tag: use strbuf to format tag header
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23 #include "tmp-objdir.h"
24 #include "oidset.h"
25
26 static const char * const receive_pack_usage[] = {
27         N_("git receive-pack <git-dir>"),
28         NULL
29 };
30
31 enum deny_action {
32         DENY_UNCONFIGURED,
33         DENY_IGNORE,
34         DENY_WARN,
35         DENY_REFUSE,
36         DENY_UPDATE_INSTEAD
37 };
38
39 static int deny_deletes;
40 static int deny_non_fast_forwards;
41 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
42 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
43 static int receive_fsck_objects = -1;
44 static int transfer_fsck_objects = -1;
45 static struct strbuf fsck_msg_types = STRBUF_INIT;
46 static int receive_unpack_limit = -1;
47 static int transfer_unpack_limit = -1;
48 static int advertise_atomic_push = 1;
49 static int advertise_push_options;
50 static int unpack_limit = 100;
51 static off_t max_input_size;
52 static int report_status;
53 static int use_sideband;
54 static int use_atomic;
55 static int use_push_options;
56 static int quiet;
57 static int prefer_ofs_delta = 1;
58 static int auto_update_server_info;
59 static int auto_gc = 1;
60 static int reject_thin;
61 static int stateless_rpc;
62 static const char *service_dir;
63 static const char *head_name;
64 static void *head_name_to_free;
65 static int sent_capabilities;
66 static int shallow_update;
67 static const char *alt_shallow_file;
68 static struct strbuf push_cert = STRBUF_INIT;
69 static unsigned char push_cert_sha1[20];
70 static struct signature_check sigcheck;
71 static const char *push_cert_nonce;
72 static const char *cert_nonce_seed;
73
74 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
75 static const char *NONCE_BAD = "BAD";
76 static const char *NONCE_MISSING = "MISSING";
77 static const char *NONCE_OK = "OK";
78 static const char *NONCE_SLOP = "SLOP";
79 static const char *nonce_status;
80 static long nonce_stamp_slop;
81 static unsigned long nonce_stamp_slop_limit;
82 static struct ref_transaction *transaction;
83
84 static enum {
85         KEEPALIVE_NEVER = 0,
86         KEEPALIVE_AFTER_NUL,
87         KEEPALIVE_ALWAYS
88 } use_keepalive;
89 static int keepalive_in_sec = 5;
90
91 static struct tmp_objdir *tmp_objdir;
92
93 static enum deny_action parse_deny_action(const char *var, const char *value)
94 {
95         if (value) {
96                 if (!strcasecmp(value, "ignore"))
97                         return DENY_IGNORE;
98                 if (!strcasecmp(value, "warn"))
99                         return DENY_WARN;
100                 if (!strcasecmp(value, "refuse"))
101                         return DENY_REFUSE;
102                 if (!strcasecmp(value, "updateinstead"))
103                         return DENY_UPDATE_INSTEAD;
104         }
105         if (git_config_bool(var, value))
106                 return DENY_REFUSE;
107         return DENY_IGNORE;
108 }
109
110 static int receive_pack_config(const char *var, const char *value, void *cb)
111 {
112         int status = parse_hide_refs_config(var, value, "receive");
113
114         if (status)
115                 return status;
116
117         if (strcmp(var, "receive.denydeletes") == 0) {
118                 deny_deletes = git_config_bool(var, value);
119                 return 0;
120         }
121
122         if (strcmp(var, "receive.denynonfastforwards") == 0) {
123                 deny_non_fast_forwards = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.unpacklimit") == 0) {
128                 receive_unpack_limit = git_config_int(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "transfer.unpacklimit") == 0) {
133                 transfer_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "receive.fsck.skiplist") == 0) {
138                 const char *path;
139
140                 if (git_config_pathname(&path, var, value))
141                         return 1;
142                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
143                         fsck_msg_types.len ? ',' : '=', path);
144                 free((char *)path);
145                 return 0;
146         }
147
148         if (skip_prefix(var, "receive.fsck.", &var)) {
149                 if (is_valid_msg_type(var, value))
150                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
151                                 fsck_msg_types.len ? ',' : '=', var, value);
152                 else
153                         warning("Skipping unknown msg id '%s'", var);
154                 return 0;
155         }
156
157         if (strcmp(var, "receive.fsckobjects") == 0) {
158                 receive_fsck_objects = git_config_bool(var, value);
159                 return 0;
160         }
161
162         if (strcmp(var, "transfer.fsckobjects") == 0) {
163                 transfer_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (!strcmp(var, "receive.denycurrentbranch")) {
168                 deny_current_branch = parse_deny_action(var, value);
169                 return 0;
170         }
171
172         if (strcmp(var, "receive.denydeletecurrent") == 0) {
173                 deny_delete_current = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
178                 prefer_ofs_delta = git_config_bool(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "receive.updateserverinfo") == 0) {
183                 auto_update_server_info = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.autogc") == 0) {
188                 auto_gc = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.shallowupdate") == 0) {
193                 shallow_update = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.certnonceseed") == 0)
198                 return git_config_string(&cert_nonce_seed, var, value);
199
200         if (strcmp(var, "receive.certnonceslop") == 0) {
201                 nonce_stamp_slop_limit = git_config_ulong(var, value);
202                 return 0;
203         }
204
205         if (strcmp(var, "receive.advertiseatomic") == 0) {
206                 advertise_atomic_push = git_config_bool(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertisepushoptions") == 0) {
211                 advertise_push_options = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.keepalive") == 0) {
216                 keepalive_in_sec = git_config_int(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.maxinputsize") == 0) {
221                 max_input_size = git_config_int64(var, value);
222                 return 0;
223         }
224
225         return git_default_config(var, value, cb);
226 }
227
228 static void show_ref(const char *path, const unsigned char *sha1)
229 {
230         if (sent_capabilities) {
231                 packet_write_fmt(1, "%s %s\n", sha1_to_hex(sha1), path);
232         } else {
233                 struct strbuf cap = STRBUF_INIT;
234
235                 strbuf_addstr(&cap,
236                               "report-status delete-refs side-band-64k quiet");
237                 if (advertise_atomic_push)
238                         strbuf_addstr(&cap, " atomic");
239                 if (prefer_ofs_delta)
240                         strbuf_addstr(&cap, " ofs-delta");
241                 if (push_cert_nonce)
242                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
243                 if (advertise_push_options)
244                         strbuf_addstr(&cap, " push-options");
245                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
246                 packet_write_fmt(1, "%s %s%c%s\n",
247                              sha1_to_hex(sha1), path, 0, cap.buf);
248                 strbuf_release(&cap);
249                 sent_capabilities = 1;
250         }
251 }
252
253 static int show_ref_cb(const char *path_full, const struct object_id *oid,
254                        int flag, void *data)
255 {
256         struct oidset *seen = data;
257         const char *path = strip_namespace(path_full);
258
259         if (ref_is_hidden(path, path_full))
260                 return 0;
261
262         /*
263          * Advertise refs outside our current namespace as ".have"
264          * refs, so that the client can use them to minimize data
265          * transfer but will otherwise ignore them.
266          */
267         if (!path) {
268                 if (oidset_insert(seen, oid))
269                         return 0;
270                 path = ".have";
271         } else {
272                 oidset_insert(seen, oid);
273         }
274         show_ref(path, oid->hash);
275         return 0;
276 }
277
278 static void show_one_alternate_ref(const char *refname,
279                                    const struct object_id *oid,
280                                    void *data)
281 {
282         struct oidset *seen = data;
283
284         if (oidset_insert(seen, oid))
285                 return;
286
287         show_ref(".have", oid->hash);
288 }
289
290 static void write_head_info(void)
291 {
292         static struct oidset seen = OIDSET_INIT;
293
294         for_each_ref(show_ref_cb, &seen);
295         for_each_alternate_ref(show_one_alternate_ref, &seen);
296         oidset_clear(&seen);
297         if (!sent_capabilities)
298                 show_ref("capabilities^{}", null_sha1);
299
300         advertise_shallow_grafts(1);
301
302         /* EOF */
303         packet_flush(1);
304 }
305
306 struct command {
307         struct command *next;
308         const char *error_string;
309         unsigned int skip_update:1,
310                      did_not_exist:1;
311         int index;
312         unsigned char old_sha1[20];
313         unsigned char new_sha1[20];
314         char ref_name[FLEX_ARRAY]; /* more */
315 };
316
317 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
318 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
319
320 static void report_message(const char *prefix, const char *err, va_list params)
321 {
322         int sz;
323         char msg[4096];
324
325         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
326         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
327         if (sz > (sizeof(msg) - 1))
328                 sz = sizeof(msg) - 1;
329         msg[sz++] = '\n';
330
331         if (use_sideband)
332                 send_sideband(1, 2, msg, sz, use_sideband);
333         else
334                 xwrite(2, msg, sz);
335 }
336
337 static void rp_warning(const char *err, ...)
338 {
339         va_list params;
340         va_start(params, err);
341         report_message("warning: ", err, params);
342         va_end(params);
343 }
344
345 static void rp_error(const char *err, ...)
346 {
347         va_list params;
348         va_start(params, err);
349         report_message("error: ", err, params);
350         va_end(params);
351 }
352
353 static int copy_to_sideband(int in, int out, void *arg)
354 {
355         char data[128];
356         int keepalive_active = 0;
357
358         if (keepalive_in_sec <= 0)
359                 use_keepalive = KEEPALIVE_NEVER;
360         if (use_keepalive == KEEPALIVE_ALWAYS)
361                 keepalive_active = 1;
362
363         while (1) {
364                 ssize_t sz;
365
366                 if (keepalive_active) {
367                         struct pollfd pfd;
368                         int ret;
369
370                         pfd.fd = in;
371                         pfd.events = POLLIN;
372                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
373
374                         if (ret < 0) {
375                                 if (errno == EINTR)
376                                         continue;
377                                 else
378                                         break;
379                         } else if (ret == 0) {
380                                 /* no data; send a keepalive packet */
381                                 static const char buf[] = "0005\1";
382                                 write_or_die(1, buf, sizeof(buf) - 1);
383                                 continue;
384                         } /* else there is actual data to read */
385                 }
386
387                 sz = xread(in, data, sizeof(data));
388                 if (sz <= 0)
389                         break;
390
391                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
392                         const char *p = memchr(data, '\0', sz);
393                         if (p) {
394                                 /*
395                                  * The NUL tells us to start sending keepalives. Make
396                                  * sure we send any other data we read along
397                                  * with it.
398                                  */
399                                 keepalive_active = 1;
400                                 send_sideband(1, 2, data, p - data, use_sideband);
401                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
402                                 continue;
403                         }
404                 }
405
406                 /*
407                  * Either we're not looking for a NUL signal, or we didn't see
408                  * it yet; just pass along the data.
409                  */
410                 send_sideband(1, 2, data, sz, use_sideband);
411         }
412         close(in);
413         return 0;
414 }
415
416 #define HMAC_BLOCK_SIZE 64
417
418 static void hmac_sha1(unsigned char *out,
419                       const char *key_in, size_t key_len,
420                       const char *text, size_t text_len)
421 {
422         unsigned char key[HMAC_BLOCK_SIZE];
423         unsigned char k_ipad[HMAC_BLOCK_SIZE];
424         unsigned char k_opad[HMAC_BLOCK_SIZE];
425         int i;
426         git_SHA_CTX ctx;
427
428         /* RFC 2104 2. (1) */
429         memset(key, '\0', HMAC_BLOCK_SIZE);
430         if (HMAC_BLOCK_SIZE < key_len) {
431                 git_SHA1_Init(&ctx);
432                 git_SHA1_Update(&ctx, key_in, key_len);
433                 git_SHA1_Final(key, &ctx);
434         } else {
435                 memcpy(key, key_in, key_len);
436         }
437
438         /* RFC 2104 2. (2) & (5) */
439         for (i = 0; i < sizeof(key); i++) {
440                 k_ipad[i] = key[i] ^ 0x36;
441                 k_opad[i] = key[i] ^ 0x5c;
442         }
443
444         /* RFC 2104 2. (3) & (4) */
445         git_SHA1_Init(&ctx);
446         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
447         git_SHA1_Update(&ctx, text, text_len);
448         git_SHA1_Final(out, &ctx);
449
450         /* RFC 2104 2. (6) & (7) */
451         git_SHA1_Init(&ctx);
452         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
453         git_SHA1_Update(&ctx, out, 20);
454         git_SHA1_Final(out, &ctx);
455 }
456
457 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
458 {
459         struct strbuf buf = STRBUF_INIT;
460         unsigned char sha1[20];
461
462         strbuf_addf(&buf, "%s:%lu", path, stamp);
463         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
464         strbuf_release(&buf);
465
466         /* RFC 2104 5. HMAC-SHA1-80 */
467         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
468         return strbuf_detach(&buf, NULL);
469 }
470
471 /*
472  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
473  * after dropping "_commit" from its name and possibly moving it out
474  * of commit.c
475  */
476 static char *find_header(const char *msg, size_t len, const char *key)
477 {
478         int key_len = strlen(key);
479         const char *line = msg;
480
481         while (line && line < msg + len) {
482                 const char *eol = strchrnul(line, '\n');
483
484                 if ((msg + len <= eol) || line == eol)
485                         return NULL;
486                 if (line + key_len < eol &&
487                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
488                         int offset = key_len + 1;
489                         return xmemdupz(line + offset, (eol - line) - offset);
490                 }
491                 line = *eol ? eol + 1 : NULL;
492         }
493         return NULL;
494 }
495
496 static const char *check_nonce(const char *buf, size_t len)
497 {
498         char *nonce = find_header(buf, len, "nonce");
499         unsigned long stamp, ostamp;
500         char *bohmac, *expect = NULL;
501         const char *retval = NONCE_BAD;
502
503         if (!nonce) {
504                 retval = NONCE_MISSING;
505                 goto leave;
506         } else if (!push_cert_nonce) {
507                 retval = NONCE_UNSOLICITED;
508                 goto leave;
509         } else if (!strcmp(push_cert_nonce, nonce)) {
510                 retval = NONCE_OK;
511                 goto leave;
512         }
513
514         if (!stateless_rpc) {
515                 /* returned nonce MUST match what we gave out earlier */
516                 retval = NONCE_BAD;
517                 goto leave;
518         }
519
520         /*
521          * In stateless mode, we may be receiving a nonce issued by
522          * another instance of the server that serving the same
523          * repository, and the timestamps may not match, but the
524          * nonce-seed and dir should match, so we can recompute and
525          * report the time slop.
526          *
527          * In addition, when a nonce issued by another instance has
528          * timestamp within receive.certnonceslop seconds, we pretend
529          * as if we issued that nonce when reporting to the hook.
530          */
531
532         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
533         if (*nonce <= '0' || '9' < *nonce) {
534                 retval = NONCE_BAD;
535                 goto leave;
536         }
537         stamp = strtoul(nonce, &bohmac, 10);
538         if (bohmac == nonce || bohmac[0] != '-') {
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542
543         expect = prepare_push_cert_nonce(service_dir, stamp);
544         if (strcmp(expect, nonce)) {
545                 /* Not what we would have signed earlier */
546                 retval = NONCE_BAD;
547                 goto leave;
548         }
549
550         /*
551          * By how many seconds is this nonce stale?  Negative value
552          * would mean it was issued by another server with its clock
553          * skewed in the future.
554          */
555         ostamp = strtoul(push_cert_nonce, NULL, 10);
556         nonce_stamp_slop = (long)ostamp - (long)stamp;
557
558         if (nonce_stamp_slop_limit &&
559             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
560                 /*
561                  * Pretend as if the received nonce (which passes the
562                  * HMAC check, so it is not a forged by third-party)
563                  * is what we issued.
564                  */
565                 free((void *)push_cert_nonce);
566                 push_cert_nonce = xstrdup(nonce);
567                 retval = NONCE_OK;
568         } else {
569                 retval = NONCE_SLOP;
570         }
571
572 leave:
573         free(nonce);
574         free(expect);
575         return retval;
576 }
577
578 static void prepare_push_cert_sha1(struct child_process *proc)
579 {
580         static int already_done;
581
582         if (!push_cert.len)
583                 return;
584
585         if (!already_done) {
586                 struct strbuf gpg_output = STRBUF_INIT;
587                 struct strbuf gpg_status = STRBUF_INIT;
588                 int bogs /* beginning_of_gpg_sig */;
589
590                 already_done = 1;
591                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
592                         hashclr(push_cert_sha1);
593
594                 memset(&sigcheck, '\0', sizeof(sigcheck));
595                 sigcheck.result = 'N';
596
597                 bogs = parse_signature(push_cert.buf, push_cert.len);
598                 if (verify_signed_buffer(push_cert.buf, bogs,
599                                          push_cert.buf + bogs, push_cert.len - bogs,
600                                          &gpg_output, &gpg_status) < 0) {
601                         ; /* error running gpg */
602                 } else {
603                         sigcheck.payload = push_cert.buf;
604                         sigcheck.gpg_output = gpg_output.buf;
605                         sigcheck.gpg_status = gpg_status.buf;
606                         parse_gpg_output(&sigcheck);
607                 }
608
609                 strbuf_release(&gpg_output);
610                 strbuf_release(&gpg_status);
611                 nonce_status = check_nonce(push_cert.buf, bogs);
612         }
613         if (!is_null_sha1(push_cert_sha1)) {
614                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
615                                  sha1_to_hex(push_cert_sha1));
616                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
617                                  sigcheck.signer ? sigcheck.signer : "");
618                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
619                                  sigcheck.key ? sigcheck.key : "");
620                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
621                                  sigcheck.result);
622                 if (push_cert_nonce) {
623                         argv_array_pushf(&proc->env_array,
624                                          "GIT_PUSH_CERT_NONCE=%s",
625                                          push_cert_nonce);
626                         argv_array_pushf(&proc->env_array,
627                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
628                                          nonce_status);
629                         if (nonce_status == NONCE_SLOP)
630                                 argv_array_pushf(&proc->env_array,
631                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
632                                                  nonce_stamp_slop);
633                 }
634         }
635 }
636
637 struct receive_hook_feed_state {
638         struct command *cmd;
639         int skip_broken;
640         struct strbuf buf;
641         const struct string_list *push_options;
642 };
643
644 typedef int (*feed_fn)(void *, const char **, size_t *);
645 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
646                              struct receive_hook_feed_state *feed_state)
647 {
648         struct child_process proc = CHILD_PROCESS_INIT;
649         struct async muxer;
650         const char *argv[2];
651         int code;
652
653         argv[0] = find_hook(hook_name);
654         if (!argv[0])
655                 return 0;
656
657         argv[1] = NULL;
658
659         proc.argv = argv;
660         proc.in = -1;
661         proc.stdout_to_stderr = 1;
662         if (feed_state->push_options) {
663                 int i;
664                 for (i = 0; i < feed_state->push_options->nr; i++)
665                         argv_array_pushf(&proc.env_array,
666                                 "GIT_PUSH_OPTION_%d=%s", i,
667                                 feed_state->push_options->items[i].string);
668                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
669                                  feed_state->push_options->nr);
670         } else
671                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
672
673         if (tmp_objdir)
674                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
675
676         if (use_sideband) {
677                 memset(&muxer, 0, sizeof(muxer));
678                 muxer.proc = copy_to_sideband;
679                 muxer.in = -1;
680                 code = start_async(&muxer);
681                 if (code)
682                         return code;
683                 proc.err = muxer.in;
684         }
685
686         prepare_push_cert_sha1(&proc);
687
688         code = start_command(&proc);
689         if (code) {
690                 if (use_sideband)
691                         finish_async(&muxer);
692                 return code;
693         }
694
695         sigchain_push(SIGPIPE, SIG_IGN);
696
697         while (1) {
698                 const char *buf;
699                 size_t n;
700                 if (feed(feed_state, &buf, &n))
701                         break;
702                 if (write_in_full(proc.in, buf, n) != n)
703                         break;
704         }
705         close(proc.in);
706         if (use_sideband)
707                 finish_async(&muxer);
708
709         sigchain_pop(SIGPIPE);
710
711         return finish_command(&proc);
712 }
713
714 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
715 {
716         struct receive_hook_feed_state *state = state_;
717         struct command *cmd = state->cmd;
718
719         while (cmd &&
720                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
721                 cmd = cmd->next;
722         if (!cmd)
723                 return -1; /* EOF */
724         strbuf_reset(&state->buf);
725         strbuf_addf(&state->buf, "%s %s %s\n",
726                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
727                     cmd->ref_name);
728         state->cmd = cmd->next;
729         if (bufp) {
730                 *bufp = state->buf.buf;
731                 *sizep = state->buf.len;
732         }
733         return 0;
734 }
735
736 static int run_receive_hook(struct command *commands,
737                             const char *hook_name,
738                             int skip_broken,
739                             const struct string_list *push_options)
740 {
741         struct receive_hook_feed_state state;
742         int status;
743
744         strbuf_init(&state.buf, 0);
745         state.cmd = commands;
746         state.skip_broken = skip_broken;
747         if (feed_receive_hook(&state, NULL, NULL))
748                 return 0;
749         state.cmd = commands;
750         state.push_options = push_options;
751         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
752         strbuf_release(&state.buf);
753         return status;
754 }
755
756 static int run_update_hook(struct command *cmd)
757 {
758         const char *argv[5];
759         struct child_process proc = CHILD_PROCESS_INIT;
760         int code;
761
762         argv[0] = find_hook("update");
763         if (!argv[0])
764                 return 0;
765
766         argv[1] = cmd->ref_name;
767         argv[2] = sha1_to_hex(cmd->old_sha1);
768         argv[3] = sha1_to_hex(cmd->new_sha1);
769         argv[4] = NULL;
770
771         proc.no_stdin = 1;
772         proc.stdout_to_stderr = 1;
773         proc.err = use_sideband ? -1 : 0;
774         proc.argv = argv;
775         proc.env = tmp_objdir_env(tmp_objdir);
776
777         code = start_command(&proc);
778         if (code)
779                 return code;
780         if (use_sideband)
781                 copy_to_sideband(proc.err, -1, NULL);
782         return finish_command(&proc);
783 }
784
785 static int is_ref_checked_out(const char *ref)
786 {
787         if (is_bare_repository())
788                 return 0;
789
790         if (!head_name)
791                 return 0;
792         return !strcmp(head_name, ref);
793 }
794
795 static char *refuse_unconfigured_deny_msg =
796         N_("By default, updating the current branch in a non-bare repository\n"
797            "is denied, because it will make the index and work tree inconsistent\n"
798            "with what you pushed, and will require 'git reset --hard' to match\n"
799            "the work tree to HEAD.\n"
800            "\n"
801            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
802            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
803            "its current branch; however, this is not recommended unless you\n"
804            "arranged to update its work tree to match what you pushed in some\n"
805            "other way.\n"
806            "\n"
807            "To squelch this message and still keep the default behaviour, set\n"
808            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
809
810 static void refuse_unconfigured_deny(void)
811 {
812         rp_error("%s", _(refuse_unconfigured_deny_msg));
813 }
814
815 static char *refuse_unconfigured_deny_delete_current_msg =
816         N_("By default, deleting the current branch is denied, because the next\n"
817            "'git clone' won't result in any file checked out, causing confusion.\n"
818            "\n"
819            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
820            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
821            "current branch, with or without a warning message.\n"
822            "\n"
823            "To squelch this message, you can set it to 'refuse'.");
824
825 static void refuse_unconfigured_deny_delete_current(void)
826 {
827         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
828 }
829
830 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
831 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
832 {
833         static struct lock_file shallow_lock;
834         struct sha1_array extra = SHA1_ARRAY_INIT;
835         struct check_connected_options opt = CHECK_CONNECTED_INIT;
836         uint32_t mask = 1 << (cmd->index % 32);
837         int i;
838
839         trace_printf_key(&trace_shallow,
840                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
841         for (i = 0; i < si->shallow->nr; i++)
842                 if (si->used_shallow[i] &&
843                     (si->used_shallow[i][cmd->index / 32] & mask) &&
844                     !delayed_reachability_test(si, i))
845                         sha1_array_append(&extra, si->shallow->sha1[i]);
846
847         opt.env = tmp_objdir_env(tmp_objdir);
848         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
849         if (check_connected(command_singleton_iterator, cmd, &opt)) {
850                 rollback_lock_file(&shallow_lock);
851                 sha1_array_clear(&extra);
852                 return -1;
853         }
854
855         commit_lock_file(&shallow_lock);
856
857         /*
858          * Make sure setup_alternate_shallow() for the next ref does
859          * not lose these new roots..
860          */
861         for (i = 0; i < extra.nr; i++)
862                 register_shallow(extra.sha1[i]);
863
864         si->shallow_ref[cmd->index] = 0;
865         sha1_array_clear(&extra);
866         return 0;
867 }
868
869 /*
870  * NEEDSWORK: we should consolidate various implementions of "are we
871  * on an unborn branch?" test into one, and make the unified one more
872  * robust. !get_sha1() based check used here and elsewhere would not
873  * allow us to tell an unborn branch from corrupt ref, for example.
874  * For the purpose of fixing "deploy-to-update does not work when
875  * pushing into an empty repository" issue, this should suffice for
876  * now.
877  */
878 static int head_has_history(void)
879 {
880         unsigned char sha1[20];
881
882         return !get_sha1("HEAD", sha1);
883 }
884
885 static const char *push_to_deploy(unsigned char *sha1,
886                                   struct argv_array *env,
887                                   const char *work_tree)
888 {
889         const char *update_refresh[] = {
890                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
891         };
892         const char *diff_files[] = {
893                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
894         };
895         const char *diff_index[] = {
896                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
897                 NULL, "--", NULL
898         };
899         const char *read_tree[] = {
900                 "read-tree", "-u", "-m", NULL, NULL
901         };
902         struct child_process child = CHILD_PROCESS_INIT;
903
904         child.argv = update_refresh;
905         child.env = env->argv;
906         child.dir = work_tree;
907         child.no_stdin = 1;
908         child.stdout_to_stderr = 1;
909         child.git_cmd = 1;
910         if (run_command(&child))
911                 return "Up-to-date check failed";
912
913         /* run_command() does not clean up completely; reinitialize */
914         child_process_init(&child);
915         child.argv = diff_files;
916         child.env = env->argv;
917         child.dir = work_tree;
918         child.no_stdin = 1;
919         child.stdout_to_stderr = 1;
920         child.git_cmd = 1;
921         if (run_command(&child))
922                 return "Working directory has unstaged changes";
923
924         /* diff-index with either HEAD or an empty tree */
925         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
926
927         child_process_init(&child);
928         child.argv = diff_index;
929         child.env = env->argv;
930         child.no_stdin = 1;
931         child.no_stdout = 1;
932         child.stdout_to_stderr = 0;
933         child.git_cmd = 1;
934         if (run_command(&child))
935                 return "Working directory has staged changes";
936
937         read_tree[3] = sha1_to_hex(sha1);
938         child_process_init(&child);
939         child.argv = read_tree;
940         child.env = env->argv;
941         child.dir = work_tree;
942         child.no_stdin = 1;
943         child.no_stdout = 1;
944         child.stdout_to_stderr = 0;
945         child.git_cmd = 1;
946         if (run_command(&child))
947                 return "Could not update working tree to new HEAD";
948
949         return NULL;
950 }
951
952 static const char *push_to_checkout_hook = "push-to-checkout";
953
954 static const char *push_to_checkout(unsigned char *sha1,
955                                     struct argv_array *env,
956                                     const char *work_tree)
957 {
958         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
959         if (run_hook_le(env->argv, push_to_checkout_hook,
960                         sha1_to_hex(sha1), NULL))
961                 return "push-to-checkout hook declined";
962         else
963                 return NULL;
964 }
965
966 static const char *update_worktree(unsigned char *sha1)
967 {
968         const char *retval;
969         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
970         struct argv_array env = ARGV_ARRAY_INIT;
971
972         if (is_bare_repository())
973                 return "denyCurrentBranch = updateInstead needs a worktree";
974
975         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
976
977         if (!find_hook(push_to_checkout_hook))
978                 retval = push_to_deploy(sha1, &env, work_tree);
979         else
980                 retval = push_to_checkout(sha1, &env, work_tree);
981
982         argv_array_clear(&env);
983         return retval;
984 }
985
986 static const char *update(struct command *cmd, struct shallow_info *si)
987 {
988         const char *name = cmd->ref_name;
989         struct strbuf namespaced_name_buf = STRBUF_INIT;
990         const char *namespaced_name, *ret;
991         unsigned char *old_sha1 = cmd->old_sha1;
992         unsigned char *new_sha1 = cmd->new_sha1;
993
994         /* only refs/... are allowed */
995         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
996                 rp_error("refusing to create funny ref '%s' remotely", name);
997                 return "funny refname";
998         }
999
1000         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1001         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1002
1003         if (is_ref_checked_out(namespaced_name)) {
1004                 switch (deny_current_branch) {
1005                 case DENY_IGNORE:
1006                         break;
1007                 case DENY_WARN:
1008                         rp_warning("updating the current branch");
1009                         break;
1010                 case DENY_REFUSE:
1011                 case DENY_UNCONFIGURED:
1012                         rp_error("refusing to update checked out branch: %s", name);
1013                         if (deny_current_branch == DENY_UNCONFIGURED)
1014                                 refuse_unconfigured_deny();
1015                         return "branch is currently checked out";
1016                 case DENY_UPDATE_INSTEAD:
1017                         ret = update_worktree(new_sha1);
1018                         if (ret)
1019                                 return ret;
1020                         break;
1021                 }
1022         }
1023
1024         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
1025                 error("unpack should have generated %s, "
1026                       "but I can't find it!", sha1_to_hex(new_sha1));
1027                 return "bad pack";
1028         }
1029
1030         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
1031                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1032                         rp_error("denying ref deletion for %s", name);
1033                         return "deletion prohibited";
1034                 }
1035
1036                 if (head_name && !strcmp(namespaced_name, head_name)) {
1037                         switch (deny_delete_current) {
1038                         case DENY_IGNORE:
1039                                 break;
1040                         case DENY_WARN:
1041                                 rp_warning("deleting the current branch");
1042                                 break;
1043                         case DENY_REFUSE:
1044                         case DENY_UNCONFIGURED:
1045                         case DENY_UPDATE_INSTEAD:
1046                                 if (deny_delete_current == DENY_UNCONFIGURED)
1047                                         refuse_unconfigured_deny_delete_current();
1048                                 rp_error("refusing to delete the current branch: %s", name);
1049                                 return "deletion of the current branch prohibited";
1050                         default:
1051                                 return "Invalid denyDeleteCurrent setting";
1052                         }
1053                 }
1054         }
1055
1056         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
1057             !is_null_sha1(old_sha1) &&
1058             starts_with(name, "refs/heads/")) {
1059                 struct object *old_object, *new_object;
1060                 struct commit *old_commit, *new_commit;
1061
1062                 old_object = parse_object(old_sha1);
1063                 new_object = parse_object(new_sha1);
1064
1065                 if (!old_object || !new_object ||
1066                     old_object->type != OBJ_COMMIT ||
1067                     new_object->type != OBJ_COMMIT) {
1068                         error("bad sha1 objects for %s", name);
1069                         return "bad ref";
1070                 }
1071                 old_commit = (struct commit *)old_object;
1072                 new_commit = (struct commit *)new_object;
1073                 if (!in_merge_bases(old_commit, new_commit)) {
1074                         rp_error("denying non-fast-forward %s"
1075                                  " (you should pull first)", name);
1076                         return "non-fast-forward";
1077                 }
1078         }
1079         if (run_update_hook(cmd)) {
1080                 rp_error("hook declined to update %s", name);
1081                 return "hook declined";
1082         }
1083
1084         if (is_null_sha1(new_sha1)) {
1085                 struct strbuf err = STRBUF_INIT;
1086                 if (!parse_object(old_sha1)) {
1087                         old_sha1 = NULL;
1088                         if (ref_exists(name)) {
1089                                 rp_warning("Allowing deletion of corrupt ref.");
1090                         } else {
1091                                 rp_warning("Deleting a non-existent ref.");
1092                                 cmd->did_not_exist = 1;
1093                         }
1094                 }
1095                 if (ref_transaction_delete(transaction,
1096                                            namespaced_name,
1097                                            old_sha1,
1098                                            0, "push", &err)) {
1099                         rp_error("%s", err.buf);
1100                         strbuf_release(&err);
1101                         return "failed to delete";
1102                 }
1103                 strbuf_release(&err);
1104                 return NULL; /* good */
1105         }
1106         else {
1107                 struct strbuf err = STRBUF_INIT;
1108                 if (shallow_update && si->shallow_ref[cmd->index] &&
1109                     update_shallow_ref(cmd, si))
1110                         return "shallow error";
1111
1112                 if (ref_transaction_update(transaction,
1113                                            namespaced_name,
1114                                            new_sha1, old_sha1,
1115                                            0, "push",
1116                                            &err)) {
1117                         rp_error("%s", err.buf);
1118                         strbuf_release(&err);
1119
1120                         return "failed to update ref";
1121                 }
1122                 strbuf_release(&err);
1123
1124                 return NULL; /* good */
1125         }
1126 }
1127
1128 static void run_update_post_hook(struct command *commands)
1129 {
1130         struct command *cmd;
1131         struct child_process proc = CHILD_PROCESS_INIT;
1132         const char *hook;
1133
1134         hook = find_hook("post-update");
1135         if (!hook)
1136                 return;
1137
1138         for (cmd = commands; cmd; cmd = cmd->next) {
1139                 if (cmd->error_string || cmd->did_not_exist)
1140                         continue;
1141                 if (!proc.args.argc)
1142                         argv_array_push(&proc.args, hook);
1143                 argv_array_push(&proc.args, cmd->ref_name);
1144         }
1145         if (!proc.args.argc)
1146                 return;
1147
1148         proc.no_stdin = 1;
1149         proc.stdout_to_stderr = 1;
1150         proc.err = use_sideband ? -1 : 0;
1151
1152         if (!start_command(&proc)) {
1153                 if (use_sideband)
1154                         copy_to_sideband(proc.err, -1, NULL);
1155                 finish_command(&proc);
1156         }
1157 }
1158
1159 static void check_aliased_update(struct command *cmd, struct string_list *list)
1160 {
1161         struct strbuf buf = STRBUF_INIT;
1162         const char *dst_name;
1163         struct string_list_item *item;
1164         struct command *dst_cmd;
1165         unsigned char sha1[GIT_SHA1_RAWSZ];
1166         int flag;
1167
1168         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1169         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1170         strbuf_release(&buf);
1171
1172         if (!(flag & REF_ISSYMREF))
1173                 return;
1174
1175         if (!dst_name) {
1176                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1177                 cmd->skip_update = 1;
1178                 cmd->error_string = "broken symref";
1179                 return;
1180         }
1181         dst_name = strip_namespace(dst_name);
1182
1183         if ((item = string_list_lookup(list, dst_name)) == NULL)
1184                 return;
1185
1186         cmd->skip_update = 1;
1187
1188         dst_cmd = (struct command *) item->util;
1189
1190         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1191             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1192                 return;
1193
1194         dst_cmd->skip_update = 1;
1195
1196         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1197                  " its target '%s' (%s..%s)",
1198                  cmd->ref_name,
1199                  find_unique_abbrev(cmd->old_sha1, DEFAULT_ABBREV),
1200                  find_unique_abbrev(cmd->new_sha1, DEFAULT_ABBREV),
1201                  dst_cmd->ref_name,
1202                  find_unique_abbrev(dst_cmd->old_sha1, DEFAULT_ABBREV),
1203                  find_unique_abbrev(dst_cmd->new_sha1, DEFAULT_ABBREV));
1204
1205         cmd->error_string = dst_cmd->error_string =
1206                 "inconsistent aliased update";
1207 }
1208
1209 static void check_aliased_updates(struct command *commands)
1210 {
1211         struct command *cmd;
1212         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1213
1214         for (cmd = commands; cmd; cmd = cmd->next) {
1215                 struct string_list_item *item =
1216                         string_list_append(&ref_list, cmd->ref_name);
1217                 item->util = (void *)cmd;
1218         }
1219         string_list_sort(&ref_list);
1220
1221         for (cmd = commands; cmd; cmd = cmd->next) {
1222                 if (!cmd->error_string)
1223                         check_aliased_update(cmd, &ref_list);
1224         }
1225
1226         string_list_clear(&ref_list, 0);
1227 }
1228
1229 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1230 {
1231         struct command **cmd_list = cb_data;
1232         struct command *cmd = *cmd_list;
1233
1234         if (!cmd || is_null_sha1(cmd->new_sha1))
1235                 return -1; /* end of list */
1236         *cmd_list = NULL; /* this returns only one */
1237         hashcpy(sha1, cmd->new_sha1);
1238         return 0;
1239 }
1240
1241 static void set_connectivity_errors(struct command *commands,
1242                                     struct shallow_info *si)
1243 {
1244         struct command *cmd;
1245
1246         for (cmd = commands; cmd; cmd = cmd->next) {
1247                 struct command *singleton = cmd;
1248                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1249
1250                 if (shallow_update && si->shallow_ref[cmd->index])
1251                         /* to be checked in update_shallow_ref() */
1252                         continue;
1253
1254                 opt.env = tmp_objdir_env(tmp_objdir);
1255                 if (!check_connected(command_singleton_iterator, &singleton,
1256                                      &opt))
1257                         continue;
1258
1259                 cmd->error_string = "missing necessary objects";
1260         }
1261 }
1262
1263 struct iterate_data {
1264         struct command *cmds;
1265         struct shallow_info *si;
1266 };
1267
1268 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1269 {
1270         struct iterate_data *data = cb_data;
1271         struct command **cmd_list = &data->cmds;
1272         struct command *cmd = *cmd_list;
1273
1274         for (; cmd; cmd = cmd->next) {
1275                 if (shallow_update && data->si->shallow_ref[cmd->index])
1276                         /* to be checked in update_shallow_ref() */
1277                         continue;
1278                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1279                         hashcpy(sha1, cmd->new_sha1);
1280                         *cmd_list = cmd->next;
1281                         return 0;
1282                 }
1283         }
1284         *cmd_list = NULL;
1285         return -1; /* end of list */
1286 }
1287
1288 static void reject_updates_to_hidden(struct command *commands)
1289 {
1290         struct strbuf refname_full = STRBUF_INIT;
1291         size_t prefix_len;
1292         struct command *cmd;
1293
1294         strbuf_addstr(&refname_full, get_git_namespace());
1295         prefix_len = refname_full.len;
1296
1297         for (cmd = commands; cmd; cmd = cmd->next) {
1298                 if (cmd->error_string)
1299                         continue;
1300
1301                 strbuf_setlen(&refname_full, prefix_len);
1302                 strbuf_addstr(&refname_full, cmd->ref_name);
1303
1304                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1305                         continue;
1306                 if (is_null_sha1(cmd->new_sha1))
1307                         cmd->error_string = "deny deleting a hidden ref";
1308                 else
1309                         cmd->error_string = "deny updating a hidden ref";
1310         }
1311
1312         strbuf_release(&refname_full);
1313 }
1314
1315 static int should_process_cmd(struct command *cmd)
1316 {
1317         return !cmd->error_string && !cmd->skip_update;
1318 }
1319
1320 static void warn_if_skipped_connectivity_check(struct command *commands,
1321                                                struct shallow_info *si)
1322 {
1323         struct command *cmd;
1324         int checked_connectivity = 1;
1325
1326         for (cmd = commands; cmd; cmd = cmd->next) {
1327                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1328                         error("BUG: connectivity check has not been run on ref %s",
1329                               cmd->ref_name);
1330                         checked_connectivity = 0;
1331                 }
1332         }
1333         if (!checked_connectivity)
1334                 die("BUG: connectivity check skipped???");
1335 }
1336
1337 static void execute_commands_non_atomic(struct command *commands,
1338                                         struct shallow_info *si)
1339 {
1340         struct command *cmd;
1341         struct strbuf err = STRBUF_INIT;
1342
1343         for (cmd = commands; cmd; cmd = cmd->next) {
1344                 if (!should_process_cmd(cmd))
1345                         continue;
1346
1347                 transaction = ref_transaction_begin(&err);
1348                 if (!transaction) {
1349                         rp_error("%s", err.buf);
1350                         strbuf_reset(&err);
1351                         cmd->error_string = "transaction failed to start";
1352                         continue;
1353                 }
1354
1355                 cmd->error_string = update(cmd, si);
1356
1357                 if (!cmd->error_string
1358                     && ref_transaction_commit(transaction, &err)) {
1359                         rp_error("%s", err.buf);
1360                         strbuf_reset(&err);
1361                         cmd->error_string = "failed to update ref";
1362                 }
1363                 ref_transaction_free(transaction);
1364         }
1365         strbuf_release(&err);
1366 }
1367
1368 static void execute_commands_atomic(struct command *commands,
1369                                         struct shallow_info *si)
1370 {
1371         struct command *cmd;
1372         struct strbuf err = STRBUF_INIT;
1373         const char *reported_error = "atomic push failure";
1374
1375         transaction = ref_transaction_begin(&err);
1376         if (!transaction) {
1377                 rp_error("%s", err.buf);
1378                 strbuf_reset(&err);
1379                 reported_error = "transaction failed to start";
1380                 goto failure;
1381         }
1382
1383         for (cmd = commands; cmd; cmd = cmd->next) {
1384                 if (!should_process_cmd(cmd))
1385                         continue;
1386
1387                 cmd->error_string = update(cmd, si);
1388
1389                 if (cmd->error_string)
1390                         goto failure;
1391         }
1392
1393         if (ref_transaction_commit(transaction, &err)) {
1394                 rp_error("%s", err.buf);
1395                 reported_error = "atomic transaction failed";
1396                 goto failure;
1397         }
1398         goto cleanup;
1399
1400 failure:
1401         for (cmd = commands; cmd; cmd = cmd->next)
1402                 if (!cmd->error_string)
1403                         cmd->error_string = reported_error;
1404
1405 cleanup:
1406         ref_transaction_free(transaction);
1407         strbuf_release(&err);
1408 }
1409
1410 static void execute_commands(struct command *commands,
1411                              const char *unpacker_error,
1412                              struct shallow_info *si,
1413                              const struct string_list *push_options)
1414 {
1415         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1416         struct command *cmd;
1417         struct object_id oid;
1418         struct iterate_data data;
1419         struct async muxer;
1420         int err_fd = 0;
1421
1422         if (unpacker_error) {
1423                 for (cmd = commands; cmd; cmd = cmd->next)
1424                         cmd->error_string = "unpacker error";
1425                 return;
1426         }
1427
1428         if (use_sideband) {
1429                 memset(&muxer, 0, sizeof(muxer));
1430                 muxer.proc = copy_to_sideband;
1431                 muxer.in = -1;
1432                 if (!start_async(&muxer))
1433                         err_fd = muxer.in;
1434                 /* ...else, continue without relaying sideband */
1435         }
1436
1437         data.cmds = commands;
1438         data.si = si;
1439         opt.err_fd = err_fd;
1440         opt.progress = err_fd && !quiet;
1441         opt.env = tmp_objdir_env(tmp_objdir);
1442         if (check_connected(iterate_receive_command_list, &data, &opt))
1443                 set_connectivity_errors(commands, si);
1444
1445         if (use_sideband)
1446                 finish_async(&muxer);
1447
1448         reject_updates_to_hidden(commands);
1449
1450         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1451                 for (cmd = commands; cmd; cmd = cmd->next) {
1452                         if (!cmd->error_string)
1453                                 cmd->error_string = "pre-receive hook declined";
1454                 }
1455                 return;
1456         }
1457
1458         /*
1459          * Now we'll start writing out refs, which means the objects need
1460          * to be in their final positions so that other processes can see them.
1461          */
1462         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1463                 for (cmd = commands; cmd; cmd = cmd->next) {
1464                         if (!cmd->error_string)
1465                                 cmd->error_string = "unable to migrate objects to permanent storage";
1466                 }
1467                 return;
1468         }
1469         tmp_objdir = NULL;
1470
1471         check_aliased_updates(commands);
1472
1473         free(head_name_to_free);
1474         head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1475
1476         if (use_atomic)
1477                 execute_commands_atomic(commands, si);
1478         else
1479                 execute_commands_non_atomic(commands, si);
1480
1481         if (shallow_update)
1482                 warn_if_skipped_connectivity_check(commands, si);
1483 }
1484
1485 static struct command **queue_command(struct command **tail,
1486                                       const char *line,
1487                                       int linelen)
1488 {
1489         unsigned char old_sha1[20], new_sha1[20];
1490         struct command *cmd;
1491         const char *refname;
1492         int reflen;
1493
1494         if (linelen < 83 ||
1495             line[40] != ' ' ||
1496             line[81] != ' ' ||
1497             get_sha1_hex(line, old_sha1) ||
1498             get_sha1_hex(line + 41, new_sha1))
1499                 die("protocol error: expected old/new/ref, got '%s'", line);
1500
1501         refname = line + 82;
1502         reflen = linelen - 82;
1503         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1504         hashcpy(cmd->old_sha1, old_sha1);
1505         hashcpy(cmd->new_sha1, new_sha1);
1506         *tail = cmd;
1507         return &cmd->next;
1508 }
1509
1510 static void queue_commands_from_cert(struct command **tail,
1511                                      struct strbuf *push_cert)
1512 {
1513         const char *boc, *eoc;
1514
1515         if (*tail)
1516                 die("protocol error: got both push certificate and unsigned commands");
1517
1518         boc = strstr(push_cert->buf, "\n\n");
1519         if (!boc)
1520                 die("malformed push certificate %.*s", 100, push_cert->buf);
1521         else
1522                 boc += 2;
1523         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1524
1525         while (boc < eoc) {
1526                 const char *eol = memchr(boc, '\n', eoc - boc);
1527                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1528                 boc = eol ? eol + 1 : eoc;
1529         }
1530 }
1531
1532 static struct command *read_head_info(struct sha1_array *shallow)
1533 {
1534         struct command *commands = NULL;
1535         struct command **p = &commands;
1536         for (;;) {
1537                 char *line;
1538                 int len, linelen;
1539
1540                 line = packet_read_line(0, &len);
1541                 if (!line)
1542                         break;
1543
1544                 if (len == 48 && starts_with(line, "shallow ")) {
1545                         unsigned char sha1[20];
1546                         if (get_sha1_hex(line + 8, sha1))
1547                                 die("protocol error: expected shallow sha, got '%s'",
1548                                     line + 8);
1549                         sha1_array_append(shallow, sha1);
1550                         continue;
1551                 }
1552
1553                 linelen = strlen(line);
1554                 if (linelen < len) {
1555                         const char *feature_list = line + linelen + 1;
1556                         if (parse_feature_request(feature_list, "report-status"))
1557                                 report_status = 1;
1558                         if (parse_feature_request(feature_list, "side-band-64k"))
1559                                 use_sideband = LARGE_PACKET_MAX;
1560                         if (parse_feature_request(feature_list, "quiet"))
1561                                 quiet = 1;
1562                         if (advertise_atomic_push
1563                             && parse_feature_request(feature_list, "atomic"))
1564                                 use_atomic = 1;
1565                         if (advertise_push_options
1566                             && parse_feature_request(feature_list, "push-options"))
1567                                 use_push_options = 1;
1568                 }
1569
1570                 if (!strcmp(line, "push-cert")) {
1571                         int true_flush = 0;
1572                         char certbuf[1024];
1573
1574                         for (;;) {
1575                                 len = packet_read(0, NULL, NULL,
1576                                                   certbuf, sizeof(certbuf), 0);
1577                                 if (!len) {
1578                                         true_flush = 1;
1579                                         break;
1580                                 }
1581                                 if (!strcmp(certbuf, "push-cert-end\n"))
1582                                         break; /* end of cert */
1583                                 strbuf_addstr(&push_cert, certbuf);
1584                         }
1585
1586                         if (true_flush)
1587                                 break;
1588                         continue;
1589                 }
1590
1591                 p = queue_command(p, line, linelen);
1592         }
1593
1594         if (push_cert.len)
1595                 queue_commands_from_cert(p, &push_cert);
1596
1597         return commands;
1598 }
1599
1600 static void read_push_options(struct string_list *options)
1601 {
1602         while (1) {
1603                 char *line;
1604                 int len;
1605
1606                 line = packet_read_line(0, &len);
1607
1608                 if (!line)
1609                         break;
1610
1611                 string_list_append(options, line);
1612         }
1613 }
1614
1615 static const char *parse_pack_header(struct pack_header *hdr)
1616 {
1617         switch (read_pack_header(0, hdr)) {
1618         case PH_ERROR_EOF:
1619                 return "eof before pack header was fully read";
1620
1621         case PH_ERROR_PACK_SIGNATURE:
1622                 return "protocol error (pack signature mismatch detected)";
1623
1624         case PH_ERROR_PROTOCOL:
1625                 return "protocol error (pack version unsupported)";
1626
1627         default:
1628                 return "unknown error in parse_pack_header";
1629
1630         case 0:
1631                 return NULL;
1632         }
1633 }
1634
1635 static const char *pack_lockfile;
1636
1637 static const char *unpack(int err_fd, struct shallow_info *si)
1638 {
1639         struct pack_header hdr;
1640         const char *hdr_err;
1641         int status;
1642         char hdr_arg[38];
1643         struct child_process child = CHILD_PROCESS_INIT;
1644         int fsck_objects = (receive_fsck_objects >= 0
1645                             ? receive_fsck_objects
1646                             : transfer_fsck_objects >= 0
1647                             ? transfer_fsck_objects
1648                             : 0);
1649
1650         hdr_err = parse_pack_header(&hdr);
1651         if (hdr_err) {
1652                 if (err_fd > 0)
1653                         close(err_fd);
1654                 return hdr_err;
1655         }
1656         snprintf(hdr_arg, sizeof(hdr_arg),
1657                         "--pack_header=%"PRIu32",%"PRIu32,
1658                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1659
1660         if (si->nr_ours || si->nr_theirs) {
1661                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1662                 argv_array_push(&child.args, "--shallow-file");
1663                 argv_array_push(&child.args, alt_shallow_file);
1664         }
1665
1666         tmp_objdir = tmp_objdir_create();
1667         if (!tmp_objdir) {
1668                 if (err_fd > 0)
1669                         close(err_fd);
1670                 return "unable to create temporary object directory";
1671         }
1672         child.env = tmp_objdir_env(tmp_objdir);
1673
1674         /*
1675          * Normally we just pass the tmp_objdir environment to the child
1676          * processes that do the heavy lifting, but we may need to see these
1677          * objects ourselves to set up shallow information.
1678          */
1679         tmp_objdir_add_as_alternate(tmp_objdir);
1680
1681         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1682                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1683                 if (quiet)
1684                         argv_array_push(&child.args, "-q");
1685                 if (fsck_objects)
1686                         argv_array_pushf(&child.args, "--strict%s",
1687                                 fsck_msg_types.buf);
1688                 if (max_input_size)
1689                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1690                                 (uintmax_t)max_input_size);
1691                 child.no_stdout = 1;
1692                 child.err = err_fd;
1693                 child.git_cmd = 1;
1694                 status = run_command(&child);
1695                 if (status)
1696                         return "unpack-objects abnormal exit";
1697         } else {
1698                 char hostname[256];
1699
1700                 argv_array_pushl(&child.args, "index-pack",
1701                                  "--stdin", hdr_arg, NULL);
1702
1703                 if (gethostname(hostname, sizeof(hostname)))
1704                         xsnprintf(hostname, sizeof(hostname), "localhost");
1705                 argv_array_pushf(&child.args,
1706                                  "--keep=receive-pack %"PRIuMAX" on %s",
1707                                  (uintmax_t)getpid(),
1708                                  hostname);
1709
1710                 if (!quiet && err_fd)
1711                         argv_array_push(&child.args, "--show-resolving-progress");
1712                 if (use_sideband)
1713                         argv_array_push(&child.args, "--report-end-of-input");
1714                 if (fsck_objects)
1715                         argv_array_pushf(&child.args, "--strict%s",
1716                                 fsck_msg_types.buf);
1717                 if (!reject_thin)
1718                         argv_array_push(&child.args, "--fix-thin");
1719                 if (max_input_size)
1720                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1721                                 (uintmax_t)max_input_size);
1722                 child.out = -1;
1723                 child.err = err_fd;
1724                 child.git_cmd = 1;
1725                 status = start_command(&child);
1726                 if (status)
1727                         return "index-pack fork failed";
1728                 pack_lockfile = index_pack_lockfile(child.out);
1729                 close(child.out);
1730                 status = finish_command(&child);
1731                 if (status)
1732                         return "index-pack abnormal exit";
1733                 reprepare_packed_git();
1734         }
1735         return NULL;
1736 }
1737
1738 static const char *unpack_with_sideband(struct shallow_info *si)
1739 {
1740         struct async muxer;
1741         const char *ret;
1742
1743         if (!use_sideband)
1744                 return unpack(0, si);
1745
1746         use_keepalive = KEEPALIVE_AFTER_NUL;
1747         memset(&muxer, 0, sizeof(muxer));
1748         muxer.proc = copy_to_sideband;
1749         muxer.in = -1;
1750         if (start_async(&muxer))
1751                 return NULL;
1752
1753         ret = unpack(muxer.in, si);
1754
1755         finish_async(&muxer);
1756         return ret;
1757 }
1758
1759 static void prepare_shallow_update(struct command *commands,
1760                                    struct shallow_info *si)
1761 {
1762         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1763
1764         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1765         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1766
1767         si->need_reachability_test =
1768                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1769         si->reachable =
1770                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1771         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1772
1773         for (i = 0; i < si->nr_ours; i++)
1774                 si->need_reachability_test[si->ours[i]] = 1;
1775
1776         for (i = 0; i < si->shallow->nr; i++) {
1777                 if (!si->used_shallow[i])
1778                         continue;
1779                 for (j = 0; j < bitmap_size; j++) {
1780                         if (!si->used_shallow[i][j])
1781                                 continue;
1782                         si->need_reachability_test[i]++;
1783                         for (k = 0; k < 32; k++)
1784                                 if (si->used_shallow[i][j] & (1U << k))
1785                                         si->shallow_ref[j * 32 + k]++;
1786                 }
1787
1788                 /*
1789                  * true for those associated with some refs and belong
1790                  * in "ours" list aka "step 7 not done yet"
1791                  */
1792                 si->need_reachability_test[i] =
1793                         si->need_reachability_test[i] > 1;
1794         }
1795
1796         /*
1797          * keep hooks happy by forcing a temporary shallow file via
1798          * env variable because we can't add --shallow-file to every
1799          * command. check_everything_connected() will be done with
1800          * true .git/shallow though.
1801          */
1802         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1803 }
1804
1805 static void update_shallow_info(struct command *commands,
1806                                 struct shallow_info *si,
1807                                 struct sha1_array *ref)
1808 {
1809         struct command *cmd;
1810         int *ref_status;
1811         remove_nonexistent_theirs_shallow(si);
1812         if (!si->nr_ours && !si->nr_theirs) {
1813                 shallow_update = 0;
1814                 return;
1815         }
1816
1817         for (cmd = commands; cmd; cmd = cmd->next) {
1818                 if (is_null_sha1(cmd->new_sha1))
1819                         continue;
1820                 sha1_array_append(ref, cmd->new_sha1);
1821                 cmd->index = ref->nr - 1;
1822         }
1823         si->ref = ref;
1824
1825         if (shallow_update) {
1826                 prepare_shallow_update(commands, si);
1827                 return;
1828         }
1829
1830         ALLOC_ARRAY(ref_status, ref->nr);
1831         assign_shallow_commits_to_refs(si, NULL, ref_status);
1832         for (cmd = commands; cmd; cmd = cmd->next) {
1833                 if (is_null_sha1(cmd->new_sha1))
1834                         continue;
1835                 if (ref_status[cmd->index]) {
1836                         cmd->error_string = "shallow update not allowed";
1837                         cmd->skip_update = 1;
1838                 }
1839         }
1840         free(ref_status);
1841 }
1842
1843 static void report(struct command *commands, const char *unpack_status)
1844 {
1845         struct command *cmd;
1846         struct strbuf buf = STRBUF_INIT;
1847
1848         packet_buf_write(&buf, "unpack %s\n",
1849                          unpack_status ? unpack_status : "ok");
1850         for (cmd = commands; cmd; cmd = cmd->next) {
1851                 if (!cmd->error_string)
1852                         packet_buf_write(&buf, "ok %s\n",
1853                                          cmd->ref_name);
1854                 else
1855                         packet_buf_write(&buf, "ng %s %s\n",
1856                                          cmd->ref_name, cmd->error_string);
1857         }
1858         packet_buf_flush(&buf);
1859
1860         if (use_sideband)
1861                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1862         else
1863                 write_or_die(1, buf.buf, buf.len);
1864         strbuf_release(&buf);
1865 }
1866
1867 static int delete_only(struct command *commands)
1868 {
1869         struct command *cmd;
1870         for (cmd = commands; cmd; cmd = cmd->next) {
1871                 if (!is_null_sha1(cmd->new_sha1))
1872                         return 0;
1873         }
1874         return 1;
1875 }
1876
1877 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1878 {
1879         int advertise_refs = 0;
1880         struct command *commands;
1881         struct sha1_array shallow = SHA1_ARRAY_INIT;
1882         struct sha1_array ref = SHA1_ARRAY_INIT;
1883         struct shallow_info si;
1884
1885         struct option options[] = {
1886                 OPT__QUIET(&quiet, N_("quiet")),
1887                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1888                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1889                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1890                 OPT_END()
1891         };
1892
1893         packet_trace_identity("receive-pack");
1894
1895         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1896
1897         if (argc > 1)
1898                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1899         if (argc == 0)
1900                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1901
1902         service_dir = argv[0];
1903
1904         setup_path();
1905
1906         if (!enter_repo(service_dir, 0))
1907                 die("'%s' does not appear to be a git repository", service_dir);
1908
1909         git_config(receive_pack_config, NULL);
1910         if (cert_nonce_seed)
1911                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1912
1913         if (0 <= transfer_unpack_limit)
1914                 unpack_limit = transfer_unpack_limit;
1915         else if (0 <= receive_unpack_limit)
1916                 unpack_limit = receive_unpack_limit;
1917
1918         if (advertise_refs || !stateless_rpc) {
1919                 write_head_info();
1920         }
1921         if (advertise_refs)
1922                 return 0;
1923
1924         if ((commands = read_head_info(&shallow)) != NULL) {
1925                 const char *unpack_status = NULL;
1926                 struct string_list push_options = STRING_LIST_INIT_DUP;
1927
1928                 if (use_push_options)
1929                         read_push_options(&push_options);
1930
1931                 prepare_shallow_info(&si, &shallow);
1932                 if (!si.nr_ours && !si.nr_theirs)
1933                         shallow_update = 0;
1934                 if (!delete_only(commands)) {
1935                         unpack_status = unpack_with_sideband(&si);
1936                         update_shallow_info(commands, &si, &ref);
1937                 }
1938                 use_keepalive = KEEPALIVE_ALWAYS;
1939                 execute_commands(commands, unpack_status, &si,
1940                                  &push_options);
1941                 if (pack_lockfile)
1942                         unlink_or_warn(pack_lockfile);
1943                 if (report_status)
1944                         report(commands, unpack_status);
1945                 run_receive_hook(commands, "post-receive", 1,
1946                                  &push_options);
1947                 run_update_post_hook(commands);
1948                 string_list_clear(&push_options, 0);
1949                 if (auto_gc) {
1950                         const char *argv_gc_auto[] = {
1951                                 "gc", "--auto", "--quiet", NULL,
1952                         };
1953                         struct child_process proc = CHILD_PROCESS_INIT;
1954
1955                         proc.no_stdin = 1;
1956                         proc.stdout_to_stderr = 1;
1957                         proc.err = use_sideband ? -1 : 0;
1958                         proc.git_cmd = 1;
1959                         proc.argv = argv_gc_auto;
1960
1961                         close_all_packs();
1962                         if (!start_command(&proc)) {
1963                                 if (use_sideband)
1964                                         copy_to_sideband(proc.err, -1, NULL);
1965                                 finish_command(&proc);
1966                         }
1967                 }
1968                 if (auto_update_server_info)
1969                         update_server_info(0);
1970                 clear_shallow_info(&si);
1971         }
1972         if (use_sideband)
1973                 packet_flush(1);
1974         sha1_array_clear(&shallow);
1975         sha1_array_clear(&ref);
1976         free((void *)push_cert_nonce);
1977         return 0;
1978 }