Merge branch 'pw/rebase-i-keep-reword-after-conflict'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "transport.h"
16 #include "string-list.h"
17 #include "sha1-array.h"
18 #include "connected.h"
19 #include "argv-array.h"
20 #include "version.h"
21 #include "tag.h"
22 #include "gpg-interface.h"
23 #include "sigchain.h"
24 #include "fsck.h"
25 #include "tmp-objdir.h"
26 #include "oidset.h"
27 #include "packfile.h"
28 #include "object-store.h"
29 #include "protocol.h"
30
31 static const char * const receive_pack_usage[] = {
32         N_("git receive-pack <git-dir>"),
33         NULL
34 };
35
36 enum deny_action {
37         DENY_UNCONFIGURED,
38         DENY_IGNORE,
39         DENY_WARN,
40         DENY_REFUSE,
41         DENY_UPDATE_INSTEAD
42 };
43
44 static int deny_deletes;
45 static int deny_non_fast_forwards;
46 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
47 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
48 static int receive_fsck_objects = -1;
49 static int transfer_fsck_objects = -1;
50 static struct strbuf fsck_msg_types = STRBUF_INIT;
51 static int receive_unpack_limit = -1;
52 static int transfer_unpack_limit = -1;
53 static int advertise_atomic_push = 1;
54 static int advertise_push_options;
55 static int unpack_limit = 100;
56 static off_t max_input_size;
57 static int report_status;
58 static int use_sideband;
59 static int use_atomic;
60 static int use_push_options;
61 static int quiet;
62 static int prefer_ofs_delta = 1;
63 static int auto_update_server_info;
64 static int auto_gc = 1;
65 static int reject_thin;
66 static int stateless_rpc;
67 static const char *service_dir;
68 static const char *head_name;
69 static void *head_name_to_free;
70 static int sent_capabilities;
71 static int shallow_update;
72 static const char *alt_shallow_file;
73 static struct strbuf push_cert = STRBUF_INIT;
74 static struct object_id push_cert_oid;
75 static struct signature_check sigcheck;
76 static const char *push_cert_nonce;
77 static const char *cert_nonce_seed;
78
79 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
80 static const char *NONCE_BAD = "BAD";
81 static const char *NONCE_MISSING = "MISSING";
82 static const char *NONCE_OK = "OK";
83 static const char *NONCE_SLOP = "SLOP";
84 static const char *nonce_status;
85 static long nonce_stamp_slop;
86 static timestamp_t nonce_stamp_slop_limit;
87 static struct ref_transaction *transaction;
88
89 static enum {
90         KEEPALIVE_NEVER = 0,
91         KEEPALIVE_AFTER_NUL,
92         KEEPALIVE_ALWAYS
93 } use_keepalive;
94 static int keepalive_in_sec = 5;
95
96 static struct tmp_objdir *tmp_objdir;
97
98 static enum deny_action parse_deny_action(const char *var, const char *value)
99 {
100         if (value) {
101                 if (!strcasecmp(value, "ignore"))
102                         return DENY_IGNORE;
103                 if (!strcasecmp(value, "warn"))
104                         return DENY_WARN;
105                 if (!strcasecmp(value, "refuse"))
106                         return DENY_REFUSE;
107                 if (!strcasecmp(value, "updateinstead"))
108                         return DENY_UPDATE_INSTEAD;
109         }
110         if (git_config_bool(var, value))
111                 return DENY_REFUSE;
112         return DENY_IGNORE;
113 }
114
115 static int receive_pack_config(const char *var, const char *value, void *cb)
116 {
117         int status = parse_hide_refs_config(var, value, "receive");
118
119         if (status)
120                 return status;
121
122         if (strcmp(var, "receive.denydeletes") == 0) {
123                 deny_deletes = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.denynonfastforwards") == 0) {
128                 deny_non_fast_forwards = git_config_bool(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "receive.unpacklimit") == 0) {
133                 receive_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "transfer.unpacklimit") == 0) {
138                 transfer_unpack_limit = git_config_int(var, value);
139                 return 0;
140         }
141
142         if (strcmp(var, "receive.fsck.skiplist") == 0) {
143                 const char *path;
144
145                 if (git_config_pathname(&path, var, value))
146                         return 1;
147                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
148                         fsck_msg_types.len ? ',' : '=', path);
149                 free((char *)path);
150                 return 0;
151         }
152
153         if (skip_prefix(var, "receive.fsck.", &var)) {
154                 if (is_valid_msg_type(var, value))
155                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
156                                 fsck_msg_types.len ? ',' : '=', var, value);
157                 else
158                         warning("Skipping unknown msg id '%s'", var);
159                 return 0;
160         }
161
162         if (strcmp(var, "receive.fsckobjects") == 0) {
163                 receive_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (strcmp(var, "transfer.fsckobjects") == 0) {
168                 transfer_fsck_objects = git_config_bool(var, value);
169                 return 0;
170         }
171
172         if (!strcmp(var, "receive.denycurrentbranch")) {
173                 deny_current_branch = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "receive.denydeletecurrent") == 0) {
178                 deny_delete_current = parse_deny_action(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
183                 prefer_ofs_delta = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.updateserverinfo") == 0) {
188                 auto_update_server_info = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.autogc") == 0) {
193                 auto_gc = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.shallowupdate") == 0) {
198                 shallow_update = git_config_bool(var, value);
199                 return 0;
200         }
201
202         if (strcmp(var, "receive.certnonceseed") == 0)
203                 return git_config_string(&cert_nonce_seed, var, value);
204
205         if (strcmp(var, "receive.certnonceslop") == 0) {
206                 nonce_stamp_slop_limit = git_config_ulong(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertiseatomic") == 0) {
211                 advertise_atomic_push = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.advertisepushoptions") == 0) {
216                 advertise_push_options = git_config_bool(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.keepalive") == 0) {
221                 keepalive_in_sec = git_config_int(var, value);
222                 return 0;
223         }
224
225         if (strcmp(var, "receive.maxinputsize") == 0) {
226                 max_input_size = git_config_int64(var, value);
227                 return 0;
228         }
229
230         return git_default_config(var, value, cb);
231 }
232
233 static void show_ref(const char *path, const struct object_id *oid)
234 {
235         if (sent_capabilities) {
236                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
237         } else {
238                 struct strbuf cap = STRBUF_INIT;
239
240                 strbuf_addstr(&cap,
241                               "report-status delete-refs side-band-64k quiet");
242                 if (advertise_atomic_push)
243                         strbuf_addstr(&cap, " atomic");
244                 if (prefer_ofs_delta)
245                         strbuf_addstr(&cap, " ofs-delta");
246                 if (push_cert_nonce)
247                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
248                 if (advertise_push_options)
249                         strbuf_addstr(&cap, " push-options");
250                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
251                 packet_write_fmt(1, "%s %s%c%s\n",
252                              oid_to_hex(oid), path, 0, cap.buf);
253                 strbuf_release(&cap);
254                 sent_capabilities = 1;
255         }
256 }
257
258 static int show_ref_cb(const char *path_full, const struct object_id *oid,
259                        int flag, void *data)
260 {
261         struct oidset *seen = data;
262         const char *path = strip_namespace(path_full);
263
264         if (ref_is_hidden(path, path_full))
265                 return 0;
266
267         /*
268          * Advertise refs outside our current namespace as ".have"
269          * refs, so that the client can use them to minimize data
270          * transfer but will otherwise ignore them.
271          */
272         if (!path) {
273                 if (oidset_insert(seen, oid))
274                         return 0;
275                 path = ".have";
276         } else {
277                 oidset_insert(seen, oid);
278         }
279         show_ref(path, oid);
280         return 0;
281 }
282
283 static void show_one_alternate_ref(const char *refname,
284                                    const struct object_id *oid,
285                                    void *data)
286 {
287         struct oidset *seen = data;
288
289         if (oidset_insert(seen, oid))
290                 return;
291
292         show_ref(".have", oid);
293 }
294
295 static void write_head_info(void)
296 {
297         static struct oidset seen = OIDSET_INIT;
298
299         for_each_ref(show_ref_cb, &seen);
300         for_each_alternate_ref(show_one_alternate_ref, &seen);
301         oidset_clear(&seen);
302         if (!sent_capabilities)
303                 show_ref("capabilities^{}", &null_oid);
304
305         advertise_shallow_grafts(1);
306
307         /* EOF */
308         packet_flush(1);
309 }
310
311 struct command {
312         struct command *next;
313         const char *error_string;
314         unsigned int skip_update:1,
315                      did_not_exist:1;
316         int index;
317         struct object_id old_oid;
318         struct object_id new_oid;
319         char ref_name[FLEX_ARRAY]; /* more */
320 };
321
322 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
323 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
324
325 static void report_message(const char *prefix, const char *err, va_list params)
326 {
327         int sz;
328         char msg[4096];
329
330         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
331         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
332         if (sz > (sizeof(msg) - 1))
333                 sz = sizeof(msg) - 1;
334         msg[sz++] = '\n';
335
336         if (use_sideband)
337                 send_sideband(1, 2, msg, sz, use_sideband);
338         else
339                 xwrite(2, msg, sz);
340 }
341
342 static void rp_warning(const char *err, ...)
343 {
344         va_list params;
345         va_start(params, err);
346         report_message("warning: ", err, params);
347         va_end(params);
348 }
349
350 static void rp_error(const char *err, ...)
351 {
352         va_list params;
353         va_start(params, err);
354         report_message("error: ", err, params);
355         va_end(params);
356 }
357
358 static int copy_to_sideband(int in, int out, void *arg)
359 {
360         char data[128];
361         int keepalive_active = 0;
362
363         if (keepalive_in_sec <= 0)
364                 use_keepalive = KEEPALIVE_NEVER;
365         if (use_keepalive == KEEPALIVE_ALWAYS)
366                 keepalive_active = 1;
367
368         while (1) {
369                 ssize_t sz;
370
371                 if (keepalive_active) {
372                         struct pollfd pfd;
373                         int ret;
374
375                         pfd.fd = in;
376                         pfd.events = POLLIN;
377                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
378
379                         if (ret < 0) {
380                                 if (errno == EINTR)
381                                         continue;
382                                 else
383                                         break;
384                         } else if (ret == 0) {
385                                 /* no data; send a keepalive packet */
386                                 static const char buf[] = "0005\1";
387                                 write_or_die(1, buf, sizeof(buf) - 1);
388                                 continue;
389                         } /* else there is actual data to read */
390                 }
391
392                 sz = xread(in, data, sizeof(data));
393                 if (sz <= 0)
394                         break;
395
396                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
397                         const char *p = memchr(data, '\0', sz);
398                         if (p) {
399                                 /*
400                                  * The NUL tells us to start sending keepalives. Make
401                                  * sure we send any other data we read along
402                                  * with it.
403                                  */
404                                 keepalive_active = 1;
405                                 send_sideband(1, 2, data, p - data, use_sideband);
406                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
407                                 continue;
408                         }
409                 }
410
411                 /*
412                  * Either we're not looking for a NUL signal, or we didn't see
413                  * it yet; just pass along the data.
414                  */
415                 send_sideband(1, 2, data, sz, use_sideband);
416         }
417         close(in);
418         return 0;
419 }
420
421 #define HMAC_BLOCK_SIZE 64
422
423 static void hmac_sha1(unsigned char *out,
424                       const char *key_in, size_t key_len,
425                       const char *text, size_t text_len)
426 {
427         unsigned char key[HMAC_BLOCK_SIZE];
428         unsigned char k_ipad[HMAC_BLOCK_SIZE];
429         unsigned char k_opad[HMAC_BLOCK_SIZE];
430         int i;
431         git_SHA_CTX ctx;
432
433         /* RFC 2104 2. (1) */
434         memset(key, '\0', HMAC_BLOCK_SIZE);
435         if (HMAC_BLOCK_SIZE < key_len) {
436                 git_SHA1_Init(&ctx);
437                 git_SHA1_Update(&ctx, key_in, key_len);
438                 git_SHA1_Final(key, &ctx);
439         } else {
440                 memcpy(key, key_in, key_len);
441         }
442
443         /* RFC 2104 2. (2) & (5) */
444         for (i = 0; i < sizeof(key); i++) {
445                 k_ipad[i] = key[i] ^ 0x36;
446                 k_opad[i] = key[i] ^ 0x5c;
447         }
448
449         /* RFC 2104 2. (3) & (4) */
450         git_SHA1_Init(&ctx);
451         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
452         git_SHA1_Update(&ctx, text, text_len);
453         git_SHA1_Final(out, &ctx);
454
455         /* RFC 2104 2. (6) & (7) */
456         git_SHA1_Init(&ctx);
457         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
458         git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
459         git_SHA1_Final(out, &ctx);
460 }
461
462 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
463 {
464         struct strbuf buf = STRBUF_INIT;
465         unsigned char sha1[GIT_SHA1_RAWSZ];
466
467         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
468         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
469         strbuf_release(&buf);
470
471         /* RFC 2104 5. HMAC-SHA1-80 */
472         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
473         return strbuf_detach(&buf, NULL);
474 }
475
476 /*
477  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
478  * after dropping "_commit" from its name and possibly moving it out
479  * of commit.c
480  */
481 static char *find_header(const char *msg, size_t len, const char *key,
482                          const char **next_line)
483 {
484         int key_len = strlen(key);
485         const char *line = msg;
486
487         while (line && line < msg + len) {
488                 const char *eol = strchrnul(line, '\n');
489
490                 if ((msg + len <= eol) || line == eol)
491                         return NULL;
492                 if (line + key_len < eol &&
493                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
494                         int offset = key_len + 1;
495                         if (next_line)
496                                 *next_line = *eol ? eol + 1 : eol;
497                         return xmemdupz(line + offset, (eol - line) - offset);
498                 }
499                 line = *eol ? eol + 1 : NULL;
500         }
501         return NULL;
502 }
503
504 static const char *check_nonce(const char *buf, size_t len)
505 {
506         char *nonce = find_header(buf, len, "nonce", NULL);
507         timestamp_t stamp, ostamp;
508         char *bohmac, *expect = NULL;
509         const char *retval = NONCE_BAD;
510
511         if (!nonce) {
512                 retval = NONCE_MISSING;
513                 goto leave;
514         } else if (!push_cert_nonce) {
515                 retval = NONCE_UNSOLICITED;
516                 goto leave;
517         } else if (!strcmp(push_cert_nonce, nonce)) {
518                 retval = NONCE_OK;
519                 goto leave;
520         }
521
522         if (!stateless_rpc) {
523                 /* returned nonce MUST match what we gave out earlier */
524                 retval = NONCE_BAD;
525                 goto leave;
526         }
527
528         /*
529          * In stateless mode, we may be receiving a nonce issued by
530          * another instance of the server that serving the same
531          * repository, and the timestamps may not match, but the
532          * nonce-seed and dir should match, so we can recompute and
533          * report the time slop.
534          *
535          * In addition, when a nonce issued by another instance has
536          * timestamp within receive.certnonceslop seconds, we pretend
537          * as if we issued that nonce when reporting to the hook.
538          */
539
540         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
541         if (*nonce <= '0' || '9' < *nonce) {
542                 retval = NONCE_BAD;
543                 goto leave;
544         }
545         stamp = parse_timestamp(nonce, &bohmac, 10);
546         if (bohmac == nonce || bohmac[0] != '-') {
547                 retval = NONCE_BAD;
548                 goto leave;
549         }
550
551         expect = prepare_push_cert_nonce(service_dir, stamp);
552         if (strcmp(expect, nonce)) {
553                 /* Not what we would have signed earlier */
554                 retval = NONCE_BAD;
555                 goto leave;
556         }
557
558         /*
559          * By how many seconds is this nonce stale?  Negative value
560          * would mean it was issued by another server with its clock
561          * skewed in the future.
562          */
563         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
564         nonce_stamp_slop = (long)ostamp - (long)stamp;
565
566         if (nonce_stamp_slop_limit &&
567             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
568                 /*
569                  * Pretend as if the received nonce (which passes the
570                  * HMAC check, so it is not a forged by third-party)
571                  * is what we issued.
572                  */
573                 free((void *)push_cert_nonce);
574                 push_cert_nonce = xstrdup(nonce);
575                 retval = NONCE_OK;
576         } else {
577                 retval = NONCE_SLOP;
578         }
579
580 leave:
581         free(nonce);
582         free(expect);
583         return retval;
584 }
585
586 /*
587  * Return 1 if there is no push_cert or if the push options in push_cert are
588  * the same as those in the argument; 0 otherwise.
589  */
590 static int check_cert_push_options(const struct string_list *push_options)
591 {
592         const char *buf = push_cert.buf;
593         int len = push_cert.len;
594
595         char *option;
596         const char *next_line;
597         int options_seen = 0;
598
599         int retval = 1;
600
601         if (!len)
602                 return 1;
603
604         while ((option = find_header(buf, len, "push-option", &next_line))) {
605                 len -= (next_line - buf);
606                 buf = next_line;
607                 options_seen++;
608                 if (options_seen > push_options->nr
609                     || strcmp(option,
610                               push_options->items[options_seen - 1].string)) {
611                         retval = 0;
612                         goto leave;
613                 }
614                 free(option);
615         }
616
617         if (options_seen != push_options->nr)
618                 retval = 0;
619
620 leave:
621         free(option);
622         return retval;
623 }
624
625 static void prepare_push_cert_sha1(struct child_process *proc)
626 {
627         static int already_done;
628
629         if (!push_cert.len)
630                 return;
631
632         if (!already_done) {
633                 struct strbuf gpg_output = STRBUF_INIT;
634                 struct strbuf gpg_status = STRBUF_INIT;
635                 int bogs /* beginning_of_gpg_sig */;
636
637                 already_done = 1;
638                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
639                                       &push_cert_oid))
640                         oidclr(&push_cert_oid);
641
642                 memset(&sigcheck, '\0', sizeof(sigcheck));
643                 sigcheck.result = 'N';
644
645                 bogs = parse_signature(push_cert.buf, push_cert.len);
646                 if (verify_signed_buffer(push_cert.buf, bogs,
647                                          push_cert.buf + bogs, push_cert.len - bogs,
648                                          &gpg_output, &gpg_status) < 0) {
649                         ; /* error running gpg */
650                 } else {
651                         sigcheck.payload = push_cert.buf;
652                         sigcheck.gpg_output = gpg_output.buf;
653                         sigcheck.gpg_status = gpg_status.buf;
654                         parse_gpg_output(&sigcheck);
655                 }
656
657                 strbuf_release(&gpg_output);
658                 strbuf_release(&gpg_status);
659                 nonce_status = check_nonce(push_cert.buf, bogs);
660         }
661         if (!is_null_oid(&push_cert_oid)) {
662                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
663                                  oid_to_hex(&push_cert_oid));
664                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
665                                  sigcheck.signer ? sigcheck.signer : "");
666                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
667                                  sigcheck.key ? sigcheck.key : "");
668                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
669                                  sigcheck.result);
670                 if (push_cert_nonce) {
671                         argv_array_pushf(&proc->env_array,
672                                          "GIT_PUSH_CERT_NONCE=%s",
673                                          push_cert_nonce);
674                         argv_array_pushf(&proc->env_array,
675                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
676                                          nonce_status);
677                         if (nonce_status == NONCE_SLOP)
678                                 argv_array_pushf(&proc->env_array,
679                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
680                                                  nonce_stamp_slop);
681                 }
682         }
683 }
684
685 struct receive_hook_feed_state {
686         struct command *cmd;
687         int skip_broken;
688         struct strbuf buf;
689         const struct string_list *push_options;
690 };
691
692 typedef int (*feed_fn)(void *, const char **, size_t *);
693 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
694                              struct receive_hook_feed_state *feed_state)
695 {
696         struct child_process proc = CHILD_PROCESS_INIT;
697         struct async muxer;
698         const char *argv[2];
699         int code;
700
701         argv[0] = find_hook(hook_name);
702         if (!argv[0])
703                 return 0;
704
705         argv[1] = NULL;
706
707         proc.argv = argv;
708         proc.in = -1;
709         proc.stdout_to_stderr = 1;
710         if (feed_state->push_options) {
711                 int i;
712                 for (i = 0; i < feed_state->push_options->nr; i++)
713                         argv_array_pushf(&proc.env_array,
714                                 "GIT_PUSH_OPTION_%d=%s", i,
715                                 feed_state->push_options->items[i].string);
716                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
717                                  feed_state->push_options->nr);
718         } else
719                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
720
721         if (tmp_objdir)
722                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
723
724         if (use_sideband) {
725                 memset(&muxer, 0, sizeof(muxer));
726                 muxer.proc = copy_to_sideband;
727                 muxer.in = -1;
728                 code = start_async(&muxer);
729                 if (code)
730                         return code;
731                 proc.err = muxer.in;
732         }
733
734         prepare_push_cert_sha1(&proc);
735
736         code = start_command(&proc);
737         if (code) {
738                 if (use_sideband)
739                         finish_async(&muxer);
740                 return code;
741         }
742
743         sigchain_push(SIGPIPE, SIG_IGN);
744
745         while (1) {
746                 const char *buf;
747                 size_t n;
748                 if (feed(feed_state, &buf, &n))
749                         break;
750                 if (write_in_full(proc.in, buf, n) < 0)
751                         break;
752         }
753         close(proc.in);
754         if (use_sideband)
755                 finish_async(&muxer);
756
757         sigchain_pop(SIGPIPE);
758
759         return finish_command(&proc);
760 }
761
762 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
763 {
764         struct receive_hook_feed_state *state = state_;
765         struct command *cmd = state->cmd;
766
767         while (cmd &&
768                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
769                 cmd = cmd->next;
770         if (!cmd)
771                 return -1; /* EOF */
772         strbuf_reset(&state->buf);
773         strbuf_addf(&state->buf, "%s %s %s\n",
774                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
775                     cmd->ref_name);
776         state->cmd = cmd->next;
777         if (bufp) {
778                 *bufp = state->buf.buf;
779                 *sizep = state->buf.len;
780         }
781         return 0;
782 }
783
784 static int run_receive_hook(struct command *commands,
785                             const char *hook_name,
786                             int skip_broken,
787                             const struct string_list *push_options)
788 {
789         struct receive_hook_feed_state state;
790         int status;
791
792         strbuf_init(&state.buf, 0);
793         state.cmd = commands;
794         state.skip_broken = skip_broken;
795         if (feed_receive_hook(&state, NULL, NULL))
796                 return 0;
797         state.cmd = commands;
798         state.push_options = push_options;
799         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
800         strbuf_release(&state.buf);
801         return status;
802 }
803
804 static int run_update_hook(struct command *cmd)
805 {
806         const char *argv[5];
807         struct child_process proc = CHILD_PROCESS_INIT;
808         int code;
809
810         argv[0] = find_hook("update");
811         if (!argv[0])
812                 return 0;
813
814         argv[1] = cmd->ref_name;
815         argv[2] = oid_to_hex(&cmd->old_oid);
816         argv[3] = oid_to_hex(&cmd->new_oid);
817         argv[4] = NULL;
818
819         proc.no_stdin = 1;
820         proc.stdout_to_stderr = 1;
821         proc.err = use_sideband ? -1 : 0;
822         proc.argv = argv;
823
824         code = start_command(&proc);
825         if (code)
826                 return code;
827         if (use_sideband)
828                 copy_to_sideband(proc.err, -1, NULL);
829         return finish_command(&proc);
830 }
831
832 static int is_ref_checked_out(const char *ref)
833 {
834         if (is_bare_repository())
835                 return 0;
836
837         if (!head_name)
838                 return 0;
839         return !strcmp(head_name, ref);
840 }
841
842 static char *refuse_unconfigured_deny_msg =
843         N_("By default, updating the current branch in a non-bare repository\n"
844            "is denied, because it will make the index and work tree inconsistent\n"
845            "with what you pushed, and will require 'git reset --hard' to match\n"
846            "the work tree to HEAD.\n"
847            "\n"
848            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
849            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
850            "its current branch; however, this is not recommended unless you\n"
851            "arranged to update its work tree to match what you pushed in some\n"
852            "other way.\n"
853            "\n"
854            "To squelch this message and still keep the default behaviour, set\n"
855            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
856
857 static void refuse_unconfigured_deny(void)
858 {
859         rp_error("%s", _(refuse_unconfigured_deny_msg));
860 }
861
862 static char *refuse_unconfigured_deny_delete_current_msg =
863         N_("By default, deleting the current branch is denied, because the next\n"
864            "'git clone' won't result in any file checked out, causing confusion.\n"
865            "\n"
866            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
867            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
868            "current branch, with or without a warning message.\n"
869            "\n"
870            "To squelch this message, you can set it to 'refuse'.");
871
872 static void refuse_unconfigured_deny_delete_current(void)
873 {
874         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
875 }
876
877 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
878 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
879 {
880         struct lock_file shallow_lock = LOCK_INIT;
881         struct oid_array extra = OID_ARRAY_INIT;
882         struct check_connected_options opt = CHECK_CONNECTED_INIT;
883         uint32_t mask = 1 << (cmd->index % 32);
884         int i;
885
886         trace_printf_key(&trace_shallow,
887                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
888         for (i = 0; i < si->shallow->nr; i++)
889                 if (si->used_shallow[i] &&
890                     (si->used_shallow[i][cmd->index / 32] & mask) &&
891                     !delayed_reachability_test(si, i))
892                         oid_array_append(&extra, &si->shallow->oid[i]);
893
894         opt.env = tmp_objdir_env(tmp_objdir);
895         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
896         if (check_connected(command_singleton_iterator, cmd, &opt)) {
897                 rollback_lock_file(&shallow_lock);
898                 oid_array_clear(&extra);
899                 return -1;
900         }
901
902         commit_lock_file(&shallow_lock);
903
904         /*
905          * Make sure setup_alternate_shallow() for the next ref does
906          * not lose these new roots..
907          */
908         for (i = 0; i < extra.nr; i++)
909                 register_shallow(the_repository, &extra.oid[i]);
910
911         si->shallow_ref[cmd->index] = 0;
912         oid_array_clear(&extra);
913         return 0;
914 }
915
916 /*
917  * NEEDSWORK: we should consolidate various implementions of "are we
918  * on an unborn branch?" test into one, and make the unified one more
919  * robust. !get_sha1() based check used here and elsewhere would not
920  * allow us to tell an unborn branch from corrupt ref, for example.
921  * For the purpose of fixing "deploy-to-update does not work when
922  * pushing into an empty repository" issue, this should suffice for
923  * now.
924  */
925 static int head_has_history(void)
926 {
927         struct object_id oid;
928
929         return !get_oid("HEAD", &oid);
930 }
931
932 static const char *push_to_deploy(unsigned char *sha1,
933                                   struct argv_array *env,
934                                   const char *work_tree)
935 {
936         const char *update_refresh[] = {
937                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
938         };
939         const char *diff_files[] = {
940                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
941         };
942         const char *diff_index[] = {
943                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
944                 NULL, "--", NULL
945         };
946         const char *read_tree[] = {
947                 "read-tree", "-u", "-m", NULL, NULL
948         };
949         struct child_process child = CHILD_PROCESS_INIT;
950
951         child.argv = update_refresh;
952         child.env = env->argv;
953         child.dir = work_tree;
954         child.no_stdin = 1;
955         child.stdout_to_stderr = 1;
956         child.git_cmd = 1;
957         if (run_command(&child))
958                 return "Up-to-date check failed";
959
960         /* run_command() does not clean up completely; reinitialize */
961         child_process_init(&child);
962         child.argv = diff_files;
963         child.env = env->argv;
964         child.dir = work_tree;
965         child.no_stdin = 1;
966         child.stdout_to_stderr = 1;
967         child.git_cmd = 1;
968         if (run_command(&child))
969                 return "Working directory has unstaged changes";
970
971         /* diff-index with either HEAD or an empty tree */
972         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
973
974         child_process_init(&child);
975         child.argv = diff_index;
976         child.env = env->argv;
977         child.no_stdin = 1;
978         child.no_stdout = 1;
979         child.stdout_to_stderr = 0;
980         child.git_cmd = 1;
981         if (run_command(&child))
982                 return "Working directory has staged changes";
983
984         read_tree[3] = sha1_to_hex(sha1);
985         child_process_init(&child);
986         child.argv = read_tree;
987         child.env = env->argv;
988         child.dir = work_tree;
989         child.no_stdin = 1;
990         child.no_stdout = 1;
991         child.stdout_to_stderr = 0;
992         child.git_cmd = 1;
993         if (run_command(&child))
994                 return "Could not update working tree to new HEAD";
995
996         return NULL;
997 }
998
999 static const char *push_to_checkout_hook = "push-to-checkout";
1000
1001 static const char *push_to_checkout(unsigned char *sha1,
1002                                     struct argv_array *env,
1003                                     const char *work_tree)
1004 {
1005         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1006         if (run_hook_le(env->argv, push_to_checkout_hook,
1007                         sha1_to_hex(sha1), NULL))
1008                 return "push-to-checkout hook declined";
1009         else
1010                 return NULL;
1011 }
1012
1013 static const char *update_worktree(unsigned char *sha1)
1014 {
1015         const char *retval;
1016         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1017         struct argv_array env = ARGV_ARRAY_INIT;
1018
1019         if (is_bare_repository())
1020                 return "denyCurrentBranch = updateInstead needs a worktree";
1021
1022         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1023
1024         if (!find_hook(push_to_checkout_hook))
1025                 retval = push_to_deploy(sha1, &env, work_tree);
1026         else
1027                 retval = push_to_checkout(sha1, &env, work_tree);
1028
1029         argv_array_clear(&env);
1030         return retval;
1031 }
1032
1033 static const char *update(struct command *cmd, struct shallow_info *si)
1034 {
1035         const char *name = cmd->ref_name;
1036         struct strbuf namespaced_name_buf = STRBUF_INIT;
1037         static char *namespaced_name;
1038         const char *ret;
1039         struct object_id *old_oid = &cmd->old_oid;
1040         struct object_id *new_oid = &cmd->new_oid;
1041
1042         /* only refs/... are allowed */
1043         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1044                 rp_error("refusing to create funny ref '%s' remotely", name);
1045                 return "funny refname";
1046         }
1047
1048         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1049         free(namespaced_name);
1050         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1051
1052         if (is_ref_checked_out(namespaced_name)) {
1053                 switch (deny_current_branch) {
1054                 case DENY_IGNORE:
1055                         break;
1056                 case DENY_WARN:
1057                         rp_warning("updating the current branch");
1058                         break;
1059                 case DENY_REFUSE:
1060                 case DENY_UNCONFIGURED:
1061                         rp_error("refusing to update checked out branch: %s", name);
1062                         if (deny_current_branch == DENY_UNCONFIGURED)
1063                                 refuse_unconfigured_deny();
1064                         return "branch is currently checked out";
1065                 case DENY_UPDATE_INSTEAD:
1066                         ret = update_worktree(new_oid->hash);
1067                         if (ret)
1068                                 return ret;
1069                         break;
1070                 }
1071         }
1072
1073         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1074                 error("unpack should have generated %s, "
1075                       "but I can't find it!", oid_to_hex(new_oid));
1076                 return "bad pack";
1077         }
1078
1079         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1080                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1081                         rp_error("denying ref deletion for %s", name);
1082                         return "deletion prohibited";
1083                 }
1084
1085                 if (head_name && !strcmp(namespaced_name, head_name)) {
1086                         switch (deny_delete_current) {
1087                         case DENY_IGNORE:
1088                                 break;
1089                         case DENY_WARN:
1090                                 rp_warning("deleting the current branch");
1091                                 break;
1092                         case DENY_REFUSE:
1093                         case DENY_UNCONFIGURED:
1094                         case DENY_UPDATE_INSTEAD:
1095                                 if (deny_delete_current == DENY_UNCONFIGURED)
1096                                         refuse_unconfigured_deny_delete_current();
1097                                 rp_error("refusing to delete the current branch: %s", name);
1098                                 return "deletion of the current branch prohibited";
1099                         default:
1100                                 return "Invalid denyDeleteCurrent setting";
1101                         }
1102                 }
1103         }
1104
1105         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1106             !is_null_oid(old_oid) &&
1107             starts_with(name, "refs/heads/")) {
1108                 struct object *old_object, *new_object;
1109                 struct commit *old_commit, *new_commit;
1110
1111                 old_object = parse_object(old_oid);
1112                 new_object = parse_object(new_oid);
1113
1114                 if (!old_object || !new_object ||
1115                     old_object->type != OBJ_COMMIT ||
1116                     new_object->type != OBJ_COMMIT) {
1117                         error("bad sha1 objects for %s", name);
1118                         return "bad ref";
1119                 }
1120                 old_commit = (struct commit *)old_object;
1121                 new_commit = (struct commit *)new_object;
1122                 if (!in_merge_bases(old_commit, new_commit)) {
1123                         rp_error("denying non-fast-forward %s"
1124                                  " (you should pull first)", name);
1125                         return "non-fast-forward";
1126                 }
1127         }
1128         if (run_update_hook(cmd)) {
1129                 rp_error("hook declined to update %s", name);
1130                 return "hook declined";
1131         }
1132
1133         if (is_null_oid(new_oid)) {
1134                 struct strbuf err = STRBUF_INIT;
1135                 if (!parse_object(old_oid)) {
1136                         old_oid = NULL;
1137                         if (ref_exists(name)) {
1138                                 rp_warning("Allowing deletion of corrupt ref.");
1139                         } else {
1140                                 rp_warning("Deleting a non-existent ref.");
1141                                 cmd->did_not_exist = 1;
1142                         }
1143                 }
1144                 if (ref_transaction_delete(transaction,
1145                                            namespaced_name,
1146                                            old_oid,
1147                                            0, "push", &err)) {
1148                         rp_error("%s", err.buf);
1149                         strbuf_release(&err);
1150                         return "failed to delete";
1151                 }
1152                 strbuf_release(&err);
1153                 return NULL; /* good */
1154         }
1155         else {
1156                 struct strbuf err = STRBUF_INIT;
1157                 if (shallow_update && si->shallow_ref[cmd->index] &&
1158                     update_shallow_ref(cmd, si))
1159                         return "shallow error";
1160
1161                 if (ref_transaction_update(transaction,
1162                                            namespaced_name,
1163                                            new_oid, old_oid,
1164                                            0, "push",
1165                                            &err)) {
1166                         rp_error("%s", err.buf);
1167                         strbuf_release(&err);
1168
1169                         return "failed to update ref";
1170                 }
1171                 strbuf_release(&err);
1172
1173                 return NULL; /* good */
1174         }
1175 }
1176
1177 static void run_update_post_hook(struct command *commands)
1178 {
1179         struct command *cmd;
1180         struct child_process proc = CHILD_PROCESS_INIT;
1181         const char *hook;
1182
1183         hook = find_hook("post-update");
1184         if (!hook)
1185                 return;
1186
1187         for (cmd = commands; cmd; cmd = cmd->next) {
1188                 if (cmd->error_string || cmd->did_not_exist)
1189                         continue;
1190                 if (!proc.args.argc)
1191                         argv_array_push(&proc.args, hook);
1192                 argv_array_push(&proc.args, cmd->ref_name);
1193         }
1194         if (!proc.args.argc)
1195                 return;
1196
1197         proc.no_stdin = 1;
1198         proc.stdout_to_stderr = 1;
1199         proc.err = use_sideband ? -1 : 0;
1200
1201         if (!start_command(&proc)) {
1202                 if (use_sideband)
1203                         copy_to_sideband(proc.err, -1, NULL);
1204                 finish_command(&proc);
1205         }
1206 }
1207
1208 static void check_aliased_update(struct command *cmd, struct string_list *list)
1209 {
1210         struct strbuf buf = STRBUF_INIT;
1211         const char *dst_name;
1212         struct string_list_item *item;
1213         struct command *dst_cmd;
1214         int flag;
1215
1216         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1217         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1218         strbuf_release(&buf);
1219
1220         if (!(flag & REF_ISSYMREF))
1221                 return;
1222
1223         if (!dst_name) {
1224                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1225                 cmd->skip_update = 1;
1226                 cmd->error_string = "broken symref";
1227                 return;
1228         }
1229         dst_name = strip_namespace(dst_name);
1230
1231         if ((item = string_list_lookup(list, dst_name)) == NULL)
1232                 return;
1233
1234         cmd->skip_update = 1;
1235
1236         dst_cmd = (struct command *) item->util;
1237
1238         if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1239             !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1240                 return;
1241
1242         dst_cmd->skip_update = 1;
1243
1244         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1245                  " its target '%s' (%s..%s)",
1246                  cmd->ref_name,
1247                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1248                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1249                  dst_cmd->ref_name,
1250                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1251                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1252
1253         cmd->error_string = dst_cmd->error_string =
1254                 "inconsistent aliased update";
1255 }
1256
1257 static void check_aliased_updates(struct command *commands)
1258 {
1259         struct command *cmd;
1260         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1261
1262         for (cmd = commands; cmd; cmd = cmd->next) {
1263                 struct string_list_item *item =
1264                         string_list_append(&ref_list, cmd->ref_name);
1265                 item->util = (void *)cmd;
1266         }
1267         string_list_sort(&ref_list);
1268
1269         for (cmd = commands; cmd; cmd = cmd->next) {
1270                 if (!cmd->error_string)
1271                         check_aliased_update(cmd, &ref_list);
1272         }
1273
1274         string_list_clear(&ref_list, 0);
1275 }
1276
1277 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1278 {
1279         struct command **cmd_list = cb_data;
1280         struct command *cmd = *cmd_list;
1281
1282         if (!cmd || is_null_oid(&cmd->new_oid))
1283                 return -1; /* end of list */
1284         *cmd_list = NULL; /* this returns only one */
1285         oidcpy(oid, &cmd->new_oid);
1286         return 0;
1287 }
1288
1289 static void set_connectivity_errors(struct command *commands,
1290                                     struct shallow_info *si)
1291 {
1292         struct command *cmd;
1293
1294         for (cmd = commands; cmd; cmd = cmd->next) {
1295                 struct command *singleton = cmd;
1296                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1297
1298                 if (shallow_update && si->shallow_ref[cmd->index])
1299                         /* to be checked in update_shallow_ref() */
1300                         continue;
1301
1302                 opt.env = tmp_objdir_env(tmp_objdir);
1303                 if (!check_connected(command_singleton_iterator, &singleton,
1304                                      &opt))
1305                         continue;
1306
1307                 cmd->error_string = "missing necessary objects";
1308         }
1309 }
1310
1311 struct iterate_data {
1312         struct command *cmds;
1313         struct shallow_info *si;
1314 };
1315
1316 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1317 {
1318         struct iterate_data *data = cb_data;
1319         struct command **cmd_list = &data->cmds;
1320         struct command *cmd = *cmd_list;
1321
1322         for (; cmd; cmd = cmd->next) {
1323                 if (shallow_update && data->si->shallow_ref[cmd->index])
1324                         /* to be checked in update_shallow_ref() */
1325                         continue;
1326                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1327                         oidcpy(oid, &cmd->new_oid);
1328                         *cmd_list = cmd->next;
1329                         return 0;
1330                 }
1331         }
1332         *cmd_list = NULL;
1333         return -1; /* end of list */
1334 }
1335
1336 static void reject_updates_to_hidden(struct command *commands)
1337 {
1338         struct strbuf refname_full = STRBUF_INIT;
1339         size_t prefix_len;
1340         struct command *cmd;
1341
1342         strbuf_addstr(&refname_full, get_git_namespace());
1343         prefix_len = refname_full.len;
1344
1345         for (cmd = commands; cmd; cmd = cmd->next) {
1346                 if (cmd->error_string)
1347                         continue;
1348
1349                 strbuf_setlen(&refname_full, prefix_len);
1350                 strbuf_addstr(&refname_full, cmd->ref_name);
1351
1352                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1353                         continue;
1354                 if (is_null_oid(&cmd->new_oid))
1355                         cmd->error_string = "deny deleting a hidden ref";
1356                 else
1357                         cmd->error_string = "deny updating a hidden ref";
1358         }
1359
1360         strbuf_release(&refname_full);
1361 }
1362
1363 static int should_process_cmd(struct command *cmd)
1364 {
1365         return !cmd->error_string && !cmd->skip_update;
1366 }
1367
1368 static void warn_if_skipped_connectivity_check(struct command *commands,
1369                                                struct shallow_info *si)
1370 {
1371         struct command *cmd;
1372         int checked_connectivity = 1;
1373
1374         for (cmd = commands; cmd; cmd = cmd->next) {
1375                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1376                         error("BUG: connectivity check has not been run on ref %s",
1377                               cmd->ref_name);
1378                         checked_connectivity = 0;
1379                 }
1380         }
1381         if (!checked_connectivity)
1382                 BUG("connectivity check skipped???");
1383 }
1384
1385 static void execute_commands_non_atomic(struct command *commands,
1386                                         struct shallow_info *si)
1387 {
1388         struct command *cmd;
1389         struct strbuf err = STRBUF_INIT;
1390
1391         for (cmd = commands; cmd; cmd = cmd->next) {
1392                 if (!should_process_cmd(cmd))
1393                         continue;
1394
1395                 transaction = ref_transaction_begin(&err);
1396                 if (!transaction) {
1397                         rp_error("%s", err.buf);
1398                         strbuf_reset(&err);
1399                         cmd->error_string = "transaction failed to start";
1400                         continue;
1401                 }
1402
1403                 cmd->error_string = update(cmd, si);
1404
1405                 if (!cmd->error_string
1406                     && ref_transaction_commit(transaction, &err)) {
1407                         rp_error("%s", err.buf);
1408                         strbuf_reset(&err);
1409                         cmd->error_string = "failed to update ref";
1410                 }
1411                 ref_transaction_free(transaction);
1412         }
1413         strbuf_release(&err);
1414 }
1415
1416 static void execute_commands_atomic(struct command *commands,
1417                                         struct shallow_info *si)
1418 {
1419         struct command *cmd;
1420         struct strbuf err = STRBUF_INIT;
1421         const char *reported_error = "atomic push failure";
1422
1423         transaction = ref_transaction_begin(&err);
1424         if (!transaction) {
1425                 rp_error("%s", err.buf);
1426                 strbuf_reset(&err);
1427                 reported_error = "transaction failed to start";
1428                 goto failure;
1429         }
1430
1431         for (cmd = commands; cmd; cmd = cmd->next) {
1432                 if (!should_process_cmd(cmd))
1433                         continue;
1434
1435                 cmd->error_string = update(cmd, si);
1436
1437                 if (cmd->error_string)
1438                         goto failure;
1439         }
1440
1441         if (ref_transaction_commit(transaction, &err)) {
1442                 rp_error("%s", err.buf);
1443                 reported_error = "atomic transaction failed";
1444                 goto failure;
1445         }
1446         goto cleanup;
1447
1448 failure:
1449         for (cmd = commands; cmd; cmd = cmd->next)
1450                 if (!cmd->error_string)
1451                         cmd->error_string = reported_error;
1452
1453 cleanup:
1454         ref_transaction_free(transaction);
1455         strbuf_release(&err);
1456 }
1457
1458 static void execute_commands(struct command *commands,
1459                              const char *unpacker_error,
1460                              struct shallow_info *si,
1461                              const struct string_list *push_options)
1462 {
1463         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1464         struct command *cmd;
1465         struct iterate_data data;
1466         struct async muxer;
1467         int err_fd = 0;
1468
1469         if (unpacker_error) {
1470                 for (cmd = commands; cmd; cmd = cmd->next)
1471                         cmd->error_string = "unpacker error";
1472                 return;
1473         }
1474
1475         if (use_sideband) {
1476                 memset(&muxer, 0, sizeof(muxer));
1477                 muxer.proc = copy_to_sideband;
1478                 muxer.in = -1;
1479                 if (!start_async(&muxer))
1480                         err_fd = muxer.in;
1481                 /* ...else, continue without relaying sideband */
1482         }
1483
1484         data.cmds = commands;
1485         data.si = si;
1486         opt.err_fd = err_fd;
1487         opt.progress = err_fd && !quiet;
1488         opt.env = tmp_objdir_env(tmp_objdir);
1489         if (check_connected(iterate_receive_command_list, &data, &opt))
1490                 set_connectivity_errors(commands, si);
1491
1492         if (use_sideband)
1493                 finish_async(&muxer);
1494
1495         reject_updates_to_hidden(commands);
1496
1497         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1498                 for (cmd = commands; cmd; cmd = cmd->next) {
1499                         if (!cmd->error_string)
1500                                 cmd->error_string = "pre-receive hook declined";
1501                 }
1502                 return;
1503         }
1504
1505         /*
1506          * Now we'll start writing out refs, which means the objects need
1507          * to be in their final positions so that other processes can see them.
1508          */
1509         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1510                 for (cmd = commands; cmd; cmd = cmd->next) {
1511                         if (!cmd->error_string)
1512                                 cmd->error_string = "unable to migrate objects to permanent storage";
1513                 }
1514                 return;
1515         }
1516         tmp_objdir = NULL;
1517
1518         check_aliased_updates(commands);
1519
1520         free(head_name_to_free);
1521         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1522
1523         if (use_atomic)
1524                 execute_commands_atomic(commands, si);
1525         else
1526                 execute_commands_non_atomic(commands, si);
1527
1528         if (shallow_update)
1529                 warn_if_skipped_connectivity_check(commands, si);
1530 }
1531
1532 static struct command **queue_command(struct command **tail,
1533                                       const char *line,
1534                                       int linelen)
1535 {
1536         struct object_id old_oid, new_oid;
1537         struct command *cmd;
1538         const char *refname;
1539         int reflen;
1540         const char *p;
1541
1542         if (parse_oid_hex(line, &old_oid, &p) ||
1543             *p++ != ' ' ||
1544             parse_oid_hex(p, &new_oid, &p) ||
1545             *p++ != ' ')
1546                 die("protocol error: expected old/new/ref, got '%s'", line);
1547
1548         refname = p;
1549         reflen = linelen - (p - line);
1550         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1551         oidcpy(&cmd->old_oid, &old_oid);
1552         oidcpy(&cmd->new_oid, &new_oid);
1553         *tail = cmd;
1554         return &cmd->next;
1555 }
1556
1557 static void queue_commands_from_cert(struct command **tail,
1558                                      struct strbuf *push_cert)
1559 {
1560         const char *boc, *eoc;
1561
1562         if (*tail)
1563                 die("protocol error: got both push certificate and unsigned commands");
1564
1565         boc = strstr(push_cert->buf, "\n\n");
1566         if (!boc)
1567                 die("malformed push certificate %.*s", 100, push_cert->buf);
1568         else
1569                 boc += 2;
1570         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1571
1572         while (boc < eoc) {
1573                 const char *eol = memchr(boc, '\n', eoc - boc);
1574                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1575                 boc = eol ? eol + 1 : eoc;
1576         }
1577 }
1578
1579 static struct command *read_head_info(struct oid_array *shallow)
1580 {
1581         struct command *commands = NULL;
1582         struct command **p = &commands;
1583         for (;;) {
1584                 char *line;
1585                 int len, linelen;
1586
1587                 line = packet_read_line(0, &len);
1588                 if (!line)
1589                         break;
1590
1591                 if (len > 8 && starts_with(line, "shallow ")) {
1592                         struct object_id oid;
1593                         if (get_oid_hex(line + 8, &oid))
1594                                 die("protocol error: expected shallow sha, got '%s'",
1595                                     line + 8);
1596                         oid_array_append(shallow, &oid);
1597                         continue;
1598                 }
1599
1600                 linelen = strlen(line);
1601                 if (linelen < len) {
1602                         const char *feature_list = line + linelen + 1;
1603                         if (parse_feature_request(feature_list, "report-status"))
1604                                 report_status = 1;
1605                         if (parse_feature_request(feature_list, "side-band-64k"))
1606                                 use_sideband = LARGE_PACKET_MAX;
1607                         if (parse_feature_request(feature_list, "quiet"))
1608                                 quiet = 1;
1609                         if (advertise_atomic_push
1610                             && parse_feature_request(feature_list, "atomic"))
1611                                 use_atomic = 1;
1612                         if (advertise_push_options
1613                             && parse_feature_request(feature_list, "push-options"))
1614                                 use_push_options = 1;
1615                 }
1616
1617                 if (!strcmp(line, "push-cert")) {
1618                         int true_flush = 0;
1619                         char certbuf[1024];
1620
1621                         for (;;) {
1622                                 len = packet_read(0, NULL, NULL,
1623                                                   certbuf, sizeof(certbuf), 0);
1624                                 if (!len) {
1625                                         true_flush = 1;
1626                                         break;
1627                                 }
1628                                 if (!strcmp(certbuf, "push-cert-end\n"))
1629                                         break; /* end of cert */
1630                                 strbuf_addstr(&push_cert, certbuf);
1631                         }
1632
1633                         if (true_flush)
1634                                 break;
1635                         continue;
1636                 }
1637
1638                 p = queue_command(p, line, linelen);
1639         }
1640
1641         if (push_cert.len)
1642                 queue_commands_from_cert(p, &push_cert);
1643
1644         return commands;
1645 }
1646
1647 static void read_push_options(struct string_list *options)
1648 {
1649         while (1) {
1650                 char *line;
1651                 int len;
1652
1653                 line = packet_read_line(0, &len);
1654
1655                 if (!line)
1656                         break;
1657
1658                 string_list_append(options, line);
1659         }
1660 }
1661
1662 static const char *parse_pack_header(struct pack_header *hdr)
1663 {
1664         switch (read_pack_header(0, hdr)) {
1665         case PH_ERROR_EOF:
1666                 return "eof before pack header was fully read";
1667
1668         case PH_ERROR_PACK_SIGNATURE:
1669                 return "protocol error (pack signature mismatch detected)";
1670
1671         case PH_ERROR_PROTOCOL:
1672                 return "protocol error (pack version unsupported)";
1673
1674         default:
1675                 return "unknown error in parse_pack_header";
1676
1677         case 0:
1678                 return NULL;
1679         }
1680 }
1681
1682 static const char *pack_lockfile;
1683
1684 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1685 {
1686         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1687                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1688 }
1689
1690 static const char *unpack(int err_fd, struct shallow_info *si)
1691 {
1692         struct pack_header hdr;
1693         const char *hdr_err;
1694         int status;
1695         struct child_process child = CHILD_PROCESS_INIT;
1696         int fsck_objects = (receive_fsck_objects >= 0
1697                             ? receive_fsck_objects
1698                             : transfer_fsck_objects >= 0
1699                             ? transfer_fsck_objects
1700                             : 0);
1701
1702         hdr_err = parse_pack_header(&hdr);
1703         if (hdr_err) {
1704                 if (err_fd > 0)
1705                         close(err_fd);
1706                 return hdr_err;
1707         }
1708
1709         if (si->nr_ours || si->nr_theirs) {
1710                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1711                 argv_array_push(&child.args, "--shallow-file");
1712                 argv_array_push(&child.args, alt_shallow_file);
1713         }
1714
1715         tmp_objdir = tmp_objdir_create();
1716         if (!tmp_objdir) {
1717                 if (err_fd > 0)
1718                         close(err_fd);
1719                 return "unable to create temporary object directory";
1720         }
1721         child.env = tmp_objdir_env(tmp_objdir);
1722
1723         /*
1724          * Normally we just pass the tmp_objdir environment to the child
1725          * processes that do the heavy lifting, but we may need to see these
1726          * objects ourselves to set up shallow information.
1727          */
1728         tmp_objdir_add_as_alternate(tmp_objdir);
1729
1730         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1731                 argv_array_push(&child.args, "unpack-objects");
1732                 push_header_arg(&child.args, &hdr);
1733                 if (quiet)
1734                         argv_array_push(&child.args, "-q");
1735                 if (fsck_objects)
1736                         argv_array_pushf(&child.args, "--strict%s",
1737                                 fsck_msg_types.buf);
1738                 if (max_input_size)
1739                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1740                                 (uintmax_t)max_input_size);
1741                 child.no_stdout = 1;
1742                 child.err = err_fd;
1743                 child.git_cmd = 1;
1744                 status = run_command(&child);
1745                 if (status)
1746                         return "unpack-objects abnormal exit";
1747         } else {
1748                 char hostname[HOST_NAME_MAX + 1];
1749
1750                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1751                 push_header_arg(&child.args, &hdr);
1752
1753                 if (xgethostname(hostname, sizeof(hostname)))
1754                         xsnprintf(hostname, sizeof(hostname), "localhost");
1755                 argv_array_pushf(&child.args,
1756                                  "--keep=receive-pack %"PRIuMAX" on %s",
1757                                  (uintmax_t)getpid(),
1758                                  hostname);
1759
1760                 if (!quiet && err_fd)
1761                         argv_array_push(&child.args, "--show-resolving-progress");
1762                 if (use_sideband)
1763                         argv_array_push(&child.args, "--report-end-of-input");
1764                 if (fsck_objects)
1765                         argv_array_pushf(&child.args, "--strict%s",
1766                                 fsck_msg_types.buf);
1767                 if (!reject_thin)
1768                         argv_array_push(&child.args, "--fix-thin");
1769                 if (max_input_size)
1770                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1771                                 (uintmax_t)max_input_size);
1772                 child.out = -1;
1773                 child.err = err_fd;
1774                 child.git_cmd = 1;
1775                 status = start_command(&child);
1776                 if (status)
1777                         return "index-pack fork failed";
1778                 pack_lockfile = index_pack_lockfile(child.out);
1779                 close(child.out);
1780                 status = finish_command(&child);
1781                 if (status)
1782                         return "index-pack abnormal exit";
1783                 reprepare_packed_git(the_repository);
1784         }
1785         return NULL;
1786 }
1787
1788 static const char *unpack_with_sideband(struct shallow_info *si)
1789 {
1790         struct async muxer;
1791         const char *ret;
1792
1793         if (!use_sideband)
1794                 return unpack(0, si);
1795
1796         use_keepalive = KEEPALIVE_AFTER_NUL;
1797         memset(&muxer, 0, sizeof(muxer));
1798         muxer.proc = copy_to_sideband;
1799         muxer.in = -1;
1800         if (start_async(&muxer))
1801                 return NULL;
1802
1803         ret = unpack(muxer.in, si);
1804
1805         finish_async(&muxer);
1806         return ret;
1807 }
1808
1809 static void prepare_shallow_update(struct command *commands,
1810                                    struct shallow_info *si)
1811 {
1812         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1813
1814         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1815         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1816
1817         si->need_reachability_test =
1818                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1819         si->reachable =
1820                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1821         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1822
1823         for (i = 0; i < si->nr_ours; i++)
1824                 si->need_reachability_test[si->ours[i]] = 1;
1825
1826         for (i = 0; i < si->shallow->nr; i++) {
1827                 if (!si->used_shallow[i])
1828                         continue;
1829                 for (j = 0; j < bitmap_size; j++) {
1830                         if (!si->used_shallow[i][j])
1831                                 continue;
1832                         si->need_reachability_test[i]++;
1833                         for (k = 0; k < 32; k++)
1834                                 if (si->used_shallow[i][j] & (1U << k))
1835                                         si->shallow_ref[j * 32 + k]++;
1836                 }
1837
1838                 /*
1839                  * true for those associated with some refs and belong
1840                  * in "ours" list aka "step 7 not done yet"
1841                  */
1842                 si->need_reachability_test[i] =
1843                         si->need_reachability_test[i] > 1;
1844         }
1845
1846         /*
1847          * keep hooks happy by forcing a temporary shallow file via
1848          * env variable because we can't add --shallow-file to every
1849          * command. check_everything_connected() will be done with
1850          * true .git/shallow though.
1851          */
1852         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1853 }
1854
1855 static void update_shallow_info(struct command *commands,
1856                                 struct shallow_info *si,
1857                                 struct oid_array *ref)
1858 {
1859         struct command *cmd;
1860         int *ref_status;
1861         remove_nonexistent_theirs_shallow(si);
1862         if (!si->nr_ours && !si->nr_theirs) {
1863                 shallow_update = 0;
1864                 return;
1865         }
1866
1867         for (cmd = commands; cmd; cmd = cmd->next) {
1868                 if (is_null_oid(&cmd->new_oid))
1869                         continue;
1870                 oid_array_append(ref, &cmd->new_oid);
1871                 cmd->index = ref->nr - 1;
1872         }
1873         si->ref = ref;
1874
1875         if (shallow_update) {
1876                 prepare_shallow_update(commands, si);
1877                 return;
1878         }
1879
1880         ALLOC_ARRAY(ref_status, ref->nr);
1881         assign_shallow_commits_to_refs(si, NULL, ref_status);
1882         for (cmd = commands; cmd; cmd = cmd->next) {
1883                 if (is_null_oid(&cmd->new_oid))
1884                         continue;
1885                 if (ref_status[cmd->index]) {
1886                         cmd->error_string = "shallow update not allowed";
1887                         cmd->skip_update = 1;
1888                 }
1889         }
1890         free(ref_status);
1891 }
1892
1893 static void report(struct command *commands, const char *unpack_status)
1894 {
1895         struct command *cmd;
1896         struct strbuf buf = STRBUF_INIT;
1897
1898         packet_buf_write(&buf, "unpack %s\n",
1899                          unpack_status ? unpack_status : "ok");
1900         for (cmd = commands; cmd; cmd = cmd->next) {
1901                 if (!cmd->error_string)
1902                         packet_buf_write(&buf, "ok %s\n",
1903                                          cmd->ref_name);
1904                 else
1905                         packet_buf_write(&buf, "ng %s %s\n",
1906                                          cmd->ref_name, cmd->error_string);
1907         }
1908         packet_buf_flush(&buf);
1909
1910         if (use_sideband)
1911                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1912         else
1913                 write_or_die(1, buf.buf, buf.len);
1914         strbuf_release(&buf);
1915 }
1916
1917 static int delete_only(struct command *commands)
1918 {
1919         struct command *cmd;
1920         for (cmd = commands; cmd; cmd = cmd->next) {
1921                 if (!is_null_oid(&cmd->new_oid))
1922                         return 0;
1923         }
1924         return 1;
1925 }
1926
1927 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1928 {
1929         int advertise_refs = 0;
1930         struct command *commands;
1931         struct oid_array shallow = OID_ARRAY_INIT;
1932         struct oid_array ref = OID_ARRAY_INIT;
1933         struct shallow_info si;
1934
1935         struct option options[] = {
1936                 OPT__QUIET(&quiet, N_("quiet")),
1937                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1938                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1939                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1940                 OPT_END()
1941         };
1942
1943         packet_trace_identity("receive-pack");
1944
1945         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1946
1947         if (argc > 1)
1948                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1949         if (argc == 0)
1950                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1951
1952         service_dir = argv[0];
1953
1954         setup_path();
1955
1956         if (!enter_repo(service_dir, 0))
1957                 die("'%s' does not appear to be a git repository", service_dir);
1958
1959         git_config(receive_pack_config, NULL);
1960         if (cert_nonce_seed)
1961                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1962
1963         if (0 <= transfer_unpack_limit)
1964                 unpack_limit = transfer_unpack_limit;
1965         else if (0 <= receive_unpack_limit)
1966                 unpack_limit = receive_unpack_limit;
1967
1968         switch (determine_protocol_version_server()) {
1969         case protocol_v2:
1970                 /*
1971                  * push support for protocol v2 has not been implemented yet,
1972                  * so ignore the request to use v2 and fallback to using v0.
1973                  */
1974                 break;
1975         case protocol_v1:
1976                 /*
1977                  * v1 is just the original protocol with a version string,
1978                  * so just fall through after writing the version string.
1979                  */
1980                 if (advertise_refs || !stateless_rpc)
1981                         packet_write_fmt(1, "version 1\n");
1982
1983                 /* fallthrough */
1984         case protocol_v0:
1985                 break;
1986         case protocol_unknown_version:
1987                 BUG("unknown protocol version");
1988         }
1989
1990         if (advertise_refs || !stateless_rpc) {
1991                 write_head_info();
1992         }
1993         if (advertise_refs)
1994                 return 0;
1995
1996         if ((commands = read_head_info(&shallow)) != NULL) {
1997                 const char *unpack_status = NULL;
1998                 struct string_list push_options = STRING_LIST_INIT_DUP;
1999
2000                 if (use_push_options)
2001                         read_push_options(&push_options);
2002                 if (!check_cert_push_options(&push_options)) {
2003                         struct command *cmd;
2004                         for (cmd = commands; cmd; cmd = cmd->next)
2005                                 cmd->error_string = "inconsistent push options";
2006                 }
2007
2008                 prepare_shallow_info(&si, &shallow);
2009                 if (!si.nr_ours && !si.nr_theirs)
2010                         shallow_update = 0;
2011                 if (!delete_only(commands)) {
2012                         unpack_status = unpack_with_sideband(&si);
2013                         update_shallow_info(commands, &si, &ref);
2014                 }
2015                 use_keepalive = KEEPALIVE_ALWAYS;
2016                 execute_commands(commands, unpack_status, &si,
2017                                  &push_options);
2018                 if (pack_lockfile)
2019                         unlink_or_warn(pack_lockfile);
2020                 if (report_status)
2021                         report(commands, unpack_status);
2022                 run_receive_hook(commands, "post-receive", 1,
2023                                  &push_options);
2024                 run_update_post_hook(commands);
2025                 string_list_clear(&push_options, 0);
2026                 if (auto_gc) {
2027                         const char *argv_gc_auto[] = {
2028                                 "gc", "--auto", "--quiet", NULL,
2029                         };
2030                         struct child_process proc = CHILD_PROCESS_INIT;
2031
2032                         proc.no_stdin = 1;
2033                         proc.stdout_to_stderr = 1;
2034                         proc.err = use_sideband ? -1 : 0;
2035                         proc.git_cmd = 1;
2036                         proc.argv = argv_gc_auto;
2037
2038                         close_all_packs(the_repository->objects);
2039                         if (!start_command(&proc)) {
2040                                 if (use_sideband)
2041                                         copy_to_sideband(proc.err, -1, NULL);
2042                                 finish_command(&proc);
2043                         }
2044                 }
2045                 if (auto_update_server_info)
2046                         update_server_info(0);
2047                 clear_shallow_info(&si);
2048         }
2049         if (use_sideband)
2050                 packet_flush(1);
2051         oid_array_clear(&shallow);
2052         oid_array_clear(&ref);
2053         free((void *)push_cert_nonce);
2054         return 0;
2055 }