Merge branch 'jk/am-leakfix'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23 #include "tmp-objdir.h"
24 #include "oidset.h"
25
26 static const char * const receive_pack_usage[] = {
27         N_("git receive-pack <git-dir>"),
28         NULL
29 };
30
31 enum deny_action {
32         DENY_UNCONFIGURED,
33         DENY_IGNORE,
34         DENY_WARN,
35         DENY_REFUSE,
36         DENY_UPDATE_INSTEAD
37 };
38
39 static int deny_deletes;
40 static int deny_non_fast_forwards;
41 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
42 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
43 static int receive_fsck_objects = -1;
44 static int transfer_fsck_objects = -1;
45 static struct strbuf fsck_msg_types = STRBUF_INIT;
46 static int receive_unpack_limit = -1;
47 static int transfer_unpack_limit = -1;
48 static int advertise_atomic_push = 1;
49 static int advertise_push_options;
50 static int unpack_limit = 100;
51 static off_t max_input_size;
52 static int report_status;
53 static int use_sideband;
54 static int use_atomic;
55 static int use_push_options;
56 static int quiet;
57 static int prefer_ofs_delta = 1;
58 static int auto_update_server_info;
59 static int auto_gc = 1;
60 static int reject_thin;
61 static int stateless_rpc;
62 static const char *service_dir;
63 static const char *head_name;
64 static void *head_name_to_free;
65 static int sent_capabilities;
66 static int shallow_update;
67 static const char *alt_shallow_file;
68 static struct strbuf push_cert = STRBUF_INIT;
69 static unsigned char push_cert_sha1[20];
70 static struct signature_check sigcheck;
71 static const char *push_cert_nonce;
72 static const char *cert_nonce_seed;
73
74 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
75 static const char *NONCE_BAD = "BAD";
76 static const char *NONCE_MISSING = "MISSING";
77 static const char *NONCE_OK = "OK";
78 static const char *NONCE_SLOP = "SLOP";
79 static const char *nonce_status;
80 static long nonce_stamp_slop;
81 static unsigned long nonce_stamp_slop_limit;
82 static struct ref_transaction *transaction;
83
84 static enum {
85         KEEPALIVE_NEVER = 0,
86         KEEPALIVE_AFTER_NUL,
87         KEEPALIVE_ALWAYS
88 } use_keepalive;
89 static int keepalive_in_sec = 5;
90
91 static struct tmp_objdir *tmp_objdir;
92
93 static enum deny_action parse_deny_action(const char *var, const char *value)
94 {
95         if (value) {
96                 if (!strcasecmp(value, "ignore"))
97                         return DENY_IGNORE;
98                 if (!strcasecmp(value, "warn"))
99                         return DENY_WARN;
100                 if (!strcasecmp(value, "refuse"))
101                         return DENY_REFUSE;
102                 if (!strcasecmp(value, "updateinstead"))
103                         return DENY_UPDATE_INSTEAD;
104         }
105         if (git_config_bool(var, value))
106                 return DENY_REFUSE;
107         return DENY_IGNORE;
108 }
109
110 static int receive_pack_config(const char *var, const char *value, void *cb)
111 {
112         int status = parse_hide_refs_config(var, value, "receive");
113
114         if (status)
115                 return status;
116
117         if (strcmp(var, "receive.denydeletes") == 0) {
118                 deny_deletes = git_config_bool(var, value);
119                 return 0;
120         }
121
122         if (strcmp(var, "receive.denynonfastforwards") == 0) {
123                 deny_non_fast_forwards = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.unpacklimit") == 0) {
128                 receive_unpack_limit = git_config_int(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "transfer.unpacklimit") == 0) {
133                 transfer_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "receive.fsck.skiplist") == 0) {
138                 const char *path;
139
140                 if (git_config_pathname(&path, var, value))
141                         return 1;
142                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
143                         fsck_msg_types.len ? ',' : '=', path);
144                 free((char *)path);
145                 return 0;
146         }
147
148         if (skip_prefix(var, "receive.fsck.", &var)) {
149                 if (is_valid_msg_type(var, value))
150                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
151                                 fsck_msg_types.len ? ',' : '=', var, value);
152                 else
153                         warning("Skipping unknown msg id '%s'", var);
154                 return 0;
155         }
156
157         if (strcmp(var, "receive.fsckobjects") == 0) {
158                 receive_fsck_objects = git_config_bool(var, value);
159                 return 0;
160         }
161
162         if (strcmp(var, "transfer.fsckobjects") == 0) {
163                 transfer_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (!strcmp(var, "receive.denycurrentbranch")) {
168                 deny_current_branch = parse_deny_action(var, value);
169                 return 0;
170         }
171
172         if (strcmp(var, "receive.denydeletecurrent") == 0) {
173                 deny_delete_current = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
178                 prefer_ofs_delta = git_config_bool(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "receive.updateserverinfo") == 0) {
183                 auto_update_server_info = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.autogc") == 0) {
188                 auto_gc = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.shallowupdate") == 0) {
193                 shallow_update = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.certnonceseed") == 0)
198                 return git_config_string(&cert_nonce_seed, var, value);
199
200         if (strcmp(var, "receive.certnonceslop") == 0) {
201                 nonce_stamp_slop_limit = git_config_ulong(var, value);
202                 return 0;
203         }
204
205         if (strcmp(var, "receive.advertiseatomic") == 0) {
206                 advertise_atomic_push = git_config_bool(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertisepushoptions") == 0) {
211                 advertise_push_options = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.keepalive") == 0) {
216                 keepalive_in_sec = git_config_int(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.maxinputsize") == 0) {
221                 max_input_size = git_config_int64(var, value);
222                 return 0;
223         }
224
225         return git_default_config(var, value, cb);
226 }
227
228 static void show_ref(const char *path, const struct object_id *oid)
229 {
230         if (sent_capabilities) {
231                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
232         } else {
233                 struct strbuf cap = STRBUF_INIT;
234
235                 strbuf_addstr(&cap,
236                               "report-status delete-refs side-band-64k quiet");
237                 if (advertise_atomic_push)
238                         strbuf_addstr(&cap, " atomic");
239                 if (prefer_ofs_delta)
240                         strbuf_addstr(&cap, " ofs-delta");
241                 if (push_cert_nonce)
242                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
243                 if (advertise_push_options)
244                         strbuf_addstr(&cap, " push-options");
245                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
246                 packet_write_fmt(1, "%s %s%c%s\n",
247                              oid_to_hex(oid), path, 0, cap.buf);
248                 strbuf_release(&cap);
249                 sent_capabilities = 1;
250         }
251 }
252
253 static int show_ref_cb(const char *path_full, const struct object_id *oid,
254                        int flag, void *data)
255 {
256         struct oidset *seen = data;
257         const char *path = strip_namespace(path_full);
258
259         if (ref_is_hidden(path, path_full))
260                 return 0;
261
262         /*
263          * Advertise refs outside our current namespace as ".have"
264          * refs, so that the client can use them to minimize data
265          * transfer but will otherwise ignore them.
266          */
267         if (!path) {
268                 if (oidset_insert(seen, oid))
269                         return 0;
270                 path = ".have";
271         } else {
272                 oidset_insert(seen, oid);
273         }
274         show_ref(path, oid);
275         return 0;
276 }
277
278 static void show_one_alternate_ref(const char *refname,
279                                    const struct object_id *oid,
280                                    void *data)
281 {
282         struct oidset *seen = data;
283
284         if (oidset_insert(seen, oid))
285                 return;
286
287         show_ref(".have", oid);
288 }
289
290 static void write_head_info(void)
291 {
292         static struct oidset seen = OIDSET_INIT;
293
294         for_each_ref(show_ref_cb, &seen);
295         for_each_alternate_ref(show_one_alternate_ref, &seen);
296         oidset_clear(&seen);
297         if (!sent_capabilities)
298                 show_ref("capabilities^{}", &null_oid);
299
300         advertise_shallow_grafts(1);
301
302         /* EOF */
303         packet_flush(1);
304 }
305
306 struct command {
307         struct command *next;
308         const char *error_string;
309         unsigned int skip_update:1,
310                      did_not_exist:1;
311         int index;
312         struct object_id old_oid;
313         struct object_id new_oid;
314         char ref_name[FLEX_ARRAY]; /* more */
315 };
316
317 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
318 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
319
320 static void report_message(const char *prefix, const char *err, va_list params)
321 {
322         int sz;
323         char msg[4096];
324
325         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
326         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
327         if (sz > (sizeof(msg) - 1))
328                 sz = sizeof(msg) - 1;
329         msg[sz++] = '\n';
330
331         if (use_sideband)
332                 send_sideband(1, 2, msg, sz, use_sideband);
333         else
334                 xwrite(2, msg, sz);
335 }
336
337 static void rp_warning(const char *err, ...)
338 {
339         va_list params;
340         va_start(params, err);
341         report_message("warning: ", err, params);
342         va_end(params);
343 }
344
345 static void rp_error(const char *err, ...)
346 {
347         va_list params;
348         va_start(params, err);
349         report_message("error: ", err, params);
350         va_end(params);
351 }
352
353 static int copy_to_sideband(int in, int out, void *arg)
354 {
355         char data[128];
356         int keepalive_active = 0;
357
358         if (keepalive_in_sec <= 0)
359                 use_keepalive = KEEPALIVE_NEVER;
360         if (use_keepalive == KEEPALIVE_ALWAYS)
361                 keepalive_active = 1;
362
363         while (1) {
364                 ssize_t sz;
365
366                 if (keepalive_active) {
367                         struct pollfd pfd;
368                         int ret;
369
370                         pfd.fd = in;
371                         pfd.events = POLLIN;
372                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
373
374                         if (ret < 0) {
375                                 if (errno == EINTR)
376                                         continue;
377                                 else
378                                         break;
379                         } else if (ret == 0) {
380                                 /* no data; send a keepalive packet */
381                                 static const char buf[] = "0005\1";
382                                 write_or_die(1, buf, sizeof(buf) - 1);
383                                 continue;
384                         } /* else there is actual data to read */
385                 }
386
387                 sz = xread(in, data, sizeof(data));
388                 if (sz <= 0)
389                         break;
390
391                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
392                         const char *p = memchr(data, '\0', sz);
393                         if (p) {
394                                 /*
395                                  * The NUL tells us to start sending keepalives. Make
396                                  * sure we send any other data we read along
397                                  * with it.
398                                  */
399                                 keepalive_active = 1;
400                                 send_sideband(1, 2, data, p - data, use_sideband);
401                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
402                                 continue;
403                         }
404                 }
405
406                 /*
407                  * Either we're not looking for a NUL signal, or we didn't see
408                  * it yet; just pass along the data.
409                  */
410                 send_sideband(1, 2, data, sz, use_sideband);
411         }
412         close(in);
413         return 0;
414 }
415
416 #define HMAC_BLOCK_SIZE 64
417
418 static void hmac_sha1(unsigned char *out,
419                       const char *key_in, size_t key_len,
420                       const char *text, size_t text_len)
421 {
422         unsigned char key[HMAC_BLOCK_SIZE];
423         unsigned char k_ipad[HMAC_BLOCK_SIZE];
424         unsigned char k_opad[HMAC_BLOCK_SIZE];
425         int i;
426         git_SHA_CTX ctx;
427
428         /* RFC 2104 2. (1) */
429         memset(key, '\0', HMAC_BLOCK_SIZE);
430         if (HMAC_BLOCK_SIZE < key_len) {
431                 git_SHA1_Init(&ctx);
432                 git_SHA1_Update(&ctx, key_in, key_len);
433                 git_SHA1_Final(key, &ctx);
434         } else {
435                 memcpy(key, key_in, key_len);
436         }
437
438         /* RFC 2104 2. (2) & (5) */
439         for (i = 0; i < sizeof(key); i++) {
440                 k_ipad[i] = key[i] ^ 0x36;
441                 k_opad[i] = key[i] ^ 0x5c;
442         }
443
444         /* RFC 2104 2. (3) & (4) */
445         git_SHA1_Init(&ctx);
446         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
447         git_SHA1_Update(&ctx, text, text_len);
448         git_SHA1_Final(out, &ctx);
449
450         /* RFC 2104 2. (6) & (7) */
451         git_SHA1_Init(&ctx);
452         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
453         git_SHA1_Update(&ctx, out, 20);
454         git_SHA1_Final(out, &ctx);
455 }
456
457 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
458 {
459         struct strbuf buf = STRBUF_INIT;
460         unsigned char sha1[20];
461
462         strbuf_addf(&buf, "%s:%lu", path, stamp);
463         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
464         strbuf_release(&buf);
465
466         /* RFC 2104 5. HMAC-SHA1-80 */
467         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
468         return strbuf_detach(&buf, NULL);
469 }
470
471 /*
472  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
473  * after dropping "_commit" from its name and possibly moving it out
474  * of commit.c
475  */
476 static char *find_header(const char *msg, size_t len, const char *key)
477 {
478         int key_len = strlen(key);
479         const char *line = msg;
480
481         while (line && line < msg + len) {
482                 const char *eol = strchrnul(line, '\n');
483
484                 if ((msg + len <= eol) || line == eol)
485                         return NULL;
486                 if (line + key_len < eol &&
487                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
488                         int offset = key_len + 1;
489                         return xmemdupz(line + offset, (eol - line) - offset);
490                 }
491                 line = *eol ? eol + 1 : NULL;
492         }
493         return NULL;
494 }
495
496 static const char *check_nonce(const char *buf, size_t len)
497 {
498         char *nonce = find_header(buf, len, "nonce");
499         unsigned long stamp, ostamp;
500         char *bohmac, *expect = NULL;
501         const char *retval = NONCE_BAD;
502
503         if (!nonce) {
504                 retval = NONCE_MISSING;
505                 goto leave;
506         } else if (!push_cert_nonce) {
507                 retval = NONCE_UNSOLICITED;
508                 goto leave;
509         } else if (!strcmp(push_cert_nonce, nonce)) {
510                 retval = NONCE_OK;
511                 goto leave;
512         }
513
514         if (!stateless_rpc) {
515                 /* returned nonce MUST match what we gave out earlier */
516                 retval = NONCE_BAD;
517                 goto leave;
518         }
519
520         /*
521          * In stateless mode, we may be receiving a nonce issued by
522          * another instance of the server that serving the same
523          * repository, and the timestamps may not match, but the
524          * nonce-seed and dir should match, so we can recompute and
525          * report the time slop.
526          *
527          * In addition, when a nonce issued by another instance has
528          * timestamp within receive.certnonceslop seconds, we pretend
529          * as if we issued that nonce when reporting to the hook.
530          */
531
532         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
533         if (*nonce <= '0' || '9' < *nonce) {
534                 retval = NONCE_BAD;
535                 goto leave;
536         }
537         stamp = strtoul(nonce, &bohmac, 10);
538         if (bohmac == nonce || bohmac[0] != '-') {
539                 retval = NONCE_BAD;
540                 goto leave;
541         }
542
543         expect = prepare_push_cert_nonce(service_dir, stamp);
544         if (strcmp(expect, nonce)) {
545                 /* Not what we would have signed earlier */
546                 retval = NONCE_BAD;
547                 goto leave;
548         }
549
550         /*
551          * By how many seconds is this nonce stale?  Negative value
552          * would mean it was issued by another server with its clock
553          * skewed in the future.
554          */
555         ostamp = strtoul(push_cert_nonce, NULL, 10);
556         nonce_stamp_slop = (long)ostamp - (long)stamp;
557
558         if (nonce_stamp_slop_limit &&
559             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
560                 /*
561                  * Pretend as if the received nonce (which passes the
562                  * HMAC check, so it is not a forged by third-party)
563                  * is what we issued.
564                  */
565                 free((void *)push_cert_nonce);
566                 push_cert_nonce = xstrdup(nonce);
567                 retval = NONCE_OK;
568         } else {
569                 retval = NONCE_SLOP;
570         }
571
572 leave:
573         free(nonce);
574         free(expect);
575         return retval;
576 }
577
578 static void prepare_push_cert_sha1(struct child_process *proc)
579 {
580         static int already_done;
581
582         if (!push_cert.len)
583                 return;
584
585         if (!already_done) {
586                 struct strbuf gpg_output = STRBUF_INIT;
587                 struct strbuf gpg_status = STRBUF_INIT;
588                 int bogs /* beginning_of_gpg_sig */;
589
590                 already_done = 1;
591                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
592                         hashclr(push_cert_sha1);
593
594                 memset(&sigcheck, '\0', sizeof(sigcheck));
595                 sigcheck.result = 'N';
596
597                 bogs = parse_signature(push_cert.buf, push_cert.len);
598                 if (verify_signed_buffer(push_cert.buf, bogs,
599                                          push_cert.buf + bogs, push_cert.len - bogs,
600                                          &gpg_output, &gpg_status) < 0) {
601                         ; /* error running gpg */
602                 } else {
603                         sigcheck.payload = push_cert.buf;
604                         sigcheck.gpg_output = gpg_output.buf;
605                         sigcheck.gpg_status = gpg_status.buf;
606                         parse_gpg_output(&sigcheck);
607                 }
608
609                 strbuf_release(&gpg_output);
610                 strbuf_release(&gpg_status);
611                 nonce_status = check_nonce(push_cert.buf, bogs);
612         }
613         if (!is_null_sha1(push_cert_sha1)) {
614                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
615                                  sha1_to_hex(push_cert_sha1));
616                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
617                                  sigcheck.signer ? sigcheck.signer : "");
618                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
619                                  sigcheck.key ? sigcheck.key : "");
620                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
621                                  sigcheck.result);
622                 if (push_cert_nonce) {
623                         argv_array_pushf(&proc->env_array,
624                                          "GIT_PUSH_CERT_NONCE=%s",
625                                          push_cert_nonce);
626                         argv_array_pushf(&proc->env_array,
627                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
628                                          nonce_status);
629                         if (nonce_status == NONCE_SLOP)
630                                 argv_array_pushf(&proc->env_array,
631                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
632                                                  nonce_stamp_slop);
633                 }
634         }
635 }
636
637 struct receive_hook_feed_state {
638         struct command *cmd;
639         int skip_broken;
640         struct strbuf buf;
641         const struct string_list *push_options;
642 };
643
644 typedef int (*feed_fn)(void *, const char **, size_t *);
645 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
646                              struct receive_hook_feed_state *feed_state)
647 {
648         struct child_process proc = CHILD_PROCESS_INIT;
649         struct async muxer;
650         const char *argv[2];
651         int code;
652
653         argv[0] = find_hook(hook_name);
654         if (!argv[0])
655                 return 0;
656
657         argv[1] = NULL;
658
659         proc.argv = argv;
660         proc.in = -1;
661         proc.stdout_to_stderr = 1;
662         if (feed_state->push_options) {
663                 int i;
664                 for (i = 0; i < feed_state->push_options->nr; i++)
665                         argv_array_pushf(&proc.env_array,
666                                 "GIT_PUSH_OPTION_%d=%s", i,
667                                 feed_state->push_options->items[i].string);
668                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
669                                  feed_state->push_options->nr);
670         } else
671                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
672
673         if (tmp_objdir)
674                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
675
676         if (use_sideband) {
677                 memset(&muxer, 0, sizeof(muxer));
678                 muxer.proc = copy_to_sideband;
679                 muxer.in = -1;
680                 code = start_async(&muxer);
681                 if (code)
682                         return code;
683                 proc.err = muxer.in;
684         }
685
686         prepare_push_cert_sha1(&proc);
687
688         code = start_command(&proc);
689         if (code) {
690                 if (use_sideband)
691                         finish_async(&muxer);
692                 return code;
693         }
694
695         sigchain_push(SIGPIPE, SIG_IGN);
696
697         while (1) {
698                 const char *buf;
699                 size_t n;
700                 if (feed(feed_state, &buf, &n))
701                         break;
702                 if (write_in_full(proc.in, buf, n) != n)
703                         break;
704         }
705         close(proc.in);
706         if (use_sideband)
707                 finish_async(&muxer);
708
709         sigchain_pop(SIGPIPE);
710
711         return finish_command(&proc);
712 }
713
714 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
715 {
716         struct receive_hook_feed_state *state = state_;
717         struct command *cmd = state->cmd;
718
719         while (cmd &&
720                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
721                 cmd = cmd->next;
722         if (!cmd)
723                 return -1; /* EOF */
724         strbuf_reset(&state->buf);
725         strbuf_addf(&state->buf, "%s %s %s\n",
726                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
727                     cmd->ref_name);
728         state->cmd = cmd->next;
729         if (bufp) {
730                 *bufp = state->buf.buf;
731                 *sizep = state->buf.len;
732         }
733         return 0;
734 }
735
736 static int run_receive_hook(struct command *commands,
737                             const char *hook_name,
738                             int skip_broken,
739                             const struct string_list *push_options)
740 {
741         struct receive_hook_feed_state state;
742         int status;
743
744         strbuf_init(&state.buf, 0);
745         state.cmd = commands;
746         state.skip_broken = skip_broken;
747         if (feed_receive_hook(&state, NULL, NULL))
748                 return 0;
749         state.cmd = commands;
750         state.push_options = push_options;
751         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
752         strbuf_release(&state.buf);
753         return status;
754 }
755
756 static int run_update_hook(struct command *cmd)
757 {
758         const char *argv[5];
759         struct child_process proc = CHILD_PROCESS_INIT;
760         int code;
761
762         argv[0] = find_hook("update");
763         if (!argv[0])
764                 return 0;
765
766         argv[1] = cmd->ref_name;
767         argv[2] = oid_to_hex(&cmd->old_oid);
768         argv[3] = oid_to_hex(&cmd->new_oid);
769         argv[4] = NULL;
770
771         proc.no_stdin = 1;
772         proc.stdout_to_stderr = 1;
773         proc.err = use_sideband ? -1 : 0;
774         proc.argv = argv;
775
776         code = start_command(&proc);
777         if (code)
778                 return code;
779         if (use_sideband)
780                 copy_to_sideband(proc.err, -1, NULL);
781         return finish_command(&proc);
782 }
783
784 static int is_ref_checked_out(const char *ref)
785 {
786         if (is_bare_repository())
787                 return 0;
788
789         if (!head_name)
790                 return 0;
791         return !strcmp(head_name, ref);
792 }
793
794 static char *refuse_unconfigured_deny_msg =
795         N_("By default, updating the current branch in a non-bare repository\n"
796            "is denied, because it will make the index and work tree inconsistent\n"
797            "with what you pushed, and will require 'git reset --hard' to match\n"
798            "the work tree to HEAD.\n"
799            "\n"
800            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
801            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
802            "its current branch; however, this is not recommended unless you\n"
803            "arranged to update its work tree to match what you pushed in some\n"
804            "other way.\n"
805            "\n"
806            "To squelch this message and still keep the default behaviour, set\n"
807            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
808
809 static void refuse_unconfigured_deny(void)
810 {
811         rp_error("%s", _(refuse_unconfigured_deny_msg));
812 }
813
814 static char *refuse_unconfigured_deny_delete_current_msg =
815         N_("By default, deleting the current branch is denied, because the next\n"
816            "'git clone' won't result in any file checked out, causing confusion.\n"
817            "\n"
818            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
819            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
820            "current branch, with or without a warning message.\n"
821            "\n"
822            "To squelch this message, you can set it to 'refuse'.");
823
824 static void refuse_unconfigured_deny_delete_current(void)
825 {
826         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
827 }
828
829 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
830 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
831 {
832         static struct lock_file shallow_lock;
833         struct oid_array extra = OID_ARRAY_INIT;
834         struct check_connected_options opt = CHECK_CONNECTED_INIT;
835         uint32_t mask = 1 << (cmd->index % 32);
836         int i;
837
838         trace_printf_key(&trace_shallow,
839                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
840         for (i = 0; i < si->shallow->nr; i++)
841                 if (si->used_shallow[i] &&
842                     (si->used_shallow[i][cmd->index / 32] & mask) &&
843                     !delayed_reachability_test(si, i))
844                         oid_array_append(&extra, &si->shallow->oid[i]);
845
846         opt.env = tmp_objdir_env(tmp_objdir);
847         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
848         if (check_connected(command_singleton_iterator, cmd, &opt)) {
849                 rollback_lock_file(&shallow_lock);
850                 oid_array_clear(&extra);
851                 return -1;
852         }
853
854         commit_lock_file(&shallow_lock);
855
856         /*
857          * Make sure setup_alternate_shallow() for the next ref does
858          * not lose these new roots..
859          */
860         for (i = 0; i < extra.nr; i++)
861                 register_shallow(extra.oid[i].hash);
862
863         si->shallow_ref[cmd->index] = 0;
864         oid_array_clear(&extra);
865         return 0;
866 }
867
868 /*
869  * NEEDSWORK: we should consolidate various implementions of "are we
870  * on an unborn branch?" test into one, and make the unified one more
871  * robust. !get_sha1() based check used here and elsewhere would not
872  * allow us to tell an unborn branch from corrupt ref, for example.
873  * For the purpose of fixing "deploy-to-update does not work when
874  * pushing into an empty repository" issue, this should suffice for
875  * now.
876  */
877 static int head_has_history(void)
878 {
879         unsigned char sha1[20];
880
881         return !get_sha1("HEAD", sha1);
882 }
883
884 static const char *push_to_deploy(unsigned char *sha1,
885                                   struct argv_array *env,
886                                   const char *work_tree)
887 {
888         const char *update_refresh[] = {
889                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
890         };
891         const char *diff_files[] = {
892                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
893         };
894         const char *diff_index[] = {
895                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
896                 NULL, "--", NULL
897         };
898         const char *read_tree[] = {
899                 "read-tree", "-u", "-m", NULL, NULL
900         };
901         struct child_process child = CHILD_PROCESS_INIT;
902
903         child.argv = update_refresh;
904         child.env = env->argv;
905         child.dir = work_tree;
906         child.no_stdin = 1;
907         child.stdout_to_stderr = 1;
908         child.git_cmd = 1;
909         if (run_command(&child))
910                 return "Up-to-date check failed";
911
912         /* run_command() does not clean up completely; reinitialize */
913         child_process_init(&child);
914         child.argv = diff_files;
915         child.env = env->argv;
916         child.dir = work_tree;
917         child.no_stdin = 1;
918         child.stdout_to_stderr = 1;
919         child.git_cmd = 1;
920         if (run_command(&child))
921                 return "Working directory has unstaged changes";
922
923         /* diff-index with either HEAD or an empty tree */
924         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
925
926         child_process_init(&child);
927         child.argv = diff_index;
928         child.env = env->argv;
929         child.no_stdin = 1;
930         child.no_stdout = 1;
931         child.stdout_to_stderr = 0;
932         child.git_cmd = 1;
933         if (run_command(&child))
934                 return "Working directory has staged changes";
935
936         read_tree[3] = sha1_to_hex(sha1);
937         child_process_init(&child);
938         child.argv = read_tree;
939         child.env = env->argv;
940         child.dir = work_tree;
941         child.no_stdin = 1;
942         child.no_stdout = 1;
943         child.stdout_to_stderr = 0;
944         child.git_cmd = 1;
945         if (run_command(&child))
946                 return "Could not update working tree to new HEAD";
947
948         return NULL;
949 }
950
951 static const char *push_to_checkout_hook = "push-to-checkout";
952
953 static const char *push_to_checkout(unsigned char *sha1,
954                                     struct argv_array *env,
955                                     const char *work_tree)
956 {
957         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
958         if (run_hook_le(env->argv, push_to_checkout_hook,
959                         sha1_to_hex(sha1), NULL))
960                 return "push-to-checkout hook declined";
961         else
962                 return NULL;
963 }
964
965 static const char *update_worktree(unsigned char *sha1)
966 {
967         const char *retval;
968         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
969         struct argv_array env = ARGV_ARRAY_INIT;
970
971         if (is_bare_repository())
972                 return "denyCurrentBranch = updateInstead needs a worktree";
973
974         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
975
976         if (!find_hook(push_to_checkout_hook))
977                 retval = push_to_deploy(sha1, &env, work_tree);
978         else
979                 retval = push_to_checkout(sha1, &env, work_tree);
980
981         argv_array_clear(&env);
982         return retval;
983 }
984
985 static const char *update(struct command *cmd, struct shallow_info *si)
986 {
987         const char *name = cmd->ref_name;
988         struct strbuf namespaced_name_buf = STRBUF_INIT;
989         const char *namespaced_name, *ret;
990         struct object_id *old_oid = &cmd->old_oid;
991         struct object_id *new_oid = &cmd->new_oid;
992
993         /* only refs/... are allowed */
994         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
995                 rp_error("refusing to create funny ref '%s' remotely", name);
996                 return "funny refname";
997         }
998
999         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1000         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1001
1002         if (is_ref_checked_out(namespaced_name)) {
1003                 switch (deny_current_branch) {
1004                 case DENY_IGNORE:
1005                         break;
1006                 case DENY_WARN:
1007                         rp_warning("updating the current branch");
1008                         break;
1009                 case DENY_REFUSE:
1010                 case DENY_UNCONFIGURED:
1011                         rp_error("refusing to update checked out branch: %s", name);
1012                         if (deny_current_branch == DENY_UNCONFIGURED)
1013                                 refuse_unconfigured_deny();
1014                         return "branch is currently checked out";
1015                 case DENY_UPDATE_INSTEAD:
1016                         ret = update_worktree(new_oid->hash);
1017                         if (ret)
1018                                 return ret;
1019                         break;
1020                 }
1021         }
1022
1023         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1024                 error("unpack should have generated %s, "
1025                       "but I can't find it!", oid_to_hex(new_oid));
1026                 return "bad pack";
1027         }
1028
1029         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1030                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1031                         rp_error("denying ref deletion for %s", name);
1032                         return "deletion prohibited";
1033                 }
1034
1035                 if (head_name && !strcmp(namespaced_name, head_name)) {
1036                         switch (deny_delete_current) {
1037                         case DENY_IGNORE:
1038                                 break;
1039                         case DENY_WARN:
1040                                 rp_warning("deleting the current branch");
1041                                 break;
1042                         case DENY_REFUSE:
1043                         case DENY_UNCONFIGURED:
1044                         case DENY_UPDATE_INSTEAD:
1045                                 if (deny_delete_current == DENY_UNCONFIGURED)
1046                                         refuse_unconfigured_deny_delete_current();
1047                                 rp_error("refusing to delete the current branch: %s", name);
1048                                 return "deletion of the current branch prohibited";
1049                         default:
1050                                 return "Invalid denyDeleteCurrent setting";
1051                         }
1052                 }
1053         }
1054
1055         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1056             !is_null_oid(old_oid) &&
1057             starts_with(name, "refs/heads/")) {
1058                 struct object *old_object, *new_object;
1059                 struct commit *old_commit, *new_commit;
1060
1061                 old_object = parse_object(old_oid->hash);
1062                 new_object = parse_object(new_oid->hash);
1063
1064                 if (!old_object || !new_object ||
1065                     old_object->type != OBJ_COMMIT ||
1066                     new_object->type != OBJ_COMMIT) {
1067                         error("bad sha1 objects for %s", name);
1068                         return "bad ref";
1069                 }
1070                 old_commit = (struct commit *)old_object;
1071                 new_commit = (struct commit *)new_object;
1072                 if (!in_merge_bases(old_commit, new_commit)) {
1073                         rp_error("denying non-fast-forward %s"
1074                                  " (you should pull first)", name);
1075                         return "non-fast-forward";
1076                 }
1077         }
1078         if (run_update_hook(cmd)) {
1079                 rp_error("hook declined to update %s", name);
1080                 return "hook declined";
1081         }
1082
1083         if (is_null_oid(new_oid)) {
1084                 struct strbuf err = STRBUF_INIT;
1085                 if (!parse_object(old_oid->hash)) {
1086                         old_oid = NULL;
1087                         if (ref_exists(name)) {
1088                                 rp_warning("Allowing deletion of corrupt ref.");
1089                         } else {
1090                                 rp_warning("Deleting a non-existent ref.");
1091                                 cmd->did_not_exist = 1;
1092                         }
1093                 }
1094                 if (ref_transaction_delete(transaction,
1095                                            namespaced_name,
1096                                            old_oid->hash,
1097                                            0, "push", &err)) {
1098                         rp_error("%s", err.buf);
1099                         strbuf_release(&err);
1100                         return "failed to delete";
1101                 }
1102                 strbuf_release(&err);
1103                 return NULL; /* good */
1104         }
1105         else {
1106                 struct strbuf err = STRBUF_INIT;
1107                 if (shallow_update && si->shallow_ref[cmd->index] &&
1108                     update_shallow_ref(cmd, si))
1109                         return "shallow error";
1110
1111                 if (ref_transaction_update(transaction,
1112                                            namespaced_name,
1113                                            new_oid->hash, old_oid->hash,
1114                                            0, "push",
1115                                            &err)) {
1116                         rp_error("%s", err.buf);
1117                         strbuf_release(&err);
1118
1119                         return "failed to update ref";
1120                 }
1121                 strbuf_release(&err);
1122
1123                 return NULL; /* good */
1124         }
1125 }
1126
1127 static void run_update_post_hook(struct command *commands)
1128 {
1129         struct command *cmd;
1130         struct child_process proc = CHILD_PROCESS_INIT;
1131         const char *hook;
1132
1133         hook = find_hook("post-update");
1134         if (!hook)
1135                 return;
1136
1137         for (cmd = commands; cmd; cmd = cmd->next) {
1138                 if (cmd->error_string || cmd->did_not_exist)
1139                         continue;
1140                 if (!proc.args.argc)
1141                         argv_array_push(&proc.args, hook);
1142                 argv_array_push(&proc.args, cmd->ref_name);
1143         }
1144         if (!proc.args.argc)
1145                 return;
1146
1147         proc.no_stdin = 1;
1148         proc.stdout_to_stderr = 1;
1149         proc.err = use_sideband ? -1 : 0;
1150
1151         if (!start_command(&proc)) {
1152                 if (use_sideband)
1153                         copy_to_sideband(proc.err, -1, NULL);
1154                 finish_command(&proc);
1155         }
1156 }
1157
1158 static void check_aliased_update(struct command *cmd, struct string_list *list)
1159 {
1160         struct strbuf buf = STRBUF_INIT;
1161         const char *dst_name;
1162         struct string_list_item *item;
1163         struct command *dst_cmd;
1164         unsigned char sha1[GIT_MAX_RAWSZ];
1165         int flag;
1166
1167         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1168         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1169         strbuf_release(&buf);
1170
1171         if (!(flag & REF_ISSYMREF))
1172                 return;
1173
1174         if (!dst_name) {
1175                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1176                 cmd->skip_update = 1;
1177                 cmd->error_string = "broken symref";
1178                 return;
1179         }
1180         dst_name = strip_namespace(dst_name);
1181
1182         if ((item = string_list_lookup(list, dst_name)) == NULL)
1183                 return;
1184
1185         cmd->skip_update = 1;
1186
1187         dst_cmd = (struct command *) item->util;
1188
1189         if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1190             !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1191                 return;
1192
1193         dst_cmd->skip_update = 1;
1194
1195         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1196                  " its target '%s' (%s..%s)",
1197                  cmd->ref_name,
1198                  find_unique_abbrev(cmd->old_oid.hash, DEFAULT_ABBREV),
1199                  find_unique_abbrev(cmd->new_oid.hash, DEFAULT_ABBREV),
1200                  dst_cmd->ref_name,
1201                  find_unique_abbrev(dst_cmd->old_oid.hash, DEFAULT_ABBREV),
1202                  find_unique_abbrev(dst_cmd->new_oid.hash, DEFAULT_ABBREV));
1203
1204         cmd->error_string = dst_cmd->error_string =
1205                 "inconsistent aliased update";
1206 }
1207
1208 static void check_aliased_updates(struct command *commands)
1209 {
1210         struct command *cmd;
1211         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1212
1213         for (cmd = commands; cmd; cmd = cmd->next) {
1214                 struct string_list_item *item =
1215                         string_list_append(&ref_list, cmd->ref_name);
1216                 item->util = (void *)cmd;
1217         }
1218         string_list_sort(&ref_list);
1219
1220         for (cmd = commands; cmd; cmd = cmd->next) {
1221                 if (!cmd->error_string)
1222                         check_aliased_update(cmd, &ref_list);
1223         }
1224
1225         string_list_clear(&ref_list, 0);
1226 }
1227
1228 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1229 {
1230         struct command **cmd_list = cb_data;
1231         struct command *cmd = *cmd_list;
1232
1233         if (!cmd || is_null_oid(&cmd->new_oid))
1234                 return -1; /* end of list */
1235         *cmd_list = NULL; /* this returns only one */
1236         hashcpy(sha1, cmd->new_oid.hash);
1237         return 0;
1238 }
1239
1240 static void set_connectivity_errors(struct command *commands,
1241                                     struct shallow_info *si)
1242 {
1243         struct command *cmd;
1244
1245         for (cmd = commands; cmd; cmd = cmd->next) {
1246                 struct command *singleton = cmd;
1247                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1248
1249                 if (shallow_update && si->shallow_ref[cmd->index])
1250                         /* to be checked in update_shallow_ref() */
1251                         continue;
1252
1253                 opt.env = tmp_objdir_env(tmp_objdir);
1254                 if (!check_connected(command_singleton_iterator, &singleton,
1255                                      &opt))
1256                         continue;
1257
1258                 cmd->error_string = "missing necessary objects";
1259         }
1260 }
1261
1262 struct iterate_data {
1263         struct command *cmds;
1264         struct shallow_info *si;
1265 };
1266
1267 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1268 {
1269         struct iterate_data *data = cb_data;
1270         struct command **cmd_list = &data->cmds;
1271         struct command *cmd = *cmd_list;
1272
1273         for (; cmd; cmd = cmd->next) {
1274                 if (shallow_update && data->si->shallow_ref[cmd->index])
1275                         /* to be checked in update_shallow_ref() */
1276                         continue;
1277                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1278                         hashcpy(sha1, cmd->new_oid.hash);
1279                         *cmd_list = cmd->next;
1280                         return 0;
1281                 }
1282         }
1283         *cmd_list = NULL;
1284         return -1; /* end of list */
1285 }
1286
1287 static void reject_updates_to_hidden(struct command *commands)
1288 {
1289         struct strbuf refname_full = STRBUF_INIT;
1290         size_t prefix_len;
1291         struct command *cmd;
1292
1293         strbuf_addstr(&refname_full, get_git_namespace());
1294         prefix_len = refname_full.len;
1295
1296         for (cmd = commands; cmd; cmd = cmd->next) {
1297                 if (cmd->error_string)
1298                         continue;
1299
1300                 strbuf_setlen(&refname_full, prefix_len);
1301                 strbuf_addstr(&refname_full, cmd->ref_name);
1302
1303                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1304                         continue;
1305                 if (is_null_oid(&cmd->new_oid))
1306                         cmd->error_string = "deny deleting a hidden ref";
1307                 else
1308                         cmd->error_string = "deny updating a hidden ref";
1309         }
1310
1311         strbuf_release(&refname_full);
1312 }
1313
1314 static int should_process_cmd(struct command *cmd)
1315 {
1316         return !cmd->error_string && !cmd->skip_update;
1317 }
1318
1319 static void warn_if_skipped_connectivity_check(struct command *commands,
1320                                                struct shallow_info *si)
1321 {
1322         struct command *cmd;
1323         int checked_connectivity = 1;
1324
1325         for (cmd = commands; cmd; cmd = cmd->next) {
1326                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1327                         error("BUG: connectivity check has not been run on ref %s",
1328                               cmd->ref_name);
1329                         checked_connectivity = 0;
1330                 }
1331         }
1332         if (!checked_connectivity)
1333                 die("BUG: connectivity check skipped???");
1334 }
1335
1336 static void execute_commands_non_atomic(struct command *commands,
1337                                         struct shallow_info *si)
1338 {
1339         struct command *cmd;
1340         struct strbuf err = STRBUF_INIT;
1341
1342         for (cmd = commands; cmd; cmd = cmd->next) {
1343                 if (!should_process_cmd(cmd))
1344                         continue;
1345
1346                 transaction = ref_transaction_begin(&err);
1347                 if (!transaction) {
1348                         rp_error("%s", err.buf);
1349                         strbuf_reset(&err);
1350                         cmd->error_string = "transaction failed to start";
1351                         continue;
1352                 }
1353
1354                 cmd->error_string = update(cmd, si);
1355
1356                 if (!cmd->error_string
1357                     && ref_transaction_commit(transaction, &err)) {
1358                         rp_error("%s", err.buf);
1359                         strbuf_reset(&err);
1360                         cmd->error_string = "failed to update ref";
1361                 }
1362                 ref_transaction_free(transaction);
1363         }
1364         strbuf_release(&err);
1365 }
1366
1367 static void execute_commands_atomic(struct command *commands,
1368                                         struct shallow_info *si)
1369 {
1370         struct command *cmd;
1371         struct strbuf err = STRBUF_INIT;
1372         const char *reported_error = "atomic push failure";
1373
1374         transaction = ref_transaction_begin(&err);
1375         if (!transaction) {
1376                 rp_error("%s", err.buf);
1377                 strbuf_reset(&err);
1378                 reported_error = "transaction failed to start";
1379                 goto failure;
1380         }
1381
1382         for (cmd = commands; cmd; cmd = cmd->next) {
1383                 if (!should_process_cmd(cmd))
1384                         continue;
1385
1386                 cmd->error_string = update(cmd, si);
1387
1388                 if (cmd->error_string)
1389                         goto failure;
1390         }
1391
1392         if (ref_transaction_commit(transaction, &err)) {
1393                 rp_error("%s", err.buf);
1394                 reported_error = "atomic transaction failed";
1395                 goto failure;
1396         }
1397         goto cleanup;
1398
1399 failure:
1400         for (cmd = commands; cmd; cmd = cmd->next)
1401                 if (!cmd->error_string)
1402                         cmd->error_string = reported_error;
1403
1404 cleanup:
1405         ref_transaction_free(transaction);
1406         strbuf_release(&err);
1407 }
1408
1409 static void execute_commands(struct command *commands,
1410                              const char *unpacker_error,
1411                              struct shallow_info *si,
1412                              const struct string_list *push_options)
1413 {
1414         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1415         struct command *cmd;
1416         struct object_id oid;
1417         struct iterate_data data;
1418         struct async muxer;
1419         int err_fd = 0;
1420
1421         if (unpacker_error) {
1422                 for (cmd = commands; cmd; cmd = cmd->next)
1423                         cmd->error_string = "unpacker error";
1424                 return;
1425         }
1426
1427         if (use_sideband) {
1428                 memset(&muxer, 0, sizeof(muxer));
1429                 muxer.proc = copy_to_sideband;
1430                 muxer.in = -1;
1431                 if (!start_async(&muxer))
1432                         err_fd = muxer.in;
1433                 /* ...else, continue without relaying sideband */
1434         }
1435
1436         data.cmds = commands;
1437         data.si = si;
1438         opt.err_fd = err_fd;
1439         opt.progress = err_fd && !quiet;
1440         opt.env = tmp_objdir_env(tmp_objdir);
1441         if (check_connected(iterate_receive_command_list, &data, &opt))
1442                 set_connectivity_errors(commands, si);
1443
1444         if (use_sideband)
1445                 finish_async(&muxer);
1446
1447         reject_updates_to_hidden(commands);
1448
1449         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1450                 for (cmd = commands; cmd; cmd = cmd->next) {
1451                         if (!cmd->error_string)
1452                                 cmd->error_string = "pre-receive hook declined";
1453                 }
1454                 return;
1455         }
1456
1457         /*
1458          * Now we'll start writing out refs, which means the objects need
1459          * to be in their final positions so that other processes can see them.
1460          */
1461         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1462                 for (cmd = commands; cmd; cmd = cmd->next) {
1463                         if (!cmd->error_string)
1464                                 cmd->error_string = "unable to migrate objects to permanent storage";
1465                 }
1466                 return;
1467         }
1468         tmp_objdir = NULL;
1469
1470         check_aliased_updates(commands);
1471
1472         free(head_name_to_free);
1473         head_name = head_name_to_free = resolve_refdup("HEAD", 0, oid.hash, NULL);
1474
1475         if (use_atomic)
1476                 execute_commands_atomic(commands, si);
1477         else
1478                 execute_commands_non_atomic(commands, si);
1479
1480         if (shallow_update)
1481                 warn_if_skipped_connectivity_check(commands, si);
1482 }
1483
1484 static struct command **queue_command(struct command **tail,
1485                                       const char *line,
1486                                       int linelen)
1487 {
1488         struct object_id old_oid, new_oid;
1489         struct command *cmd;
1490         const char *refname;
1491         int reflen;
1492         const char *p;
1493
1494         if (parse_oid_hex(line, &old_oid, &p) ||
1495             *p++ != ' ' ||
1496             parse_oid_hex(p, &new_oid, &p) ||
1497             *p++ != ' ')
1498                 die("protocol error: expected old/new/ref, got '%s'", line);
1499
1500         refname = p;
1501         reflen = linelen - (p - line);
1502         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1503         oidcpy(&cmd->old_oid, &old_oid);
1504         oidcpy(&cmd->new_oid, &new_oid);
1505         *tail = cmd;
1506         return &cmd->next;
1507 }
1508
1509 static void queue_commands_from_cert(struct command **tail,
1510                                      struct strbuf *push_cert)
1511 {
1512         const char *boc, *eoc;
1513
1514         if (*tail)
1515                 die("protocol error: got both push certificate and unsigned commands");
1516
1517         boc = strstr(push_cert->buf, "\n\n");
1518         if (!boc)
1519                 die("malformed push certificate %.*s", 100, push_cert->buf);
1520         else
1521                 boc += 2;
1522         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1523
1524         while (boc < eoc) {
1525                 const char *eol = memchr(boc, '\n', eoc - boc);
1526                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1527                 boc = eol ? eol + 1 : eoc;
1528         }
1529 }
1530
1531 static struct command *read_head_info(struct oid_array *shallow)
1532 {
1533         struct command *commands = NULL;
1534         struct command **p = &commands;
1535         for (;;) {
1536                 char *line;
1537                 int len, linelen;
1538
1539                 line = packet_read_line(0, &len);
1540                 if (!line)
1541                         break;
1542
1543                 if (len > 8 && starts_with(line, "shallow ")) {
1544                         struct object_id oid;
1545                         if (get_oid_hex(line + 8, &oid))
1546                                 die("protocol error: expected shallow sha, got '%s'",
1547                                     line + 8);
1548                         oid_array_append(shallow, &oid);
1549                         continue;
1550                 }
1551
1552                 linelen = strlen(line);
1553                 if (linelen < len) {
1554                         const char *feature_list = line + linelen + 1;
1555                         if (parse_feature_request(feature_list, "report-status"))
1556                                 report_status = 1;
1557                         if (parse_feature_request(feature_list, "side-band-64k"))
1558                                 use_sideband = LARGE_PACKET_MAX;
1559                         if (parse_feature_request(feature_list, "quiet"))
1560                                 quiet = 1;
1561                         if (advertise_atomic_push
1562                             && parse_feature_request(feature_list, "atomic"))
1563                                 use_atomic = 1;
1564                         if (advertise_push_options
1565                             && parse_feature_request(feature_list, "push-options"))
1566                                 use_push_options = 1;
1567                 }
1568
1569                 if (!strcmp(line, "push-cert")) {
1570                         int true_flush = 0;
1571                         char certbuf[1024];
1572
1573                         for (;;) {
1574                                 len = packet_read(0, NULL, NULL,
1575                                                   certbuf, sizeof(certbuf), 0);
1576                                 if (!len) {
1577                                         true_flush = 1;
1578                                         break;
1579                                 }
1580                                 if (!strcmp(certbuf, "push-cert-end\n"))
1581                                         break; /* end of cert */
1582                                 strbuf_addstr(&push_cert, certbuf);
1583                         }
1584
1585                         if (true_flush)
1586                                 break;
1587                         continue;
1588                 }
1589
1590                 p = queue_command(p, line, linelen);
1591         }
1592
1593         if (push_cert.len)
1594                 queue_commands_from_cert(p, &push_cert);
1595
1596         return commands;
1597 }
1598
1599 static void read_push_options(struct string_list *options)
1600 {
1601         while (1) {
1602                 char *line;
1603                 int len;
1604
1605                 line = packet_read_line(0, &len);
1606
1607                 if (!line)
1608                         break;
1609
1610                 string_list_append(options, line);
1611         }
1612 }
1613
1614 static const char *parse_pack_header(struct pack_header *hdr)
1615 {
1616         switch (read_pack_header(0, hdr)) {
1617         case PH_ERROR_EOF:
1618                 return "eof before pack header was fully read";
1619
1620         case PH_ERROR_PACK_SIGNATURE:
1621                 return "protocol error (pack signature mismatch detected)";
1622
1623         case PH_ERROR_PROTOCOL:
1624                 return "protocol error (pack version unsupported)";
1625
1626         default:
1627                 return "unknown error in parse_pack_header";
1628
1629         case 0:
1630                 return NULL;
1631         }
1632 }
1633
1634 static const char *pack_lockfile;
1635
1636 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1637 {
1638         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1639                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1640 }
1641
1642 static const char *unpack(int err_fd, struct shallow_info *si)
1643 {
1644         struct pack_header hdr;
1645         const char *hdr_err;
1646         int status;
1647         struct child_process child = CHILD_PROCESS_INIT;
1648         int fsck_objects = (receive_fsck_objects >= 0
1649                             ? receive_fsck_objects
1650                             : transfer_fsck_objects >= 0
1651                             ? transfer_fsck_objects
1652                             : 0);
1653
1654         hdr_err = parse_pack_header(&hdr);
1655         if (hdr_err) {
1656                 if (err_fd > 0)
1657                         close(err_fd);
1658                 return hdr_err;
1659         }
1660
1661         if (si->nr_ours || si->nr_theirs) {
1662                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1663                 argv_array_push(&child.args, "--shallow-file");
1664                 argv_array_push(&child.args, alt_shallow_file);
1665         }
1666
1667         tmp_objdir = tmp_objdir_create();
1668         if (!tmp_objdir) {
1669                 if (err_fd > 0)
1670                         close(err_fd);
1671                 return "unable to create temporary object directory";
1672         }
1673         child.env = tmp_objdir_env(tmp_objdir);
1674
1675         /*
1676          * Normally we just pass the tmp_objdir environment to the child
1677          * processes that do the heavy lifting, but we may need to see these
1678          * objects ourselves to set up shallow information.
1679          */
1680         tmp_objdir_add_as_alternate(tmp_objdir);
1681
1682         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1683                 argv_array_push(&child.args, "unpack-objects");
1684                 push_header_arg(&child.args, &hdr);
1685                 if (quiet)
1686                         argv_array_push(&child.args, "-q");
1687                 if (fsck_objects)
1688                         argv_array_pushf(&child.args, "--strict%s",
1689                                 fsck_msg_types.buf);
1690                 if (max_input_size)
1691                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1692                                 (uintmax_t)max_input_size);
1693                 child.no_stdout = 1;
1694                 child.err = err_fd;
1695                 child.git_cmd = 1;
1696                 status = run_command(&child);
1697                 if (status)
1698                         return "unpack-objects abnormal exit";
1699         } else {
1700                 char hostname[HOST_NAME_MAX + 1];
1701
1702                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1703                 push_header_arg(&child.args, &hdr);
1704
1705                 if (xgethostname(hostname, sizeof(hostname)))
1706                         xsnprintf(hostname, sizeof(hostname), "localhost");
1707                 argv_array_pushf(&child.args,
1708                                  "--keep=receive-pack %"PRIuMAX" on %s",
1709                                  (uintmax_t)getpid(),
1710                                  hostname);
1711
1712                 if (!quiet && err_fd)
1713                         argv_array_push(&child.args, "--show-resolving-progress");
1714                 if (use_sideband)
1715                         argv_array_push(&child.args, "--report-end-of-input");
1716                 if (fsck_objects)
1717                         argv_array_pushf(&child.args, "--strict%s",
1718                                 fsck_msg_types.buf);
1719                 if (!reject_thin)
1720                         argv_array_push(&child.args, "--fix-thin");
1721                 if (max_input_size)
1722                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1723                                 (uintmax_t)max_input_size);
1724                 child.out = -1;
1725                 child.err = err_fd;
1726                 child.git_cmd = 1;
1727                 status = start_command(&child);
1728                 if (status)
1729                         return "index-pack fork failed";
1730                 pack_lockfile = index_pack_lockfile(child.out);
1731                 close(child.out);
1732                 status = finish_command(&child);
1733                 if (status)
1734                         return "index-pack abnormal exit";
1735                 reprepare_packed_git();
1736         }
1737         return NULL;
1738 }
1739
1740 static const char *unpack_with_sideband(struct shallow_info *si)
1741 {
1742         struct async muxer;
1743         const char *ret;
1744
1745         if (!use_sideband)
1746                 return unpack(0, si);
1747
1748         use_keepalive = KEEPALIVE_AFTER_NUL;
1749         memset(&muxer, 0, sizeof(muxer));
1750         muxer.proc = copy_to_sideband;
1751         muxer.in = -1;
1752         if (start_async(&muxer))
1753                 return NULL;
1754
1755         ret = unpack(muxer.in, si);
1756
1757         finish_async(&muxer);
1758         return ret;
1759 }
1760
1761 static void prepare_shallow_update(struct command *commands,
1762                                    struct shallow_info *si)
1763 {
1764         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1765
1766         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1767         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1768
1769         si->need_reachability_test =
1770                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1771         si->reachable =
1772                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1773         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1774
1775         for (i = 0; i < si->nr_ours; i++)
1776                 si->need_reachability_test[si->ours[i]] = 1;
1777
1778         for (i = 0; i < si->shallow->nr; i++) {
1779                 if (!si->used_shallow[i])
1780                         continue;
1781                 for (j = 0; j < bitmap_size; j++) {
1782                         if (!si->used_shallow[i][j])
1783                                 continue;
1784                         si->need_reachability_test[i]++;
1785                         for (k = 0; k < 32; k++)
1786                                 if (si->used_shallow[i][j] & (1U << k))
1787                                         si->shallow_ref[j * 32 + k]++;
1788                 }
1789
1790                 /*
1791                  * true for those associated with some refs and belong
1792                  * in "ours" list aka "step 7 not done yet"
1793                  */
1794                 si->need_reachability_test[i] =
1795                         si->need_reachability_test[i] > 1;
1796         }
1797
1798         /*
1799          * keep hooks happy by forcing a temporary shallow file via
1800          * env variable because we can't add --shallow-file to every
1801          * command. check_everything_connected() will be done with
1802          * true .git/shallow though.
1803          */
1804         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1805 }
1806
1807 static void update_shallow_info(struct command *commands,
1808                                 struct shallow_info *si,
1809                                 struct oid_array *ref)
1810 {
1811         struct command *cmd;
1812         int *ref_status;
1813         remove_nonexistent_theirs_shallow(si);
1814         if (!si->nr_ours && !si->nr_theirs) {
1815                 shallow_update = 0;
1816                 return;
1817         }
1818
1819         for (cmd = commands; cmd; cmd = cmd->next) {
1820                 if (is_null_oid(&cmd->new_oid))
1821                         continue;
1822                 oid_array_append(ref, &cmd->new_oid);
1823                 cmd->index = ref->nr - 1;
1824         }
1825         si->ref = ref;
1826
1827         if (shallow_update) {
1828                 prepare_shallow_update(commands, si);
1829                 return;
1830         }
1831
1832         ALLOC_ARRAY(ref_status, ref->nr);
1833         assign_shallow_commits_to_refs(si, NULL, ref_status);
1834         for (cmd = commands; cmd; cmd = cmd->next) {
1835                 if (is_null_oid(&cmd->new_oid))
1836                         continue;
1837                 if (ref_status[cmd->index]) {
1838                         cmd->error_string = "shallow update not allowed";
1839                         cmd->skip_update = 1;
1840                 }
1841         }
1842         free(ref_status);
1843 }
1844
1845 static void report(struct command *commands, const char *unpack_status)
1846 {
1847         struct command *cmd;
1848         struct strbuf buf = STRBUF_INIT;
1849
1850         packet_buf_write(&buf, "unpack %s\n",
1851                          unpack_status ? unpack_status : "ok");
1852         for (cmd = commands; cmd; cmd = cmd->next) {
1853                 if (!cmd->error_string)
1854                         packet_buf_write(&buf, "ok %s\n",
1855                                          cmd->ref_name);
1856                 else
1857                         packet_buf_write(&buf, "ng %s %s\n",
1858                                          cmd->ref_name, cmd->error_string);
1859         }
1860         packet_buf_flush(&buf);
1861
1862         if (use_sideband)
1863                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1864         else
1865                 write_or_die(1, buf.buf, buf.len);
1866         strbuf_release(&buf);
1867 }
1868
1869 static int delete_only(struct command *commands)
1870 {
1871         struct command *cmd;
1872         for (cmd = commands; cmd; cmd = cmd->next) {
1873                 if (!is_null_oid(&cmd->new_oid))
1874                         return 0;
1875         }
1876         return 1;
1877 }
1878
1879 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1880 {
1881         int advertise_refs = 0;
1882         struct command *commands;
1883         struct oid_array shallow = OID_ARRAY_INIT;
1884         struct oid_array ref = OID_ARRAY_INIT;
1885         struct shallow_info si;
1886
1887         struct option options[] = {
1888                 OPT__QUIET(&quiet, N_("quiet")),
1889                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1890                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1891                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1892                 OPT_END()
1893         };
1894
1895         packet_trace_identity("receive-pack");
1896
1897         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1898
1899         if (argc > 1)
1900                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1901         if (argc == 0)
1902                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1903
1904         service_dir = argv[0];
1905
1906         setup_path();
1907
1908         if (!enter_repo(service_dir, 0))
1909                 die("'%s' does not appear to be a git repository", service_dir);
1910
1911         git_config(receive_pack_config, NULL);
1912         if (cert_nonce_seed)
1913                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1914
1915         if (0 <= transfer_unpack_limit)
1916                 unpack_limit = transfer_unpack_limit;
1917         else if (0 <= receive_unpack_limit)
1918                 unpack_limit = receive_unpack_limit;
1919
1920         if (advertise_refs || !stateless_rpc) {
1921                 write_head_info();
1922         }
1923         if (advertise_refs)
1924                 return 0;
1925
1926         if ((commands = read_head_info(&shallow)) != NULL) {
1927                 const char *unpack_status = NULL;
1928                 struct string_list push_options = STRING_LIST_INIT_DUP;
1929
1930                 if (use_push_options)
1931                         read_push_options(&push_options);
1932
1933                 prepare_shallow_info(&si, &shallow);
1934                 if (!si.nr_ours && !si.nr_theirs)
1935                         shallow_update = 0;
1936                 if (!delete_only(commands)) {
1937                         unpack_status = unpack_with_sideband(&si);
1938                         update_shallow_info(commands, &si, &ref);
1939                 }
1940                 use_keepalive = KEEPALIVE_ALWAYS;
1941                 execute_commands(commands, unpack_status, &si,
1942                                  &push_options);
1943                 if (pack_lockfile)
1944                         unlink_or_warn(pack_lockfile);
1945                 if (report_status)
1946                         report(commands, unpack_status);
1947                 run_receive_hook(commands, "post-receive", 1,
1948                                  &push_options);
1949                 run_update_post_hook(commands);
1950                 string_list_clear(&push_options, 0);
1951                 if (auto_gc) {
1952                         const char *argv_gc_auto[] = {
1953                                 "gc", "--auto", "--quiet", NULL,
1954                         };
1955                         struct child_process proc = CHILD_PROCESS_INIT;
1956
1957                         proc.no_stdin = 1;
1958                         proc.stdout_to_stderr = 1;
1959                         proc.err = use_sideband ? -1 : 0;
1960                         proc.git_cmd = 1;
1961                         proc.argv = argv_gc_auto;
1962
1963                         close_all_packs();
1964                         if (!start_command(&proc)) {
1965                                 if (use_sideband)
1966                                         copy_to_sideband(proc.err, -1, NULL);
1967                                 finish_command(&proc);
1968                         }
1969                 }
1970                 if (auto_update_server_info)
1971                         update_server_info(0);
1972                 clear_shallow_info(&si);
1973         }
1974         if (use_sideband)
1975                 packet_flush(1);
1976         oid_array_clear(&shallow);
1977         oid_array_clear(&ref);
1978         free((void *)push_cert_nonce);
1979         return 0;
1980 }