Merge branch 'mr/worktree-list'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23
24 static const char receive_pack_usage[] = "git receive-pack <git-dir>";
25
26 enum deny_action {
27         DENY_UNCONFIGURED,
28         DENY_IGNORE,
29         DENY_WARN,
30         DENY_REFUSE,
31         DENY_UPDATE_INSTEAD
32 };
33
34 static int deny_deletes;
35 static int deny_non_fast_forwards;
36 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
37 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
38 static int receive_fsck_objects = -1;
39 static int transfer_fsck_objects = -1;
40 static struct strbuf fsck_msg_types = STRBUF_INIT;
41 static int receive_unpack_limit = -1;
42 static int transfer_unpack_limit = -1;
43 static int advertise_atomic_push = 1;
44 static int unpack_limit = 100;
45 static int report_status;
46 static int use_sideband;
47 static int use_atomic;
48 static int quiet;
49 static int prefer_ofs_delta = 1;
50 static int auto_update_server_info;
51 static int auto_gc = 1;
52 static int fix_thin = 1;
53 static int stateless_rpc;
54 static const char *service_dir;
55 static const char *head_name;
56 static void *head_name_to_free;
57 static int sent_capabilities;
58 static int shallow_update;
59 static const char *alt_shallow_file;
60 static struct strbuf push_cert = STRBUF_INIT;
61 static unsigned char push_cert_sha1[20];
62 static struct signature_check sigcheck;
63 static const char *push_cert_nonce;
64 static const char *cert_nonce_seed;
65
66 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
67 static const char *NONCE_BAD = "BAD";
68 static const char *NONCE_MISSING = "MISSING";
69 static const char *NONCE_OK = "OK";
70 static const char *NONCE_SLOP = "SLOP";
71 static const char *nonce_status;
72 static long nonce_stamp_slop;
73 static unsigned long nonce_stamp_slop_limit;
74 static struct ref_transaction *transaction;
75
76 static enum deny_action parse_deny_action(const char *var, const char *value)
77 {
78         if (value) {
79                 if (!strcasecmp(value, "ignore"))
80                         return DENY_IGNORE;
81                 if (!strcasecmp(value, "warn"))
82                         return DENY_WARN;
83                 if (!strcasecmp(value, "refuse"))
84                         return DENY_REFUSE;
85                 if (!strcasecmp(value, "updateinstead"))
86                         return DENY_UPDATE_INSTEAD;
87         }
88         if (git_config_bool(var, value))
89                 return DENY_REFUSE;
90         return DENY_IGNORE;
91 }
92
93 static int receive_pack_config(const char *var, const char *value, void *cb)
94 {
95         int status = parse_hide_refs_config(var, value, "receive");
96
97         if (status)
98                 return status;
99
100         if (strcmp(var, "receive.denydeletes") == 0) {
101                 deny_deletes = git_config_bool(var, value);
102                 return 0;
103         }
104
105         if (strcmp(var, "receive.denynonfastforwards") == 0) {
106                 deny_non_fast_forwards = git_config_bool(var, value);
107                 return 0;
108         }
109
110         if (strcmp(var, "receive.unpacklimit") == 0) {
111                 receive_unpack_limit = git_config_int(var, value);
112                 return 0;
113         }
114
115         if (strcmp(var, "transfer.unpacklimit") == 0) {
116                 transfer_unpack_limit = git_config_int(var, value);
117                 return 0;
118         }
119
120         if (strcmp(var, "receive.fsck.skiplist") == 0) {
121                 const char *path;
122
123                 if (git_config_pathname(&path, var, value))
124                         return 1;
125                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
126                         fsck_msg_types.len ? ',' : '=', path);
127                 free((char *)path);
128                 return 0;
129         }
130
131         if (skip_prefix(var, "receive.fsck.", &var)) {
132                 if (is_valid_msg_type(var, value))
133                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
134                                 fsck_msg_types.len ? ',' : '=', var, value);
135                 else
136                         warning("Skipping unknown msg id '%s'", var);
137                 return 0;
138         }
139
140         if (strcmp(var, "receive.fsckobjects") == 0) {
141                 receive_fsck_objects = git_config_bool(var, value);
142                 return 0;
143         }
144
145         if (strcmp(var, "transfer.fsckobjects") == 0) {
146                 transfer_fsck_objects = git_config_bool(var, value);
147                 return 0;
148         }
149
150         if (!strcmp(var, "receive.denycurrentbranch")) {
151                 deny_current_branch = parse_deny_action(var, value);
152                 return 0;
153         }
154
155         if (strcmp(var, "receive.denydeletecurrent") == 0) {
156                 deny_delete_current = parse_deny_action(var, value);
157                 return 0;
158         }
159
160         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
161                 prefer_ofs_delta = git_config_bool(var, value);
162                 return 0;
163         }
164
165         if (strcmp(var, "receive.updateserverinfo") == 0) {
166                 auto_update_server_info = git_config_bool(var, value);
167                 return 0;
168         }
169
170         if (strcmp(var, "receive.autogc") == 0) {
171                 auto_gc = git_config_bool(var, value);
172                 return 0;
173         }
174
175         if (strcmp(var, "receive.shallowupdate") == 0) {
176                 shallow_update = git_config_bool(var, value);
177                 return 0;
178         }
179
180         if (strcmp(var, "receive.certnonceseed") == 0)
181                 return git_config_string(&cert_nonce_seed, var, value);
182
183         if (strcmp(var, "receive.certnonceslop") == 0) {
184                 nonce_stamp_slop_limit = git_config_ulong(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.advertiseatomic") == 0) {
189                 advertise_atomic_push = git_config_bool(var, value);
190                 return 0;
191         }
192
193         return git_default_config(var, value, cb);
194 }
195
196 static void show_ref(const char *path, const unsigned char *sha1)
197 {
198         if (ref_is_hidden(path))
199                 return;
200
201         if (sent_capabilities) {
202                 packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
203         } else {
204                 struct strbuf cap = STRBUF_INIT;
205
206                 strbuf_addstr(&cap,
207                               "report-status delete-refs side-band-64k quiet");
208                 if (advertise_atomic_push)
209                         strbuf_addstr(&cap, " atomic");
210                 if (prefer_ofs_delta)
211                         strbuf_addstr(&cap, " ofs-delta");
212                 if (push_cert_nonce)
213                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
214                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
215                 packet_write(1, "%s %s%c%s\n",
216                              sha1_to_hex(sha1), path, 0, cap.buf);
217                 strbuf_release(&cap);
218                 sent_capabilities = 1;
219         }
220 }
221
222 static int show_ref_cb(const char *path, const struct object_id *oid, int flag, void *unused)
223 {
224         path = strip_namespace(path);
225         /*
226          * Advertise refs outside our current namespace as ".have"
227          * refs, so that the client can use them to minimize data
228          * transfer but will otherwise ignore them. This happens to
229          * cover ".have" that are thrown in by add_one_alternate_ref()
230          * to mark histories that are complete in our alternates as
231          * well.
232          */
233         if (!path)
234                 path = ".have";
235         show_ref(path, oid->hash);
236         return 0;
237 }
238
239 static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
240 {
241         show_ref(".have", sha1);
242 }
243
244 static void collect_one_alternate_ref(const struct ref *ref, void *data)
245 {
246         struct sha1_array *sa = data;
247         sha1_array_append(sa, ref->old_sha1);
248 }
249
250 static void write_head_info(void)
251 {
252         struct sha1_array sa = SHA1_ARRAY_INIT;
253
254         for_each_alternate_ref(collect_one_alternate_ref, &sa);
255         sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
256         sha1_array_clear(&sa);
257         for_each_ref(show_ref_cb, NULL);
258         if (!sent_capabilities)
259                 show_ref("capabilities^{}", null_sha1);
260
261         advertise_shallow_grafts(1);
262
263         /* EOF */
264         packet_flush(1);
265 }
266
267 struct command {
268         struct command *next;
269         const char *error_string;
270         unsigned int skip_update:1,
271                      did_not_exist:1;
272         int index;
273         unsigned char old_sha1[20];
274         unsigned char new_sha1[20];
275         char ref_name[FLEX_ARRAY]; /* more */
276 };
277
278 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
279 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
280
281 static void report_message(const char *prefix, const char *err, va_list params)
282 {
283         int sz;
284         char msg[4096];
285
286         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
287         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
288         if (sz > (sizeof(msg) - 1))
289                 sz = sizeof(msg) - 1;
290         msg[sz++] = '\n';
291
292         if (use_sideband)
293                 send_sideband(1, 2, msg, sz, use_sideband);
294         else
295                 xwrite(2, msg, sz);
296 }
297
298 static void rp_warning(const char *err, ...)
299 {
300         va_list params;
301         va_start(params, err);
302         report_message("warning: ", err, params);
303         va_end(params);
304 }
305
306 static void rp_error(const char *err, ...)
307 {
308         va_list params;
309         va_start(params, err);
310         report_message("error: ", err, params);
311         va_end(params);
312 }
313
314 static int copy_to_sideband(int in, int out, void *arg)
315 {
316         char data[128];
317         while (1) {
318                 ssize_t sz = xread(in, data, sizeof(data));
319                 if (sz <= 0)
320                         break;
321                 send_sideband(1, 2, data, sz, use_sideband);
322         }
323         close(in);
324         return 0;
325 }
326
327 #define HMAC_BLOCK_SIZE 64
328
329 static void hmac_sha1(unsigned char *out,
330                       const char *key_in, size_t key_len,
331                       const char *text, size_t text_len)
332 {
333         unsigned char key[HMAC_BLOCK_SIZE];
334         unsigned char k_ipad[HMAC_BLOCK_SIZE];
335         unsigned char k_opad[HMAC_BLOCK_SIZE];
336         int i;
337         git_SHA_CTX ctx;
338
339         /* RFC 2104 2. (1) */
340         memset(key, '\0', HMAC_BLOCK_SIZE);
341         if (HMAC_BLOCK_SIZE < key_len) {
342                 git_SHA1_Init(&ctx);
343                 git_SHA1_Update(&ctx, key_in, key_len);
344                 git_SHA1_Final(key, &ctx);
345         } else {
346                 memcpy(key, key_in, key_len);
347         }
348
349         /* RFC 2104 2. (2) & (5) */
350         for (i = 0; i < sizeof(key); i++) {
351                 k_ipad[i] = key[i] ^ 0x36;
352                 k_opad[i] = key[i] ^ 0x5c;
353         }
354
355         /* RFC 2104 2. (3) & (4) */
356         git_SHA1_Init(&ctx);
357         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
358         git_SHA1_Update(&ctx, text, text_len);
359         git_SHA1_Final(out, &ctx);
360
361         /* RFC 2104 2. (6) & (7) */
362         git_SHA1_Init(&ctx);
363         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
364         git_SHA1_Update(&ctx, out, 20);
365         git_SHA1_Final(out, &ctx);
366 }
367
368 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
369 {
370         struct strbuf buf = STRBUF_INIT;
371         unsigned char sha1[20];
372
373         strbuf_addf(&buf, "%s:%lu", path, stamp);
374         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
375         strbuf_release(&buf);
376
377         /* RFC 2104 5. HMAC-SHA1-80 */
378         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
379         return strbuf_detach(&buf, NULL);
380 }
381
382 /*
383  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
384  * after dropping "_commit" from its name and possibly moving it out
385  * of commit.c
386  */
387 static char *find_header(const char *msg, size_t len, const char *key)
388 {
389         int key_len = strlen(key);
390         const char *line = msg;
391
392         while (line && line < msg + len) {
393                 const char *eol = strchrnul(line, '\n');
394
395                 if ((msg + len <= eol) || line == eol)
396                         return NULL;
397                 if (line + key_len < eol &&
398                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
399                         int offset = key_len + 1;
400                         return xmemdupz(line + offset, (eol - line) - offset);
401                 }
402                 line = *eol ? eol + 1 : NULL;
403         }
404         return NULL;
405 }
406
407 static const char *check_nonce(const char *buf, size_t len)
408 {
409         char *nonce = find_header(buf, len, "nonce");
410         unsigned long stamp, ostamp;
411         char *bohmac, *expect = NULL;
412         const char *retval = NONCE_BAD;
413
414         if (!nonce) {
415                 retval = NONCE_MISSING;
416                 goto leave;
417         } else if (!push_cert_nonce) {
418                 retval = NONCE_UNSOLICITED;
419                 goto leave;
420         } else if (!strcmp(push_cert_nonce, nonce)) {
421                 retval = NONCE_OK;
422                 goto leave;
423         }
424
425         if (!stateless_rpc) {
426                 /* returned nonce MUST match what we gave out earlier */
427                 retval = NONCE_BAD;
428                 goto leave;
429         }
430
431         /*
432          * In stateless mode, we may be receiving a nonce issued by
433          * another instance of the server that serving the same
434          * repository, and the timestamps may not match, but the
435          * nonce-seed and dir should match, so we can recompute and
436          * report the time slop.
437          *
438          * In addition, when a nonce issued by another instance has
439          * timestamp within receive.certnonceslop seconds, we pretend
440          * as if we issued that nonce when reporting to the hook.
441          */
442
443         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
444         if (*nonce <= '0' || '9' < *nonce) {
445                 retval = NONCE_BAD;
446                 goto leave;
447         }
448         stamp = strtoul(nonce, &bohmac, 10);
449         if (bohmac == nonce || bohmac[0] != '-') {
450                 retval = NONCE_BAD;
451                 goto leave;
452         }
453
454         expect = prepare_push_cert_nonce(service_dir, stamp);
455         if (strcmp(expect, nonce)) {
456                 /* Not what we would have signed earlier */
457                 retval = NONCE_BAD;
458                 goto leave;
459         }
460
461         /*
462          * By how many seconds is this nonce stale?  Negative value
463          * would mean it was issued by another server with its clock
464          * skewed in the future.
465          */
466         ostamp = strtoul(push_cert_nonce, NULL, 10);
467         nonce_stamp_slop = (long)ostamp - (long)stamp;
468
469         if (nonce_stamp_slop_limit &&
470             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
471                 /*
472                  * Pretend as if the received nonce (which passes the
473                  * HMAC check, so it is not a forged by third-party)
474                  * is what we issued.
475                  */
476                 free((void *)push_cert_nonce);
477                 push_cert_nonce = xstrdup(nonce);
478                 retval = NONCE_OK;
479         } else {
480                 retval = NONCE_SLOP;
481         }
482
483 leave:
484         free(nonce);
485         free(expect);
486         return retval;
487 }
488
489 static void prepare_push_cert_sha1(struct child_process *proc)
490 {
491         static int already_done;
492
493         if (!push_cert.len)
494                 return;
495
496         if (!already_done) {
497                 struct strbuf gpg_output = STRBUF_INIT;
498                 struct strbuf gpg_status = STRBUF_INIT;
499                 int bogs /* beginning_of_gpg_sig */;
500
501                 already_done = 1;
502                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
503                         hashclr(push_cert_sha1);
504
505                 memset(&sigcheck, '\0', sizeof(sigcheck));
506                 sigcheck.result = 'N';
507
508                 bogs = parse_signature(push_cert.buf, push_cert.len);
509                 if (verify_signed_buffer(push_cert.buf, bogs,
510                                          push_cert.buf + bogs, push_cert.len - bogs,
511                                          &gpg_output, &gpg_status) < 0) {
512                         ; /* error running gpg */
513                 } else {
514                         sigcheck.payload = push_cert.buf;
515                         sigcheck.gpg_output = gpg_output.buf;
516                         sigcheck.gpg_status = gpg_status.buf;
517                         parse_gpg_output(&sigcheck);
518                 }
519
520                 strbuf_release(&gpg_output);
521                 strbuf_release(&gpg_status);
522                 nonce_status = check_nonce(push_cert.buf, bogs);
523         }
524         if (!is_null_sha1(push_cert_sha1)) {
525                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
526                                  sha1_to_hex(push_cert_sha1));
527                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
528                                  sigcheck.signer ? sigcheck.signer : "");
529                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
530                                  sigcheck.key ? sigcheck.key : "");
531                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
532                                  sigcheck.result);
533                 if (push_cert_nonce) {
534                         argv_array_pushf(&proc->env_array,
535                                          "GIT_PUSH_CERT_NONCE=%s",
536                                          push_cert_nonce);
537                         argv_array_pushf(&proc->env_array,
538                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
539                                          nonce_status);
540                         if (nonce_status == NONCE_SLOP)
541                                 argv_array_pushf(&proc->env_array,
542                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
543                                                  nonce_stamp_slop);
544                 }
545         }
546 }
547
548 typedef int (*feed_fn)(void *, const char **, size_t *);
549 static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
550 {
551         struct child_process proc = CHILD_PROCESS_INIT;
552         struct async muxer;
553         const char *argv[2];
554         int code;
555
556         argv[0] = find_hook(hook_name);
557         if (!argv[0])
558                 return 0;
559
560         argv[1] = NULL;
561
562         proc.argv = argv;
563         proc.in = -1;
564         proc.stdout_to_stderr = 1;
565
566         if (use_sideband) {
567                 memset(&muxer, 0, sizeof(muxer));
568                 muxer.proc = copy_to_sideband;
569                 muxer.in = -1;
570                 code = start_async(&muxer);
571                 if (code)
572                         return code;
573                 proc.err = muxer.in;
574         }
575
576         prepare_push_cert_sha1(&proc);
577
578         code = start_command(&proc);
579         if (code) {
580                 if (use_sideband)
581                         finish_async(&muxer);
582                 return code;
583         }
584
585         sigchain_push(SIGPIPE, SIG_IGN);
586
587         while (1) {
588                 const char *buf;
589                 size_t n;
590                 if (feed(feed_state, &buf, &n))
591                         break;
592                 if (write_in_full(proc.in, buf, n) != n)
593                         break;
594         }
595         close(proc.in);
596         if (use_sideband)
597                 finish_async(&muxer);
598
599         sigchain_pop(SIGPIPE);
600
601         return finish_command(&proc);
602 }
603
604 struct receive_hook_feed_state {
605         struct command *cmd;
606         int skip_broken;
607         struct strbuf buf;
608 };
609
610 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
611 {
612         struct receive_hook_feed_state *state = state_;
613         struct command *cmd = state->cmd;
614
615         while (cmd &&
616                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
617                 cmd = cmd->next;
618         if (!cmd)
619                 return -1; /* EOF */
620         strbuf_reset(&state->buf);
621         strbuf_addf(&state->buf, "%s %s %s\n",
622                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
623                     cmd->ref_name);
624         state->cmd = cmd->next;
625         if (bufp) {
626                 *bufp = state->buf.buf;
627                 *sizep = state->buf.len;
628         }
629         return 0;
630 }
631
632 static int run_receive_hook(struct command *commands, const char *hook_name,
633                             int skip_broken)
634 {
635         struct receive_hook_feed_state state;
636         int status;
637
638         strbuf_init(&state.buf, 0);
639         state.cmd = commands;
640         state.skip_broken = skip_broken;
641         if (feed_receive_hook(&state, NULL, NULL))
642                 return 0;
643         state.cmd = commands;
644         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
645         strbuf_release(&state.buf);
646         return status;
647 }
648
649 static int run_update_hook(struct command *cmd)
650 {
651         const char *argv[5];
652         struct child_process proc = CHILD_PROCESS_INIT;
653         int code;
654
655         argv[0] = find_hook("update");
656         if (!argv[0])
657                 return 0;
658
659         argv[1] = cmd->ref_name;
660         argv[2] = sha1_to_hex(cmd->old_sha1);
661         argv[3] = sha1_to_hex(cmd->new_sha1);
662         argv[4] = NULL;
663
664         proc.no_stdin = 1;
665         proc.stdout_to_stderr = 1;
666         proc.err = use_sideband ? -1 : 0;
667         proc.argv = argv;
668
669         code = start_command(&proc);
670         if (code)
671                 return code;
672         if (use_sideband)
673                 copy_to_sideband(proc.err, -1, NULL);
674         return finish_command(&proc);
675 }
676
677 static int is_ref_checked_out(const char *ref)
678 {
679         if (is_bare_repository())
680                 return 0;
681
682         if (!head_name)
683                 return 0;
684         return !strcmp(head_name, ref);
685 }
686
687 static char *refuse_unconfigured_deny_msg[] = {
688         "By default, updating the current branch in a non-bare repository",
689         "is denied, because it will make the index and work tree inconsistent",
690         "with what you pushed, and will require 'git reset --hard' to match",
691         "the work tree to HEAD.",
692         "",
693         "You can set 'receive.denyCurrentBranch' configuration variable to",
694         "'ignore' or 'warn' in the remote repository to allow pushing into",
695         "its current branch; however, this is not recommended unless you",
696         "arranged to update its work tree to match what you pushed in some",
697         "other way.",
698         "",
699         "To squelch this message and still keep the default behaviour, set",
700         "'receive.denyCurrentBranch' configuration variable to 'refuse'."
701 };
702
703 static void refuse_unconfigured_deny(void)
704 {
705         int i;
706         for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
707                 rp_error("%s", refuse_unconfigured_deny_msg[i]);
708 }
709
710 static char *refuse_unconfigured_deny_delete_current_msg[] = {
711         "By default, deleting the current branch is denied, because the next",
712         "'git clone' won't result in any file checked out, causing confusion.",
713         "",
714         "You can set 'receive.denyDeleteCurrent' configuration variable to",
715         "'warn' or 'ignore' in the remote repository to allow deleting the",
716         "current branch, with or without a warning message.",
717         "",
718         "To squelch this message, you can set it to 'refuse'."
719 };
720
721 static void refuse_unconfigured_deny_delete_current(void)
722 {
723         int i;
724         for (i = 0;
725              i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
726              i++)
727                 rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
728 }
729
730 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
731 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
732 {
733         static struct lock_file shallow_lock;
734         struct sha1_array extra = SHA1_ARRAY_INIT;
735         const char *alt_file;
736         uint32_t mask = 1 << (cmd->index % 32);
737         int i;
738
739         trace_printf_key(&trace_shallow,
740                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
741         for (i = 0; i < si->shallow->nr; i++)
742                 if (si->used_shallow[i] &&
743                     (si->used_shallow[i][cmd->index / 32] & mask) &&
744                     !delayed_reachability_test(si, i))
745                         sha1_array_append(&extra, si->shallow->sha1[i]);
746
747         setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
748         if (check_shallow_connected(command_singleton_iterator,
749                                     0, cmd, alt_file)) {
750                 rollback_lock_file(&shallow_lock);
751                 sha1_array_clear(&extra);
752                 return -1;
753         }
754
755         commit_lock_file(&shallow_lock);
756
757         /*
758          * Make sure setup_alternate_shallow() for the next ref does
759          * not lose these new roots..
760          */
761         for (i = 0; i < extra.nr; i++)
762                 register_shallow(extra.sha1[i]);
763
764         si->shallow_ref[cmd->index] = 0;
765         sha1_array_clear(&extra);
766         return 0;
767 }
768
769 /*
770  * NEEDSWORK: we should consolidate various implementions of "are we
771  * on an unborn branch?" test into one, and make the unified one more
772  * robust. !get_sha1() based check used here and elsewhere would not
773  * allow us to tell an unborn branch from corrupt ref, for example.
774  * For the purpose of fixing "deploy-to-update does not work when
775  * pushing into an empty repository" issue, this should suffice for
776  * now.
777  */
778 static int head_has_history(void)
779 {
780         unsigned char sha1[20];
781
782         return !get_sha1("HEAD", sha1);
783 }
784
785 static const char *push_to_deploy(unsigned char *sha1,
786                                   struct argv_array *env,
787                                   const char *work_tree)
788 {
789         const char *update_refresh[] = {
790                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
791         };
792         const char *diff_files[] = {
793                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
794         };
795         const char *diff_index[] = {
796                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
797                 NULL, "--", NULL
798         };
799         const char *read_tree[] = {
800                 "read-tree", "-u", "-m", NULL, NULL
801         };
802         struct child_process child = CHILD_PROCESS_INIT;
803
804         child.argv = update_refresh;
805         child.env = env->argv;
806         child.dir = work_tree;
807         child.no_stdin = 1;
808         child.stdout_to_stderr = 1;
809         child.git_cmd = 1;
810         if (run_command(&child))
811                 return "Up-to-date check failed";
812
813         /* run_command() does not clean up completely; reinitialize */
814         child_process_init(&child);
815         child.argv = diff_files;
816         child.env = env->argv;
817         child.dir = work_tree;
818         child.no_stdin = 1;
819         child.stdout_to_stderr = 1;
820         child.git_cmd = 1;
821         if (run_command(&child))
822                 return "Working directory has unstaged changes";
823
824         /* diff-index with either HEAD or an empty tree */
825         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
826
827         child_process_init(&child);
828         child.argv = diff_index;
829         child.env = env->argv;
830         child.no_stdin = 1;
831         child.no_stdout = 1;
832         child.stdout_to_stderr = 0;
833         child.git_cmd = 1;
834         if (run_command(&child))
835                 return "Working directory has staged changes";
836
837         read_tree[3] = sha1_to_hex(sha1);
838         child_process_init(&child);
839         child.argv = read_tree;
840         child.env = env->argv;
841         child.dir = work_tree;
842         child.no_stdin = 1;
843         child.no_stdout = 1;
844         child.stdout_to_stderr = 0;
845         child.git_cmd = 1;
846         if (run_command(&child))
847                 return "Could not update working tree to new HEAD";
848
849         return NULL;
850 }
851
852 static const char *push_to_checkout_hook = "push-to-checkout";
853
854 static const char *push_to_checkout(unsigned char *sha1,
855                                     struct argv_array *env,
856                                     const char *work_tree)
857 {
858         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
859         if (run_hook_le(env->argv, push_to_checkout_hook,
860                         sha1_to_hex(sha1), NULL))
861                 return "push-to-checkout hook declined";
862         else
863                 return NULL;
864 }
865
866 static const char *update_worktree(unsigned char *sha1)
867 {
868         const char *retval;
869         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
870         struct argv_array env = ARGV_ARRAY_INIT;
871
872         if (is_bare_repository())
873                 return "denyCurrentBranch = updateInstead needs a worktree";
874
875         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
876
877         if (!find_hook(push_to_checkout_hook))
878                 retval = push_to_deploy(sha1, &env, work_tree);
879         else
880                 retval = push_to_checkout(sha1, &env, work_tree);
881
882         argv_array_clear(&env);
883         return retval;
884 }
885
886 static const char *update(struct command *cmd, struct shallow_info *si)
887 {
888         const char *name = cmd->ref_name;
889         struct strbuf namespaced_name_buf = STRBUF_INIT;
890         const char *namespaced_name, *ret;
891         unsigned char *old_sha1 = cmd->old_sha1;
892         unsigned char *new_sha1 = cmd->new_sha1;
893
894         /* only refs/... are allowed */
895         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
896                 rp_error("refusing to create funny ref '%s' remotely", name);
897                 return "funny refname";
898         }
899
900         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
901         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
902
903         if (is_ref_checked_out(namespaced_name)) {
904                 switch (deny_current_branch) {
905                 case DENY_IGNORE:
906                         break;
907                 case DENY_WARN:
908                         rp_warning("updating the current branch");
909                         break;
910                 case DENY_REFUSE:
911                 case DENY_UNCONFIGURED:
912                         rp_error("refusing to update checked out branch: %s", name);
913                         if (deny_current_branch == DENY_UNCONFIGURED)
914                                 refuse_unconfigured_deny();
915                         return "branch is currently checked out";
916                 case DENY_UPDATE_INSTEAD:
917                         ret = update_worktree(new_sha1);
918                         if (ret)
919                                 return ret;
920                         break;
921                 }
922         }
923
924         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
925                 error("unpack should have generated %s, "
926                       "but I can't find it!", sha1_to_hex(new_sha1));
927                 return "bad pack";
928         }
929
930         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
931                 if (deny_deletes && starts_with(name, "refs/heads/")) {
932                         rp_error("denying ref deletion for %s", name);
933                         return "deletion prohibited";
934                 }
935
936                 if (head_name && !strcmp(namespaced_name, head_name)) {
937                         switch (deny_delete_current) {
938                         case DENY_IGNORE:
939                                 break;
940                         case DENY_WARN:
941                                 rp_warning("deleting the current branch");
942                                 break;
943                         case DENY_REFUSE:
944                         case DENY_UNCONFIGURED:
945                         case DENY_UPDATE_INSTEAD:
946                                 if (deny_delete_current == DENY_UNCONFIGURED)
947                                         refuse_unconfigured_deny_delete_current();
948                                 rp_error("refusing to delete the current branch: %s", name);
949                                 return "deletion of the current branch prohibited";
950                         default:
951                                 return "Invalid denyDeleteCurrent setting";
952                         }
953                 }
954         }
955
956         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
957             !is_null_sha1(old_sha1) &&
958             starts_with(name, "refs/heads/")) {
959                 struct object *old_object, *new_object;
960                 struct commit *old_commit, *new_commit;
961
962                 old_object = parse_object(old_sha1);
963                 new_object = parse_object(new_sha1);
964
965                 if (!old_object || !new_object ||
966                     old_object->type != OBJ_COMMIT ||
967                     new_object->type != OBJ_COMMIT) {
968                         error("bad sha1 objects for %s", name);
969                         return "bad ref";
970                 }
971                 old_commit = (struct commit *)old_object;
972                 new_commit = (struct commit *)new_object;
973                 if (!in_merge_bases(old_commit, new_commit)) {
974                         rp_error("denying non-fast-forward %s"
975                                  " (you should pull first)", name);
976                         return "non-fast-forward";
977                 }
978         }
979         if (run_update_hook(cmd)) {
980                 rp_error("hook declined to update %s", name);
981                 return "hook declined";
982         }
983
984         if (is_null_sha1(new_sha1)) {
985                 struct strbuf err = STRBUF_INIT;
986                 if (!parse_object(old_sha1)) {
987                         old_sha1 = NULL;
988                         if (ref_exists(name)) {
989                                 rp_warning("Allowing deletion of corrupt ref.");
990                         } else {
991                                 rp_warning("Deleting a non-existent ref.");
992                                 cmd->did_not_exist = 1;
993                         }
994                 }
995                 if (ref_transaction_delete(transaction,
996                                            namespaced_name,
997                                            old_sha1,
998                                            0, "push", &err)) {
999                         rp_error("%s", err.buf);
1000                         strbuf_release(&err);
1001                         return "failed to delete";
1002                 }
1003                 strbuf_release(&err);
1004                 return NULL; /* good */
1005         }
1006         else {
1007                 struct strbuf err = STRBUF_INIT;
1008                 if (shallow_update && si->shallow_ref[cmd->index] &&
1009                     update_shallow_ref(cmd, si))
1010                         return "shallow error";
1011
1012                 if (ref_transaction_update(transaction,
1013                                            namespaced_name,
1014                                            new_sha1, old_sha1,
1015                                            0, "push",
1016                                            &err)) {
1017                         rp_error("%s", err.buf);
1018                         strbuf_release(&err);
1019
1020                         return "failed to update ref";
1021                 }
1022                 strbuf_release(&err);
1023
1024                 return NULL; /* good */
1025         }
1026 }
1027
1028 static void run_update_post_hook(struct command *commands)
1029 {
1030         struct command *cmd;
1031         int argc;
1032         const char **argv;
1033         struct child_process proc = CHILD_PROCESS_INIT;
1034         const char *hook;
1035
1036         hook = find_hook("post-update");
1037         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1038                 if (cmd->error_string || cmd->did_not_exist)
1039                         continue;
1040                 argc++;
1041         }
1042         if (!argc || !hook)
1043                 return;
1044
1045         argv = xmalloc(sizeof(*argv) * (2 + argc));
1046         argv[0] = hook;
1047
1048         for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1049                 if (cmd->error_string || cmd->did_not_exist)
1050                         continue;
1051                 argv[argc] = xstrdup(cmd->ref_name);
1052                 argc++;
1053         }
1054         argv[argc] = NULL;
1055
1056         proc.no_stdin = 1;
1057         proc.stdout_to_stderr = 1;
1058         proc.err = use_sideband ? -1 : 0;
1059         proc.argv = argv;
1060
1061         if (!start_command(&proc)) {
1062                 if (use_sideband)
1063                         copy_to_sideband(proc.err, -1, NULL);
1064                 finish_command(&proc);
1065         }
1066 }
1067
1068 static void check_aliased_update(struct command *cmd, struct string_list *list)
1069 {
1070         struct strbuf buf = STRBUF_INIT;
1071         const char *dst_name;
1072         struct string_list_item *item;
1073         struct command *dst_cmd;
1074         unsigned char sha1[GIT_SHA1_RAWSZ];
1075         char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1076              cmd_newh[GIT_SHA1_HEXSZ + 1],
1077              dst_oldh[GIT_SHA1_HEXSZ + 1],
1078              dst_newh[GIT_SHA1_HEXSZ + 1];
1079         int flag;
1080
1081         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1082         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1083         strbuf_release(&buf);
1084
1085         if (!(flag & REF_ISSYMREF))
1086                 return;
1087
1088         dst_name = strip_namespace(dst_name);
1089         if (!dst_name) {
1090                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1091                 cmd->skip_update = 1;
1092                 cmd->error_string = "broken symref";
1093                 return;
1094         }
1095
1096         if ((item = string_list_lookup(list, dst_name)) == NULL)
1097                 return;
1098
1099         cmd->skip_update = 1;
1100
1101         dst_cmd = (struct command *) item->util;
1102
1103         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1104             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1105                 return;
1106
1107         dst_cmd->skip_update = 1;
1108
1109         find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1110         find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1111         find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1112         find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1113         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1114                  " its target '%s' (%s..%s)",
1115                  cmd->ref_name, cmd_oldh, cmd_newh,
1116                  dst_cmd->ref_name, dst_oldh, dst_newh);
1117
1118         cmd->error_string = dst_cmd->error_string =
1119                 "inconsistent aliased update";
1120 }
1121
1122 static void check_aliased_updates(struct command *commands)
1123 {
1124         struct command *cmd;
1125         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1126
1127         for (cmd = commands; cmd; cmd = cmd->next) {
1128                 struct string_list_item *item =
1129                         string_list_append(&ref_list, cmd->ref_name);
1130                 item->util = (void *)cmd;
1131         }
1132         string_list_sort(&ref_list);
1133
1134         for (cmd = commands; cmd; cmd = cmd->next) {
1135                 if (!cmd->error_string)
1136                         check_aliased_update(cmd, &ref_list);
1137         }
1138
1139         string_list_clear(&ref_list, 0);
1140 }
1141
1142 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1143 {
1144         struct command **cmd_list = cb_data;
1145         struct command *cmd = *cmd_list;
1146
1147         if (!cmd || is_null_sha1(cmd->new_sha1))
1148                 return -1; /* end of list */
1149         *cmd_list = NULL; /* this returns only one */
1150         hashcpy(sha1, cmd->new_sha1);
1151         return 0;
1152 }
1153
1154 static void set_connectivity_errors(struct command *commands,
1155                                     struct shallow_info *si)
1156 {
1157         struct command *cmd;
1158
1159         for (cmd = commands; cmd; cmd = cmd->next) {
1160                 struct command *singleton = cmd;
1161                 if (shallow_update && si->shallow_ref[cmd->index])
1162                         /* to be checked in update_shallow_ref() */
1163                         continue;
1164                 if (!check_everything_connected(command_singleton_iterator,
1165                                                 0, &singleton))
1166                         continue;
1167                 cmd->error_string = "missing necessary objects";
1168         }
1169 }
1170
1171 struct iterate_data {
1172         struct command *cmds;
1173         struct shallow_info *si;
1174 };
1175
1176 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1177 {
1178         struct iterate_data *data = cb_data;
1179         struct command **cmd_list = &data->cmds;
1180         struct command *cmd = *cmd_list;
1181
1182         for (; cmd; cmd = cmd->next) {
1183                 if (shallow_update && data->si->shallow_ref[cmd->index])
1184                         /* to be checked in update_shallow_ref() */
1185                         continue;
1186                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1187                         hashcpy(sha1, cmd->new_sha1);
1188                         *cmd_list = cmd->next;
1189                         return 0;
1190                 }
1191         }
1192         *cmd_list = NULL;
1193         return -1; /* end of list */
1194 }
1195
1196 static void reject_updates_to_hidden(struct command *commands)
1197 {
1198         struct command *cmd;
1199
1200         for (cmd = commands; cmd; cmd = cmd->next) {
1201                 if (cmd->error_string || !ref_is_hidden(cmd->ref_name))
1202                         continue;
1203                 if (is_null_sha1(cmd->new_sha1))
1204                         cmd->error_string = "deny deleting a hidden ref";
1205                 else
1206                         cmd->error_string = "deny updating a hidden ref";
1207         }
1208 }
1209
1210 static int should_process_cmd(struct command *cmd)
1211 {
1212         return !cmd->error_string && !cmd->skip_update;
1213 }
1214
1215 static void warn_if_skipped_connectivity_check(struct command *commands,
1216                                                struct shallow_info *si)
1217 {
1218         struct command *cmd;
1219         int checked_connectivity = 1;
1220
1221         for (cmd = commands; cmd; cmd = cmd->next) {
1222                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1223                         error("BUG: connectivity check has not been run on ref %s",
1224                               cmd->ref_name);
1225                         checked_connectivity = 0;
1226                 }
1227         }
1228         if (!checked_connectivity)
1229                 die("BUG: connectivity check skipped???");
1230 }
1231
1232 static void execute_commands_non_atomic(struct command *commands,
1233                                         struct shallow_info *si)
1234 {
1235         struct command *cmd;
1236         struct strbuf err = STRBUF_INIT;
1237
1238         for (cmd = commands; cmd; cmd = cmd->next) {
1239                 if (!should_process_cmd(cmd))
1240                         continue;
1241
1242                 transaction = ref_transaction_begin(&err);
1243                 if (!transaction) {
1244                         rp_error("%s", err.buf);
1245                         strbuf_reset(&err);
1246                         cmd->error_string = "transaction failed to start";
1247                         continue;
1248                 }
1249
1250                 cmd->error_string = update(cmd, si);
1251
1252                 if (!cmd->error_string
1253                     && ref_transaction_commit(transaction, &err)) {
1254                         rp_error("%s", err.buf);
1255                         strbuf_reset(&err);
1256                         cmd->error_string = "failed to update ref";
1257                 }
1258                 ref_transaction_free(transaction);
1259         }
1260         strbuf_release(&err);
1261 }
1262
1263 static void execute_commands_atomic(struct command *commands,
1264                                         struct shallow_info *si)
1265 {
1266         struct command *cmd;
1267         struct strbuf err = STRBUF_INIT;
1268         const char *reported_error = "atomic push failure";
1269
1270         transaction = ref_transaction_begin(&err);
1271         if (!transaction) {
1272                 rp_error("%s", err.buf);
1273                 strbuf_reset(&err);
1274                 reported_error = "transaction failed to start";
1275                 goto failure;
1276         }
1277
1278         for (cmd = commands; cmd; cmd = cmd->next) {
1279                 if (!should_process_cmd(cmd))
1280                         continue;
1281
1282                 cmd->error_string = update(cmd, si);
1283
1284                 if (cmd->error_string)
1285                         goto failure;
1286         }
1287
1288         if (ref_transaction_commit(transaction, &err)) {
1289                 rp_error("%s", err.buf);
1290                 reported_error = "atomic transaction failed";
1291                 goto failure;
1292         }
1293         goto cleanup;
1294
1295 failure:
1296         for (cmd = commands; cmd; cmd = cmd->next)
1297                 if (!cmd->error_string)
1298                         cmd->error_string = reported_error;
1299
1300 cleanup:
1301         ref_transaction_free(transaction);
1302         strbuf_release(&err);
1303 }
1304
1305 static void execute_commands(struct command *commands,
1306                              const char *unpacker_error,
1307                              struct shallow_info *si)
1308 {
1309         struct command *cmd;
1310         unsigned char sha1[20];
1311         struct iterate_data data;
1312
1313         if (unpacker_error) {
1314                 for (cmd = commands; cmd; cmd = cmd->next)
1315                         cmd->error_string = "unpacker error";
1316                 return;
1317         }
1318
1319         data.cmds = commands;
1320         data.si = si;
1321         if (check_everything_connected(iterate_receive_command_list, 0, &data))
1322                 set_connectivity_errors(commands, si);
1323
1324         reject_updates_to_hidden(commands);
1325
1326         if (run_receive_hook(commands, "pre-receive", 0)) {
1327                 for (cmd = commands; cmd; cmd = cmd->next) {
1328                         if (!cmd->error_string)
1329                                 cmd->error_string = "pre-receive hook declined";
1330                 }
1331                 return;
1332         }
1333
1334         check_aliased_updates(commands);
1335
1336         free(head_name_to_free);
1337         head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1338
1339         if (use_atomic)
1340                 execute_commands_atomic(commands, si);
1341         else
1342                 execute_commands_non_atomic(commands, si);
1343
1344         if (shallow_update)
1345                 warn_if_skipped_connectivity_check(commands, si);
1346 }
1347
1348 static struct command **queue_command(struct command **tail,
1349                                       const char *line,
1350                                       int linelen)
1351 {
1352         unsigned char old_sha1[20], new_sha1[20];
1353         struct command *cmd;
1354         const char *refname;
1355         int reflen;
1356
1357         if (linelen < 83 ||
1358             line[40] != ' ' ||
1359             line[81] != ' ' ||
1360             get_sha1_hex(line, old_sha1) ||
1361             get_sha1_hex(line + 41, new_sha1))
1362                 die("protocol error: expected old/new/ref, got '%s'", line);
1363
1364         refname = line + 82;
1365         reflen = linelen - 82;
1366         cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1367         hashcpy(cmd->old_sha1, old_sha1);
1368         hashcpy(cmd->new_sha1, new_sha1);
1369         memcpy(cmd->ref_name, refname, reflen);
1370         cmd->ref_name[reflen] = '\0';
1371         *tail = cmd;
1372         return &cmd->next;
1373 }
1374
1375 static void queue_commands_from_cert(struct command **tail,
1376                                      struct strbuf *push_cert)
1377 {
1378         const char *boc, *eoc;
1379
1380         if (*tail)
1381                 die("protocol error: got both push certificate and unsigned commands");
1382
1383         boc = strstr(push_cert->buf, "\n\n");
1384         if (!boc)
1385                 die("malformed push certificate %.*s", 100, push_cert->buf);
1386         else
1387                 boc += 2;
1388         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1389
1390         while (boc < eoc) {
1391                 const char *eol = memchr(boc, '\n', eoc - boc);
1392                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1393                 boc = eol ? eol + 1 : eoc;
1394         }
1395 }
1396
1397 static struct command *read_head_info(struct sha1_array *shallow)
1398 {
1399         struct command *commands = NULL;
1400         struct command **p = &commands;
1401         for (;;) {
1402                 char *line;
1403                 int len, linelen;
1404
1405                 line = packet_read_line(0, &len);
1406                 if (!line)
1407                         break;
1408
1409                 if (len == 48 && starts_with(line, "shallow ")) {
1410                         unsigned char sha1[20];
1411                         if (get_sha1_hex(line + 8, sha1))
1412                                 die("protocol error: expected shallow sha, got '%s'",
1413                                     line + 8);
1414                         sha1_array_append(shallow, sha1);
1415                         continue;
1416                 }
1417
1418                 linelen = strlen(line);
1419                 if (linelen < len) {
1420                         const char *feature_list = line + linelen + 1;
1421                         if (parse_feature_request(feature_list, "report-status"))
1422                                 report_status = 1;
1423                         if (parse_feature_request(feature_list, "side-band-64k"))
1424                                 use_sideband = LARGE_PACKET_MAX;
1425                         if (parse_feature_request(feature_list, "quiet"))
1426                                 quiet = 1;
1427                         if (advertise_atomic_push
1428                             && parse_feature_request(feature_list, "atomic"))
1429                                 use_atomic = 1;
1430                 }
1431
1432                 if (!strcmp(line, "push-cert")) {
1433                         int true_flush = 0;
1434                         char certbuf[1024];
1435
1436                         for (;;) {
1437                                 len = packet_read(0, NULL, NULL,
1438                                                   certbuf, sizeof(certbuf), 0);
1439                                 if (!len) {
1440                                         true_flush = 1;
1441                                         break;
1442                                 }
1443                                 if (!strcmp(certbuf, "push-cert-end\n"))
1444                                         break; /* end of cert */
1445                                 strbuf_addstr(&push_cert, certbuf);
1446                         }
1447
1448                         if (true_flush)
1449                                 break;
1450                         continue;
1451                 }
1452
1453                 p = queue_command(p, line, linelen);
1454         }
1455
1456         if (push_cert.len)
1457                 queue_commands_from_cert(p, &push_cert);
1458
1459         return commands;
1460 }
1461
1462 static const char *parse_pack_header(struct pack_header *hdr)
1463 {
1464         switch (read_pack_header(0, hdr)) {
1465         case PH_ERROR_EOF:
1466                 return "eof before pack header was fully read";
1467
1468         case PH_ERROR_PACK_SIGNATURE:
1469                 return "protocol error (pack signature mismatch detected)";
1470
1471         case PH_ERROR_PROTOCOL:
1472                 return "protocol error (pack version unsupported)";
1473
1474         default:
1475                 return "unknown error in parse_pack_header";
1476
1477         case 0:
1478                 return NULL;
1479         }
1480 }
1481
1482 static const char *pack_lockfile;
1483
1484 static const char *unpack(int err_fd, struct shallow_info *si)
1485 {
1486         struct pack_header hdr;
1487         const char *hdr_err;
1488         int status;
1489         char hdr_arg[38];
1490         struct child_process child = CHILD_PROCESS_INIT;
1491         int fsck_objects = (receive_fsck_objects >= 0
1492                             ? receive_fsck_objects
1493                             : transfer_fsck_objects >= 0
1494                             ? transfer_fsck_objects
1495                             : 0);
1496
1497         hdr_err = parse_pack_header(&hdr);
1498         if (hdr_err) {
1499                 if (err_fd > 0)
1500                         close(err_fd);
1501                 return hdr_err;
1502         }
1503         snprintf(hdr_arg, sizeof(hdr_arg),
1504                         "--pack_header=%"PRIu32",%"PRIu32,
1505                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1506
1507         if (si->nr_ours || si->nr_theirs) {
1508                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1509                 argv_array_push(&child.args, "--shallow-file");
1510                 argv_array_push(&child.args, alt_shallow_file);
1511         }
1512
1513         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1514                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1515                 if (quiet)
1516                         argv_array_push(&child.args, "-q");
1517                 if (fsck_objects)
1518                         argv_array_pushf(&child.args, "--strict%s",
1519                                 fsck_msg_types.buf);
1520                 child.no_stdout = 1;
1521                 child.err = err_fd;
1522                 child.git_cmd = 1;
1523                 status = run_command(&child);
1524                 if (status)
1525                         return "unpack-objects abnormal exit";
1526         } else {
1527                 char hostname[256];
1528
1529                 argv_array_pushl(&child.args, "index-pack",
1530                                  "--stdin", hdr_arg, NULL);
1531
1532                 if (gethostname(hostname, sizeof(hostname)))
1533                         xsnprintf(hostname, sizeof(hostname), "localhost");
1534                 argv_array_pushf(&child.args,
1535                                  "--keep=receive-pack %"PRIuMAX" on %s",
1536                                  (uintmax_t)getpid(),
1537                                  hostname);
1538
1539                 if (fsck_objects)
1540                         argv_array_pushf(&child.args, "--strict%s",
1541                                 fsck_msg_types.buf);
1542                 if (fix_thin)
1543                         argv_array_push(&child.args, "--fix-thin");
1544                 child.out = -1;
1545                 child.err = err_fd;
1546                 child.git_cmd = 1;
1547                 status = start_command(&child);
1548                 if (status)
1549                         return "index-pack fork failed";
1550                 pack_lockfile = index_pack_lockfile(child.out);
1551                 close(child.out);
1552                 status = finish_command(&child);
1553                 if (status)
1554                         return "index-pack abnormal exit";
1555                 reprepare_packed_git();
1556         }
1557         return NULL;
1558 }
1559
1560 static const char *unpack_with_sideband(struct shallow_info *si)
1561 {
1562         struct async muxer;
1563         const char *ret;
1564
1565         if (!use_sideband)
1566                 return unpack(0, si);
1567
1568         memset(&muxer, 0, sizeof(muxer));
1569         muxer.proc = copy_to_sideband;
1570         muxer.in = -1;
1571         if (start_async(&muxer))
1572                 return NULL;
1573
1574         ret = unpack(muxer.in, si);
1575
1576         finish_async(&muxer);
1577         return ret;
1578 }
1579
1580 static void prepare_shallow_update(struct command *commands,
1581                                    struct shallow_info *si)
1582 {
1583         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1584
1585         si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1586                                    si->shallow->nr);
1587         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1588
1589         si->need_reachability_test =
1590                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1591         si->reachable =
1592                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1593         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1594
1595         for (i = 0; i < si->nr_ours; i++)
1596                 si->need_reachability_test[si->ours[i]] = 1;
1597
1598         for (i = 0; i < si->shallow->nr; i++) {
1599                 if (!si->used_shallow[i])
1600                         continue;
1601                 for (j = 0; j < bitmap_size; j++) {
1602                         if (!si->used_shallow[i][j])
1603                                 continue;
1604                         si->need_reachability_test[i]++;
1605                         for (k = 0; k < 32; k++)
1606                                 if (si->used_shallow[i][j] & (1 << k))
1607                                         si->shallow_ref[j * 32 + k]++;
1608                 }
1609
1610                 /*
1611                  * true for those associated with some refs and belong
1612                  * in "ours" list aka "step 7 not done yet"
1613                  */
1614                 si->need_reachability_test[i] =
1615                         si->need_reachability_test[i] > 1;
1616         }
1617
1618         /*
1619          * keep hooks happy by forcing a temporary shallow file via
1620          * env variable because we can't add --shallow-file to every
1621          * command. check_everything_connected() will be done with
1622          * true .git/shallow though.
1623          */
1624         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1625 }
1626
1627 static void update_shallow_info(struct command *commands,
1628                                 struct shallow_info *si,
1629                                 struct sha1_array *ref)
1630 {
1631         struct command *cmd;
1632         int *ref_status;
1633         remove_nonexistent_theirs_shallow(si);
1634         if (!si->nr_ours && !si->nr_theirs) {
1635                 shallow_update = 0;
1636                 return;
1637         }
1638
1639         for (cmd = commands; cmd; cmd = cmd->next) {
1640                 if (is_null_sha1(cmd->new_sha1))
1641                         continue;
1642                 sha1_array_append(ref, cmd->new_sha1);
1643                 cmd->index = ref->nr - 1;
1644         }
1645         si->ref = ref;
1646
1647         if (shallow_update) {
1648                 prepare_shallow_update(commands, si);
1649                 return;
1650         }
1651
1652         ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1653         assign_shallow_commits_to_refs(si, NULL, ref_status);
1654         for (cmd = commands; cmd; cmd = cmd->next) {
1655                 if (is_null_sha1(cmd->new_sha1))
1656                         continue;
1657                 if (ref_status[cmd->index]) {
1658                         cmd->error_string = "shallow update not allowed";
1659                         cmd->skip_update = 1;
1660                 }
1661         }
1662         free(ref_status);
1663 }
1664
1665 static void report(struct command *commands, const char *unpack_status)
1666 {
1667         struct command *cmd;
1668         struct strbuf buf = STRBUF_INIT;
1669
1670         packet_buf_write(&buf, "unpack %s\n",
1671                          unpack_status ? unpack_status : "ok");
1672         for (cmd = commands; cmd; cmd = cmd->next) {
1673                 if (!cmd->error_string)
1674                         packet_buf_write(&buf, "ok %s\n",
1675                                          cmd->ref_name);
1676                 else
1677                         packet_buf_write(&buf, "ng %s %s\n",
1678                                          cmd->ref_name, cmd->error_string);
1679         }
1680         packet_buf_flush(&buf);
1681
1682         if (use_sideband)
1683                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1684         else
1685                 write_or_die(1, buf.buf, buf.len);
1686         strbuf_release(&buf);
1687 }
1688
1689 static int delete_only(struct command *commands)
1690 {
1691         struct command *cmd;
1692         for (cmd = commands; cmd; cmd = cmd->next) {
1693                 if (!is_null_sha1(cmd->new_sha1))
1694                         return 0;
1695         }
1696         return 1;
1697 }
1698
1699 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1700 {
1701         int advertise_refs = 0;
1702         int i;
1703         struct command *commands;
1704         struct sha1_array shallow = SHA1_ARRAY_INIT;
1705         struct sha1_array ref = SHA1_ARRAY_INIT;
1706         struct shallow_info si;
1707
1708         packet_trace_identity("receive-pack");
1709
1710         argv++;
1711         for (i = 1; i < argc; i++) {
1712                 const char *arg = *argv++;
1713
1714                 if (*arg == '-') {
1715                         if (!strcmp(arg, "--quiet")) {
1716                                 quiet = 1;
1717                                 continue;
1718                         }
1719
1720                         if (!strcmp(arg, "--advertise-refs")) {
1721                                 advertise_refs = 1;
1722                                 continue;
1723                         }
1724                         if (!strcmp(arg, "--stateless-rpc")) {
1725                                 stateless_rpc = 1;
1726                                 continue;
1727                         }
1728                         if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1729                                 fix_thin = 0;
1730                                 continue;
1731                         }
1732
1733                         usage(receive_pack_usage);
1734                 }
1735                 if (service_dir)
1736                         usage(receive_pack_usage);
1737                 service_dir = arg;
1738         }
1739         if (!service_dir)
1740                 usage(receive_pack_usage);
1741
1742         setup_path();
1743
1744         if (!enter_repo(service_dir, 0))
1745                 die("'%s' does not appear to be a git repository", service_dir);
1746
1747         git_config(receive_pack_config, NULL);
1748         if (cert_nonce_seed)
1749                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1750
1751         if (0 <= transfer_unpack_limit)
1752                 unpack_limit = transfer_unpack_limit;
1753         else if (0 <= receive_unpack_limit)
1754                 unpack_limit = receive_unpack_limit;
1755
1756         if (advertise_refs || !stateless_rpc) {
1757                 write_head_info();
1758         }
1759         if (advertise_refs)
1760                 return 0;
1761
1762         if ((commands = read_head_info(&shallow)) != NULL) {
1763                 const char *unpack_status = NULL;
1764
1765                 prepare_shallow_info(&si, &shallow);
1766                 if (!si.nr_ours && !si.nr_theirs)
1767                         shallow_update = 0;
1768                 if (!delete_only(commands)) {
1769                         unpack_status = unpack_with_sideband(&si);
1770                         update_shallow_info(commands, &si, &ref);
1771                 }
1772                 execute_commands(commands, unpack_status, &si);
1773                 if (pack_lockfile)
1774                         unlink_or_warn(pack_lockfile);
1775                 if (report_status)
1776                         report(commands, unpack_status);
1777                 run_receive_hook(commands, "post-receive", 1);
1778                 run_update_post_hook(commands);
1779                 if (auto_gc) {
1780                         const char *argv_gc_auto[] = {
1781                                 "gc", "--auto", "--quiet", NULL,
1782                         };
1783                         int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1784                         run_command_v_opt(argv_gc_auto, opt);
1785                 }
1786                 if (auto_update_server_info)
1787                         update_server_info(0);
1788                 clear_shallow_info(&si);
1789         }
1790         if (use_sideband)
1791                 packet_flush(1);
1792         sha1_array_clear(&shallow);
1793         sha1_array_clear(&ref);
1794         free((void *)push_cert_nonce);
1795         return 0;
1796 }