
257         return git_default_config(var, value, cb);
258 }
259
260 static void show_ref(const char *path, const struct object_id *oid)
261 {
262         if (sent_capabilities) {
263                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
264         } else {
265                 struct strbuf cap = STRBUF_INIT;
266
267                 strbuf_addstr(&cap,
268                               "report-status report-status-v2 delete-refs side-band-64k quiet");
269                 if (advertise_atomic_push)
270                         strbuf_addstr(&cap, " atomic");
271                 if (prefer_ofs_delta)
272                         strbuf_addstr(&cap, " ofs-delta");
273                 if (push_cert_nonce)
274                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
275                 if (advertise_push_options)
276                         strbuf_addstr(&cap, " push-options");
277                 if (advertise_sid)
278                         strbuf_addf(&cap, " session-id=%s", trace2_session_id());
279                 strbuf_addf(&cap, " object-format=%s", the_hash_algo->name);
280                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
281                 packet_write_fmt(1, "%s %s%c%s\n",
282                              oid_to_hex(oid), path, 0, cap.buf);
283                 strbuf_release(&cap);
284                 sent_capabilities = 1;
285         }
286 }
287
288 static int show_ref_cb(const char *path_full, const struct object_id *oid,
289                        int flag, void *data)
290 {
291         struct oidset *seen = data;
292         const char *path = strip_namespace(path_full);
293
294         if (ref_is_hidden(path, path_full))
295                 return 0;
296
297         /*
298          * Advertise refs outside our current namespace as ".have"
299          * refs, so that the client can use them to minimize data
300          * transfer but will otherwise ignore them.
301          */
302         if (!path) {
303                 if (oidset_insert(seen, oid))
304                         return 0;
305                 path = ".have";
306         } else {
307                 oidset_insert(seen, oid);
308         }
309         show_ref(path, oid);
310         return 0;
311 }
312
313 static void show_one_alternate_ref(const struct object_id *oid,
314                                    void *data)
315 {
316         struct oidset *seen = data;
317
318         if (oidset_insert(seen, oid))
319                 return;
320
321         show_ref(".have", oid);
322 }
323
324 static void write_head_info(void)
325 {
326         static struct oidset seen = OIDSET_INIT;
327
328         for_each_ref(show_ref_cb, &seen);
329         for_each_alternate_ref(show_one_alternate_ref, &seen);
330         oidset_clear(&seen);
331         if (!sent_capabilities)
332                 show_ref("capabilities^{}", &null_oid);
333
334         advertise_shallow_grafts(1);
335
336         /* EOF */
337         packet_flush(1);
338 }
339
340 #define RUN_PROC_RECEIVE_SCHEDULED      1
341 #define RUN_PROC_RECEIVE_RETURNED       2
342 struct command {
343         struct command *next;
344         const char *error_string;
345         struct ref_push_report *report;
346         unsigned int skip_update:1,
347                      did_not_exist:1,
348                      run_proc_receive:2;
349         int index;
350         struct object_id old_oid;
351         struct object_id new_oid;
352         char ref_name[FLEX_ARRAY]; /* more */
353 };
354
355 static void proc_receive_ref_append(const char *prefix)
356 {
357         struct proc_receive_ref *ref_pattern;
358         char *p;
359         int len;
360
361         ref_pattern = xcalloc(1, sizeof(struct proc_receive_ref));
362         p = strchr(prefix, ':');
363         if (p) {
364                 while (prefix < p) {
365                         if (*prefix == 'a')
366                                 ref_pattern->want_add = 1;
367                         else if (*prefix == 'd')
368                                 ref_pattern->want_delete = 1;
369                         else if (*prefix == 'm')
370                                 ref_pattern->want_modify = 1;
371                         else if (*prefix == '!')
372                                 ref_pattern->negative_ref = 1;
373                         prefix++;
374                 }
375                 prefix++;
376         } else {
377                 ref_pattern->want_add = 1;
378                 ref_pattern->want_delete = 1;
379                 ref_pattern->want_modify = 1;
380         }
381         len = strlen(prefix);
382         while (len && prefix[len - 1] == '/')
383                 len--;
384         ref_pattern->ref_prefix = xmemdupz(prefix, len);
385         if (!proc_receive_ref) {
386                 proc_receive_ref = ref_pattern;
387         } else {
388                 struct proc_receive_ref *end;
389
390                 end = proc_receive_ref;
391                 while (end->next)
392                         end = end->next;
393                 end->next = ref_pattern;
394         }
395 }
396
397 static int proc_receive_ref_matches(struct command *cmd)
398 {
399         struct proc_receive_ref *p;
400
401         if (!proc_receive_ref)
402                 return 0;
403
404         for (p = proc_receive_ref; p; p = p->next) {
405                 const char *match = p->ref_prefix;
406                 const char *remains;
407
408                 if (!p->want_add && is_null_oid(&cmd->old_oid))
409                         continue;
410                 else if (!p->want_delete && is_null_oid(&cmd->new_oid))
411                         continue;
412                 else if (!p->want_modify &&
413                          !is_null_oid(&cmd->old_oid) &&
414                          !is_null_oid(&cmd->new_oid))
415                         continue;
416
417                 if (skip_prefix(cmd->ref_name, match, &remains) &&
418                     (!*remains || *remains == '/')) {
419                         if (!p->negative_ref)
420                                 return 1;
421                 } else if (p->negative_ref) {
422                         return 1;
423                 }
424         }
425         return 0;
426 }
427
428 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
429 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
430
431 static void report_message(const char *prefix, const char *err, va_list params)
432 {
433         int sz;
434         char msg[4096];
435
436         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
437         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
438         if (sz > (sizeof(msg) - 1))
439                 sz = sizeof(msg) - 1;
440         msg[sz++] = '\n';
441
442         if (use_sideband)
443                 send_sideband(1, 2, msg, sz, use_sideband);
444         else
445                 xwrite(2, msg, sz);
446 }
447
448 static void rp_warning(const char *err, ...)
449 {
450         va_list params;
451         va_start(params, err);
452         report_message("warning: ", err, params);
453         va_end(params);
454 }
455
456 static void rp_error(const char *err, ...)
457 {
458         va_list params;
459         va_start(params, err);
460         report_message("error: ", err, params);
461         va_end(params);
462 }
463
464 static int copy_to_sideband(int in, int out, void *arg)
465 {
466         char data[128];
467         int keepalive_active = 0;
468
469         if (keepalive_in_sec <= 0)
470                 use_keepalive = KEEPALIVE_NEVER;
471         if (use_keepalive == KEEPALIVE_ALWAYS)
472                 keepalive_active = 1;
473
474         while (1) {
475                 ssize_t sz;
476
477                 if (keepalive_active) {
478                         struct pollfd pfd;
479                         int ret;
480
481                         pfd.fd = in;
482                         pfd.events = POLLIN;
483                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
484
485                         if (ret < 0) {
486                                 if (errno == EINTR)
487                                         continue;
488                                 else
489                                         break;
490                         } else if (ret == 0) {
491                                 /* no data; send a keepalive packet */
492                                 static const char buf[] = "0005\1";
493                                 write_or_die(1, buf, sizeof(buf) - 1);
494                                 continue;
495                         } /* else there is actual data to read */
496                 }
497
498                 sz = xread(in, data, sizeof(data));
499                 if (sz <= 0)
500                         break;
501
502                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
503                         const char *p = memchr(data, '\0', sz);
504                         if (p) {
505                                 /*
506                                  * The NUL tells us to start sending keepalives. Make
507                                  * sure we send any other data we read along
508                                  * with it.
509                                  */
510                                 keepalive_active = 1;
511                                 send_sideband(1, 2, data, p - data, use_sideband);
512                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
513                                 continue;
514                         }
515                 }
516
517                 /*
518                  * Either we're not looking for a NUL signal, or we didn't see
519                  * it yet; just pass along the data.
520                  */
521                 send_sideband(1, 2, data, sz, use_sideband);
522         }
523         close(in);
524         return 0;
525 }
526
527 static void hmac_hash(unsigned char *out,
528                       const char *key_in, size_t key_len,
529                       const char *text, size_t text_len)
530 {
531         unsigned char key[GIT_MAX_BLKSZ];
532         unsigned char k_ipad[GIT_MAX_BLKSZ];
533         unsigned char k_opad[GIT_MAX_BLKSZ];
534         int i;
535         git_hash_ctx ctx;
536
537         /* RFC 2104 2. (1) */
538         memset(key, '\0', GIT_MAX_BLKSZ);
539         if (the_hash_algo->blksz < key_len) {
540                 the_hash_algo->init_fn(&ctx);
541                 the_hash_algo->update_fn(&ctx, key_in, key_len);
542                 the_hash_algo->final_fn(key, &ctx);
543         } else {
544                 memcpy(key, key_in, key_len);
545         }
546
547         /* RFC 2104 2. (2) & (5) */
548         for (i = 0; i < sizeof(key); i++) {
549                 k_ipad[i] = key[i] ^ 0x36;
550                 k_opad[i] = key[i] ^ 0x5c;
551         }
552
553         /* RFC 2104 2. (3) & (4) */
554         the_hash_algo->init_fn(&ctx);
555         the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
556         the_hash_algo->update_fn(&ctx, text, text_len);
557         the_hash_algo->final_fn(out, &ctx);
558
559         /* RFC 2104 2. (6) & (7) */
560         the_hash_algo->init_fn(&ctx);
561         the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
562         the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
563         the_hash_algo->final_fn(out, &ctx);
564 }
565
566 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
567 {
568         struct strbuf buf = STRBUF_INIT;
569         unsigned char hash[GIT_MAX_RAWSZ];
570
571         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
572         hmac_hash(hash, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
573         strbuf_release(&buf);
574
575         /* RFC 2104 5. HMAC-SHA1 or HMAC-SHA256 */
576         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, (int)the_hash_algo->hexsz, hash_to_hex(hash));
577         return strbuf_detach(&buf, NULL);
578 }
579
580 /*
581  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
582  * after dropping "_commit" from its name and possibly moving it out
583  * of commit.c
584  */
585 static char *find_header(const char *msg, size_t len, const char *key,
586                          const char **next_line)
587 {
588         int key_len = strlen(key);
589         const char *line = msg;
590
591         while (line && line < msg + len) {
592                 const char *eol = strchrnul(line, '\n');
593
594                 if ((msg + len <= eol) || line == eol)
595                         return NULL;
596                 if (line + key_len < eol &&
597                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
598                         int offset = key_len + 1;
599                         if (next_line)
600                                 *next_line = *eol ? eol + 1 : eol;
601                         return xmemdupz(line + offset, (eol - line) - offset);
602                 }
603                 line = *eol ? eol + 1 : NULL;
604         }
605         return NULL;
606 }
607
608 /*
609  * Return zero if a and b are equal up to n bytes and nonzero if they are not.
610  * This operation is guaranteed to run in constant time to avoid leaking data.
611  */
612 static int constant_memequal(const char *a, const char *b, size_t n)
613 {
614         int res = 0;
615         size_t i;
616
617         for (i = 0; i < n; i++)
618                 res |= a[i] ^ b[i];
619         return res;
620 }
621
622 static const char *check_nonce(const char *buf, size_t len)
623 {
624         char *nonce = find_header(buf, len, "nonce", NULL);
625         timestamp_t stamp, ostamp;
626         char *bohmac, *expect = NULL;
627         const char *retval = NONCE_BAD;
628         size_t noncelen;
629
630         if (!nonce) {
631                 retval = NONCE_MISSING;
632                 goto leave;
633         } else if (!push_cert_nonce) {
634                 retval = NONCE_UNSOLICITED;
635                 goto leave;
636         } else if (!strcmp(push_cert_nonce, nonce)) {
637                 retval = NONCE_OK;
638                 goto leave;
639         }
640
641         if (!stateless_rpc) {
642                 /* returned nonce MUST match what we gave out earlier */
643                 retval = NONCE_BAD;
644                 goto leave;
645         }
646
647         /*
648          * In stateless mode, we may be receiving a nonce issued by
649          * another instance of the server that serving the same
650          * repository, and the timestamps may not match, but the
651          * nonce-seed and dir should match, so we can recompute and
652          * report the time slop.
653          *
654          * In addition, when a nonce issued by another instance has
655          * timestamp within receive.certnonceslop seconds, we pretend
656          * as if we issued that nonce when reporting to the hook.
657          */
658
659         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
660         if (*nonce <= '0' || '9' < *nonce) {
661                 retval = NONCE_BAD;
662                 goto leave;
663         }
664         stamp = parse_timestamp(nonce, &bohmac, 10);
665         if (bohmac == nonce || bohmac[0] != '-') {
666                 retval = NONCE_BAD;
667                 goto leave;
668         }
669
670         noncelen = strlen(nonce);
671         expect = prepare_push_cert_nonce(service_dir, stamp);
672         if (noncelen != strlen(expect)) {
673                 /* This is not even the right size. */
674                 retval = NONCE_BAD;
675                 goto leave;
676         }
677         if (constant_memequal(expect, nonce, noncelen)) {
678                 /* Not what we would have signed earlier */
679                 retval = NONCE_BAD;
680                 goto leave;
681         }
682
683         /*
684          * By how many seconds is this nonce stale?  Negative value
685          * would mean it was issued by another server with its clock
686          * skewed in the future.
687          */
688         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
689         nonce_stamp_slop = (long)ostamp - (long)stamp;
690
691         if (nonce_stamp_slop_limit &&
692             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
693                 /*
694                  * Pretend as if the received nonce (which passes the
695                  * HMAC check, so it is not a forged by third-party)
696                  * is what we issued.
697                  */
698                 free((void *)push_cert_nonce);
699                 push_cert_nonce = xstrdup(nonce);
700                 retval = NONCE_OK;
701         } else {
702                 retval = NONCE_SLOP;
703         }
704
705 leave:
706         free(nonce);
707         free(expect);
708         return retval;
709 }
710
711 /*
712  * Return 1 if there is no push_cert or if the push options in push_cert are
713  * the same as those in the argument; 0 otherwise.
714  */
715 static int check_cert_push_options(const struct string_list *push_options)
716 {
717         const char *buf = push_cert.buf;
718         int len = push_cert.len;
719
720         char *option;
721         const char *next_line;
722         int options_seen = 0;
723
724         int retval = 1;
725
726         if (!len)
727                 return 1;
728
729         while ((option = find_header(buf, len, "push-option", &next_line))) {
730                 len -= (next_line - buf);
731                 buf = next_line;
732                 options_seen++;
733                 if (options_seen > push_options->nr
734                     || strcmp(option,
735                               push_options->items[options_seen - 1].string)) {
736                         retval = 0;
737                         goto leave;
738                 }
739                 free(option);
740         }
741
742         if (options_seen != push_options->nr)
743                 retval = 0;
744
745 leave:
746         free(option);
747         return retval;
748 }
749
750 static void prepare_push_cert_sha1(struct child_process *proc)
751 {
752         static int already_done;
753
754         if (!push_cert.len)
755                 return;
756
757         if (!already_done) {
758                 int bogs /* beginning_of_gpg_sig */;
759
760                 already_done = 1;
761                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
762                                       &push_cert_oid))
763                         oidclr(&push_cert_oid);
764
765                 memset(&sigcheck, '\0', sizeof(sigcheck));
766
767                 bogs = parse_signed_buffer(push_cert.buf, push_cert.len);
768                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
769                                 push_cert.len - bogs, &sigcheck);
770
771                 nonce_status = check_nonce(push_cert.buf, bogs);
772         }
773         if (!is_null_oid(&push_cert_oid)) {
774                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
775                              oid_to_hex(&push_cert_oid));
776                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
777                              sigcheck.signer ? sigcheck.signer : "");
778                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
779                              sigcheck.key ? sigcheck.key : "");
780                 strvec_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
781                              sigcheck.result);
782                 if (push_cert_nonce) {
783                         strvec_pushf(&proc->env_array,
784                                      "GIT_PUSH_CERT_NONCE=%s",
785                                      push_cert_nonce);
786                         strvec_pushf(&proc->env_array,
787                                      "GIT_PUSH_CERT_NONCE_STATUS=%s",
788                                      nonce_status);
789                         if (nonce_status == NONCE_SLOP)
790                                 strvec_pushf(&proc->env_array,
791                                              "GIT_PUSH_CERT_NONCE_SLOP=%ld",
792                                              nonce_stamp_slop);
793                 }
794         }
795 }
796
797 struct receive_hook_feed_state {
798         struct command *cmd;
799         struct ref_push_report *report;
800         int skip_broken;
801         struct strbuf buf;
802         const struct string_list *push_options;
803 };
804
805 typedef int (*feed_fn)(void *, const char **, size_t *);
806 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
807                              struct receive_hook_feed_state *feed_state)
808 {
809         struct child_process proc = CHILD_PROCESS_INIT;
810         struct async muxer;
811         const char *argv[2];
812         int code;
813
814         argv[0] = find_hook(hook_name);
815         if (!argv[0])
816                 return 0;
817
818         argv[1] = NULL;
819
820         proc.argv = argv;
821         proc.in = -1;
822         proc.stdout_to_stderr = 1;
823         proc.trace2_hook_name = hook_name;
824
825         if (feed_state->push_options) {
826                 int i;
827                 for (i = 0; i < feed_state->push_options->nr; i++)
828                         strvec_pushf(&proc.env_array,
829                                      "GIT_PUSH_OPTION_%d=%s", i,
830                                      feed_state->push_options->items[i].string);
831                 strvec_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
832                              feed_state->push_options->nr);
833         } else
834                 strvec_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
835
836         if (tmp_objdir)
837                 strvec_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
838
839         if (use_sideband) {
840                 memset(&muxer, 0, sizeof(muxer));
841                 muxer.proc = copy_to_sideband;
842                 muxer.in = -1;
843                 code = start_async(&muxer);
844                 if (code)
845                         return code;
846                 proc.err = muxer.in;
847         }
848
849         prepare_push_cert_sha1(&proc);
850
851         code = start_command(&proc);
852         if (code) {
853                 if (use_sideband)
854                         finish_async(&muxer);
855                 return code;
856         }
857
858         sigchain_push(SIGPIPE, SIG_IGN);
859
860         while (1) {
861                 const char *buf;
862                 size_t n;
863                 if (feed(feed_state, &buf, &n))
864                         break;
865                 if (write_in_full(proc.in, buf, n) < 0)
866                         break;
867         }
868         close(proc.in);
869         if (use_sideband)
870                 finish_async(&muxer);
871
872         sigchain_pop(SIGPIPE);
873
874         return finish_command(&proc);
875 }
876
877 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
878 {
879         struct receive_hook_feed_state *state = state_;
880         struct command *cmd = state->cmd;
881
882         while (cmd &&
883                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
884                 cmd = cmd->next;
885         if (!cmd)
886                 return -1; /* EOF */
887         if (!bufp)
888                 return 0; /* OK, can feed something. */
889         strbuf_reset(&state->buf);
890         if (!state->report)
891                 state->report = cmd->report;
892         if (state->report) {
893                 struct object_id *old_oid;
894                 struct object_id *new_oid;
895                 const char *ref_name;
896
897                 old_oid = state->report->old_oid ? state->report->old_oid : &cmd->old_oid;
898                 new_oid = state->report->new_oid ? state->report->new_oid : &cmd->new_oid;
899                 ref_name = state->report->ref_name ? state->report->ref_name : cmd->ref_name;
900                 strbuf_addf(&state->buf, "%s %s %s\n",
901                             oid_to_hex(old_oid), oid_to_hex(new_oid),
902                             ref_name);
903                 state->report = state->report->next;
904                 if (!state->report)
905                         state->cmd = cmd->next;
906         } else {
907                 strbuf_addf(&state->buf, "%s %s %s\n",
908                             oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
909                             cmd->ref_name);
910                 state->cmd = cmd->next;
911         }
912         if (bufp) {
913                 *bufp = state->buf.buf;
914                 *sizep = state->buf.len;
915         }
916         return 0;
917 }
918
919 static int run_receive_hook(struct command *commands,
920                             const char *hook_name,
921                             int skip_broken,
922                             const struct string_list *push_options)
923 {
924         struct receive_hook_feed_state state;
925         int status;
926
927         strbuf_init(&state.buf, 0);
928         state.cmd = commands;
929         state.skip_broken = skip_broken;
930         state.report = NULL;
931         if (feed_receive_hook(&state, NULL, NULL))
932                 return 0;
933         state.cmd = commands;
934         state.push_options = push_options;
935         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
936         strbuf_release(&state.buf);
937         return status;
938 }
939
940 static int run_update_hook(struct command *cmd)
941 {
942         const char *argv[5];
943         struct child_process proc = CHILD_PROCESS_INIT;
944         int code;
945
946         argv[0] = find_hook("update");
947         if (!argv[0])
948                 return 0;
949
950         argv[1] = cmd->ref_name;
951         argv[2] = oid_to_hex(&cmd->old_oid);
952         argv[3] = oid_to_hex(&cmd->new_oid);
953         argv[4] = NULL;
954
955         proc.no_stdin = 1;
956         proc.stdout_to_stderr = 1;
957         proc.err = use_sideband ? -1 : 0;
958         proc.argv = argv;
959         proc.trace2_hook_name = "update";
960
961         code = start_command(&proc);
962         if (code)
963                 return code;
964         if (use_sideband)
965                 copy_to_sideband(proc.err, -1, NULL);
966         return finish_command(&proc);
967 }
968
969 static struct command *find_command_by_refname(struct command *list,
970                                                const char *refname)
971 {
972         for (; list; list = list->next)
973                 if (!strcmp(list->ref_name, refname))
974                         return list;
975         return NULL;
976 }
977
978 static int read_proc_receive_report(struct packet_reader *reader,
979                                     struct command *commands,
980                                     struct strbuf *errmsg)
981 {
982         struct command *cmd;
983         struct command *hint = NULL;
984         struct ref_push_report *report = NULL;
985         int new_report = 0;
986         int code = 0;
987         int once = 0;
988         int response = 0;
989
990         for (;;) {
991                 struct object_id old_oid, new_oid;
992                 const char *head;
993                 const char *refname;
994                 char *p;
995                 enum packet_read_status status;
996
997                 status = packet_reader_read(reader);
998                 if (status != PACKET_READ_NORMAL) {
999                         /* Check whether proc-receive exited abnormally */
1000                         if (status == PACKET_READ_EOF && !response) {
1001                                 strbuf_addstr(errmsg, "proc-receive exited abnormally");
1002                                 return -1;
1003                         }
1004                         break;
1005                 }
1006                 response++;
1007
1008                 head = reader->line;
1009                 p = strchr(head, ' ');
1010                 if (!p) {
1011                         strbuf_addf(errmsg, "proc-receive reported incomplete status line: '%s'\n", head);
1012                         code = -1;
1013                         continue;
1014                 }
1015                 *p++ = '\0';
1016                 if (!strcmp(head, "option")) {
1017                         const char *key, *val;
1018
1019                         if (!hint || !(report || new_report)) {
1020                                 if (!once++)
1021                                         strbuf_addstr(errmsg, "proc-receive reported 'option' without a matching 'ok/ng' directive\n");
1022                                 code = -1;
1023                                 continue;
1024                         }
1025                         if (new_report) {
1026                                 if (!hint->report) {
1027                                         hint->report = xcalloc(1, sizeof(struct ref_push_report));
1028                                         report = hint->report;
1029                                 } else {
1030                                         report = hint->report;
1031                                         while (report->next)
1032                                                 report = report->next;
1033                                         report->next = xcalloc(1, sizeof(struct ref_push_report));
1034                                         report = report->next;
1035                                 }
1036                                 new_report = 0;
1037                         }
1038                         key = p;
1039                         p = strchr(key, ' ');
1040                         if (p)
1041                                 *p++ = '\0';
1042                         val = p;
1043                         if (!strcmp(key, "refname"))
1044                                 report->ref_name = xstrdup_or_null(val);
1045                         else if (!strcmp(key, "old-oid") && val &&
1046                                  !parse_oid_hex(val, &old_oid, &val))
1047                                 report->old_oid = oiddup(&old_oid);
1048                         else if (!strcmp(key, "new-oid") && val &&
1049                                  !parse_oid_hex(val, &new_oid, &val))
1050                                 report->new_oid = oiddup(&new_oid);
1051                         else if (!strcmp(key, "forced-update"))
1052                                 report->forced_update = 1;
1053                         else if (!strcmp(key, "fall-through"))
1054                                 /* Fall through, let 'receive-pack' to execute it. */
1055                                 hint->run_proc_receive = 0;
1056                         continue;
1057                 }
1058
1059                 report = NULL;
1060                 new_report = 0;
1061                 refname = p;
1062                 p = strchr(refname, ' ');
1063                 if (p)
1064                         *p++ = '\0';
1065                 if (strcmp(head, "ok") && strcmp(head, "ng")) {
1066                         strbuf_addf(errmsg, "proc-receive reported bad status '%s' on ref '%s'\n",
1067                                     head, refname);
1068                         code = -1;
1069                         continue;
1070                 }
1071
1072                 /* first try searching at our hint, falling back to all refs */
1073                 if (hint)
1074                         hint = find_command_by_refname(hint, refname);
1075                 if (!hint)
1076                         hint = find_command_by_refname(commands, refname);
1077                 if (!hint) {
1078                         strbuf_addf(errmsg, "proc-receive reported status on unknown ref: %s\n",
1079                                     refname);
1080                         code = -1;
1081                         continue;
1082                 }
1083                 if (!hint->run_proc_receive) {
1084                         strbuf_addf(errmsg, "proc-receive reported status on unexpected ref: %s\n",
1085                                     refname);
1086                         code = -1;
1087                         continue;
1088                 }
1089                 hint->run_proc_receive |= RUN_PROC_RECEIVE_RETURNED;
1090                 if (!strcmp(head, "ng")) {
1091                         if (p)
1092                                 hint->error_string = xstrdup(p);
1093                         else
1094                                 hint->error_string = "failed";
1095                         code = -1;
1096                         continue;
1097                 }
1098                 new_report = 1;
1099         }
1100
1101         for (cmd = commands; cmd; cmd = cmd->next)
1102                 if (cmd->run_proc_receive && !cmd->error_string &&
1103                     !(cmd->run_proc_receive & RUN_PROC_RECEIVE_RETURNED)) {
1104                     cmd->error_string = "proc-receive failed to report status";
1105                     code = -1;
1106                 }
1107         return code;
1108 }
1109
1110 static int run_proc_receive_hook(struct command *commands,
1111                                  const struct string_list *push_options)
1112 {
1113         struct child_process proc = CHILD_PROCESS_INIT;
1114         struct async muxer;
1115         struct command *cmd;
1116         const char *argv[2];
1117         struct packet_reader reader;
1118         struct strbuf cap = STRBUF_INIT;
1119         struct strbuf errmsg = STRBUF_INIT;
1120         int hook_use_push_options = 0;
1121         int version = 0;
1122         int code;
1123
1124         argv[0] = find_hook("proc-receive");
1125         if (!argv[0]) {
1126                 rp_error("cannot find hook 'proc-receive'");
1127                 return -1;
1128         }
1129         argv[1] = NULL;
1130
1131         proc.argv = argv;
1132         proc.in = -1;
1133         proc.out = -1;
1134         proc.trace2_hook_name = "proc-receive";
1135
1136         if (use_sideband) {
1137                 memset(&muxer, 0, sizeof(muxer));
1138                 muxer.proc = copy_to_sideband;
1139                 muxer.in = -1;
1140                 code = start_async(&muxer);
1141                 if (code)
1142                         return code;
1143                 proc.err = muxer.in;
1144         } else {
1145                 proc.err = 0;
1146         }
1147
1148         code = start_command(&proc);
1149         if (code) {
1150                 if (use_sideband)
1151                         finish_async(&muxer);
1152                 return code;
1153         }
1154
1155         sigchain_push(SIGPIPE, SIG_IGN);
1156
1157         /* Version negotiaton */
1158         packet_reader_init(&reader, proc.out, NULL, 0,
1159                            PACKET_READ_CHOMP_NEWLINE |
1160                            PACKET_READ_GENTLE_ON_EOF);
1161         if (use_atomic)
1162                 strbuf_addstr(&cap, " atomic");
1163         if (use_push_options)
1164                 strbuf_addstr(&cap, " push-options");
1165         if (cap.len) {
1166                 code = packet_write_fmt_gently(proc.in, "version=1%c%s\n", '\0', cap.buf + 1);
1167                 strbuf_release(&cap);
1168         } else {
1169                 code = packet_write_fmt_gently(proc.in, "version=1\n");
1170         }
1171         if (!code)
1172                 code = packet_flush_gently(proc.in);
1173
1174         if (!code)
1175                 for (;;) {
1176                         int linelen;
1177                         enum packet_read_status status;
1178
1179                         status = packet_reader_read(&reader);
1180                         if (status != PACKET_READ_NORMAL) {
1181                                 /* Check whether proc-receive exited abnormally */
1182                                 if (status == PACKET_READ_EOF)
1183                                         code = -1;
1184                                 break;
1185                         }
1186
1187                         if (reader.pktlen > 8 && starts_with(reader.line, "version=")) {
1188                                 version = atoi(reader.line + 8);
1189                                 linelen = strlen(reader.line);
1190                                 if (linelen < reader.pktlen) {
1191                                         const char *feature_list = reader.line + linelen + 1;
1192                                         if (parse_feature_request(feature_list, "push-options"))
1193                                                 hook_use_push_options = 1;
1194                                 }
1195                         }
1196                 }
1197
1198         if (code) {
1199                 strbuf_addstr(&errmsg, "fail to negotiate version with proc-receive hook");
1200                 goto cleanup;
1201         }
1202
1203         switch (version) {
1204         case 0:
1205                 /* fallthrough */
1206         case 1:
1207                 break;
1208         default:
1209                 strbuf_addf(&errmsg, "proc-receive version '%d' is not supported",
1210                             version);
1211                 code = -1;
1212                 goto cleanup;
1213         }
1214
1215         /* Send commands */
1216         for (cmd = commands; cmd; cmd = cmd->next) {
1217                 if (!cmd->run_proc_receive || cmd->skip_update || cmd->error_string)
1218                         continue;
1219                 code = packet_write_fmt_gently(proc.in, "%s %s %s",
1220                                                oid_to_hex(&cmd->old_oid),
1221                                                oid_to_hex(&cmd->new_oid),
1222                                                cmd->ref_name);
1223                 if (code)
1224                         break;
1225         }
1226         if (!code)
1227                 code = packet_flush_gently(proc.in);
1228         if (code) {
1229                 strbuf_addstr(&errmsg, "fail to write commands to proc-receive hook");
1230                 goto cleanup;
1231         }
1232
1233         /* Send push options */
1234         if (hook_use_push_options) {
1235                 struct string_list_item *item;
1236
1237                 for_each_string_list_item(item, push_options) {
1238                         code = packet_write_fmt_gently(proc.in, "%s", item->string);
1239                         if (code)
1240                                 break;
1241                 }
1242                 if (!code)
1243                         code = packet_flush_gently(proc.in);
1244                 if (code) {
1245                         strbuf_addstr(&errmsg,
1246                                       "fail to write push-options to proc-receive hook");
1247                         goto cleanup;
1248                 }
1249         }
1250
1251         /* Read result from proc-receive */
1252         code = read_proc_receive_report(&reader, commands, &errmsg);
1253
1254 cleanup:
1255         close(proc.in);
1256         close(proc.out);
1257         if (use_sideband)
1258                 finish_async(&muxer);
1259         if (finish_command(&proc))
1260                 code = -1;
1261         if (errmsg.len >0) {
1262                 char *p = errmsg.buf;
1263
1264                 p += errmsg.len - 1;
1265                 if (*p == '\n')
1266                         *p = '\0';
1267                 rp_error("%s", errmsg.buf);
1268                 strbuf_release(&errmsg);
1269         }
1270         sigchain_pop(SIGPIPE);
1271
1272         return code;
1273 }
1274
1275 static char *refuse_unconfigured_deny_msg =
1276         N_("By default, updating the current branch in a non-bare repository\n"
1277            "is denied, because it will make the index and work tree inconsistent\n"
1278            "with what you pushed, and will require 'git reset --hard' to match\n"
1279            "the work tree to HEAD.\n"
1280            "\n"
1281            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
1282            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
1283            "its current branch; however, this is not recommended unless you\n"
1284            "arranged to update its work tree to match what you pushed in some\n"
1285            "other way.\n"
1286            "\n"
1287            "To squelch this message and still keep the default behaviour, set\n"
1288            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
1289
1290 static void refuse_unconfigured_deny(void)
1291 {
1292         rp_error("%s", _(refuse_unconfigured_deny_msg));
1293 }
1294
1295 static char *refuse_unconfigured_deny_delete_current_msg =
1296         N_("By default, deleting the current branch is denied, because the next\n"
1297            "'git clone' won't result in any file checked out, causing confusion.\n"
1298            "\n"
1299            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
1300            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
1301            "current branch, with or without a warning message.\n"
1302            "\n"
1303            "To squelch this message, you can set it to 'refuse'.");
1304
1305 static void refuse_unconfigured_deny_delete_current(void)
1306 {
1307         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
1308 }
1309
1310 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
1311 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
1312 {
1313         struct shallow_lock shallow_lock = SHALLOW_LOCK_INIT;
1314         struct oid_array extra = OID_ARRAY_INIT;
1315         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1316         uint32_t mask = 1 << (cmd->index % 32);
1317         int i;
1318
1319         trace_printf_key(&trace_shallow,
1320                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
1321         for (i = 0; i < si->shallow->nr; i++)
1322                 if (si->used_shallow[i] &&
1323                     (si->used_shallow[i][cmd->index / 32] & mask) &&
1324                     !delayed_reachability_test(si, i))
1325                         oid_array_append(&extra, &si->shallow->oid[i]);
1326
1327         opt.env = tmp_objdir_env(tmp_objdir);
1328         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
1329         if (check_connected(command_singleton_iterator, cmd, &opt)) {
1330                 rollback_shallow_file(the_repository, &shallow_lock);
1331                 oid_array_clear(&extra);
1332                 return -1;
1333         }
1334
1335         commit_shallow_file(the_repository, &shallow_lock);
1336
1337         /*
1338          * Make sure setup_alternate_shallow() for the next ref does
1339          * not lose these new roots..
1340          */
1341         for (i = 0; i < extra.nr; i++)
1342                 register_shallow(the_repository, &extra.oid[i]);
1343
1344         si->shallow_ref[cmd->index] = 0;
1345         oid_array_clear(&extra);
1346         return 0;
1347 }
1348
1349 /*
1350  * NEEDSWORK: we should consolidate various implementions of "are we
1351  * on an unborn branch?" test into one, and make the unified one more
1352  * robust. !get_sha1() based check used here and elsewhere would not
1353  * allow us to tell an unborn branch from corrupt ref, for example.
1354  * For the purpose of fixing "deploy-to-update does not work when
1355  * pushing into an empty repository" issue, this should suffice for
1356  * now.
1357  */
1358 static int head_has_history(void)
1359 {
1360         struct object_id oid;
1361
1362         return !get_oid("HEAD", &oid);
1363 }
1364
1365 static const char *push_to_deploy(unsigned char *sha1,
1366                                   struct strvec *env,
1367                                   const char *work_tree)
1368 {
1369         const char *update_refresh[] = {
1370                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
1371         };
1372         const char *diff_files[] = {
1373                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
1374         };
1375         const char *diff_index[] = {
1376                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
1377                 NULL, "--", NULL
1378         };
1379         const char *read_tree[] = {
1380                 "read-tree", "-u", "-m", NULL, NULL
1381         };
1382         struct child_process child = CHILD_PROCESS_INIT;
1383
1384         child.argv = update_refresh;
1385         child.env = env->v;
1386         child.dir = work_tree;
1387         child.no_stdin = 1;
1388         child.stdout_to_stderr = 1;
1389         child.git_cmd = 1;
1390         if (run_command(&child))
1391                 return "Up-to-date check failed";
1392
1393         /* run_command() does not clean up completely; reinitialize */
1394         child_process_init(&child);
1395         child.argv = diff_files;
1396         child.env = env->v;
1397         child.dir = work_tree;
1398         child.no_stdin = 1;
1399         child.stdout_to_stderr = 1;
1400         child.git_cmd = 1;
1401         if (run_command(&child))
1402                 return "Working directory has unstaged changes";
1403
1404         /* diff-index with either HEAD or an empty tree */
1405         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
1406
1407         child_process_init(&child);
1408         child.argv = diff_index;
1409         child.env = env->v;
1410         child.no_stdin = 1;
1411         child.no_stdout = 1;
1412         child.stdout_to_stderr = 0;
1413         child.git_cmd = 1;
1414         if (run_command(&child))
1415                 return "Working directory has staged changes";
1416
1417         read_tree[3] = hash_to_hex(sha1);
1418         child_process_init(&child);
1419         child.argv = read_tree;
1420         child.env = env->v;
1421         child.dir = work_tree;
1422         child.no_stdin = 1;
1423         child.no_stdout = 1;
1424         child.stdout_to_stderr = 0;
1425         child.git_cmd = 1;
1426         if (run_command(&child))
1427                 return "Could not update working tree to new HEAD";
1428
1429         return NULL;
1430 }
1431
1432 static const char *push_to_checkout_hook = "push-to-checkout";
1433
1434 static const char *push_to_checkout(unsigned char *hash,
1435                                     struct strvec *env,
1436                                     const char *work_tree)
1437 {
1438         strvec_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1439         if (run_hook_le(env->v, push_to_checkout_hook,
1440                         hash_to_hex(hash), NULL))
1441                 return "push-to-checkout hook declined";
1442         else
1443                 return NULL;
1444 }
1445
1446 static const char *update_worktree(unsigned char *sha1, const struct worktree *worktree)
1447 {
1448         const char *retval, *work_tree, *git_dir = NULL;
1449         struct strvec env = STRVEC_INIT;
1450
1451         if (worktree && worktree->path)
1452                 work_tree = worktree->path;
1453         else if (git_work_tree_cfg)
1454                 work_tree = git_work_tree_cfg;
1455         else
1456                 work_tree = "..";
1457
1458         if (is_bare_repository())
1459                 return "denyCurrentBranch = updateInstead needs a worktree";
1460         if (worktree)
1461                 git_dir = get_worktree_git_dir(worktree);
1462         if (!git_dir)
1463                 git_dir = get_git_dir();
1464
1465         strvec_pushf(&env, "GIT_DIR=%s", absolute_path(git_dir));
1466
1467         if (!find_hook(push_to_checkout_hook))
1468                 retval = push_to_deploy(sha1, &env, work_tree);
1469         else
1470                 retval = push_to_checkout(sha1, &env, work_tree);
1471
1472         strvec_clear(&env);
1473         return retval;
1474 }
1475
1476 static const char *update(struct command *cmd, struct shallow_info *si)
1477 {
1478         const char *name = cmd->ref_name;
1479         struct strbuf namespaced_name_buf = STRBUF_INIT;
1480         static char *namespaced_name;
1481         const char *ret;
1482         struct object_id *old_oid = &cmd->old_oid;
1483         struct object_id *new_oid = &cmd->new_oid;
1484         int do_update_worktree = 0;
1485         const struct worktree *worktree = is_bare_repository() ? NULL : find_shared_symref("HEAD", name);
1486
1487         /* only refs/... are allowed */
1488         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1489                 rp_error("refusing to create funny ref '%s' remotely", name);
1490                 return "funny refname";
1491         }
1492
1493         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1494         free(namespaced_name);
1495         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1496
1497         if (worktree) {
1498                 switch (deny_current_branch) {
1499                 case DENY_IGNORE:
1500                         break;
1501                 case DENY_WARN:
1502                         rp_warning("updating the current branch");
1503                         break;
1504                 case DENY_REFUSE:
1505                 case DENY_UNCONFIGURED:
1506                         rp_error("refusing to update checked out branch: %s", name);
1507                         if (deny_current_branch == DENY_UNCONFIGURED)
1508                                 refuse_unconfigured_deny();
1509                         return "branch is currently checked out";
1510                 case DENY_UPDATE_INSTEAD:
1511                         /* pass -- let other checks intervene first */
1512                         do_update_worktree = 1;
1513                         break;
1514                 }
1515         }
1516
1517         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1518                 error("unpack should have generated %s, "
1519                       "but I can't find it!", oid_to_hex(new_oid));
1520                 return "bad pack";
1521         }
1522
1523         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1524                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1525                         rp_error("denying ref deletion for %s", name);
1526                         return "deletion prohibited";
1527                 }
1528
1529                 if (worktree || (head_name && !strcmp(namespaced_name, head_name))) {
1530                         switch (deny_delete_current) {
1531                         case DENY_IGNORE:
1532                                 break;
1533                         case DENY_WARN:
1534                                 rp_warning("deleting the current branch");
1535                                 break;
1536                         case DENY_REFUSE:
1537                         case DENY_UNCONFIGURED:
1538                         case DENY_UPDATE_INSTEAD:
1539                                 if (deny_delete_current == DENY_UNCONFIGURED)
1540                                         refuse_unconfigured_deny_delete_current();
1541                                 rp_error("refusing to delete the current branch: %s", name);
1542                                 return "deletion of the current branch prohibited";
1543                         default:
1544                                 return "Invalid denyDeleteCurrent setting";
1545                         }
1546                 }
1547         }
1548
1549         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1550             !is_null_oid(old_oid) &&
1551             starts_with(name, "refs/heads/")) {
1552                 struct object *old_object, *new_object;
1553                 struct commit *old_commit, *new_commit;
1554
1555                 old_object = parse_object(the_repository, old_oid);
1556                 new_object = parse_object(the_repository, new_oid);
1557
1558                 if (!old_object || !new_object ||
1559                     old_object->type != OBJ_COMMIT ||
1560                     new_object->type != OBJ_COMMIT) {
1561                         error("bad sha1 objects for %s", name);
1562                         return "bad ref";
1563                 }
1564                 old_commit = (struct commit *)old_object;
1565                 new_commit = (struct commit *)new_object;
1566                 if (!in_merge_bases(old_commit, new_commit)) {
1567                         rp_error("denying non-fast-forward %s"
1568                                  " (you should pull first)", name);
1569                         return "non-fast-forward";
1570                 }
1571         }
1572         if (run_update_hook(cmd)) {
1573                 rp_error("hook declined to update %s", name);
1574                 return "hook declined";
1575         }
1576
1577         if (do_update_worktree) {
1578                 ret = update_worktree(new_oid->hash, find_shared_symref("HEAD", name));
1579                 if (ret)
1580                         return ret;
1581         }
1582
1583         if (is_null_oid(new_oid)) {
1584                 struct strbuf err = STRBUF_INIT;
1585                 if (!parse_object(the_repository, old_oid)) {
1586                         old_oid = NULL;
1587                         if (ref_exists(name)) {
1588                                 rp_warning("Allowing deletion of corrupt ref.");
1589                         } else {
1590                                 rp_warning("Deleting a non-existent ref.");
1591                                 cmd->did_not_exist = 1;
1592                         }
1593                 }
1594                 if (ref_transaction_delete(transaction,
1595                                            namespaced_name,
1596                                            old_oid,
1597                                            0, "push", &err)) {
1598                         rp_error("%s", err.buf);
1599                         strbuf_release(&err);
1600                         return "failed to delete";
1601                 }
1602                 strbuf_release(&err);
1603                 return NULL; /* good */
1604         }
1605         else {
1606                 struct strbuf err = STRBUF_INIT;
1607                 if (shallow_update && si->shallow_ref[cmd->index] &&
1608                     update_shallow_ref(cmd, si))
1609                         return "shallow error";
1610
1611                 if (ref_transaction_update(transaction,
1612                                            namespaced_name,
1613                                            new_oid, old_oid,
1614                                            0, "push",
1615                                            &err)) {
1616                         rp_error("%s", err.buf);
1617                         strbuf_release(&err);
1618
1619                         return "failed to update ref";
1620                 }
1621                 strbuf_release(&err);
1622
1623                 return NULL; /* good */
1624         }
1625 }
1626
1627 static void run_update_post_hook(struct command *commands)
1628 {
1629         struct command *cmd;
1630         struct child_process proc = CHILD_PROCESS_INIT;
1631         const char *hook;
1632
1633         hook = find_hook("post-update");
1634         if (!hook)
1635                 return;
1636
1637         for (cmd = commands; cmd; cmd = cmd->next) {
1638                 if (cmd->error_string || cmd->did_not_exist)
1639                         continue;
1640                 if (!proc.args.nr)
1641                         strvec_push(&proc.args, hook);
1642                 strvec_push(&proc.args, cmd->ref_name);
1643         }
1644         if (!proc.args.nr)
1645                 return;
1646
1647         proc.no_stdin = 1;
1648         proc.stdout_to_stderr = 1;
1649         proc.err = use_sideband ? -1 : 0;
1650         proc.trace2_hook_name = "post-update";
1651
1652         if (!start_command(&proc)) {
1653                 if (use_sideband)
1654                         copy_to_sideband(proc.err, -1, NULL);
1655                 finish_command(&proc);
1656         }
1657 }
1658
1659 static void check_aliased_update_internal(struct command *cmd,
1660                                           struct string_list *list,
1661                                           const char *dst_name, int flag)
1662 {
1663         struct string_list_item *item;
1664         struct command *dst_cmd;
1665
1666         if (!(flag & REF_ISSYMREF))
1667                 return;
1668
1669         if (!dst_name) {
1670                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1671                 cmd->skip_update = 1;
1672                 cmd->error_string = "broken symref";
1673                 return;
1674         }
1675         dst_name = strip_namespace(dst_name);
1676
1677         if ((item = string_list_lookup(list, dst_name)) == NULL)
1678                 return;
1679
1680         cmd->skip_update = 1;
1681
1682         dst_cmd = (struct command *) item->util;
1683
1684         if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1685             oideq(&cmd->new_oid, &dst_cmd->new_oid))
1686                 return;
1687
1688         dst_cmd->skip_update = 1;
1689
1690         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1691                  " its target '%s' (%s..%s)",
1692                  cmd->ref_name,
1693                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1694                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1695                  dst_cmd->ref_name,
1696                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1697                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1698
1699         cmd->error_string = dst_cmd->error_string =
1700                 "inconsistent aliased update";
1701 }
1702
1703 static void check_aliased_update(struct command *cmd, struct string_list *list)
1704 {
1705         struct strbuf buf = STRBUF_INIT;
1706         const char *dst_name;
1707         int flag;
1708
1709         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1710         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1711         check_aliased_update_internal(cmd, list, dst_name, flag);
1712         strbuf_release(&buf);
1713 }
1714
1715 static void check_aliased_updates(struct command *commands)
1716 {
1717         struct command *cmd;
1718         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1719
1720         for (cmd = commands; cmd; cmd = cmd->next) {
1721                 struct string_list_item *item =
1722                         string_list_append(&ref_list, cmd->ref_name);
1723                 item->util = (void *)cmd;
1724         }
1725         string_list_sort(&ref_list);
1726
1727         for (cmd = commands; cmd; cmd = cmd->next) {
1728                 if (!cmd->error_string)
1729                         check_aliased_update(cmd, &ref_list);
1730         }
1731
1732         string_list_clear(&ref_list, 0);
1733 }
1734
1735 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1736 {
1737         struct command **cmd_list = cb_data;
1738         struct command *cmd = *cmd_list;
1739
1740         if (!cmd || is_null_oid(&cmd->new_oid))
1741                 return -1; /* end of list */
1742         *cmd_list = NULL; /* this returns only one */
1743         oidcpy(oid, &cmd->new_oid);
1744         return 0;
1745 }
1746
1747 static void set_connectivity_errors(struct command *commands,
1748                                     struct shallow_info *si)
1749 {
1750         struct command *cmd;
1751
1752         for (cmd = commands; cmd; cmd = cmd->next) {
1753                 struct command *singleton = cmd;
1754                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1755
1756                 if (shallow_update && si->shallow_ref[cmd->index])
1757                         /* to be checked in update_shallow_ref() */
1758                         continue;
1759
1760                 opt.env = tmp_objdir_env(tmp_objdir);
1761                 if (!check_connected(command_singleton_iterator, &singleton,
1762                                      &opt))
1763                         continue;
1764
1765                 cmd->error_string = "missing necessary objects";
1766         }
1767 }
1768
1769 struct iterate_data {
1770         struct command *cmds;
1771         struct shallow_info *si;
1772 };
1773
1774 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1775 {
1776         struct iterate_data *data = cb_data;
1777         struct command **cmd_list = &data->cmds;
1778         struct command *cmd = *cmd_list;
1779
1780         for (; cmd; cmd = cmd->next) {
1781                 if (shallow_update && data->si->shallow_ref[cmd->index])
1782                         /* to be checked in update_shallow_ref() */
1783                         continue;
1784                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1785                         oidcpy(oid, &cmd->new_oid);
1786                         *cmd_list = cmd->next;
1787                         return 0;
1788                 }
1789         }
1790         *cmd_list = NULL;
1791         return -1; /* end of list */
1792 }
1793
1794 static void reject_updates_to_hidden(struct command *commands)
1795 {
1796         struct strbuf refname_full = STRBUF_INIT;
1797         size_t prefix_len;
1798         struct command *cmd;
1799
1800         strbuf_addstr(&refname_full, get_git_namespace());
1801         prefix_len = refname_full.len;
1802
1803         for (cmd = commands; cmd; cmd = cmd->next) {
1804                 if (cmd->error_string)
1805                         continue;
1806
1807                 strbuf_setlen(&refname_full, prefix_len);
1808                 strbuf_addstr(&refname_full, cmd->ref_name);
1809
1810                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1811                         continue;
1812                 if (is_null_oid(&cmd->new_oid))
1813                         cmd->error_string = "deny deleting a hidden ref";
1814                 else
1815                         cmd->error_string = "deny updating a hidden ref";
1816         }
1817
1818         strbuf_release(&refname_full);
1819 }
1820
1821 static int should_process_cmd(struct command *cmd)
1822 {
1823         return !cmd->error_string && !cmd->skip_update;
1824 }
1825
1826 static void warn_if_skipped_connectivity_check(struct command *commands,
1827                                                struct shallow_info *si)
1828 {
1829         struct command *cmd;
1830         int checked_connectivity = 1;
1831
1832         for (cmd = commands; cmd; cmd = cmd->next) {
1833                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1834                         error("BUG: connectivity check has not been run on ref %s",
1835                               cmd->ref_name);
1836                         checked_connectivity = 0;
1837                 }
1838         }
1839         if (!checked_connectivity)
1840                 BUG("connectivity check skipped???");
1841 }
1842
1843 static void execute_commands_non_atomic(struct command *commands,
1844                                         struct shallow_info *si)
1845 {
1846         struct command *cmd;
1847         struct strbuf err = STRBUF_INIT;
1848
1849         for (cmd = commands; cmd; cmd = cmd->next) {
1850                 if (!should_process_cmd(cmd) || cmd->run_proc_receive)
1851                         continue;
1852
1853                 transaction = ref_transaction_begin(&err);
1854                 if (!transaction) {
1855                         rp_error("%s", err.buf);
1856                         strbuf_reset(&err);
1857                         cmd->error_string = "transaction failed to start";
1858                         continue;
1859                 }
1860
1861                 cmd->error_string = update(cmd, si);
1862
1863                 if (!cmd->error_string
1864                     && ref_transaction_commit(transaction, &err)) {
1865                         rp_error("%s", err.buf);
1866                         strbuf_reset(&err);
1867                         cmd->error_string = "failed to update ref";
1868                 }
1869                 ref_transaction_free(transaction);
1870         }
1871         strbuf_release(&err);
1872 }
1873
1874 static void execute_commands_atomic(struct command *commands,
1875                                         struct shallow_info *si)
1876 {
1877         struct command *cmd;
1878         struct strbuf err = STRBUF_INIT;
1879         const char *reported_error = "atomic push failure";
1880
1881         transaction = ref_transaction_begin(&err);
1882         if (!transaction) {
1883                 rp_error("%s", err.buf);
1884                 strbuf_reset(&err);
1885                 reported_error = "transaction failed to start";
1886                 goto failure;
1887         }
1888
1889         for (cmd = commands; cmd; cmd = cmd->next) {
1890                 if (!should_process_cmd(cmd) || cmd->run_proc_receive)
1891                         continue;
1892
1893                 cmd->error_string = update(cmd, si);
1894
1895                 if (cmd->error_string)
1896                         goto failure;
1897         }
1898
1899         if (ref_transaction_commit(transaction, &err)) {
1900                 rp_error("%s", err.buf);
1901                 reported_error = "atomic transaction failed";
1902                 goto failure;
1903         }
1904         goto cleanup;
1905
1906 failure:
1907         for (cmd = commands; cmd; cmd = cmd->next)
1908                 if (!cmd->error_string)
1909                         cmd->error_string = reported_error;
1910
1911 cleanup:
1912         ref_transaction_free(transaction);
1913         strbuf_release(&err);
1914 }
1915
1916 static void execute_commands(struct command *commands,
1917                              const char *unpacker_error,
1918                              struct shallow_info *si,
1919                              const struct string_list *push_options)
1920 {
1921         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1922         struct command *cmd;
1923         struct iterate_data data;
1924         struct async muxer;
1925         int err_fd = 0;
1926         int run_proc_receive = 0;
1927
1928         if (unpacker_error) {
1929                 for (cmd = commands; cmd; cmd = cmd->next)
1930                         cmd->error_string = "unpacker error";
1931                 return;
1932         }
1933
1934         if (use_sideband) {
1935                 memset(&muxer, 0, sizeof(muxer));
1936                 muxer.proc = copy_to_sideband;
1937                 muxer.in = -1;
1938                 if (!start_async(&muxer))
1939                         err_fd = muxer.in;
1940                 /* ...else, continue without relaying sideband */
1941         }
1942
1943         data.cmds = commands;
1944         data.si = si;
1945         opt.err_fd = err_fd;
1946         opt.progress = err_fd && !quiet;
1947         opt.env = tmp_objdir_env(tmp_objdir);
1948         if (check_connected(iterate_receive_command_list, &data, &opt))
1949                 set_connectivity_errors(commands, si);
1950
1951         if (use_sideband)
1952                 finish_async(&muxer);
1953
1954         reject_updates_to_hidden(commands);
1955
1956         /*
1957          * Try to find commands that have special prefix in their reference names,
1958          * and mark them to run an external "proc-receive" hook later.
1959          */
1960         if (proc_receive_ref) {
1961                 for (cmd = commands; cmd; cmd = cmd->next) {
1962                         if (!should_process_cmd(cmd))
1963                                 continue;
1964
1965                         if (proc_receive_ref_matches(cmd)) {
1966                                 cmd->run_proc_receive = RUN_PROC_RECEIVE_SCHEDULED;
1967                                 run_proc_receive = 1;
1968                         }
1969                 }
1970         }
1971
1972         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1973                 for (cmd = commands; cmd; cmd = cmd->next) {
1974                         if (!cmd->error_string)
1975                                 cmd->error_string = "pre-receive hook declined";
1976                 }
1977                 return;
1978         }
1979
1980         /*
1981          * Now we'll start writing out refs, which means the objects need
1982          * to be in their final positions so that other processes can see them.
1983          */
1984         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1985                 for (cmd = commands; cmd; cmd = cmd->next) {
1986                         if (!cmd->error_string)
1987                                 cmd->error_string = "unable to migrate objects to permanent storage";
1988                 }
1989                 return;
1990         }
1991         tmp_objdir = NULL;
1992
1993         check_aliased_updates(commands);
1994
1995         free(head_name_to_free);
1996         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1997
1998         if (run_proc_receive &&
1999             run_proc_receive_hook(commands, push_options))
2000                 for (cmd = commands; cmd; cmd = cmd->next)
2001                         if (!cmd->error_string &&
2002                             !(cmd->run_proc_receive & RUN_PROC_RECEIVE_RETURNED) &&
2003                             (cmd->run_proc_receive || use_atomic))
2004                                 cmd->error_string = "fail to run proc-receive hook";
2005
2006         if (use_atomic)
2007                 execute_commands_atomic(commands, si);
2008         else
2009                 execute_commands_non_atomic(commands, si);
2010
2011         if (shallow_update)
2012                 warn_if_skipped_connectivity_check(commands, si);
2013 }
2014
2015 static struct command **queue_command(struct command **tail,
2016                                       const char *line,
2017                                       int linelen)
2018 {
2019         struct object_id old_oid, new_oid;
2020         struct command *cmd;
2021         const char *refname;
2022         int reflen;
2023         const char *p;
2024
2025         if (parse_oid_hex(line, &old_oid, &p) ||
2026             *p++ != ' ' ||
2027             parse_oid_hex(p, &new_oid, &p) ||
2028             *p++ != ' ')
2029                 die("protocol error: expected old/new/ref, got '%s'", line);
2030
2031         refname = p;
2032         reflen = linelen - (p - line);
2033         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
2034         oidcpy(&cmd->old_oid, &old_oid);
2035         oidcpy(&cmd->new_oid, &new_oid);
2036         *tail = cmd;
2037         return &cmd->next;
2038 }
2039
2040 static void queue_commands_from_cert(struct command **tail,
2041                                      struct strbuf *push_cert)
2042 {
2043         const char *boc, *eoc;
2044
2045         if (*tail)
2046                 die("protocol error: got both push certificate and unsigned commands");
2047
2048         boc = strstr(push_cert->buf, "\n\n");
2049         if (!boc)
2050                 die("malformed push certificate %.*s", 100, push_cert->buf);
2051         else
2052                 boc += 2;
2053         eoc = push_cert->buf + parse_signed_buffer(push_cert->buf, push_cert->len);
2054
2055         while (boc < eoc) {
2056                 const char *eol = memchr(boc, '\n', eoc - boc);
2057                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
2058                 boc = eol ? eol + 1 : eoc;
2059         }
2060 }
2061
2062 static struct command *read_head_info(struct packet_reader *reader,
2063                                       struct oid_array *shallow)
2064 {
2065         struct command *commands = NULL;
2066         struct command **p = &commands;
2067         for (;;) {
2068                 int linelen;
2069
2070                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
2071                         break;
2072
2073                 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
2074                         struct object_id oid;
2075                         if (get_oid_hex(reader->line + 8, &oid))
2076                                 die("protocol error: expected shallow sha, got '%s'",
2077                                     reader->line + 8);
2078                         oid_array_append(shallow, &oid);
2079                         continue;
2080                 }
2081
2082                 linelen = strlen(reader->line);
2083                 if (linelen < reader->pktlen) {
2084                         const char *feature_list = reader->line + linelen + 1;
2085                         const char *hash = NULL;
2086                         const char *client_sid;
2087                         int len = 0;
2088                         if (parse_feature_request(feature_list, "report-status"))
2089                                 report_status = 1;
2090                         if (parse_feature_request(feature_list, "report-status-v2"))
2091                                 report_status_v2 = 1;
2092                         if (parse_feature_request(feature_list, "side-band-64k"))
2093                                 use_sideband = LARGE_PACKET_MAX;
2094                         if (parse_feature_request(feature_list, "quiet"))
2095                                 quiet = 1;
2096                         if (advertise_atomic_push
2097                             && parse_feature_request(feature_list, "atomic"))
2098                                 use_atomic = 1;
2099                         if (advertise_push_options
2100                             && parse_feature_request(feature_list, "push-options"))
2101                                 use_push_options = 1;
2102                         hash = parse_feature_value(feature_list, "object-format", &len, NULL);
2103                         if (!hash) {
2104                                 hash = hash_algos[GIT_HASH_SHA1].name;
2105                                 len = strlen(hash);
2106                         }
2107                         if (xstrncmpz(the_hash_algo->name, hash, len))
2108                                 die("error: unsupported object format '%s'", hash);
2109                         client_sid = parse_feature_value(feature_list, "session-id", &len, NULL);
2110                         if (client_sid) {
2111                                 char *sid = xstrndup(client_sid, len);
2112                                 trace2_data_string("transfer", NULL, "client-sid", client_sid);
2113                                 free(sid);
2114                         }
2115                 }
2116
2117                 if (!strcmp(reader->line, "push-cert")) {
2118                         int true_flush = 0;
2119                         int saved_options = reader->options;
2120                         reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
2121
2122                         for (;;) {
2123                                 packet_reader_read(reader);
2124                                 if (reader->status == PACKET_READ_FLUSH) {
2125                                         true_flush = 1;
2126                                         break;
2127                                 }
2128                                 if (reader->status != PACKET_READ_NORMAL) {
2129                                         die("protocol error: got an unexpected packet");
2130                                 }
2131                                 if (!strcmp(reader->line, "push-cert-end\n"))
2132                                         break; /* end of cert */
2133                                 strbuf_addstr(&push_cert, reader->line);
2134                         }
2135                         reader->options = saved_options;
2136
2137                         if (true_flush)
2138                                 break;
2139                         continue;
2140                 }
2141
2142                 p = queue_command(p, reader->line, linelen);
2143         }
2144
2145         if (push_cert.len)
2146                 queue_commands_from_cert(p, &push_cert);
2147
2148         return commands;
2149 }
2150
2151 static void read_push_options(struct packet_reader *reader,
2152                               struct string_list *options)
2153 {
2154         while (1) {
2155                 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
2156                         break;
2157
2158                 string_list_append(options, reader->line);
2159         }
2160 }
2161
2162 static const char *parse_pack_header(struct pack_header *hdr)
2163 {
2164         switch (read_pack_header(0, hdr)) {
2165         case PH_ERROR_EOF:
2166                 return "eof before pack header was fully read";
2167
2168         case PH_ERROR_PACK_SIGNATURE:
2169                 return "protocol error (pack signature mismatch detected)";
2170
2171         case PH_ERROR_PROTOCOL:
2172                 return "protocol error (pack version unsupported)";
2173
2174         default:
2175                 return "unknown error in parse_pack_header";
2176
2177         case 0:
2178                 return NULL;
2179         }
2180 }
2181
2182 static const char *pack_lockfile;
2183
2184 static void push_header_arg(struct strvec *args, struct pack_header *hdr)
2185 {
2186         strvec_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
2187                      ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
2188 }
2189
2190 static const char *unpack(int err_fd, struct shallow_info *si)
2191 {
2192         struct pack_header hdr;
2193         const char *hdr_err;
2194         int status;
2195         struct child_process child = CHILD_PROCESS_INIT;
2196         int fsck_objects = (receive_fsck_objects >= 0
2197                             ? receive_fsck_objects
2198                             : transfer_fsck_objects >= 0
2199                             ? transfer_fsck_objects
2200                             : 0);
2201
2202         hdr_err = parse_pack_header(&hdr);
2203         if (hdr_err) {
2204                 if (err_fd > 0)
2205                         close(err_fd);
2206                 return hdr_err;
2207         }
2208
2209         if (si->nr_ours || si->nr_theirs) {
2210                 alt_shallow_file = setup_temporary_shallow(si->shallow);
2211                 strvec_push(&child.args, "--shallow-file");
2212                 strvec_push(&child.args, alt_shallow_file);
2213         }
2214
2215         tmp_objdir = tmp_objdir_create();
2216         if (!tmp_objdir) {
2217                 if (err_fd > 0)
2218                         close(err_fd);
2219                 return "unable to create temporary object directory";
2220         }
2221         child.env = tmp_objdir_env(tmp_objdir);
2222
2223         /*
2224          * Normally we just pass the tmp_objdir environment to the child
2225          * processes that do the heavy lifting, but we may need to see these
2226          * objects ourselves to set up shallow information.
2227          */
2228         tmp_objdir_add_as_alternate(tmp_objdir);
2229
2230         if (ntohl(hdr.hdr_entries) < unpack_limit) {
2231                 strvec_push(&child.args, "unpack-objects");
2232                 push_header_arg(&child.args, &hdr);
2233                 if (quiet)
2234                         strvec_push(&child.args, "-q");
2235                 if (fsck_objects)
2236                         strvec_pushf(&child.args, "--strict%s",
2237                                      fsck_msg_types.buf);
2238                 if (max_input_size)
2239                         strvec_pushf(&child.args, "--max-input-size=%"PRIuMAX,
2240                                      (uintmax_t)max_input_size);
2241                 child.no_stdout = 1;
2242                 child.err = err_fd;
2243                 child.git_cmd = 1;
2244                 status = run_command(&child);
2245                 if (status)
2246                         return "unpack-objects abnormal exit";
2247         } else {
2248                 char hostname[HOST_NAME_MAX + 1];
2249
2250                 strvec_pushl(&child.args, "index-pack", "--stdin", NULL);
2251                 push_header_arg(&child.args, &hdr);
2252
2253                 if (xgethostname(hostname, sizeof(hostname)))
2254                         xsnprintf(hostname, sizeof(hostname), "localhost");
2255                 strvec_pushf(&child.args,
2256                              "--keep=receive-pack %"PRIuMAX" on %s",
2257                              (uintmax_t)getpid(),
2258                              hostname);
2259
2260                 if (!quiet && err_fd)
2261                         strvec_push(&child.args, "--show-resolving-progress");
2262                 if (use_sideband)
2263                         strvec_push(&child.args, "--report-end-of-input");
2264                 if (fsck_objects)
2265                         strvec_pushf(&child.args, "--strict%s",
2266                                      fsck_msg_types.buf);
2267                 if (!reject_thin)
2268                         strvec_push(&child.args, "--fix-thin");
2269                 if (max_input_size)
2270                         strvec_pushf(&child.args, "--max-input-size=%"PRIuMAX,
2271                                      (uintmax_t)max_input_size);
2272                 child.out = -1;
2273                 child.err = err_fd;
2274                 child.git_cmd = 1;
2275                 status = start_command(&child);
2276                 if (status)
2277                         return "index-pack fork failed";
2278                 pack_lockfile = index_pack_lockfile(child.out, NULL);
2279                 close(child.out);
2280                 status = finish_command(&child);
2281                 if (status)
2282                         return "index-pack abnormal exit";
2283                 reprepare_packed_git(the_repository);
2284         }
2285         return NULL;
2286 }
2287
2288 static const char *unpack_with_sideband(struct shallow_info *si)
2289 {
2290         struct async muxer;
2291         const char *ret;
2292
2293         if (!use_sideband)
2294                 return unpack(0, si);
2295
2296         use_keepalive = KEEPALIVE_AFTER_NUL;
2297         memset(&muxer, 0, sizeof(muxer));
2298         muxer.proc = copy_to_sideband;
2299         muxer.in = -1;
2300         if (start_async(&muxer))
2301                 return NULL;
2302
2303         ret = unpack(muxer.in, si);
2304
2305         finish_async(&muxer);
2306         return ret;
2307 }
2308
2309 static void prepare_shallow_update(struct shallow_info *si)
2310 {
2311         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
2312
2313         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
2314         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
2315
2316         si->need_reachability_test =
2317                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
2318         si->reachable =
2319                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
2320         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
2321
2322         for (i = 0; i < si->nr_ours; i++)
2323                 si->need_reachability_test[si->ours[i]] = 1;
2324
2325         for (i = 0; i < si->shallow->nr; i++) {
2326                 if (!si->used_shallow[i])
2327                         continue;
2328                 for (j = 0; j < bitmap_size; j++) {
2329                         if (!si->used_shallow[i][j])
2330                                 continue;
2331                         si->need_reachability_test[i]++;
2332                         for (k = 0; k < 32; k++)
2333                                 if (si->used_shallow[i][j] & (1U << k))
2334                                         si->shallow_ref[j * 32 + k]++;
2335                 }
2336
2337                 /*
2338                  * true for those associated with some refs and belong
2339                  * in "ours" list aka "step 7 not done yet"
2340                  */
2341                 si->need_reachability_test[i] =
2342                         si->need_reachability_test[i] > 1;
2343         }
2344
2345         /*
2346          * keep hooks happy by forcing a temporary shallow file via
2347          * env variable because we can't add --shallow-file to every
2348          * command. check_connected() will be done with
2349          * true .git/shallow though.
2350          */
2351         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
2352 }
2353
2354 static void update_shallow_info(struct command *commands,
2355                                 struct shallow_info *si,
2356                                 struct oid_array *ref)
2357 {
2358         struct command *cmd;
2359         int *ref_status;
2360         remove_nonexistent_theirs_shallow(si);
2361         if (!si->nr_ours && !si->nr_theirs) {
2362                 shallow_update = 0;
2363                 return;
2364         }
2365
2366         for (cmd = commands; cmd; cmd = cmd->next) {
2367                 if (is_null_oid(&cmd->new_oid))
2368                         continue;
2369                 oid_array_append(ref, &cmd->new_oid);
2370                 cmd->index = ref->nr - 1;
2371         }
2372         si->ref = ref;
2373
2374         if (shallow_update) {
2375                 prepare_shallow_update(si);
2376                 return;
2377         }
2378
2379         ALLOC_ARRAY(ref_status, ref->nr);
2380         assign_shallow_commits_to_refs(si, NULL, ref_status);
2381         for (cmd = commands; cmd; cmd = cmd->next) {
2382                 if (is_null_oid(&cmd->new_oid))
2383                         continue;
2384                 if (ref_status[cmd->index]) {
2385                         cmd->error_string = "shallow update not allowed";
2386                         cmd->skip_update = 1;
2387                 }
2388         }
2389         free(ref_status);
2390 }
2391
2392 static void report(struct command *commands, const char *unpack_status)
2393 {
2394         struct command *cmd;
2395         struct strbuf buf = STRBUF_INIT;
2396
2397         packet_buf_write(&buf, "unpack %s\n",
2398                          unpack_status ? unpack_status : "ok");
2399         for (cmd = commands; cmd; cmd = cmd->next) {
2400                 if (!cmd->error_string)
2401                         packet_buf_write(&buf, "ok %s\n",
2402                                          cmd->ref_name);
2403                 else
2404                         packet_buf_write(&buf, "ng %s %s\n",
2405                                          cmd->ref_name, cmd->error_string);
2406         }
2407         packet_buf_flush(&buf);
2408
2409         if (use_sideband)
2410                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
2411         else
2412                 write_or_die(1, buf.buf, buf.len);
2413         strbuf_release(&buf);
2414 }
2415
2416 static void report_v2(struct command *commands, const char *unpack_status)
2417 {
2418         struct command *cmd;
2419         struct strbuf buf = STRBUF_INIT;
2420         struct ref_push_report *report;
2421
2422         packet_buf_write(&buf, "unpack %s\n",
2423                          unpack_status ? unpack_status : "ok");
2424         for (cmd = commands; cmd; cmd = cmd->next) {
2425                 int count = 0;
2426
2427                 if (cmd->error_string) {
2428                         packet_buf_write(&buf, "ng %s %s\n",
2429                                          cmd->ref_name,
2430                                          cmd->error_string);
2431                         continue;
2432                 }
2433                 packet_buf_write(&buf, "ok %s\n",
2434                                  cmd->ref_name);
2435                 for (report = cmd->report; report; report = report->next) {
2436                         if (count++ > 0)
2437                                 packet_buf_write(&buf, "ok %s\n",
2438                                                  cmd->ref_name);
2439                         if (report->ref_name)
2440                                 packet_buf_write(&buf, "option refname %s\n",
2441                                                  report->ref_name);
2442                         if (report->old_oid)
2443                                 packet_buf_write(&buf, "option old-oid %s\n",
2444                                                  oid_to_hex(report->old_oid));
2445                         if (report->new_oid)
2446                                 packet_buf_write(&buf, "option new-oid %s\n",
2447                                                  oid_to_hex(report->new_oid));
2448                         if (report->forced_update)
2449                                 packet_buf_write(&buf, "option forced-update\n");
2450                 }
2451         }
2452         packet_buf_flush(&buf);
2453
2454         if (use_sideband)
2455                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
2456         else
2457                 write_or_die(1, buf.buf, buf.len);
2458         strbuf_release(&buf);
2459 }
2460
2461 static int delete_only(struct command *commands)
2462 {
2463         struct command *cmd;
2464         for (cmd = commands; cmd; cmd = cmd->next) {
2465                 if (!is_null_oid(&cmd->new_oid))
2466                         return 0;
2467         }
2468         return 1;
2469 }
2470
2471 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
2472 {
2473         int advertise_refs = 0;
2474         struct command *commands;
2475         struct oid_array shallow = OID_ARRAY_INIT;
2476         struct oid_array ref = OID_ARRAY_INIT;
2477         struct shallow_info si;
2478         struct packet_reader reader;
2479
2480         struct option options[] = {
2481                 OPT__QUIET(&quiet, N_("quiet")),
2482                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
2483                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
2484                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
2485                 OPT_END()
2486         };
2487
2488         packet_trace_identity("receive-pack");
2489
2490         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
2491
2492         if (argc > 1)
2493                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
2494         if (argc == 0)
2495                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
2496
2497         service_dir = argv[0];
2498
2499         setup_path();
2500
2501         if (!enter_repo(service_dir, 0))
2502                 die("'%s' does not appear to be a git repository", service_dir);
2503
2504         git_config(receive_pack_config, NULL);
2505         if (cert_nonce_seed)
2506                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
2507
2508         if (0 <= transfer_unpack_limit)
2509                 unpack_limit = transfer_unpack_limit;
2510         else if (0 <= receive_unpack_limit)
2511                 unpack_limit = receive_unpack_limit;
2512
2513         switch (determine_protocol_version_server()) {
2514         case protocol_v2:
2515                 /*
2516                  * push support for protocol v2 has not been implemented yet,
2517                  * so ignore the request to use v2 and fallback to using v0.
2518                  */
2519                 break;
2520         case protocol_v1:
2521                 /*
2522                  * v1 is just the original protocol with a version string,
2523                  * so just fall through after writing the version string.
2524                  */
2525                 if (advertise_refs || !stateless_rpc)
2526                         packet_write_fmt(1, "version 1\n");
2527
2528                 /* fallthrough */
2529         case protocol_v0:
2530                 break;
2531         case protocol_unknown_version:
2532                 BUG("unknown protocol version");
2533         }
2534
2535         if (advertise_refs || !stateless_rpc) {
2536                 write_head_info();
2537         }
2538         if (advertise_refs)
2539                 return 0;
2540
2541         packet_reader_init(&reader, 0, NULL, 0,
2542                            PACKET_READ_CHOMP_NEWLINE |
2543                            PACKET_READ_DIE_ON_ERR_PACKET);
2544
2545         if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2546                 const char *unpack_status = NULL;
2547                 struct string_list push_options = STRING_LIST_INIT_DUP;
2548
2549                 if (use_push_options)
2550                         read_push_options(&reader, &push_options);
2551                 if (!check_cert_push_options(&push_options)) {
2552                         struct command *cmd;
2553                         for (cmd = commands; cmd; cmd = cmd->next)
2554                                 cmd->error_string = "inconsistent push options";
2555                 }
2556
2557                 prepare_shallow_info(&si, &shallow);
2558                 if (!si.nr_ours && !si.nr_theirs)
2559                         shallow_update = 0;
2560                 if (!delete_only(commands)) {
2561                         unpack_status = unpack_with_sideband(&si);
2562                         update_shallow_info(commands, &si, &ref);
2563                 }
2564                 use_keepalive = KEEPALIVE_ALWAYS;
2565                 execute_commands(commands, unpack_status, &si,
2566                                  &push_options);
2567                 if (pack_lockfile)
2568                         unlink_or_warn(pack_lockfile);
2569                 if (report_status_v2)
2570                         report_v2(commands, unpack_status);
2571                 else if (report_status)
2572                         report(commands, unpack_status);
2573                 run_receive_hook(commands, "post-receive", 1,
2574                                  &push_options);
2575                 run_update_post_hook(commands);
2576                 string_list_clear(&push_options, 0);
2577                 if (auto_gc) {
2578                         const char *argv_gc_auto[] = {
2579                                 "gc", "--auto", "--quiet", NULL,
2580                         };
2581                         struct child_process proc = CHILD_PROCESS_INIT;
2582
2583                         proc.no_stdin = 1;
2584                         proc.stdout_to_stderr = 1;
2585                         proc.err = use_sideband ? -1 : 0;
2586                         proc.git_cmd = 1;
2587                         proc.argv = argv_gc_auto;
2588
2589                         close_object_store(the_repository->objects);
2590                         if (!start_command(&proc)) {
2591                                 if (use_sideband)
2592                                         copy_to_sideband(proc.err, -1, NULL);
2593                                 finish_command(&proc);
2594                         }
2595                 }
2596                 if (auto_update_server_info)
2597                         update_server_info(0);
2598                 clear_shallow_info(&si);
2599         }
2600         if (use_sideband)
2601                 packet_flush(1);
2602         oid_array_clear(&shallow);
2603         oid_array_clear(&ref);
2604         free((void *)push_cert_nonce);
2605         return 0;
2606 }