Merge branch 'jk/rerere-xsnprintf'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23
24 static const char receive_pack_usage[] = "git receive-pack <git-dir>";
25
26 enum deny_action {
27         DENY_UNCONFIGURED,
28         DENY_IGNORE,
29         DENY_WARN,
30         DENY_REFUSE,
31         DENY_UPDATE_INSTEAD
32 };
33
34 static int deny_deletes;
35 static int deny_non_fast_forwards;
36 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
37 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
38 static int receive_fsck_objects = -1;
39 static int transfer_fsck_objects = -1;
40 static struct strbuf fsck_msg_types = STRBUF_INIT;
41 static int receive_unpack_limit = -1;
42 static int transfer_unpack_limit = -1;
43 static int advertise_atomic_push = 1;
44 static int unpack_limit = 100;
45 static int report_status;
46 static int use_sideband;
47 static int use_atomic;
48 static int quiet;
49 static int prefer_ofs_delta = 1;
50 static int auto_update_server_info;
51 static int auto_gc = 1;
52 static int fix_thin = 1;
53 static int stateless_rpc;
54 static const char *service_dir;
55 static const char *head_name;
56 static void *head_name_to_free;
57 static int sent_capabilities;
58 static int shallow_update;
59 static const char *alt_shallow_file;
60 static struct strbuf push_cert = STRBUF_INIT;
61 static unsigned char push_cert_sha1[20];
62 static struct signature_check sigcheck;
63 static const char *push_cert_nonce;
64 static const char *cert_nonce_seed;
65
66 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
67 static const char *NONCE_BAD = "BAD";
68 static const char *NONCE_MISSING = "MISSING";
69 static const char *NONCE_OK = "OK";
70 static const char *NONCE_SLOP = "SLOP";
71 static const char *nonce_status;
72 static long nonce_stamp_slop;
73 static unsigned long nonce_stamp_slop_limit;
74 static struct ref_transaction *transaction;
75
76 static enum deny_action parse_deny_action(const char *var, const char *value)
77 {
78         if (value) {
79                 if (!strcasecmp(value, "ignore"))
80                         return DENY_IGNORE;
81                 if (!strcasecmp(value, "warn"))
82                         return DENY_WARN;
83                 if (!strcasecmp(value, "refuse"))
84                         return DENY_REFUSE;
85                 if (!strcasecmp(value, "updateinstead"))
86                         return DENY_UPDATE_INSTEAD;
87         }
88         if (git_config_bool(var, value))
89                 return DENY_REFUSE;
90         return DENY_IGNORE;
91 }
92
93 static int receive_pack_config(const char *var, const char *value, void *cb)
94 {
95         int status = parse_hide_refs_config(var, value, "receive");
96
97         if (status)
98                 return status;
99
100         if (strcmp(var, "receive.denydeletes") == 0) {
101                 deny_deletes = git_config_bool(var, value);
102                 return 0;
103         }
104
105         if (strcmp(var, "receive.denynonfastforwards") == 0) {
106                 deny_non_fast_forwards = git_config_bool(var, value);
107                 return 0;
108         }
109
110         if (strcmp(var, "receive.unpacklimit") == 0) {
111                 receive_unpack_limit = git_config_int(var, value);
112                 return 0;
113         }
114
115         if (strcmp(var, "transfer.unpacklimit") == 0) {
116                 transfer_unpack_limit = git_config_int(var, value);
117                 return 0;
118         }
119
120         if (strcmp(var, "receive.fsck.skiplist") == 0) {
121                 const char *path;
122
123                 if (git_config_pathname(&path, var, value))
124                         return 1;
125                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
126                         fsck_msg_types.len ? ',' : '=', path);
127                 free((char *)path);
128                 return 0;
129         }
130
131         if (skip_prefix(var, "receive.fsck.", &var)) {
132                 if (is_valid_msg_type(var, value))
133                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
134                                 fsck_msg_types.len ? ',' : '=', var, value);
135                 else
136                         warning("Skipping unknown msg id '%s'", var);
137                 return 0;
138         }
139
140         if (strcmp(var, "receive.fsckobjects") == 0) {
141                 receive_fsck_objects = git_config_bool(var, value);
142                 return 0;
143         }
144
145         if (strcmp(var, "transfer.fsckobjects") == 0) {
146                 transfer_fsck_objects = git_config_bool(var, value);
147                 return 0;
148         }
149
150         if (!strcmp(var, "receive.denycurrentbranch")) {
151                 deny_current_branch = parse_deny_action(var, value);
152                 return 0;
153         }
154
155         if (strcmp(var, "receive.denydeletecurrent") == 0) {
156                 deny_delete_current = parse_deny_action(var, value);
157                 return 0;
158         }
159
160         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
161                 prefer_ofs_delta = git_config_bool(var, value);
162                 return 0;
163         }
164
165         if (strcmp(var, "receive.updateserverinfo") == 0) {
166                 auto_update_server_info = git_config_bool(var, value);
167                 return 0;
168         }
169
170         if (strcmp(var, "receive.autogc") == 0) {
171                 auto_gc = git_config_bool(var, value);
172                 return 0;
173         }
174
175         if (strcmp(var, "receive.shallowupdate") == 0) {
176                 shallow_update = git_config_bool(var, value);
177                 return 0;
178         }
179
180         if (strcmp(var, "receive.certnonceseed") == 0)
181                 return git_config_string(&cert_nonce_seed, var, value);
182
183         if (strcmp(var, "receive.certnonceslop") == 0) {
184                 nonce_stamp_slop_limit = git_config_ulong(var, value);
185                 return 0;
186         }
187
188         if (strcmp(var, "receive.advertiseatomic") == 0) {
189                 advertise_atomic_push = git_config_bool(var, value);
190                 return 0;
191         }
192
193         return git_default_config(var, value, cb);
194 }
195
196 static void show_ref(const char *path, const unsigned char *sha1)
197 {
198         if (sent_capabilities) {
199                 packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
200         } else {
201                 struct strbuf cap = STRBUF_INIT;
202
203                 strbuf_addstr(&cap,
204                               "report-status delete-refs side-band-64k quiet");
205                 if (advertise_atomic_push)
206                         strbuf_addstr(&cap, " atomic");
207                 if (prefer_ofs_delta)
208                         strbuf_addstr(&cap, " ofs-delta");
209                 if (push_cert_nonce)
210                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
211                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
212                 packet_write(1, "%s %s%c%s\n",
213                              sha1_to_hex(sha1), path, 0, cap.buf);
214                 strbuf_release(&cap);
215                 sent_capabilities = 1;
216         }
217 }
218
219 static int show_ref_cb(const char *path_full, const struct object_id *oid,
220                        int flag, void *unused)
221 {
222         const char *path = strip_namespace(path_full);
223
224         if (ref_is_hidden(path, path_full))
225                 return 0;
226
227         /*
228          * Advertise refs outside our current namespace as ".have"
229          * refs, so that the client can use them to minimize data
230          * transfer but will otherwise ignore them. This happens to
231          * cover ".have" that are thrown in by add_one_alternate_ref()
232          * to mark histories that are complete in our alternates as
233          * well.
234          */
235         if (!path)
236                 path = ".have";
237         show_ref(path, oid->hash);
238         return 0;
239 }
240
241 static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
242 {
243         show_ref(".have", sha1);
244 }
245
246 static void collect_one_alternate_ref(const struct ref *ref, void *data)
247 {
248         struct sha1_array *sa = data;
249         sha1_array_append(sa, ref->old_oid.hash);
250 }
251
252 static void write_head_info(void)
253 {
254         struct sha1_array sa = SHA1_ARRAY_INIT;
255
256         for_each_alternate_ref(collect_one_alternate_ref, &sa);
257         sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
258         sha1_array_clear(&sa);
259         for_each_ref(show_ref_cb, NULL);
260         if (!sent_capabilities)
261                 show_ref("capabilities^{}", null_sha1);
262
263         advertise_shallow_grafts(1);
264
265         /* EOF */
266         packet_flush(1);
267 }
268
269 struct command {
270         struct command *next;
271         const char *error_string;
272         unsigned int skip_update:1,
273                      did_not_exist:1;
274         int index;
275         unsigned char old_sha1[20];
276         unsigned char new_sha1[20];
277         char ref_name[FLEX_ARRAY]; /* more */
278 };
279
280 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
281 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
282
283 static void report_message(const char *prefix, const char *err, va_list params)
284 {
285         int sz;
286         char msg[4096];
287
288         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
289         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
290         if (sz > (sizeof(msg) - 1))
291                 sz = sizeof(msg) - 1;
292         msg[sz++] = '\n';
293
294         if (use_sideband)
295                 send_sideband(1, 2, msg, sz, use_sideband);
296         else
297                 xwrite(2, msg, sz);
298 }
299
300 static void rp_warning(const char *err, ...)
301 {
302         va_list params;
303         va_start(params, err);
304         report_message("warning: ", err, params);
305         va_end(params);
306 }
307
308 static void rp_error(const char *err, ...)
309 {
310         va_list params;
311         va_start(params, err);
312         report_message("error: ", err, params);
313         va_end(params);
314 }
315
316 static int copy_to_sideband(int in, int out, void *arg)
317 {
318         char data[128];
319         while (1) {
320                 ssize_t sz = xread(in, data, sizeof(data));
321                 if (sz <= 0)
322                         break;
323                 send_sideband(1, 2, data, sz, use_sideband);
324         }
325         close(in);
326         return 0;
327 }
328
329 #define HMAC_BLOCK_SIZE 64
330
331 static void hmac_sha1(unsigned char *out,
332                       const char *key_in, size_t key_len,
333                       const char *text, size_t text_len)
334 {
335         unsigned char key[HMAC_BLOCK_SIZE];
336         unsigned char k_ipad[HMAC_BLOCK_SIZE];
337         unsigned char k_opad[HMAC_BLOCK_SIZE];
338         int i;
339         git_SHA_CTX ctx;
340
341         /* RFC 2104 2. (1) */
342         memset(key, '\0', HMAC_BLOCK_SIZE);
343         if (HMAC_BLOCK_SIZE < key_len) {
344                 git_SHA1_Init(&ctx);
345                 git_SHA1_Update(&ctx, key_in, key_len);
346                 git_SHA1_Final(key, &ctx);
347         } else {
348                 memcpy(key, key_in, key_len);
349         }
350
351         /* RFC 2104 2. (2) & (5) */
352         for (i = 0; i < sizeof(key); i++) {
353                 k_ipad[i] = key[i] ^ 0x36;
354                 k_opad[i] = key[i] ^ 0x5c;
355         }
356
357         /* RFC 2104 2. (3) & (4) */
358         git_SHA1_Init(&ctx);
359         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
360         git_SHA1_Update(&ctx, text, text_len);
361         git_SHA1_Final(out, &ctx);
362
363         /* RFC 2104 2. (6) & (7) */
364         git_SHA1_Init(&ctx);
365         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
366         git_SHA1_Update(&ctx, out, 20);
367         git_SHA1_Final(out, &ctx);
368 }
369
370 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
371 {
372         struct strbuf buf = STRBUF_INIT;
373         unsigned char sha1[20];
374
375         strbuf_addf(&buf, "%s:%lu", path, stamp);
376         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
377         strbuf_release(&buf);
378
379         /* RFC 2104 5. HMAC-SHA1-80 */
380         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
381         return strbuf_detach(&buf, NULL);
382 }
383
384 /*
385  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
386  * after dropping "_commit" from its name and possibly moving it out
387  * of commit.c
388  */
389 static char *find_header(const char *msg, size_t len, const char *key)
390 {
391         int key_len = strlen(key);
392         const char *line = msg;
393
394         while (line && line < msg + len) {
395                 const char *eol = strchrnul(line, '\n');
396
397                 if ((msg + len <= eol) || line == eol)
398                         return NULL;
399                 if (line + key_len < eol &&
400                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
401                         int offset = key_len + 1;
402                         return xmemdupz(line + offset, (eol - line) - offset);
403                 }
404                 line = *eol ? eol + 1 : NULL;
405         }
406         return NULL;
407 }
408
409 static const char *check_nonce(const char *buf, size_t len)
410 {
411         char *nonce = find_header(buf, len, "nonce");
412         unsigned long stamp, ostamp;
413         char *bohmac, *expect = NULL;
414         const char *retval = NONCE_BAD;
415
416         if (!nonce) {
417                 retval = NONCE_MISSING;
418                 goto leave;
419         } else if (!push_cert_nonce) {
420                 retval = NONCE_UNSOLICITED;
421                 goto leave;
422         } else if (!strcmp(push_cert_nonce, nonce)) {
423                 retval = NONCE_OK;
424                 goto leave;
425         }
426
427         if (!stateless_rpc) {
428                 /* returned nonce MUST match what we gave out earlier */
429                 retval = NONCE_BAD;
430                 goto leave;
431         }
432
433         /*
434          * In stateless mode, we may be receiving a nonce issued by
435          * another instance of the server that serving the same
436          * repository, and the timestamps may not match, but the
437          * nonce-seed and dir should match, so we can recompute and
438          * report the time slop.
439          *
440          * In addition, when a nonce issued by another instance has
441          * timestamp within receive.certnonceslop seconds, we pretend
442          * as if we issued that nonce when reporting to the hook.
443          */
444
445         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
446         if (*nonce <= '0' || '9' < *nonce) {
447                 retval = NONCE_BAD;
448                 goto leave;
449         }
450         stamp = strtoul(nonce, &bohmac, 10);
451         if (bohmac == nonce || bohmac[0] != '-') {
452                 retval = NONCE_BAD;
453                 goto leave;
454         }
455
456         expect = prepare_push_cert_nonce(service_dir, stamp);
457         if (strcmp(expect, nonce)) {
458                 /* Not what we would have signed earlier */
459                 retval = NONCE_BAD;
460                 goto leave;
461         }
462
463         /*
464          * By how many seconds is this nonce stale?  Negative value
465          * would mean it was issued by another server with its clock
466          * skewed in the future.
467          */
468         ostamp = strtoul(push_cert_nonce, NULL, 10);
469         nonce_stamp_slop = (long)ostamp - (long)stamp;
470
471         if (nonce_stamp_slop_limit &&
472             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
473                 /*
474                  * Pretend as if the received nonce (which passes the
475                  * HMAC check, so it is not a forged by third-party)
476                  * is what we issued.
477                  */
478                 free((void *)push_cert_nonce);
479                 push_cert_nonce = xstrdup(nonce);
480                 retval = NONCE_OK;
481         } else {
482                 retval = NONCE_SLOP;
483         }
484
485 leave:
486         free(nonce);
487         free(expect);
488         return retval;
489 }
490
491 static void prepare_push_cert_sha1(struct child_process *proc)
492 {
493         static int already_done;
494
495         if (!push_cert.len)
496                 return;
497
498         if (!already_done) {
499                 struct strbuf gpg_output = STRBUF_INIT;
500                 struct strbuf gpg_status = STRBUF_INIT;
501                 int bogs /* beginning_of_gpg_sig */;
502
503                 already_done = 1;
504                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
505                         hashclr(push_cert_sha1);
506
507                 memset(&sigcheck, '\0', sizeof(sigcheck));
508                 sigcheck.result = 'N';
509
510                 bogs = parse_signature(push_cert.buf, push_cert.len);
511                 if (verify_signed_buffer(push_cert.buf, bogs,
512                                          push_cert.buf + bogs, push_cert.len - bogs,
513                                          &gpg_output, &gpg_status) < 0) {
514                         ; /* error running gpg */
515                 } else {
516                         sigcheck.payload = push_cert.buf;
517                         sigcheck.gpg_output = gpg_output.buf;
518                         sigcheck.gpg_status = gpg_status.buf;
519                         parse_gpg_output(&sigcheck);
520                 }
521
522                 strbuf_release(&gpg_output);
523                 strbuf_release(&gpg_status);
524                 nonce_status = check_nonce(push_cert.buf, bogs);
525         }
526         if (!is_null_sha1(push_cert_sha1)) {
527                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
528                                  sha1_to_hex(push_cert_sha1));
529                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
530                                  sigcheck.signer ? sigcheck.signer : "");
531                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
532                                  sigcheck.key ? sigcheck.key : "");
533                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
534                                  sigcheck.result);
535                 if (push_cert_nonce) {
536                         argv_array_pushf(&proc->env_array,
537                                          "GIT_PUSH_CERT_NONCE=%s",
538                                          push_cert_nonce);
539                         argv_array_pushf(&proc->env_array,
540                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
541                                          nonce_status);
542                         if (nonce_status == NONCE_SLOP)
543                                 argv_array_pushf(&proc->env_array,
544                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
545                                                  nonce_stamp_slop);
546                 }
547         }
548 }
549
550 typedef int (*feed_fn)(void *, const char **, size_t *);
551 static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
552 {
553         struct child_process proc = CHILD_PROCESS_INIT;
554         struct async muxer;
555         const char *argv[2];
556         int code;
557
558         argv[0] = find_hook(hook_name);
559         if (!argv[0])
560                 return 0;
561
562         argv[1] = NULL;
563
564         proc.argv = argv;
565         proc.in = -1;
566         proc.stdout_to_stderr = 1;
567
568         if (use_sideband) {
569                 memset(&muxer, 0, sizeof(muxer));
570                 muxer.proc = copy_to_sideband;
571                 muxer.in = -1;
572                 code = start_async(&muxer);
573                 if (code)
574                         return code;
575                 proc.err = muxer.in;
576         }
577
578         prepare_push_cert_sha1(&proc);
579
580         code = start_command(&proc);
581         if (code) {
582                 if (use_sideband)
583                         finish_async(&muxer);
584                 return code;
585         }
586
587         sigchain_push(SIGPIPE, SIG_IGN);
588
589         while (1) {
590                 const char *buf;
591                 size_t n;
592                 if (feed(feed_state, &buf, &n))
593                         break;
594                 if (write_in_full(proc.in, buf, n) != n)
595                         break;
596         }
597         close(proc.in);
598         if (use_sideband)
599                 finish_async(&muxer);
600
601         sigchain_pop(SIGPIPE);
602
603         return finish_command(&proc);
604 }
605
606 struct receive_hook_feed_state {
607         struct command *cmd;
608         int skip_broken;
609         struct strbuf buf;
610 };
611
612 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
613 {
614         struct receive_hook_feed_state *state = state_;
615         struct command *cmd = state->cmd;
616
617         while (cmd &&
618                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
619                 cmd = cmd->next;
620         if (!cmd)
621                 return -1; /* EOF */
622         strbuf_reset(&state->buf);
623         strbuf_addf(&state->buf, "%s %s %s\n",
624                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
625                     cmd->ref_name);
626         state->cmd = cmd->next;
627         if (bufp) {
628                 *bufp = state->buf.buf;
629                 *sizep = state->buf.len;
630         }
631         return 0;
632 }
633
634 static int run_receive_hook(struct command *commands, const char *hook_name,
635                             int skip_broken)
636 {
637         struct receive_hook_feed_state state;
638         int status;
639
640         strbuf_init(&state.buf, 0);
641         state.cmd = commands;
642         state.skip_broken = skip_broken;
643         if (feed_receive_hook(&state, NULL, NULL))
644                 return 0;
645         state.cmd = commands;
646         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
647         strbuf_release(&state.buf);
648         return status;
649 }
650
651 static int run_update_hook(struct command *cmd)
652 {
653         const char *argv[5];
654         struct child_process proc = CHILD_PROCESS_INIT;
655         int code;
656
657         argv[0] = find_hook("update");
658         if (!argv[0])
659                 return 0;
660
661         argv[1] = cmd->ref_name;
662         argv[2] = sha1_to_hex(cmd->old_sha1);
663         argv[3] = sha1_to_hex(cmd->new_sha1);
664         argv[4] = NULL;
665
666         proc.no_stdin = 1;
667         proc.stdout_to_stderr = 1;
668         proc.err = use_sideband ? -1 : 0;
669         proc.argv = argv;
670
671         code = start_command(&proc);
672         if (code)
673                 return code;
674         if (use_sideband)
675                 copy_to_sideband(proc.err, -1, NULL);
676         return finish_command(&proc);
677 }
678
679 static int is_ref_checked_out(const char *ref)
680 {
681         if (is_bare_repository())
682                 return 0;
683
684         if (!head_name)
685                 return 0;
686         return !strcmp(head_name, ref);
687 }
688
689 static char *refuse_unconfigured_deny_msg[] = {
690         "By default, updating the current branch in a non-bare repository",
691         "is denied, because it will make the index and work tree inconsistent",
692         "with what you pushed, and will require 'git reset --hard' to match",
693         "the work tree to HEAD.",
694         "",
695         "You can set 'receive.denyCurrentBranch' configuration variable to",
696         "'ignore' or 'warn' in the remote repository to allow pushing into",
697         "its current branch; however, this is not recommended unless you",
698         "arranged to update its work tree to match what you pushed in some",
699         "other way.",
700         "",
701         "To squelch this message and still keep the default behaviour, set",
702         "'receive.denyCurrentBranch' configuration variable to 'refuse'."
703 };
704
705 static void refuse_unconfigured_deny(void)
706 {
707         int i;
708         for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
709                 rp_error("%s", refuse_unconfigured_deny_msg[i]);
710 }
711
712 static char *refuse_unconfigured_deny_delete_current_msg[] = {
713         "By default, deleting the current branch is denied, because the next",
714         "'git clone' won't result in any file checked out, causing confusion.",
715         "",
716         "You can set 'receive.denyDeleteCurrent' configuration variable to",
717         "'warn' or 'ignore' in the remote repository to allow deleting the",
718         "current branch, with or without a warning message.",
719         "",
720         "To squelch this message, you can set it to 'refuse'."
721 };
722
723 static void refuse_unconfigured_deny_delete_current(void)
724 {
725         int i;
726         for (i = 0;
727              i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
728              i++)
729                 rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
730 }
731
732 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
733 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
734 {
735         static struct lock_file shallow_lock;
736         struct sha1_array extra = SHA1_ARRAY_INIT;
737         const char *alt_file;
738         uint32_t mask = 1 << (cmd->index % 32);
739         int i;
740
741         trace_printf_key(&trace_shallow,
742                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
743         for (i = 0; i < si->shallow->nr; i++)
744                 if (si->used_shallow[i] &&
745                     (si->used_shallow[i][cmd->index / 32] & mask) &&
746                     !delayed_reachability_test(si, i))
747                         sha1_array_append(&extra, si->shallow->sha1[i]);
748
749         setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
750         if (check_shallow_connected(command_singleton_iterator,
751                                     0, cmd, alt_file)) {
752                 rollback_lock_file(&shallow_lock);
753                 sha1_array_clear(&extra);
754                 return -1;
755         }
756
757         commit_lock_file(&shallow_lock);
758
759         /*
760          * Make sure setup_alternate_shallow() for the next ref does
761          * not lose these new roots..
762          */
763         for (i = 0; i < extra.nr; i++)
764                 register_shallow(extra.sha1[i]);
765
766         si->shallow_ref[cmd->index] = 0;
767         sha1_array_clear(&extra);
768         return 0;
769 }
770
771 /*
772  * NEEDSWORK: we should consolidate various implementions of "are we
773  * on an unborn branch?" test into one, and make the unified one more
774  * robust. !get_sha1() based check used here and elsewhere would not
775  * allow us to tell an unborn branch from corrupt ref, for example.
776  * For the purpose of fixing "deploy-to-update does not work when
777  * pushing into an empty repository" issue, this should suffice for
778  * now.
779  */
780 static int head_has_history(void)
781 {
782         unsigned char sha1[20];
783
784         return !get_sha1("HEAD", sha1);
785 }
786
787 static const char *push_to_deploy(unsigned char *sha1,
788                                   struct argv_array *env,
789                                   const char *work_tree)
790 {
791         const char *update_refresh[] = {
792                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
793         };
794         const char *diff_files[] = {
795                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
796         };
797         const char *diff_index[] = {
798                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
799                 NULL, "--", NULL
800         };
801         const char *read_tree[] = {
802                 "read-tree", "-u", "-m", NULL, NULL
803         };
804         struct child_process child = CHILD_PROCESS_INIT;
805
806         child.argv = update_refresh;
807         child.env = env->argv;
808         child.dir = work_tree;
809         child.no_stdin = 1;
810         child.stdout_to_stderr = 1;
811         child.git_cmd = 1;
812         if (run_command(&child))
813                 return "Up-to-date check failed";
814
815         /* run_command() does not clean up completely; reinitialize */
816         child_process_init(&child);
817         child.argv = diff_files;
818         child.env = env->argv;
819         child.dir = work_tree;
820         child.no_stdin = 1;
821         child.stdout_to_stderr = 1;
822         child.git_cmd = 1;
823         if (run_command(&child))
824                 return "Working directory has unstaged changes";
825
826         /* diff-index with either HEAD or an empty tree */
827         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
828
829         child_process_init(&child);
830         child.argv = diff_index;
831         child.env = env->argv;
832         child.no_stdin = 1;
833         child.no_stdout = 1;
834         child.stdout_to_stderr = 0;
835         child.git_cmd = 1;
836         if (run_command(&child))
837                 return "Working directory has staged changes";
838
839         read_tree[3] = sha1_to_hex(sha1);
840         child_process_init(&child);
841         child.argv = read_tree;
842         child.env = env->argv;
843         child.dir = work_tree;
844         child.no_stdin = 1;
845         child.no_stdout = 1;
846         child.stdout_to_stderr = 0;
847         child.git_cmd = 1;
848         if (run_command(&child))
849                 return "Could not update working tree to new HEAD";
850
851         return NULL;
852 }
853
854 static const char *push_to_checkout_hook = "push-to-checkout";
855
856 static const char *push_to_checkout(unsigned char *sha1,
857                                     struct argv_array *env,
858                                     const char *work_tree)
859 {
860         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
861         if (run_hook_le(env->argv, push_to_checkout_hook,
862                         sha1_to_hex(sha1), NULL))
863                 return "push-to-checkout hook declined";
864         else
865                 return NULL;
866 }
867
868 static const char *update_worktree(unsigned char *sha1)
869 {
870         const char *retval;
871         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
872         struct argv_array env = ARGV_ARRAY_INIT;
873
874         if (is_bare_repository())
875                 return "denyCurrentBranch = updateInstead needs a worktree";
876
877         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
878
879         if (!find_hook(push_to_checkout_hook))
880                 retval = push_to_deploy(sha1, &env, work_tree);
881         else
882                 retval = push_to_checkout(sha1, &env, work_tree);
883
884         argv_array_clear(&env);
885         return retval;
886 }
887
888 static const char *update(struct command *cmd, struct shallow_info *si)
889 {
890         const char *name = cmd->ref_name;
891         struct strbuf namespaced_name_buf = STRBUF_INIT;
892         const char *namespaced_name, *ret;
893         unsigned char *old_sha1 = cmd->old_sha1;
894         unsigned char *new_sha1 = cmd->new_sha1;
895
896         /* only refs/... are allowed */
897         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
898                 rp_error("refusing to create funny ref '%s' remotely", name);
899                 return "funny refname";
900         }
901
902         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
903         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
904
905         if (is_ref_checked_out(namespaced_name)) {
906                 switch (deny_current_branch) {
907                 case DENY_IGNORE:
908                         break;
909                 case DENY_WARN:
910                         rp_warning("updating the current branch");
911                         break;
912                 case DENY_REFUSE:
913                 case DENY_UNCONFIGURED:
914                         rp_error("refusing to update checked out branch: %s", name);
915                         if (deny_current_branch == DENY_UNCONFIGURED)
916                                 refuse_unconfigured_deny();
917                         return "branch is currently checked out";
918                 case DENY_UPDATE_INSTEAD:
919                         ret = update_worktree(new_sha1);
920                         if (ret)
921                                 return ret;
922                         break;
923                 }
924         }
925
926         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
927                 error("unpack should have generated %s, "
928                       "but I can't find it!", sha1_to_hex(new_sha1));
929                 return "bad pack";
930         }
931
932         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
933                 if (deny_deletes && starts_with(name, "refs/heads/")) {
934                         rp_error("denying ref deletion for %s", name);
935                         return "deletion prohibited";
936                 }
937
938                 if (head_name && !strcmp(namespaced_name, head_name)) {
939                         switch (deny_delete_current) {
940                         case DENY_IGNORE:
941                                 break;
942                         case DENY_WARN:
943                                 rp_warning("deleting the current branch");
944                                 break;
945                         case DENY_REFUSE:
946                         case DENY_UNCONFIGURED:
947                         case DENY_UPDATE_INSTEAD:
948                                 if (deny_delete_current == DENY_UNCONFIGURED)
949                                         refuse_unconfigured_deny_delete_current();
950                                 rp_error("refusing to delete the current branch: %s", name);
951                                 return "deletion of the current branch prohibited";
952                         default:
953                                 return "Invalid denyDeleteCurrent setting";
954                         }
955                 }
956         }
957
958         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
959             !is_null_sha1(old_sha1) &&
960             starts_with(name, "refs/heads/")) {
961                 struct object *old_object, *new_object;
962                 struct commit *old_commit, *new_commit;
963
964                 old_object = parse_object(old_sha1);
965                 new_object = parse_object(new_sha1);
966
967                 if (!old_object || !new_object ||
968                     old_object->type != OBJ_COMMIT ||
969                     new_object->type != OBJ_COMMIT) {
970                         error("bad sha1 objects for %s", name);
971                         return "bad ref";
972                 }
973                 old_commit = (struct commit *)old_object;
974                 new_commit = (struct commit *)new_object;
975                 if (!in_merge_bases(old_commit, new_commit)) {
976                         rp_error("denying non-fast-forward %s"
977                                  " (you should pull first)", name);
978                         return "non-fast-forward";
979                 }
980         }
981         if (run_update_hook(cmd)) {
982                 rp_error("hook declined to update %s", name);
983                 return "hook declined";
984         }
985
986         if (is_null_sha1(new_sha1)) {
987                 struct strbuf err = STRBUF_INIT;
988                 if (!parse_object(old_sha1)) {
989                         old_sha1 = NULL;
990                         if (ref_exists(name)) {
991                                 rp_warning("Allowing deletion of corrupt ref.");
992                         } else {
993                                 rp_warning("Deleting a non-existent ref.");
994                                 cmd->did_not_exist = 1;
995                         }
996                 }
997                 if (ref_transaction_delete(transaction,
998                                            namespaced_name,
999                                            old_sha1,
1000                                            0, "push", &err)) {
1001                         rp_error("%s", err.buf);
1002                         strbuf_release(&err);
1003                         return "failed to delete";
1004                 }
1005                 strbuf_release(&err);
1006                 return NULL; /* good */
1007         }
1008         else {
1009                 struct strbuf err = STRBUF_INIT;
1010                 if (shallow_update && si->shallow_ref[cmd->index] &&
1011                     update_shallow_ref(cmd, si))
1012                         return "shallow error";
1013
1014                 if (ref_transaction_update(transaction,
1015                                            namespaced_name,
1016                                            new_sha1, old_sha1,
1017                                            0, "push",
1018                                            &err)) {
1019                         rp_error("%s", err.buf);
1020                         strbuf_release(&err);
1021
1022                         return "failed to update ref";
1023                 }
1024                 strbuf_release(&err);
1025
1026                 return NULL; /* good */
1027         }
1028 }
1029
1030 static void run_update_post_hook(struct command *commands)
1031 {
1032         struct command *cmd;
1033         int argc;
1034         const char **argv;
1035         struct child_process proc = CHILD_PROCESS_INIT;
1036         const char *hook;
1037
1038         hook = find_hook("post-update");
1039         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1040                 if (cmd->error_string || cmd->did_not_exist)
1041                         continue;
1042                 argc++;
1043         }
1044         if (!argc || !hook)
1045                 return;
1046
1047         argv = xmalloc(sizeof(*argv) * (2 + argc));
1048         argv[0] = hook;
1049
1050         for (argc = 1, cmd = commands; cmd; cmd = cmd->next) {
1051                 if (cmd->error_string || cmd->did_not_exist)
1052                         continue;
1053                 argv[argc] = xstrdup(cmd->ref_name);
1054                 argc++;
1055         }
1056         argv[argc] = NULL;
1057
1058         proc.no_stdin = 1;
1059         proc.stdout_to_stderr = 1;
1060         proc.err = use_sideband ? -1 : 0;
1061         proc.argv = argv;
1062
1063         if (!start_command(&proc)) {
1064                 if (use_sideband)
1065                         copy_to_sideband(proc.err, -1, NULL);
1066                 finish_command(&proc);
1067         }
1068 }
1069
1070 static void check_aliased_update(struct command *cmd, struct string_list *list)
1071 {
1072         struct strbuf buf = STRBUF_INIT;
1073         const char *dst_name;
1074         struct string_list_item *item;
1075         struct command *dst_cmd;
1076         unsigned char sha1[GIT_SHA1_RAWSZ];
1077         char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1078              cmd_newh[GIT_SHA1_HEXSZ + 1],
1079              dst_oldh[GIT_SHA1_HEXSZ + 1],
1080              dst_newh[GIT_SHA1_HEXSZ + 1];
1081         int flag;
1082
1083         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1084         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1085         strbuf_release(&buf);
1086
1087         if (!(flag & REF_ISSYMREF))
1088                 return;
1089
1090         dst_name = strip_namespace(dst_name);
1091         if (!dst_name) {
1092                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1093                 cmd->skip_update = 1;
1094                 cmd->error_string = "broken symref";
1095                 return;
1096         }
1097
1098         if ((item = string_list_lookup(list, dst_name)) == NULL)
1099                 return;
1100
1101         cmd->skip_update = 1;
1102
1103         dst_cmd = (struct command *) item->util;
1104
1105         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1106             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1107                 return;
1108
1109         dst_cmd->skip_update = 1;
1110
1111         find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1112         find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1113         find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1114         find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1115         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1116                  " its target '%s' (%s..%s)",
1117                  cmd->ref_name, cmd_oldh, cmd_newh,
1118                  dst_cmd->ref_name, dst_oldh, dst_newh);
1119
1120         cmd->error_string = dst_cmd->error_string =
1121                 "inconsistent aliased update";
1122 }
1123
1124 static void check_aliased_updates(struct command *commands)
1125 {
1126         struct command *cmd;
1127         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1128
1129         for (cmd = commands; cmd; cmd = cmd->next) {
1130                 struct string_list_item *item =
1131                         string_list_append(&ref_list, cmd->ref_name);
1132                 item->util = (void *)cmd;
1133         }
1134         string_list_sort(&ref_list);
1135
1136         for (cmd = commands; cmd; cmd = cmd->next) {
1137                 if (!cmd->error_string)
1138                         check_aliased_update(cmd, &ref_list);
1139         }
1140
1141         string_list_clear(&ref_list, 0);
1142 }
1143
1144 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1145 {
1146         struct command **cmd_list = cb_data;
1147         struct command *cmd = *cmd_list;
1148
1149         if (!cmd || is_null_sha1(cmd->new_sha1))
1150                 return -1; /* end of list */
1151         *cmd_list = NULL; /* this returns only one */
1152         hashcpy(sha1, cmd->new_sha1);
1153         return 0;
1154 }
1155
1156 static void set_connectivity_errors(struct command *commands,
1157                                     struct shallow_info *si)
1158 {
1159         struct command *cmd;
1160
1161         for (cmd = commands; cmd; cmd = cmd->next) {
1162                 struct command *singleton = cmd;
1163                 if (shallow_update && si->shallow_ref[cmd->index])
1164                         /* to be checked in update_shallow_ref() */
1165                         continue;
1166                 if (!check_everything_connected(command_singleton_iterator,
1167                                                 0, &singleton))
1168                         continue;
1169                 cmd->error_string = "missing necessary objects";
1170         }
1171 }
1172
1173 struct iterate_data {
1174         struct command *cmds;
1175         struct shallow_info *si;
1176 };
1177
1178 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1179 {
1180         struct iterate_data *data = cb_data;
1181         struct command **cmd_list = &data->cmds;
1182         struct command *cmd = *cmd_list;
1183
1184         for (; cmd; cmd = cmd->next) {
1185                 if (shallow_update && data->si->shallow_ref[cmd->index])
1186                         /* to be checked in update_shallow_ref() */
1187                         continue;
1188                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1189                         hashcpy(sha1, cmd->new_sha1);
1190                         *cmd_list = cmd->next;
1191                         return 0;
1192                 }
1193         }
1194         *cmd_list = NULL;
1195         return -1; /* end of list */
1196 }
1197
1198 static void reject_updates_to_hidden(struct command *commands)
1199 {
1200         struct strbuf refname_full = STRBUF_INIT;
1201         size_t prefix_len;
1202         struct command *cmd;
1203
1204         strbuf_addstr(&refname_full, get_git_namespace());
1205         prefix_len = refname_full.len;
1206
1207         for (cmd = commands; cmd; cmd = cmd->next) {
1208                 if (cmd->error_string)
1209                         continue;
1210
1211                 strbuf_setlen(&refname_full, prefix_len);
1212                 strbuf_addstr(&refname_full, cmd->ref_name);
1213
1214                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1215                         continue;
1216                 if (is_null_sha1(cmd->new_sha1))
1217                         cmd->error_string = "deny deleting a hidden ref";
1218                 else
1219                         cmd->error_string = "deny updating a hidden ref";
1220         }
1221
1222         strbuf_release(&refname_full);
1223 }
1224
1225 static int should_process_cmd(struct command *cmd)
1226 {
1227         return !cmd->error_string && !cmd->skip_update;
1228 }
1229
1230 static void warn_if_skipped_connectivity_check(struct command *commands,
1231                                                struct shallow_info *si)
1232 {
1233         struct command *cmd;
1234         int checked_connectivity = 1;
1235
1236         for (cmd = commands; cmd; cmd = cmd->next) {
1237                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1238                         error("BUG: connectivity check has not been run on ref %s",
1239                               cmd->ref_name);
1240                         checked_connectivity = 0;
1241                 }
1242         }
1243         if (!checked_connectivity)
1244                 die("BUG: connectivity check skipped???");
1245 }
1246
1247 static void execute_commands_non_atomic(struct command *commands,
1248                                         struct shallow_info *si)
1249 {
1250         struct command *cmd;
1251         struct strbuf err = STRBUF_INIT;
1252
1253         for (cmd = commands; cmd; cmd = cmd->next) {
1254                 if (!should_process_cmd(cmd))
1255                         continue;
1256
1257                 transaction = ref_transaction_begin(&err);
1258                 if (!transaction) {
1259                         rp_error("%s", err.buf);
1260                         strbuf_reset(&err);
1261                         cmd->error_string = "transaction failed to start";
1262                         continue;
1263                 }
1264
1265                 cmd->error_string = update(cmd, si);
1266
1267                 if (!cmd->error_string
1268                     && ref_transaction_commit(transaction, &err)) {
1269                         rp_error("%s", err.buf);
1270                         strbuf_reset(&err);
1271                         cmd->error_string = "failed to update ref";
1272                 }
1273                 ref_transaction_free(transaction);
1274         }
1275         strbuf_release(&err);
1276 }
1277
1278 static void execute_commands_atomic(struct command *commands,
1279                                         struct shallow_info *si)
1280 {
1281         struct command *cmd;
1282         struct strbuf err = STRBUF_INIT;
1283         const char *reported_error = "atomic push failure";
1284
1285         transaction = ref_transaction_begin(&err);
1286         if (!transaction) {
1287                 rp_error("%s", err.buf);
1288                 strbuf_reset(&err);
1289                 reported_error = "transaction failed to start";
1290                 goto failure;
1291         }
1292
1293         for (cmd = commands; cmd; cmd = cmd->next) {
1294                 if (!should_process_cmd(cmd))
1295                         continue;
1296
1297                 cmd->error_string = update(cmd, si);
1298
1299                 if (cmd->error_string)
1300                         goto failure;
1301         }
1302
1303         if (ref_transaction_commit(transaction, &err)) {
1304                 rp_error("%s", err.buf);
1305                 reported_error = "atomic transaction failed";
1306                 goto failure;
1307         }
1308         goto cleanup;
1309
1310 failure:
1311         for (cmd = commands; cmd; cmd = cmd->next)
1312                 if (!cmd->error_string)
1313                         cmd->error_string = reported_error;
1314
1315 cleanup:
1316         ref_transaction_free(transaction);
1317         strbuf_release(&err);
1318 }
1319
1320 static void execute_commands(struct command *commands,
1321                              const char *unpacker_error,
1322                              struct shallow_info *si)
1323 {
1324         struct command *cmd;
1325         unsigned char sha1[20];
1326         struct iterate_data data;
1327
1328         if (unpacker_error) {
1329                 for (cmd = commands; cmd; cmd = cmd->next)
1330                         cmd->error_string = "unpacker error";
1331                 return;
1332         }
1333
1334         data.cmds = commands;
1335         data.si = si;
1336         if (check_everything_connected(iterate_receive_command_list, 0, &data))
1337                 set_connectivity_errors(commands, si);
1338
1339         reject_updates_to_hidden(commands);
1340
1341         if (run_receive_hook(commands, "pre-receive", 0)) {
1342                 for (cmd = commands; cmd; cmd = cmd->next) {
1343                         if (!cmd->error_string)
1344                                 cmd->error_string = "pre-receive hook declined";
1345                 }
1346                 return;
1347         }
1348
1349         check_aliased_updates(commands);
1350
1351         free(head_name_to_free);
1352         head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1353
1354         if (use_atomic)
1355                 execute_commands_atomic(commands, si);
1356         else
1357                 execute_commands_non_atomic(commands, si);
1358
1359         if (shallow_update)
1360                 warn_if_skipped_connectivity_check(commands, si);
1361 }
1362
1363 static struct command **queue_command(struct command **tail,
1364                                       const char *line,
1365                                       int linelen)
1366 {
1367         unsigned char old_sha1[20], new_sha1[20];
1368         struct command *cmd;
1369         const char *refname;
1370         int reflen;
1371
1372         if (linelen < 83 ||
1373             line[40] != ' ' ||
1374             line[81] != ' ' ||
1375             get_sha1_hex(line, old_sha1) ||
1376             get_sha1_hex(line + 41, new_sha1))
1377                 die("protocol error: expected old/new/ref, got '%s'", line);
1378
1379         refname = line + 82;
1380         reflen = linelen - 82;
1381         cmd = xcalloc(1, sizeof(struct command) + reflen + 1);
1382         hashcpy(cmd->old_sha1, old_sha1);
1383         hashcpy(cmd->new_sha1, new_sha1);
1384         memcpy(cmd->ref_name, refname, reflen);
1385         cmd->ref_name[reflen] = '\0';
1386         *tail = cmd;
1387         return &cmd->next;
1388 }
1389
1390 static void queue_commands_from_cert(struct command **tail,
1391                                      struct strbuf *push_cert)
1392 {
1393         const char *boc, *eoc;
1394
1395         if (*tail)
1396                 die("protocol error: got both push certificate and unsigned commands");
1397
1398         boc = strstr(push_cert->buf, "\n\n");
1399         if (!boc)
1400                 die("malformed push certificate %.*s", 100, push_cert->buf);
1401         else
1402                 boc += 2;
1403         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1404
1405         while (boc < eoc) {
1406                 const char *eol = memchr(boc, '\n', eoc - boc);
1407                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1408                 boc = eol ? eol + 1 : eoc;
1409         }
1410 }
1411
1412 static struct command *read_head_info(struct sha1_array *shallow)
1413 {
1414         struct command *commands = NULL;
1415         struct command **p = &commands;
1416         for (;;) {
1417                 char *line;
1418                 int len, linelen;
1419
1420                 line = packet_read_line(0, &len);
1421                 if (!line)
1422                         break;
1423
1424                 if (len == 48 && starts_with(line, "shallow ")) {
1425                         unsigned char sha1[20];
1426                         if (get_sha1_hex(line + 8, sha1))
1427                                 die("protocol error: expected shallow sha, got '%s'",
1428                                     line + 8);
1429                         sha1_array_append(shallow, sha1);
1430                         continue;
1431                 }
1432
1433                 linelen = strlen(line);
1434                 if (linelen < len) {
1435                         const char *feature_list = line + linelen + 1;
1436                         if (parse_feature_request(feature_list, "report-status"))
1437                                 report_status = 1;
1438                         if (parse_feature_request(feature_list, "side-band-64k"))
1439                                 use_sideband = LARGE_PACKET_MAX;
1440                         if (parse_feature_request(feature_list, "quiet"))
1441                                 quiet = 1;
1442                         if (advertise_atomic_push
1443                             && parse_feature_request(feature_list, "atomic"))
1444                                 use_atomic = 1;
1445                 }
1446
1447                 if (!strcmp(line, "push-cert")) {
1448                         int true_flush = 0;
1449                         char certbuf[1024];
1450
1451                         for (;;) {
1452                                 len = packet_read(0, NULL, NULL,
1453                                                   certbuf, sizeof(certbuf), 0);
1454                                 if (!len) {
1455                                         true_flush = 1;
1456                                         break;
1457                                 }
1458                                 if (!strcmp(certbuf, "push-cert-end\n"))
1459                                         break; /* end of cert */
1460                                 strbuf_addstr(&push_cert, certbuf);
1461                         }
1462
1463                         if (true_flush)
1464                                 break;
1465                         continue;
1466                 }
1467
1468                 p = queue_command(p, line, linelen);
1469         }
1470
1471         if (push_cert.len)
1472                 queue_commands_from_cert(p, &push_cert);
1473
1474         return commands;
1475 }
1476
1477 static const char *parse_pack_header(struct pack_header *hdr)
1478 {
1479         switch (read_pack_header(0, hdr)) {
1480         case PH_ERROR_EOF:
1481                 return "eof before pack header was fully read";
1482
1483         case PH_ERROR_PACK_SIGNATURE:
1484                 return "protocol error (pack signature mismatch detected)";
1485
1486         case PH_ERROR_PROTOCOL:
1487                 return "protocol error (pack version unsupported)";
1488
1489         default:
1490                 return "unknown error in parse_pack_header";
1491
1492         case 0:
1493                 return NULL;
1494         }
1495 }
1496
1497 static const char *pack_lockfile;
1498
1499 static const char *unpack(int err_fd, struct shallow_info *si)
1500 {
1501         struct pack_header hdr;
1502         const char *hdr_err;
1503         int status;
1504         char hdr_arg[38];
1505         struct child_process child = CHILD_PROCESS_INIT;
1506         int fsck_objects = (receive_fsck_objects >= 0
1507                             ? receive_fsck_objects
1508                             : transfer_fsck_objects >= 0
1509                             ? transfer_fsck_objects
1510                             : 0);
1511
1512         hdr_err = parse_pack_header(&hdr);
1513         if (hdr_err) {
1514                 if (err_fd > 0)
1515                         close(err_fd);
1516                 return hdr_err;
1517         }
1518         snprintf(hdr_arg, sizeof(hdr_arg),
1519                         "--pack_header=%"PRIu32",%"PRIu32,
1520                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1521
1522         if (si->nr_ours || si->nr_theirs) {
1523                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1524                 argv_array_push(&child.args, "--shallow-file");
1525                 argv_array_push(&child.args, alt_shallow_file);
1526         }
1527
1528         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1529                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1530                 if (quiet)
1531                         argv_array_push(&child.args, "-q");
1532                 if (fsck_objects)
1533                         argv_array_pushf(&child.args, "--strict%s",
1534                                 fsck_msg_types.buf);
1535                 child.no_stdout = 1;
1536                 child.err = err_fd;
1537                 child.git_cmd = 1;
1538                 status = run_command(&child);
1539                 if (status)
1540                         return "unpack-objects abnormal exit";
1541         } else {
1542                 char hostname[256];
1543
1544                 argv_array_pushl(&child.args, "index-pack",
1545                                  "--stdin", hdr_arg, NULL);
1546
1547                 if (gethostname(hostname, sizeof(hostname)))
1548                         xsnprintf(hostname, sizeof(hostname), "localhost");
1549                 argv_array_pushf(&child.args,
1550                                  "--keep=receive-pack %"PRIuMAX" on %s",
1551                                  (uintmax_t)getpid(),
1552                                  hostname);
1553
1554                 if (fsck_objects)
1555                         argv_array_pushf(&child.args, "--strict%s",
1556                                 fsck_msg_types.buf);
1557                 if (fix_thin)
1558                         argv_array_push(&child.args, "--fix-thin");
1559                 child.out = -1;
1560                 child.err = err_fd;
1561                 child.git_cmd = 1;
1562                 status = start_command(&child);
1563                 if (status)
1564                         return "index-pack fork failed";
1565                 pack_lockfile = index_pack_lockfile(child.out);
1566                 close(child.out);
1567                 status = finish_command(&child);
1568                 if (status)
1569                         return "index-pack abnormal exit";
1570                 reprepare_packed_git();
1571         }
1572         return NULL;
1573 }
1574
1575 static const char *unpack_with_sideband(struct shallow_info *si)
1576 {
1577         struct async muxer;
1578         const char *ret;
1579
1580         if (!use_sideband)
1581                 return unpack(0, si);
1582
1583         memset(&muxer, 0, sizeof(muxer));
1584         muxer.proc = copy_to_sideband;
1585         muxer.in = -1;
1586         if (start_async(&muxer))
1587                 return NULL;
1588
1589         ret = unpack(muxer.in, si);
1590
1591         finish_async(&muxer);
1592         return ret;
1593 }
1594
1595 static void prepare_shallow_update(struct command *commands,
1596                                    struct shallow_info *si)
1597 {
1598         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1599
1600         si->used_shallow = xmalloc(sizeof(*si->used_shallow) *
1601                                    si->shallow->nr);
1602         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1603
1604         si->need_reachability_test =
1605                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1606         si->reachable =
1607                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1608         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1609
1610         for (i = 0; i < si->nr_ours; i++)
1611                 si->need_reachability_test[si->ours[i]] = 1;
1612
1613         for (i = 0; i < si->shallow->nr; i++) {
1614                 if (!si->used_shallow[i])
1615                         continue;
1616                 for (j = 0; j < bitmap_size; j++) {
1617                         if (!si->used_shallow[i][j])
1618                                 continue;
1619                         si->need_reachability_test[i]++;
1620                         for (k = 0; k < 32; k++)
1621                                 if (si->used_shallow[i][j] & (1U << k))
1622                                         si->shallow_ref[j * 32 + k]++;
1623                 }
1624
1625                 /*
1626                  * true for those associated with some refs and belong
1627                  * in "ours" list aka "step 7 not done yet"
1628                  */
1629                 si->need_reachability_test[i] =
1630                         si->need_reachability_test[i] > 1;
1631         }
1632
1633         /*
1634          * keep hooks happy by forcing a temporary shallow file via
1635          * env variable because we can't add --shallow-file to every
1636          * command. check_everything_connected() will be done with
1637          * true .git/shallow though.
1638          */
1639         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1640 }
1641
1642 static void update_shallow_info(struct command *commands,
1643                                 struct shallow_info *si,
1644                                 struct sha1_array *ref)
1645 {
1646         struct command *cmd;
1647         int *ref_status;
1648         remove_nonexistent_theirs_shallow(si);
1649         if (!si->nr_ours && !si->nr_theirs) {
1650                 shallow_update = 0;
1651                 return;
1652         }
1653
1654         for (cmd = commands; cmd; cmd = cmd->next) {
1655                 if (is_null_sha1(cmd->new_sha1))
1656                         continue;
1657                 sha1_array_append(ref, cmd->new_sha1);
1658                 cmd->index = ref->nr - 1;
1659         }
1660         si->ref = ref;
1661
1662         if (shallow_update) {
1663                 prepare_shallow_update(commands, si);
1664                 return;
1665         }
1666
1667         ref_status = xmalloc(sizeof(*ref_status) * ref->nr);
1668         assign_shallow_commits_to_refs(si, NULL, ref_status);
1669         for (cmd = commands; cmd; cmd = cmd->next) {
1670                 if (is_null_sha1(cmd->new_sha1))
1671                         continue;
1672                 if (ref_status[cmd->index]) {
1673                         cmd->error_string = "shallow update not allowed";
1674                         cmd->skip_update = 1;
1675                 }
1676         }
1677         free(ref_status);
1678 }
1679
1680 static void report(struct command *commands, const char *unpack_status)
1681 {
1682         struct command *cmd;
1683         struct strbuf buf = STRBUF_INIT;
1684
1685         packet_buf_write(&buf, "unpack %s\n",
1686                          unpack_status ? unpack_status : "ok");
1687         for (cmd = commands; cmd; cmd = cmd->next) {
1688                 if (!cmd->error_string)
1689                         packet_buf_write(&buf, "ok %s\n",
1690                                          cmd->ref_name);
1691                 else
1692                         packet_buf_write(&buf, "ng %s %s\n",
1693                                          cmd->ref_name, cmd->error_string);
1694         }
1695         packet_buf_flush(&buf);
1696
1697         if (use_sideband)
1698                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1699         else
1700                 write_or_die(1, buf.buf, buf.len);
1701         strbuf_release(&buf);
1702 }
1703
1704 static int delete_only(struct command *commands)
1705 {
1706         struct command *cmd;
1707         for (cmd = commands; cmd; cmd = cmd->next) {
1708                 if (!is_null_sha1(cmd->new_sha1))
1709                         return 0;
1710         }
1711         return 1;
1712 }
1713
1714 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1715 {
1716         int advertise_refs = 0;
1717         int i;
1718         struct command *commands;
1719         struct sha1_array shallow = SHA1_ARRAY_INIT;
1720         struct sha1_array ref = SHA1_ARRAY_INIT;
1721         struct shallow_info si;
1722
1723         packet_trace_identity("receive-pack");
1724
1725         argv++;
1726         for (i = 1; i < argc; i++) {
1727                 const char *arg = *argv++;
1728
1729                 if (*arg == '-') {
1730                         if (!strcmp(arg, "--quiet")) {
1731                                 quiet = 1;
1732                                 continue;
1733                         }
1734
1735                         if (!strcmp(arg, "--advertise-refs")) {
1736                                 advertise_refs = 1;
1737                                 continue;
1738                         }
1739                         if (!strcmp(arg, "--stateless-rpc")) {
1740                                 stateless_rpc = 1;
1741                                 continue;
1742                         }
1743                         if (!strcmp(arg, "--reject-thin-pack-for-testing")) {
1744                                 fix_thin = 0;
1745                                 continue;
1746                         }
1747
1748                         usage(receive_pack_usage);
1749                 }
1750                 if (service_dir)
1751                         usage(receive_pack_usage);
1752                 service_dir = arg;
1753         }
1754         if (!service_dir)
1755                 usage(receive_pack_usage);
1756
1757         setup_path();
1758
1759         if (!enter_repo(service_dir, 0))
1760                 die("'%s' does not appear to be a git repository", service_dir);
1761
1762         git_config(receive_pack_config, NULL);
1763         if (cert_nonce_seed)
1764                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1765
1766         if (0 <= transfer_unpack_limit)
1767                 unpack_limit = transfer_unpack_limit;
1768         else if (0 <= receive_unpack_limit)
1769                 unpack_limit = receive_unpack_limit;
1770
1771         if (advertise_refs || !stateless_rpc) {
1772                 write_head_info();
1773         }
1774         if (advertise_refs)
1775                 return 0;
1776
1777         if ((commands = read_head_info(&shallow)) != NULL) {
1778                 const char *unpack_status = NULL;
1779
1780                 prepare_shallow_info(&si, &shallow);
1781                 if (!si.nr_ours && !si.nr_theirs)
1782                         shallow_update = 0;
1783                 if (!delete_only(commands)) {
1784                         unpack_status = unpack_with_sideband(&si);
1785                         update_shallow_info(commands, &si, &ref);
1786                 }
1787                 execute_commands(commands, unpack_status, &si);
1788                 if (pack_lockfile)
1789                         unlink_or_warn(pack_lockfile);
1790                 if (report_status)
1791                         report(commands, unpack_status);
1792                 run_receive_hook(commands, "post-receive", 1);
1793                 run_update_post_hook(commands);
1794                 if (auto_gc) {
1795                         const char *argv_gc_auto[] = {
1796                                 "gc", "--auto", "--quiet", NULL,
1797                         };
1798                         int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1799                         close_all_packs();
1800                         run_command_v_opt(argv_gc_auto, opt);
1801                 }
1802                 if (auto_update_server_info)
1803                         update_server_info(0);
1804                 clear_shallow_info(&si);
1805         }
1806         if (use_sideband)
1807                 packet_flush(1);
1808         sha1_array_clear(&shallow);
1809         sha1_array_clear(&ref);
1810         free((void *)push_cert_nonce);
1811         return 0;
1812 }