Merge branch 'jk/submodule-c-credential'
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "lockfile.h"
3 #include "pack.h"
4 #include "refs.h"
5 #include "pkt-line.h"
6 #include "sideband.h"
7 #include "run-command.h"
8 #include "exec_cmd.h"
9 #include "commit.h"
10 #include "object.h"
11 #include "remote.h"
12 #include "connect.h"
13 #include "transport.h"
14 #include "string-list.h"
15 #include "sha1-array.h"
16 #include "connected.h"
17 #include "argv-array.h"
18 #include "version.h"
19 #include "tag.h"
20 #include "gpg-interface.h"
21 #include "sigchain.h"
22 #include "fsck.h"
23
24 static const char * const receive_pack_usage[] = {
25         N_("git receive-pack <git-dir>"),
26         NULL
27 };
28
29 enum deny_action {
30         DENY_UNCONFIGURED,
31         DENY_IGNORE,
32         DENY_WARN,
33         DENY_REFUSE,
34         DENY_UPDATE_INSTEAD
35 };
36
37 static int deny_deletes;
38 static int deny_non_fast_forwards;
39 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
40 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
41 static int receive_fsck_objects = -1;
42 static int transfer_fsck_objects = -1;
43 static struct strbuf fsck_msg_types = STRBUF_INIT;
44 static int receive_unpack_limit = -1;
45 static int transfer_unpack_limit = -1;
46 static int advertise_atomic_push = 1;
47 static int unpack_limit = 100;
48 static int report_status;
49 static int use_sideband;
50 static int use_atomic;
51 static int quiet;
52 static int prefer_ofs_delta = 1;
53 static int auto_update_server_info;
54 static int auto_gc = 1;
55 static int reject_thin;
56 static int stateless_rpc;
57 static const char *service_dir;
58 static const char *head_name;
59 static void *head_name_to_free;
60 static int sent_capabilities;
61 static int shallow_update;
62 static const char *alt_shallow_file;
63 static struct strbuf push_cert = STRBUF_INIT;
64 static unsigned char push_cert_sha1[20];
65 static struct signature_check sigcheck;
66 static const char *push_cert_nonce;
67 static const char *cert_nonce_seed;
68
69 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
70 static const char *NONCE_BAD = "BAD";
71 static const char *NONCE_MISSING = "MISSING";
72 static const char *NONCE_OK = "OK";
73 static const char *NONCE_SLOP = "SLOP";
74 static const char *nonce_status;
75 static long nonce_stamp_slop;
76 static unsigned long nonce_stamp_slop_limit;
77 static struct ref_transaction *transaction;
78
79 static enum deny_action parse_deny_action(const char *var, const char *value)
80 {
81         if (value) {
82                 if (!strcasecmp(value, "ignore"))
83                         return DENY_IGNORE;
84                 if (!strcasecmp(value, "warn"))
85                         return DENY_WARN;
86                 if (!strcasecmp(value, "refuse"))
87                         return DENY_REFUSE;
88                 if (!strcasecmp(value, "updateinstead"))
89                         return DENY_UPDATE_INSTEAD;
90         }
91         if (git_config_bool(var, value))
92                 return DENY_REFUSE;
93         return DENY_IGNORE;
94 }
95
96 static int receive_pack_config(const char *var, const char *value, void *cb)
97 {
98         int status = parse_hide_refs_config(var, value, "receive");
99
100         if (status)
101                 return status;
102
103         if (strcmp(var, "receive.denydeletes") == 0) {
104                 deny_deletes = git_config_bool(var, value);
105                 return 0;
106         }
107
108         if (strcmp(var, "receive.denynonfastforwards") == 0) {
109                 deny_non_fast_forwards = git_config_bool(var, value);
110                 return 0;
111         }
112
113         if (strcmp(var, "receive.unpacklimit") == 0) {
114                 receive_unpack_limit = git_config_int(var, value);
115                 return 0;
116         }
117
118         if (strcmp(var, "transfer.unpacklimit") == 0) {
119                 transfer_unpack_limit = git_config_int(var, value);
120                 return 0;
121         }
122
123         if (strcmp(var, "receive.fsck.skiplist") == 0) {
124                 const char *path;
125
126                 if (git_config_pathname(&path, var, value))
127                         return 1;
128                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
129                         fsck_msg_types.len ? ',' : '=', path);
130                 free((char *)path);
131                 return 0;
132         }
133
134         if (skip_prefix(var, "receive.fsck.", &var)) {
135                 if (is_valid_msg_type(var, value))
136                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
137                                 fsck_msg_types.len ? ',' : '=', var, value);
138                 else
139                         warning("Skipping unknown msg id '%s'", var);
140                 return 0;
141         }
142
143         if (strcmp(var, "receive.fsckobjects") == 0) {
144                 receive_fsck_objects = git_config_bool(var, value);
145                 return 0;
146         }
147
148         if (strcmp(var, "transfer.fsckobjects") == 0) {
149                 transfer_fsck_objects = git_config_bool(var, value);
150                 return 0;
151         }
152
153         if (!strcmp(var, "receive.denycurrentbranch")) {
154                 deny_current_branch = parse_deny_action(var, value);
155                 return 0;
156         }
157
158         if (strcmp(var, "receive.denydeletecurrent") == 0) {
159                 deny_delete_current = parse_deny_action(var, value);
160                 return 0;
161         }
162
163         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
164                 prefer_ofs_delta = git_config_bool(var, value);
165                 return 0;
166         }
167
168         if (strcmp(var, "receive.updateserverinfo") == 0) {
169                 auto_update_server_info = git_config_bool(var, value);
170                 return 0;
171         }
172
173         if (strcmp(var, "receive.autogc") == 0) {
174                 auto_gc = git_config_bool(var, value);
175                 return 0;
176         }
177
178         if (strcmp(var, "receive.shallowupdate") == 0) {
179                 shallow_update = git_config_bool(var, value);
180                 return 0;
181         }
182
183         if (strcmp(var, "receive.certnonceseed") == 0)
184                 return git_config_string(&cert_nonce_seed, var, value);
185
186         if (strcmp(var, "receive.certnonceslop") == 0) {
187                 nonce_stamp_slop_limit = git_config_ulong(var, value);
188                 return 0;
189         }
190
191         if (strcmp(var, "receive.advertiseatomic") == 0) {
192                 advertise_atomic_push = git_config_bool(var, value);
193                 return 0;
194         }
195
196         return git_default_config(var, value, cb);
197 }
198
199 static void show_ref(const char *path, const unsigned char *sha1)
200 {
201         if (sent_capabilities) {
202                 packet_write(1, "%s %s\n", sha1_to_hex(sha1), path);
203         } else {
204                 struct strbuf cap = STRBUF_INIT;
205
206                 strbuf_addstr(&cap,
207                               "report-status delete-refs side-band-64k quiet");
208                 if (advertise_atomic_push)
209                         strbuf_addstr(&cap, " atomic");
210                 if (prefer_ofs_delta)
211                         strbuf_addstr(&cap, " ofs-delta");
212                 if (push_cert_nonce)
213                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
214                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
215                 packet_write(1, "%s %s%c%s\n",
216                              sha1_to_hex(sha1), path, 0, cap.buf);
217                 strbuf_release(&cap);
218                 sent_capabilities = 1;
219         }
220 }
221
222 static int show_ref_cb(const char *path_full, const struct object_id *oid,
223                        int flag, void *unused)
224 {
225         const char *path = strip_namespace(path_full);
226
227         if (ref_is_hidden(path, path_full))
228                 return 0;
229
230         /*
231          * Advertise refs outside our current namespace as ".have"
232          * refs, so that the client can use them to minimize data
233          * transfer but will otherwise ignore them. This happens to
234          * cover ".have" that are thrown in by add_one_alternate_ref()
235          * to mark histories that are complete in our alternates as
236          * well.
237          */
238         if (!path)
239                 path = ".have";
240         show_ref(path, oid->hash);
241         return 0;
242 }
243
244 static void show_one_alternate_sha1(const unsigned char sha1[20], void *unused)
245 {
246         show_ref(".have", sha1);
247 }
248
249 static void collect_one_alternate_ref(const struct ref *ref, void *data)
250 {
251         struct sha1_array *sa = data;
252         sha1_array_append(sa, ref->old_oid.hash);
253 }
254
255 static void write_head_info(void)
256 {
257         struct sha1_array sa = SHA1_ARRAY_INIT;
258
259         for_each_alternate_ref(collect_one_alternate_ref, &sa);
260         sha1_array_for_each_unique(&sa, show_one_alternate_sha1, NULL);
261         sha1_array_clear(&sa);
262         for_each_ref(show_ref_cb, NULL);
263         if (!sent_capabilities)
264                 show_ref("capabilities^{}", null_sha1);
265
266         advertise_shallow_grafts(1);
267
268         /* EOF */
269         packet_flush(1);
270 }
271
272 struct command {
273         struct command *next;
274         const char *error_string;
275         unsigned int skip_update:1,
276                      did_not_exist:1;
277         int index;
278         unsigned char old_sha1[20];
279         unsigned char new_sha1[20];
280         char ref_name[FLEX_ARRAY]; /* more */
281 };
282
283 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
284 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
285
286 static void report_message(const char *prefix, const char *err, va_list params)
287 {
288         int sz;
289         char msg[4096];
290
291         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
292         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
293         if (sz > (sizeof(msg) - 1))
294                 sz = sizeof(msg) - 1;
295         msg[sz++] = '\n';
296
297         if (use_sideband)
298                 send_sideband(1, 2, msg, sz, use_sideband);
299         else
300                 xwrite(2, msg, sz);
301 }
302
303 static void rp_warning(const char *err, ...)
304 {
305         va_list params;
306         va_start(params, err);
307         report_message("warning: ", err, params);
308         va_end(params);
309 }
310
311 static void rp_error(const char *err, ...)
312 {
313         va_list params;
314         va_start(params, err);
315         report_message("error: ", err, params);
316         va_end(params);
317 }
318
319 static int copy_to_sideband(int in, int out, void *arg)
320 {
321         char data[128];
322         while (1) {
323                 ssize_t sz = xread(in, data, sizeof(data));
324                 if (sz <= 0)
325                         break;
326                 send_sideband(1, 2, data, sz, use_sideband);
327         }
328         close(in);
329         return 0;
330 }
331
332 #define HMAC_BLOCK_SIZE 64
333
334 static void hmac_sha1(unsigned char *out,
335                       const char *key_in, size_t key_len,
336                       const char *text, size_t text_len)
337 {
338         unsigned char key[HMAC_BLOCK_SIZE];
339         unsigned char k_ipad[HMAC_BLOCK_SIZE];
340         unsigned char k_opad[HMAC_BLOCK_SIZE];
341         int i;
342         git_SHA_CTX ctx;
343
344         /* RFC 2104 2. (1) */
345         memset(key, '\0', HMAC_BLOCK_SIZE);
346         if (HMAC_BLOCK_SIZE < key_len) {
347                 git_SHA1_Init(&ctx);
348                 git_SHA1_Update(&ctx, key_in, key_len);
349                 git_SHA1_Final(key, &ctx);
350         } else {
351                 memcpy(key, key_in, key_len);
352         }
353
354         /* RFC 2104 2. (2) & (5) */
355         for (i = 0; i < sizeof(key); i++) {
356                 k_ipad[i] = key[i] ^ 0x36;
357                 k_opad[i] = key[i] ^ 0x5c;
358         }
359
360         /* RFC 2104 2. (3) & (4) */
361         git_SHA1_Init(&ctx);
362         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
363         git_SHA1_Update(&ctx, text, text_len);
364         git_SHA1_Final(out, &ctx);
365
366         /* RFC 2104 2. (6) & (7) */
367         git_SHA1_Init(&ctx);
368         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
369         git_SHA1_Update(&ctx, out, 20);
370         git_SHA1_Final(out, &ctx);
371 }
372
373 static char *prepare_push_cert_nonce(const char *path, unsigned long stamp)
374 {
375         struct strbuf buf = STRBUF_INIT;
376         unsigned char sha1[20];
377
378         strbuf_addf(&buf, "%s:%lu", path, stamp);
379         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));;
380         strbuf_release(&buf);
381
382         /* RFC 2104 5. HMAC-SHA1-80 */
383         strbuf_addf(&buf, "%lu-%.*s", stamp, 20, sha1_to_hex(sha1));
384         return strbuf_detach(&buf, NULL);
385 }
386
387 /*
388  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
389  * after dropping "_commit" from its name and possibly moving it out
390  * of commit.c
391  */
392 static char *find_header(const char *msg, size_t len, const char *key)
393 {
394         int key_len = strlen(key);
395         const char *line = msg;
396
397         while (line && line < msg + len) {
398                 const char *eol = strchrnul(line, '\n');
399
400                 if ((msg + len <= eol) || line == eol)
401                         return NULL;
402                 if (line + key_len < eol &&
403                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
404                         int offset = key_len + 1;
405                         return xmemdupz(line + offset, (eol - line) - offset);
406                 }
407                 line = *eol ? eol + 1 : NULL;
408         }
409         return NULL;
410 }
411
412 static const char *check_nonce(const char *buf, size_t len)
413 {
414         char *nonce = find_header(buf, len, "nonce");
415         unsigned long stamp, ostamp;
416         char *bohmac, *expect = NULL;
417         const char *retval = NONCE_BAD;
418
419         if (!nonce) {
420                 retval = NONCE_MISSING;
421                 goto leave;
422         } else if (!push_cert_nonce) {
423                 retval = NONCE_UNSOLICITED;
424                 goto leave;
425         } else if (!strcmp(push_cert_nonce, nonce)) {
426                 retval = NONCE_OK;
427                 goto leave;
428         }
429
430         if (!stateless_rpc) {
431                 /* returned nonce MUST match what we gave out earlier */
432                 retval = NONCE_BAD;
433                 goto leave;
434         }
435
436         /*
437          * In stateless mode, we may be receiving a nonce issued by
438          * another instance of the server that serving the same
439          * repository, and the timestamps may not match, but the
440          * nonce-seed and dir should match, so we can recompute and
441          * report the time slop.
442          *
443          * In addition, when a nonce issued by another instance has
444          * timestamp within receive.certnonceslop seconds, we pretend
445          * as if we issued that nonce when reporting to the hook.
446          */
447
448         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
449         if (*nonce <= '0' || '9' < *nonce) {
450                 retval = NONCE_BAD;
451                 goto leave;
452         }
453         stamp = strtoul(nonce, &bohmac, 10);
454         if (bohmac == nonce || bohmac[0] != '-') {
455                 retval = NONCE_BAD;
456                 goto leave;
457         }
458
459         expect = prepare_push_cert_nonce(service_dir, stamp);
460         if (strcmp(expect, nonce)) {
461                 /* Not what we would have signed earlier */
462                 retval = NONCE_BAD;
463                 goto leave;
464         }
465
466         /*
467          * By how many seconds is this nonce stale?  Negative value
468          * would mean it was issued by another server with its clock
469          * skewed in the future.
470          */
471         ostamp = strtoul(push_cert_nonce, NULL, 10);
472         nonce_stamp_slop = (long)ostamp - (long)stamp;
473
474         if (nonce_stamp_slop_limit &&
475             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
476                 /*
477                  * Pretend as if the received nonce (which passes the
478                  * HMAC check, so it is not a forged by third-party)
479                  * is what we issued.
480                  */
481                 free((void *)push_cert_nonce);
482                 push_cert_nonce = xstrdup(nonce);
483                 retval = NONCE_OK;
484         } else {
485                 retval = NONCE_SLOP;
486         }
487
488 leave:
489         free(nonce);
490         free(expect);
491         return retval;
492 }
493
494 static void prepare_push_cert_sha1(struct child_process *proc)
495 {
496         static int already_done;
497
498         if (!push_cert.len)
499                 return;
500
501         if (!already_done) {
502                 struct strbuf gpg_output = STRBUF_INIT;
503                 struct strbuf gpg_status = STRBUF_INIT;
504                 int bogs /* beginning_of_gpg_sig */;
505
506                 already_done = 1;
507                 if (write_sha1_file(push_cert.buf, push_cert.len, "blob", push_cert_sha1))
508                         hashclr(push_cert_sha1);
509
510                 memset(&sigcheck, '\0', sizeof(sigcheck));
511                 sigcheck.result = 'N';
512
513                 bogs = parse_signature(push_cert.buf, push_cert.len);
514                 if (verify_signed_buffer(push_cert.buf, bogs,
515                                          push_cert.buf + bogs, push_cert.len - bogs,
516                                          &gpg_output, &gpg_status) < 0) {
517                         ; /* error running gpg */
518                 } else {
519                         sigcheck.payload = push_cert.buf;
520                         sigcheck.gpg_output = gpg_output.buf;
521                         sigcheck.gpg_status = gpg_status.buf;
522                         parse_gpg_output(&sigcheck);
523                 }
524
525                 strbuf_release(&gpg_output);
526                 strbuf_release(&gpg_status);
527                 nonce_status = check_nonce(push_cert.buf, bogs);
528         }
529         if (!is_null_sha1(push_cert_sha1)) {
530                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
531                                  sha1_to_hex(push_cert_sha1));
532                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
533                                  sigcheck.signer ? sigcheck.signer : "");
534                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
535                                  sigcheck.key ? sigcheck.key : "");
536                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
537                                  sigcheck.result);
538                 if (push_cert_nonce) {
539                         argv_array_pushf(&proc->env_array,
540                                          "GIT_PUSH_CERT_NONCE=%s",
541                                          push_cert_nonce);
542                         argv_array_pushf(&proc->env_array,
543                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
544                                          nonce_status);
545                         if (nonce_status == NONCE_SLOP)
546                                 argv_array_pushf(&proc->env_array,
547                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
548                                                  nonce_stamp_slop);
549                 }
550         }
551 }
552
553 typedef int (*feed_fn)(void *, const char **, size_t *);
554 static int run_and_feed_hook(const char *hook_name, feed_fn feed, void *feed_state)
555 {
556         struct child_process proc = CHILD_PROCESS_INIT;
557         struct async muxer;
558         const char *argv[2];
559         int code;
560
561         argv[0] = find_hook(hook_name);
562         if (!argv[0])
563                 return 0;
564
565         argv[1] = NULL;
566
567         proc.argv = argv;
568         proc.in = -1;
569         proc.stdout_to_stderr = 1;
570
571         if (use_sideband) {
572                 memset(&muxer, 0, sizeof(muxer));
573                 muxer.proc = copy_to_sideband;
574                 muxer.in = -1;
575                 code = start_async(&muxer);
576                 if (code)
577                         return code;
578                 proc.err = muxer.in;
579         }
580
581         prepare_push_cert_sha1(&proc);
582
583         code = start_command(&proc);
584         if (code) {
585                 if (use_sideband)
586                         finish_async(&muxer);
587                 return code;
588         }
589
590         sigchain_push(SIGPIPE, SIG_IGN);
591
592         while (1) {
593                 const char *buf;
594                 size_t n;
595                 if (feed(feed_state, &buf, &n))
596                         break;
597                 if (write_in_full(proc.in, buf, n) != n)
598                         break;
599         }
600         close(proc.in);
601         if (use_sideband)
602                 finish_async(&muxer);
603
604         sigchain_pop(SIGPIPE);
605
606         return finish_command(&proc);
607 }
608
609 struct receive_hook_feed_state {
610         struct command *cmd;
611         int skip_broken;
612         struct strbuf buf;
613 };
614
615 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
616 {
617         struct receive_hook_feed_state *state = state_;
618         struct command *cmd = state->cmd;
619
620         while (cmd &&
621                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
622                 cmd = cmd->next;
623         if (!cmd)
624                 return -1; /* EOF */
625         strbuf_reset(&state->buf);
626         strbuf_addf(&state->buf, "%s %s %s\n",
627                     sha1_to_hex(cmd->old_sha1), sha1_to_hex(cmd->new_sha1),
628                     cmd->ref_name);
629         state->cmd = cmd->next;
630         if (bufp) {
631                 *bufp = state->buf.buf;
632                 *sizep = state->buf.len;
633         }
634         return 0;
635 }
636
637 static int run_receive_hook(struct command *commands, const char *hook_name,
638                             int skip_broken)
639 {
640         struct receive_hook_feed_state state;
641         int status;
642
643         strbuf_init(&state.buf, 0);
644         state.cmd = commands;
645         state.skip_broken = skip_broken;
646         if (feed_receive_hook(&state, NULL, NULL))
647                 return 0;
648         state.cmd = commands;
649         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
650         strbuf_release(&state.buf);
651         return status;
652 }
653
654 static int run_update_hook(struct command *cmd)
655 {
656         const char *argv[5];
657         struct child_process proc = CHILD_PROCESS_INIT;
658         int code;
659
660         argv[0] = find_hook("update");
661         if (!argv[0])
662                 return 0;
663
664         argv[1] = cmd->ref_name;
665         argv[2] = sha1_to_hex(cmd->old_sha1);
666         argv[3] = sha1_to_hex(cmd->new_sha1);
667         argv[4] = NULL;
668
669         proc.no_stdin = 1;
670         proc.stdout_to_stderr = 1;
671         proc.err = use_sideband ? -1 : 0;
672         proc.argv = argv;
673
674         code = start_command(&proc);
675         if (code)
676                 return code;
677         if (use_sideband)
678                 copy_to_sideband(proc.err, -1, NULL);
679         return finish_command(&proc);
680 }
681
682 static int is_ref_checked_out(const char *ref)
683 {
684         if (is_bare_repository())
685                 return 0;
686
687         if (!head_name)
688                 return 0;
689         return !strcmp(head_name, ref);
690 }
691
692 static char *refuse_unconfigured_deny_msg[] = {
693         "By default, updating the current branch in a non-bare repository",
694         "is denied, because it will make the index and work tree inconsistent",
695         "with what you pushed, and will require 'git reset --hard' to match",
696         "the work tree to HEAD.",
697         "",
698         "You can set 'receive.denyCurrentBranch' configuration variable to",
699         "'ignore' or 'warn' in the remote repository to allow pushing into",
700         "its current branch; however, this is not recommended unless you",
701         "arranged to update its work tree to match what you pushed in some",
702         "other way.",
703         "",
704         "To squelch this message and still keep the default behaviour, set",
705         "'receive.denyCurrentBranch' configuration variable to 'refuse'."
706 };
707
708 static void refuse_unconfigured_deny(void)
709 {
710         int i;
711         for (i = 0; i < ARRAY_SIZE(refuse_unconfigured_deny_msg); i++)
712                 rp_error("%s", refuse_unconfigured_deny_msg[i]);
713 }
714
715 static char *refuse_unconfigured_deny_delete_current_msg[] = {
716         "By default, deleting the current branch is denied, because the next",
717         "'git clone' won't result in any file checked out, causing confusion.",
718         "",
719         "You can set 'receive.denyDeleteCurrent' configuration variable to",
720         "'warn' or 'ignore' in the remote repository to allow deleting the",
721         "current branch, with or without a warning message.",
722         "",
723         "To squelch this message, you can set it to 'refuse'."
724 };
725
726 static void refuse_unconfigured_deny_delete_current(void)
727 {
728         int i;
729         for (i = 0;
730              i < ARRAY_SIZE(refuse_unconfigured_deny_delete_current_msg);
731              i++)
732                 rp_error("%s", refuse_unconfigured_deny_delete_current_msg[i]);
733 }
734
735 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20]);
736 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
737 {
738         static struct lock_file shallow_lock;
739         struct sha1_array extra = SHA1_ARRAY_INIT;
740         const char *alt_file;
741         uint32_t mask = 1 << (cmd->index % 32);
742         int i;
743
744         trace_printf_key(&trace_shallow,
745                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
746         for (i = 0; i < si->shallow->nr; i++)
747                 if (si->used_shallow[i] &&
748                     (si->used_shallow[i][cmd->index / 32] & mask) &&
749                     !delayed_reachability_test(si, i))
750                         sha1_array_append(&extra, si->shallow->sha1[i]);
751
752         setup_alternate_shallow(&shallow_lock, &alt_file, &extra);
753         if (check_shallow_connected(command_singleton_iterator,
754                                     0, cmd, alt_file)) {
755                 rollback_lock_file(&shallow_lock);
756                 sha1_array_clear(&extra);
757                 return -1;
758         }
759
760         commit_lock_file(&shallow_lock);
761
762         /*
763          * Make sure setup_alternate_shallow() for the next ref does
764          * not lose these new roots..
765          */
766         for (i = 0; i < extra.nr; i++)
767                 register_shallow(extra.sha1[i]);
768
769         si->shallow_ref[cmd->index] = 0;
770         sha1_array_clear(&extra);
771         return 0;
772 }
773
774 /*
775  * NEEDSWORK: we should consolidate various implementions of "are we
776  * on an unborn branch?" test into one, and make the unified one more
777  * robust. !get_sha1() based check used here and elsewhere would not
778  * allow us to tell an unborn branch from corrupt ref, for example.
779  * For the purpose of fixing "deploy-to-update does not work when
780  * pushing into an empty repository" issue, this should suffice for
781  * now.
782  */
783 static int head_has_history(void)
784 {
785         unsigned char sha1[20];
786
787         return !get_sha1("HEAD", sha1);
788 }
789
790 static const char *push_to_deploy(unsigned char *sha1,
791                                   struct argv_array *env,
792                                   const char *work_tree)
793 {
794         const char *update_refresh[] = {
795                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
796         };
797         const char *diff_files[] = {
798                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
799         };
800         const char *diff_index[] = {
801                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
802                 NULL, "--", NULL
803         };
804         const char *read_tree[] = {
805                 "read-tree", "-u", "-m", NULL, NULL
806         };
807         struct child_process child = CHILD_PROCESS_INIT;
808
809         child.argv = update_refresh;
810         child.env = env->argv;
811         child.dir = work_tree;
812         child.no_stdin = 1;
813         child.stdout_to_stderr = 1;
814         child.git_cmd = 1;
815         if (run_command(&child))
816                 return "Up-to-date check failed";
817
818         /* run_command() does not clean up completely; reinitialize */
819         child_process_init(&child);
820         child.argv = diff_files;
821         child.env = env->argv;
822         child.dir = work_tree;
823         child.no_stdin = 1;
824         child.stdout_to_stderr = 1;
825         child.git_cmd = 1;
826         if (run_command(&child))
827                 return "Working directory has unstaged changes";
828
829         /* diff-index with either HEAD or an empty tree */
830         diff_index[4] = head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX;
831
832         child_process_init(&child);
833         child.argv = diff_index;
834         child.env = env->argv;
835         child.no_stdin = 1;
836         child.no_stdout = 1;
837         child.stdout_to_stderr = 0;
838         child.git_cmd = 1;
839         if (run_command(&child))
840                 return "Working directory has staged changes";
841
842         read_tree[3] = sha1_to_hex(sha1);
843         child_process_init(&child);
844         child.argv = read_tree;
845         child.env = env->argv;
846         child.dir = work_tree;
847         child.no_stdin = 1;
848         child.no_stdout = 1;
849         child.stdout_to_stderr = 0;
850         child.git_cmd = 1;
851         if (run_command(&child))
852                 return "Could not update working tree to new HEAD";
853
854         return NULL;
855 }
856
857 static const char *push_to_checkout_hook = "push-to-checkout";
858
859 static const char *push_to_checkout(unsigned char *sha1,
860                                     struct argv_array *env,
861                                     const char *work_tree)
862 {
863         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
864         if (run_hook_le(env->argv, push_to_checkout_hook,
865                         sha1_to_hex(sha1), NULL))
866                 return "push-to-checkout hook declined";
867         else
868                 return NULL;
869 }
870
871 static const char *update_worktree(unsigned char *sha1)
872 {
873         const char *retval;
874         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
875         struct argv_array env = ARGV_ARRAY_INIT;
876
877         if (is_bare_repository())
878                 return "denyCurrentBranch = updateInstead needs a worktree";
879
880         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
881
882         if (!find_hook(push_to_checkout_hook))
883                 retval = push_to_deploy(sha1, &env, work_tree);
884         else
885                 retval = push_to_checkout(sha1, &env, work_tree);
886
887         argv_array_clear(&env);
888         return retval;
889 }
890
891 static const char *update(struct command *cmd, struct shallow_info *si)
892 {
893         const char *name = cmd->ref_name;
894         struct strbuf namespaced_name_buf = STRBUF_INIT;
895         const char *namespaced_name, *ret;
896         unsigned char *old_sha1 = cmd->old_sha1;
897         unsigned char *new_sha1 = cmd->new_sha1;
898
899         /* only refs/... are allowed */
900         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
901                 rp_error("refusing to create funny ref '%s' remotely", name);
902                 return "funny refname";
903         }
904
905         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
906         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
907
908         if (is_ref_checked_out(namespaced_name)) {
909                 switch (deny_current_branch) {
910                 case DENY_IGNORE:
911                         break;
912                 case DENY_WARN:
913                         rp_warning("updating the current branch");
914                         break;
915                 case DENY_REFUSE:
916                 case DENY_UNCONFIGURED:
917                         rp_error("refusing to update checked out branch: %s", name);
918                         if (deny_current_branch == DENY_UNCONFIGURED)
919                                 refuse_unconfigured_deny();
920                         return "branch is currently checked out";
921                 case DENY_UPDATE_INSTEAD:
922                         ret = update_worktree(new_sha1);
923                         if (ret)
924                                 return ret;
925                         break;
926                 }
927         }
928
929         if (!is_null_sha1(new_sha1) && !has_sha1_file(new_sha1)) {
930                 error("unpack should have generated %s, "
931                       "but I can't find it!", sha1_to_hex(new_sha1));
932                 return "bad pack";
933         }
934
935         if (!is_null_sha1(old_sha1) && is_null_sha1(new_sha1)) {
936                 if (deny_deletes && starts_with(name, "refs/heads/")) {
937                         rp_error("denying ref deletion for %s", name);
938                         return "deletion prohibited";
939                 }
940
941                 if (head_name && !strcmp(namespaced_name, head_name)) {
942                         switch (deny_delete_current) {
943                         case DENY_IGNORE:
944                                 break;
945                         case DENY_WARN:
946                                 rp_warning("deleting the current branch");
947                                 break;
948                         case DENY_REFUSE:
949                         case DENY_UNCONFIGURED:
950                         case DENY_UPDATE_INSTEAD:
951                                 if (deny_delete_current == DENY_UNCONFIGURED)
952                                         refuse_unconfigured_deny_delete_current();
953                                 rp_error("refusing to delete the current branch: %s", name);
954                                 return "deletion of the current branch prohibited";
955                         default:
956                                 return "Invalid denyDeleteCurrent setting";
957                         }
958                 }
959         }
960
961         if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
962             !is_null_sha1(old_sha1) &&
963             starts_with(name, "refs/heads/")) {
964                 struct object *old_object, *new_object;
965                 struct commit *old_commit, *new_commit;
966
967                 old_object = parse_object(old_sha1);
968                 new_object = parse_object(new_sha1);
969
970                 if (!old_object || !new_object ||
971                     old_object->type != OBJ_COMMIT ||
972                     new_object->type != OBJ_COMMIT) {
973                         error("bad sha1 objects for %s", name);
974                         return "bad ref";
975                 }
976                 old_commit = (struct commit *)old_object;
977                 new_commit = (struct commit *)new_object;
978                 if (!in_merge_bases(old_commit, new_commit)) {
979                         rp_error("denying non-fast-forward %s"
980                                  " (you should pull first)", name);
981                         return "non-fast-forward";
982                 }
983         }
984         if (run_update_hook(cmd)) {
985                 rp_error("hook declined to update %s", name);
986                 return "hook declined";
987         }
988
989         if (is_null_sha1(new_sha1)) {
990                 struct strbuf err = STRBUF_INIT;
991                 if (!parse_object(old_sha1)) {
992                         old_sha1 = NULL;
993                         if (ref_exists(name)) {
994                                 rp_warning("Allowing deletion of corrupt ref.");
995                         } else {
996                                 rp_warning("Deleting a non-existent ref.");
997                                 cmd->did_not_exist = 1;
998                         }
999                 }
1000                 if (ref_transaction_delete(transaction,
1001                                            namespaced_name,
1002                                            old_sha1,
1003                                            0, "push", &err)) {
1004                         rp_error("%s", err.buf);
1005                         strbuf_release(&err);
1006                         return "failed to delete";
1007                 }
1008                 strbuf_release(&err);
1009                 return NULL; /* good */
1010         }
1011         else {
1012                 struct strbuf err = STRBUF_INIT;
1013                 if (shallow_update && si->shallow_ref[cmd->index] &&
1014                     update_shallow_ref(cmd, si))
1015                         return "shallow error";
1016
1017                 if (ref_transaction_update(transaction,
1018                                            namespaced_name,
1019                                            new_sha1, old_sha1,
1020                                            0, "push",
1021                                            &err)) {
1022                         rp_error("%s", err.buf);
1023                         strbuf_release(&err);
1024
1025                         return "failed to update ref";
1026                 }
1027                 strbuf_release(&err);
1028
1029                 return NULL; /* good */
1030         }
1031 }
1032
1033 static void run_update_post_hook(struct command *commands)
1034 {
1035         struct command *cmd;
1036         int argc;
1037         struct child_process proc = CHILD_PROCESS_INIT;
1038         const char *hook;
1039
1040         hook = find_hook("post-update");
1041         for (argc = 0, cmd = commands; cmd; cmd = cmd->next) {
1042                 if (cmd->error_string || cmd->did_not_exist)
1043                         continue;
1044                 argc++;
1045         }
1046         if (!argc || !hook)
1047                 return;
1048
1049         argv_array_push(&proc.args, hook);
1050         for (cmd = commands; cmd; cmd = cmd->next) {
1051                 if (cmd->error_string || cmd->did_not_exist)
1052                         continue;
1053                 argv_array_push(&proc.args, cmd->ref_name);
1054         }
1055
1056         proc.no_stdin = 1;
1057         proc.stdout_to_stderr = 1;
1058         proc.err = use_sideband ? -1 : 0;
1059
1060         if (!start_command(&proc)) {
1061                 if (use_sideband)
1062                         copy_to_sideband(proc.err, -1, NULL);
1063                 finish_command(&proc);
1064         }
1065 }
1066
1067 static void check_aliased_update(struct command *cmd, struct string_list *list)
1068 {
1069         struct strbuf buf = STRBUF_INIT;
1070         const char *dst_name;
1071         struct string_list_item *item;
1072         struct command *dst_cmd;
1073         unsigned char sha1[GIT_SHA1_RAWSZ];
1074         char cmd_oldh[GIT_SHA1_HEXSZ + 1],
1075              cmd_newh[GIT_SHA1_HEXSZ + 1],
1076              dst_oldh[GIT_SHA1_HEXSZ + 1],
1077              dst_newh[GIT_SHA1_HEXSZ + 1];
1078         int flag;
1079
1080         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1081         dst_name = resolve_ref_unsafe(buf.buf, 0, sha1, &flag);
1082         strbuf_release(&buf);
1083
1084         if (!(flag & REF_ISSYMREF))
1085                 return;
1086
1087         if (!dst_name) {
1088                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1089                 cmd->skip_update = 1;
1090                 cmd->error_string = "broken symref";
1091                 return;
1092         }
1093         dst_name = strip_namespace(dst_name);
1094
1095         if ((item = string_list_lookup(list, dst_name)) == NULL)
1096                 return;
1097
1098         cmd->skip_update = 1;
1099
1100         dst_cmd = (struct command *) item->util;
1101
1102         if (!hashcmp(cmd->old_sha1, dst_cmd->old_sha1) &&
1103             !hashcmp(cmd->new_sha1, dst_cmd->new_sha1))
1104                 return;
1105
1106         dst_cmd->skip_update = 1;
1107
1108         find_unique_abbrev_r(cmd_oldh, cmd->old_sha1, DEFAULT_ABBREV);
1109         find_unique_abbrev_r(cmd_newh, cmd->new_sha1, DEFAULT_ABBREV);
1110         find_unique_abbrev_r(dst_oldh, dst_cmd->old_sha1, DEFAULT_ABBREV);
1111         find_unique_abbrev_r(dst_newh, dst_cmd->new_sha1, DEFAULT_ABBREV);
1112         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1113                  " its target '%s' (%s..%s)",
1114                  cmd->ref_name, cmd_oldh, cmd_newh,
1115                  dst_cmd->ref_name, dst_oldh, dst_newh);
1116
1117         cmd->error_string = dst_cmd->error_string =
1118                 "inconsistent aliased update";
1119 }
1120
1121 static void check_aliased_updates(struct command *commands)
1122 {
1123         struct command *cmd;
1124         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1125
1126         for (cmd = commands; cmd; cmd = cmd->next) {
1127                 struct string_list_item *item =
1128                         string_list_append(&ref_list, cmd->ref_name);
1129                 item->util = (void *)cmd;
1130         }
1131         string_list_sort(&ref_list);
1132
1133         for (cmd = commands; cmd; cmd = cmd->next) {
1134                 if (!cmd->error_string)
1135                         check_aliased_update(cmd, &ref_list);
1136         }
1137
1138         string_list_clear(&ref_list, 0);
1139 }
1140
1141 static int command_singleton_iterator(void *cb_data, unsigned char sha1[20])
1142 {
1143         struct command **cmd_list = cb_data;
1144         struct command *cmd = *cmd_list;
1145
1146         if (!cmd || is_null_sha1(cmd->new_sha1))
1147                 return -1; /* end of list */
1148         *cmd_list = NULL; /* this returns only one */
1149         hashcpy(sha1, cmd->new_sha1);
1150         return 0;
1151 }
1152
1153 static void set_connectivity_errors(struct command *commands,
1154                                     struct shallow_info *si)
1155 {
1156         struct command *cmd;
1157
1158         for (cmd = commands; cmd; cmd = cmd->next) {
1159                 struct command *singleton = cmd;
1160                 if (shallow_update && si->shallow_ref[cmd->index])
1161                         /* to be checked in update_shallow_ref() */
1162                         continue;
1163                 if (!check_everything_connected(command_singleton_iterator,
1164                                                 0, &singleton))
1165                         continue;
1166                 cmd->error_string = "missing necessary objects";
1167         }
1168 }
1169
1170 struct iterate_data {
1171         struct command *cmds;
1172         struct shallow_info *si;
1173 };
1174
1175 static int iterate_receive_command_list(void *cb_data, unsigned char sha1[20])
1176 {
1177         struct iterate_data *data = cb_data;
1178         struct command **cmd_list = &data->cmds;
1179         struct command *cmd = *cmd_list;
1180
1181         for (; cmd; cmd = cmd->next) {
1182                 if (shallow_update && data->si->shallow_ref[cmd->index])
1183                         /* to be checked in update_shallow_ref() */
1184                         continue;
1185                 if (!is_null_sha1(cmd->new_sha1) && !cmd->skip_update) {
1186                         hashcpy(sha1, cmd->new_sha1);
1187                         *cmd_list = cmd->next;
1188                         return 0;
1189                 }
1190         }
1191         *cmd_list = NULL;
1192         return -1; /* end of list */
1193 }
1194
1195 static void reject_updates_to_hidden(struct command *commands)
1196 {
1197         struct strbuf refname_full = STRBUF_INIT;
1198         size_t prefix_len;
1199         struct command *cmd;
1200
1201         strbuf_addstr(&refname_full, get_git_namespace());
1202         prefix_len = refname_full.len;
1203
1204         for (cmd = commands; cmd; cmd = cmd->next) {
1205                 if (cmd->error_string)
1206                         continue;
1207
1208                 strbuf_setlen(&refname_full, prefix_len);
1209                 strbuf_addstr(&refname_full, cmd->ref_name);
1210
1211                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1212                         continue;
1213                 if (is_null_sha1(cmd->new_sha1))
1214                         cmd->error_string = "deny deleting a hidden ref";
1215                 else
1216                         cmd->error_string = "deny updating a hidden ref";
1217         }
1218
1219         strbuf_release(&refname_full);
1220 }
1221
1222 static int should_process_cmd(struct command *cmd)
1223 {
1224         return !cmd->error_string && !cmd->skip_update;
1225 }
1226
1227 static void warn_if_skipped_connectivity_check(struct command *commands,
1228                                                struct shallow_info *si)
1229 {
1230         struct command *cmd;
1231         int checked_connectivity = 1;
1232
1233         for (cmd = commands; cmd; cmd = cmd->next) {
1234                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1235                         error("BUG: connectivity check has not been run on ref %s",
1236                               cmd->ref_name);
1237                         checked_connectivity = 0;
1238                 }
1239         }
1240         if (!checked_connectivity)
1241                 die("BUG: connectivity check skipped???");
1242 }
1243
1244 static void execute_commands_non_atomic(struct command *commands,
1245                                         struct shallow_info *si)
1246 {
1247         struct command *cmd;
1248         struct strbuf err = STRBUF_INIT;
1249
1250         for (cmd = commands; cmd; cmd = cmd->next) {
1251                 if (!should_process_cmd(cmd))
1252                         continue;
1253
1254                 transaction = ref_transaction_begin(&err);
1255                 if (!transaction) {
1256                         rp_error("%s", err.buf);
1257                         strbuf_reset(&err);
1258                         cmd->error_string = "transaction failed to start";
1259                         continue;
1260                 }
1261
1262                 cmd->error_string = update(cmd, si);
1263
1264                 if (!cmd->error_string
1265                     && ref_transaction_commit(transaction, &err)) {
1266                         rp_error("%s", err.buf);
1267                         strbuf_reset(&err);
1268                         cmd->error_string = "failed to update ref";
1269                 }
1270                 ref_transaction_free(transaction);
1271         }
1272         strbuf_release(&err);
1273 }
1274
1275 static void execute_commands_atomic(struct command *commands,
1276                                         struct shallow_info *si)
1277 {
1278         struct command *cmd;
1279         struct strbuf err = STRBUF_INIT;
1280         const char *reported_error = "atomic push failure";
1281
1282         transaction = ref_transaction_begin(&err);
1283         if (!transaction) {
1284                 rp_error("%s", err.buf);
1285                 strbuf_reset(&err);
1286                 reported_error = "transaction failed to start";
1287                 goto failure;
1288         }
1289
1290         for (cmd = commands; cmd; cmd = cmd->next) {
1291                 if (!should_process_cmd(cmd))
1292                         continue;
1293
1294                 cmd->error_string = update(cmd, si);
1295
1296                 if (cmd->error_string)
1297                         goto failure;
1298         }
1299
1300         if (ref_transaction_commit(transaction, &err)) {
1301                 rp_error("%s", err.buf);
1302                 reported_error = "atomic transaction failed";
1303                 goto failure;
1304         }
1305         goto cleanup;
1306
1307 failure:
1308         for (cmd = commands; cmd; cmd = cmd->next)
1309                 if (!cmd->error_string)
1310                         cmd->error_string = reported_error;
1311
1312 cleanup:
1313         ref_transaction_free(transaction);
1314         strbuf_release(&err);
1315 }
1316
1317 static void execute_commands(struct command *commands,
1318                              const char *unpacker_error,
1319                              struct shallow_info *si)
1320 {
1321         struct command *cmd;
1322         unsigned char sha1[20];
1323         struct iterate_data data;
1324
1325         if (unpacker_error) {
1326                 for (cmd = commands; cmd; cmd = cmd->next)
1327                         cmd->error_string = "unpacker error";
1328                 return;
1329         }
1330
1331         data.cmds = commands;
1332         data.si = si;
1333         if (check_everything_connected(iterate_receive_command_list, 0, &data))
1334                 set_connectivity_errors(commands, si);
1335
1336         reject_updates_to_hidden(commands);
1337
1338         if (run_receive_hook(commands, "pre-receive", 0)) {
1339                 for (cmd = commands; cmd; cmd = cmd->next) {
1340                         if (!cmd->error_string)
1341                                 cmd->error_string = "pre-receive hook declined";
1342                 }
1343                 return;
1344         }
1345
1346         check_aliased_updates(commands);
1347
1348         free(head_name_to_free);
1349         head_name = head_name_to_free = resolve_refdup("HEAD", 0, sha1, NULL);
1350
1351         if (use_atomic)
1352                 execute_commands_atomic(commands, si);
1353         else
1354                 execute_commands_non_atomic(commands, si);
1355
1356         if (shallow_update)
1357                 warn_if_skipped_connectivity_check(commands, si);
1358 }
1359
1360 static struct command **queue_command(struct command **tail,
1361                                       const char *line,
1362                                       int linelen)
1363 {
1364         unsigned char old_sha1[20], new_sha1[20];
1365         struct command *cmd;
1366         const char *refname;
1367         int reflen;
1368
1369         if (linelen < 83 ||
1370             line[40] != ' ' ||
1371             line[81] != ' ' ||
1372             get_sha1_hex(line, old_sha1) ||
1373             get_sha1_hex(line + 41, new_sha1))
1374                 die("protocol error: expected old/new/ref, got '%s'", line);
1375
1376         refname = line + 82;
1377         reflen = linelen - 82;
1378         cmd = xcalloc(1, st_add3(sizeof(struct command), reflen, 1));
1379         hashcpy(cmd->old_sha1, old_sha1);
1380         hashcpy(cmd->new_sha1, new_sha1);
1381         memcpy(cmd->ref_name, refname, reflen);
1382         cmd->ref_name[reflen] = '\0';
1383         *tail = cmd;
1384         return &cmd->next;
1385 }
1386
1387 static void queue_commands_from_cert(struct command **tail,
1388                                      struct strbuf *push_cert)
1389 {
1390         const char *boc, *eoc;
1391
1392         if (*tail)
1393                 die("protocol error: got both push certificate and unsigned commands");
1394
1395         boc = strstr(push_cert->buf, "\n\n");
1396         if (!boc)
1397                 die("malformed push certificate %.*s", 100, push_cert->buf);
1398         else
1399                 boc += 2;
1400         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1401
1402         while (boc < eoc) {
1403                 const char *eol = memchr(boc, '\n', eoc - boc);
1404                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
1405                 boc = eol ? eol + 1 : eoc;
1406         }
1407 }
1408
1409 static struct command *read_head_info(struct sha1_array *shallow)
1410 {
1411         struct command *commands = NULL;
1412         struct command **p = &commands;
1413         for (;;) {
1414                 char *line;
1415                 int len, linelen;
1416
1417                 line = packet_read_line(0, &len);
1418                 if (!line)
1419                         break;
1420
1421                 if (len == 48 && starts_with(line, "shallow ")) {
1422                         unsigned char sha1[20];
1423                         if (get_sha1_hex(line + 8, sha1))
1424                                 die("protocol error: expected shallow sha, got '%s'",
1425                                     line + 8);
1426                         sha1_array_append(shallow, sha1);
1427                         continue;
1428                 }
1429
1430                 linelen = strlen(line);
1431                 if (linelen < len) {
1432                         const char *feature_list = line + linelen + 1;
1433                         if (parse_feature_request(feature_list, "report-status"))
1434                                 report_status = 1;
1435                         if (parse_feature_request(feature_list, "side-band-64k"))
1436                                 use_sideband = LARGE_PACKET_MAX;
1437                         if (parse_feature_request(feature_list, "quiet"))
1438                                 quiet = 1;
1439                         if (advertise_atomic_push
1440                             && parse_feature_request(feature_list, "atomic"))
1441                                 use_atomic = 1;
1442                 }
1443
1444                 if (!strcmp(line, "push-cert")) {
1445                         int true_flush = 0;
1446                         char certbuf[1024];
1447
1448                         for (;;) {
1449                                 len = packet_read(0, NULL, NULL,
1450                                                   certbuf, sizeof(certbuf), 0);
1451                                 if (!len) {
1452                                         true_flush = 1;
1453                                         break;
1454                                 }
1455                                 if (!strcmp(certbuf, "push-cert-end\n"))
1456                                         break; /* end of cert */
1457                                 strbuf_addstr(&push_cert, certbuf);
1458                         }
1459
1460                         if (true_flush)
1461                                 break;
1462                         continue;
1463                 }
1464
1465                 p = queue_command(p, line, linelen);
1466         }
1467
1468         if (push_cert.len)
1469                 queue_commands_from_cert(p, &push_cert);
1470
1471         return commands;
1472 }
1473
1474 static const char *parse_pack_header(struct pack_header *hdr)
1475 {
1476         switch (read_pack_header(0, hdr)) {
1477         case PH_ERROR_EOF:
1478                 return "eof before pack header was fully read";
1479
1480         case PH_ERROR_PACK_SIGNATURE:
1481                 return "protocol error (pack signature mismatch detected)";
1482
1483         case PH_ERROR_PROTOCOL:
1484                 return "protocol error (pack version unsupported)";
1485
1486         default:
1487                 return "unknown error in parse_pack_header";
1488
1489         case 0:
1490                 return NULL;
1491         }
1492 }
1493
1494 static const char *pack_lockfile;
1495
1496 static const char *unpack(int err_fd, struct shallow_info *si)
1497 {
1498         struct pack_header hdr;
1499         const char *hdr_err;
1500         int status;
1501         char hdr_arg[38];
1502         struct child_process child = CHILD_PROCESS_INIT;
1503         int fsck_objects = (receive_fsck_objects >= 0
1504                             ? receive_fsck_objects
1505                             : transfer_fsck_objects >= 0
1506                             ? transfer_fsck_objects
1507                             : 0);
1508
1509         hdr_err = parse_pack_header(&hdr);
1510         if (hdr_err) {
1511                 if (err_fd > 0)
1512                         close(err_fd);
1513                 return hdr_err;
1514         }
1515         snprintf(hdr_arg, sizeof(hdr_arg),
1516                         "--pack_header=%"PRIu32",%"PRIu32,
1517                         ntohl(hdr.hdr_version), ntohl(hdr.hdr_entries));
1518
1519         if (si->nr_ours || si->nr_theirs) {
1520                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1521                 argv_array_push(&child.args, "--shallow-file");
1522                 argv_array_push(&child.args, alt_shallow_file);
1523         }
1524
1525         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1526                 argv_array_pushl(&child.args, "unpack-objects", hdr_arg, NULL);
1527                 if (quiet)
1528                         argv_array_push(&child.args, "-q");
1529                 if (fsck_objects)
1530                         argv_array_pushf(&child.args, "--strict%s",
1531                                 fsck_msg_types.buf);
1532                 child.no_stdout = 1;
1533                 child.err = err_fd;
1534                 child.git_cmd = 1;
1535                 status = run_command(&child);
1536                 if (status)
1537                         return "unpack-objects abnormal exit";
1538         } else {
1539                 char hostname[256];
1540
1541                 argv_array_pushl(&child.args, "index-pack",
1542                                  "--stdin", hdr_arg, NULL);
1543
1544                 if (gethostname(hostname, sizeof(hostname)))
1545                         xsnprintf(hostname, sizeof(hostname), "localhost");
1546                 argv_array_pushf(&child.args,
1547                                  "--keep=receive-pack %"PRIuMAX" on %s",
1548                                  (uintmax_t)getpid(),
1549                                  hostname);
1550
1551                 if (fsck_objects)
1552                         argv_array_pushf(&child.args, "--strict%s",
1553                                 fsck_msg_types.buf);
1554                 if (!reject_thin)
1555                         argv_array_push(&child.args, "--fix-thin");
1556                 child.out = -1;
1557                 child.err = err_fd;
1558                 child.git_cmd = 1;
1559                 status = start_command(&child);
1560                 if (status)
1561                         return "index-pack fork failed";
1562                 pack_lockfile = index_pack_lockfile(child.out);
1563                 close(child.out);
1564                 status = finish_command(&child);
1565                 if (status)
1566                         return "index-pack abnormal exit";
1567                 reprepare_packed_git();
1568         }
1569         return NULL;
1570 }
1571
1572 static const char *unpack_with_sideband(struct shallow_info *si)
1573 {
1574         struct async muxer;
1575         const char *ret;
1576
1577         if (!use_sideband)
1578                 return unpack(0, si);
1579
1580         memset(&muxer, 0, sizeof(muxer));
1581         muxer.proc = copy_to_sideband;
1582         muxer.in = -1;
1583         if (start_async(&muxer))
1584                 return NULL;
1585
1586         ret = unpack(muxer.in, si);
1587
1588         finish_async(&muxer);
1589         return ret;
1590 }
1591
1592 static void prepare_shallow_update(struct command *commands,
1593                                    struct shallow_info *si)
1594 {
1595         int i, j, k, bitmap_size = (si->ref->nr + 31) / 32;
1596
1597         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1598         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1599
1600         si->need_reachability_test =
1601                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1602         si->reachable =
1603                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1604         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1605
1606         for (i = 0; i < si->nr_ours; i++)
1607                 si->need_reachability_test[si->ours[i]] = 1;
1608
1609         for (i = 0; i < si->shallow->nr; i++) {
1610                 if (!si->used_shallow[i])
1611                         continue;
1612                 for (j = 0; j < bitmap_size; j++) {
1613                         if (!si->used_shallow[i][j])
1614                                 continue;
1615                         si->need_reachability_test[i]++;
1616                         for (k = 0; k < 32; k++)
1617                                 if (si->used_shallow[i][j] & (1U << k))
1618                                         si->shallow_ref[j * 32 + k]++;
1619                 }
1620
1621                 /*
1622                  * true for those associated with some refs and belong
1623                  * in "ours" list aka "step 7 not done yet"
1624                  */
1625                 si->need_reachability_test[i] =
1626                         si->need_reachability_test[i] > 1;
1627         }
1628
1629         /*
1630          * keep hooks happy by forcing a temporary shallow file via
1631          * env variable because we can't add --shallow-file to every
1632          * command. check_everything_connected() will be done with
1633          * true .git/shallow though.
1634          */
1635         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1636 }
1637
1638 static void update_shallow_info(struct command *commands,
1639                                 struct shallow_info *si,
1640                                 struct sha1_array *ref)
1641 {
1642         struct command *cmd;
1643         int *ref_status;
1644         remove_nonexistent_theirs_shallow(si);
1645         if (!si->nr_ours && !si->nr_theirs) {
1646                 shallow_update = 0;
1647                 return;
1648         }
1649
1650         for (cmd = commands; cmd; cmd = cmd->next) {
1651                 if (is_null_sha1(cmd->new_sha1))
1652                         continue;
1653                 sha1_array_append(ref, cmd->new_sha1);
1654                 cmd->index = ref->nr - 1;
1655         }
1656         si->ref = ref;
1657
1658         if (shallow_update) {
1659                 prepare_shallow_update(commands, si);
1660                 return;
1661         }
1662
1663         ALLOC_ARRAY(ref_status, ref->nr);
1664         assign_shallow_commits_to_refs(si, NULL, ref_status);
1665         for (cmd = commands; cmd; cmd = cmd->next) {
1666                 if (is_null_sha1(cmd->new_sha1))
1667                         continue;
1668                 if (ref_status[cmd->index]) {
1669                         cmd->error_string = "shallow update not allowed";
1670                         cmd->skip_update = 1;
1671                 }
1672         }
1673         free(ref_status);
1674 }
1675
1676 static void report(struct command *commands, const char *unpack_status)
1677 {
1678         struct command *cmd;
1679         struct strbuf buf = STRBUF_INIT;
1680
1681         packet_buf_write(&buf, "unpack %s\n",
1682                          unpack_status ? unpack_status : "ok");
1683         for (cmd = commands; cmd; cmd = cmd->next) {
1684                 if (!cmd->error_string)
1685                         packet_buf_write(&buf, "ok %s\n",
1686                                          cmd->ref_name);
1687                 else
1688                         packet_buf_write(&buf, "ng %s %s\n",
1689                                          cmd->ref_name, cmd->error_string);
1690         }
1691         packet_buf_flush(&buf);
1692
1693         if (use_sideband)
1694                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1695         else
1696                 write_or_die(1, buf.buf, buf.len);
1697         strbuf_release(&buf);
1698 }
1699
1700 static int delete_only(struct command *commands)
1701 {
1702         struct command *cmd;
1703         for (cmd = commands; cmd; cmd = cmd->next) {
1704                 if (!is_null_sha1(cmd->new_sha1))
1705                         return 0;
1706         }
1707         return 1;
1708 }
1709
1710 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1711 {
1712         int advertise_refs = 0;
1713         struct command *commands;
1714         struct sha1_array shallow = SHA1_ARRAY_INIT;
1715         struct sha1_array ref = SHA1_ARRAY_INIT;
1716         struct shallow_info si;
1717
1718         struct option options[] = {
1719                 OPT__QUIET(&quiet, N_("quiet")),
1720                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1721                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1722                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1723                 OPT_END()
1724         };
1725
1726         packet_trace_identity("receive-pack");
1727
1728         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1729
1730         if (argc > 1)
1731                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1732         if (argc == 0)
1733                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1734
1735         service_dir = argv[0];
1736
1737         setup_path();
1738
1739         if (!enter_repo(service_dir, 0))
1740                 die("'%s' does not appear to be a git repository", service_dir);
1741
1742         git_config(receive_pack_config, NULL);
1743         if (cert_nonce_seed)
1744                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1745
1746         if (0 <= transfer_unpack_limit)
1747                 unpack_limit = transfer_unpack_limit;
1748         else if (0 <= receive_unpack_limit)
1749                 unpack_limit = receive_unpack_limit;
1750
1751         if (advertise_refs || !stateless_rpc) {
1752                 write_head_info();
1753         }
1754         if (advertise_refs)
1755                 return 0;
1756
1757         if ((commands = read_head_info(&shallow)) != NULL) {
1758                 const char *unpack_status = NULL;
1759
1760                 prepare_shallow_info(&si, &shallow);
1761                 if (!si.nr_ours && !si.nr_theirs)
1762                         shallow_update = 0;
1763                 if (!delete_only(commands)) {
1764                         unpack_status = unpack_with_sideband(&si);
1765                         update_shallow_info(commands, &si, &ref);
1766                 }
1767                 execute_commands(commands, unpack_status, &si);
1768                 if (pack_lockfile)
1769                         unlink_or_warn(pack_lockfile);
1770                 if (report_status)
1771                         report(commands, unpack_status);
1772                 run_receive_hook(commands, "post-receive", 1);
1773                 run_update_post_hook(commands);
1774                 if (auto_gc) {
1775                         const char *argv_gc_auto[] = {
1776                                 "gc", "--auto", "--quiet", NULL,
1777                         };
1778                         int opt = RUN_GIT_CMD | RUN_COMMAND_STDOUT_TO_STDERR;
1779                         close_all_packs();
1780                         run_command_v_opt(argv_gc_auto, opt);
1781                 }
1782                 if (auto_update_server_info)
1783                         update_server_info(0);
1784                 clear_shallow_info(&si);
1785         }
1786         if (use_sideband)
1787                 packet_flush(1);
1788         sha1_array_clear(&shallow);
1789         sha1_array_clear(&ref);
1790         free((void *)push_cert_nonce);
1791         return 0;
1792 }