Sync with 2.18.5
[git] / builtin / receive-pack.c
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "transport.h"
16 #include "string-list.h"
17 #include "sha1-array.h"
18 #include "connected.h"
19 #include "argv-array.h"
20 #include "version.h"
21 #include "tag.h"
22 #include "gpg-interface.h"
23 #include "sigchain.h"
24 #include "fsck.h"
25 #include "tmp-objdir.h"
26 #include "oidset.h"
27 #include "packfile.h"
28 #include "object-store.h"
29 #include "protocol.h"
30
31 static const char * const receive_pack_usage[] = {
32         N_("git receive-pack <git-dir>"),
33         NULL
34 };
35
36 enum deny_action {
37         DENY_UNCONFIGURED,
38         DENY_IGNORE,
39         DENY_WARN,
40         DENY_REFUSE,
41         DENY_UPDATE_INSTEAD
42 };
43
44 static int deny_deletes;
45 static int deny_non_fast_forwards;
46 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
47 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
48 static int receive_fsck_objects = -1;
49 static int transfer_fsck_objects = -1;
50 static struct strbuf fsck_msg_types = STRBUF_INIT;
51 static int receive_unpack_limit = -1;
52 static int transfer_unpack_limit = -1;
53 static int advertise_atomic_push = 1;
54 static int advertise_push_options;
55 static int unpack_limit = 100;
56 static off_t max_input_size;
57 static int report_status;
58 static int use_sideband;
59 static int use_atomic;
60 static int use_push_options;
61 static int quiet;
62 static int prefer_ofs_delta = 1;
63 static int auto_update_server_info;
64 static int auto_gc = 1;
65 static int reject_thin;
66 static int stateless_rpc;
67 static const char *service_dir;
68 static const char *head_name;
69 static void *head_name_to_free;
70 static int sent_capabilities;
71 static int shallow_update;
72 static const char *alt_shallow_file;
73 static struct strbuf push_cert = STRBUF_INIT;
74 static struct object_id push_cert_oid;
75 static struct signature_check sigcheck;
76 static const char *push_cert_nonce;
77 static const char *cert_nonce_seed;
78
79 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
80 static const char *NONCE_BAD = "BAD";
81 static const char *NONCE_MISSING = "MISSING";
82 static const char *NONCE_OK = "OK";
83 static const char *NONCE_SLOP = "SLOP";
84 static const char *nonce_status;
85 static long nonce_stamp_slop;
86 static timestamp_t nonce_stamp_slop_limit;
87 static struct ref_transaction *transaction;
88
89 static enum {
90         KEEPALIVE_NEVER = 0,
91         KEEPALIVE_AFTER_NUL,
92         KEEPALIVE_ALWAYS
93 } use_keepalive;
94 static int keepalive_in_sec = 5;
95
96 static struct tmp_objdir *tmp_objdir;
97
98 static enum deny_action parse_deny_action(const char *var, const char *value)
99 {
100         if (value) {
101                 if (!strcasecmp(value, "ignore"))
102                         return DENY_IGNORE;
103                 if (!strcasecmp(value, "warn"))
104                         return DENY_WARN;
105                 if (!strcasecmp(value, "refuse"))
106                         return DENY_REFUSE;
107                 if (!strcasecmp(value, "updateinstead"))
108                         return DENY_UPDATE_INSTEAD;
109         }
110         if (git_config_bool(var, value))
111                 return DENY_REFUSE;
112         return DENY_IGNORE;
113 }
114
115 static int receive_pack_config(const char *var, const char *value, void *cb)
116 {
117         int status = parse_hide_refs_config(var, value, "receive");
118
119         if (status)
120                 return status;
121
122         if (strcmp(var, "receive.denydeletes") == 0) {
123                 deny_deletes = git_config_bool(var, value);
124                 return 0;
125         }
126
127         if (strcmp(var, "receive.denynonfastforwards") == 0) {
128                 deny_non_fast_forwards = git_config_bool(var, value);
129                 return 0;
130         }
131
132         if (strcmp(var, "receive.unpacklimit") == 0) {
133                 receive_unpack_limit = git_config_int(var, value);
134                 return 0;
135         }
136
137         if (strcmp(var, "transfer.unpacklimit") == 0) {
138                 transfer_unpack_limit = git_config_int(var, value);
139                 return 0;
140         }
141
142         if (strcmp(var, "receive.fsck.skiplist") == 0) {
143                 const char *path;
144
145                 if (git_config_pathname(&path, var, value))
146                         return 1;
147                 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
148                         fsck_msg_types.len ? ',' : '=', path);
149                 free((char *)path);
150                 return 0;
151         }
152
153         if (skip_prefix(var, "receive.fsck.", &var)) {
154                 if (is_valid_msg_type(var, value))
155                         strbuf_addf(&fsck_msg_types, "%c%s=%s",
156                                 fsck_msg_types.len ? ',' : '=', var, value);
157                 else
158                         warning("Skipping unknown msg id '%s'", var);
159                 return 0;
160         }
161
162         if (strcmp(var, "receive.fsckobjects") == 0) {
163                 receive_fsck_objects = git_config_bool(var, value);
164                 return 0;
165         }
166
167         if (strcmp(var, "transfer.fsckobjects") == 0) {
168                 transfer_fsck_objects = git_config_bool(var, value);
169                 return 0;
170         }
171
172         if (!strcmp(var, "receive.denycurrentbranch")) {
173                 deny_current_branch = parse_deny_action(var, value);
174                 return 0;
175         }
176
177         if (strcmp(var, "receive.denydeletecurrent") == 0) {
178                 deny_delete_current = parse_deny_action(var, value);
179                 return 0;
180         }
181
182         if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
183                 prefer_ofs_delta = git_config_bool(var, value);
184                 return 0;
185         }
186
187         if (strcmp(var, "receive.updateserverinfo") == 0) {
188                 auto_update_server_info = git_config_bool(var, value);
189                 return 0;
190         }
191
192         if (strcmp(var, "receive.autogc") == 0) {
193                 auto_gc = git_config_bool(var, value);
194                 return 0;
195         }
196
197         if (strcmp(var, "receive.shallowupdate") == 0) {
198                 shallow_update = git_config_bool(var, value);
199                 return 0;
200         }
201
202         if (strcmp(var, "receive.certnonceseed") == 0)
203                 return git_config_string(&cert_nonce_seed, var, value);
204
205         if (strcmp(var, "receive.certnonceslop") == 0) {
206                 nonce_stamp_slop_limit = git_config_ulong(var, value);
207                 return 0;
208         }
209
210         if (strcmp(var, "receive.advertiseatomic") == 0) {
211                 advertise_atomic_push = git_config_bool(var, value);
212                 return 0;
213         }
214
215         if (strcmp(var, "receive.advertisepushoptions") == 0) {
216                 advertise_push_options = git_config_bool(var, value);
217                 return 0;
218         }
219
220         if (strcmp(var, "receive.keepalive") == 0) {
221                 keepalive_in_sec = git_config_int(var, value);
222                 return 0;
223         }
224
225         if (strcmp(var, "receive.maxinputsize") == 0) {
226                 max_input_size = git_config_int64(var, value);
227                 return 0;
228         }
229
230         return git_default_config(var, value, cb);
231 }
232
233 static void show_ref(const char *path, const struct object_id *oid)
234 {
235         if (sent_capabilities) {
236                 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
237         } else {
238                 struct strbuf cap = STRBUF_INIT;
239
240                 strbuf_addstr(&cap,
241                               "report-status delete-refs side-band-64k quiet");
242                 if (advertise_atomic_push)
243                         strbuf_addstr(&cap, " atomic");
244                 if (prefer_ofs_delta)
245                         strbuf_addstr(&cap, " ofs-delta");
246                 if (push_cert_nonce)
247                         strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
248                 if (advertise_push_options)
249                         strbuf_addstr(&cap, " push-options");
250                 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
251                 packet_write_fmt(1, "%s %s%c%s\n",
252                              oid_to_hex(oid), path, 0, cap.buf);
253                 strbuf_release(&cap);
254                 sent_capabilities = 1;
255         }
256 }
257
258 static int show_ref_cb(const char *path_full, const struct object_id *oid,
259                        int flag, void *data)
260 {
261         struct oidset *seen = data;
262         const char *path = strip_namespace(path_full);
263
264         if (ref_is_hidden(path, path_full))
265                 return 0;
266
267         /*
268          * Advertise refs outside our current namespace as ".have"
269          * refs, so that the client can use them to minimize data
270          * transfer but will otherwise ignore them.
271          */
272         if (!path) {
273                 if (oidset_insert(seen, oid))
274                         return 0;
275                 path = ".have";
276         } else {
277                 oidset_insert(seen, oid);
278         }
279         show_ref(path, oid);
280         return 0;
281 }
282
283 static void show_one_alternate_ref(const char *refname,
284                                    const struct object_id *oid,
285                                    void *data)
286 {
287         struct oidset *seen = data;
288
289         if (oidset_insert(seen, oid))
290                 return;
291
292         show_ref(".have", oid);
293 }
294
295 static void write_head_info(void)
296 {
297         static struct oidset seen = OIDSET_INIT;
298
299         for_each_ref(show_ref_cb, &seen);
300         for_each_alternate_ref(show_one_alternate_ref, &seen);
301         oidset_clear(&seen);
302         if (!sent_capabilities)
303                 show_ref("capabilities^{}", &null_oid);
304
305         advertise_shallow_grafts(1);
306
307         /* EOF */
308         packet_flush(1);
309 }
310
311 struct command {
312         struct command *next;
313         const char *error_string;
314         unsigned int skip_update:1,
315                      did_not_exist:1;
316         int index;
317         struct object_id old_oid;
318         struct object_id new_oid;
319         char ref_name[FLEX_ARRAY]; /* more */
320 };
321
322 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
323 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
324
325 static void report_message(const char *prefix, const char *err, va_list params)
326 {
327         int sz;
328         char msg[4096];
329
330         sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
331         sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
332         if (sz > (sizeof(msg) - 1))
333                 sz = sizeof(msg) - 1;
334         msg[sz++] = '\n';
335
336         if (use_sideband)
337                 send_sideband(1, 2, msg, sz, use_sideband);
338         else
339                 xwrite(2, msg, sz);
340 }
341
342 static void rp_warning(const char *err, ...)
343 {
344         va_list params;
345         va_start(params, err);
346         report_message("warning: ", err, params);
347         va_end(params);
348 }
349
350 static void rp_error(const char *err, ...)
351 {
352         va_list params;
353         va_start(params, err);
354         report_message("error: ", err, params);
355         va_end(params);
356 }
357
358 static int copy_to_sideband(int in, int out, void *arg)
359 {
360         char data[128];
361         int keepalive_active = 0;
362
363         if (keepalive_in_sec <= 0)
364                 use_keepalive = KEEPALIVE_NEVER;
365         if (use_keepalive == KEEPALIVE_ALWAYS)
366                 keepalive_active = 1;
367
368         while (1) {
369                 ssize_t sz;
370
371                 if (keepalive_active) {
372                         struct pollfd pfd;
373                         int ret;
374
375                         pfd.fd = in;
376                         pfd.events = POLLIN;
377                         ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
378
379                         if (ret < 0) {
380                                 if (errno == EINTR)
381                                         continue;
382                                 else
383                                         break;
384                         } else if (ret == 0) {
385                                 /* no data; send a keepalive packet */
386                                 static const char buf[] = "0005\1";
387                                 write_or_die(1, buf, sizeof(buf) - 1);
388                                 continue;
389                         } /* else there is actual data to read */
390                 }
391
392                 sz = xread(in, data, sizeof(data));
393                 if (sz <= 0)
394                         break;
395
396                 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
397                         const char *p = memchr(data, '\0', sz);
398                         if (p) {
399                                 /*
400                                  * The NUL tells us to start sending keepalives. Make
401                                  * sure we send any other data we read along
402                                  * with it.
403                                  */
404                                 keepalive_active = 1;
405                                 send_sideband(1, 2, data, p - data, use_sideband);
406                                 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
407                                 continue;
408                         }
409                 }
410
411                 /*
412                  * Either we're not looking for a NUL signal, or we didn't see
413                  * it yet; just pass along the data.
414                  */
415                 send_sideband(1, 2, data, sz, use_sideband);
416         }
417         close(in);
418         return 0;
419 }
420
421 #define HMAC_BLOCK_SIZE 64
422
423 static void hmac_sha1(unsigned char *out,
424                       const char *key_in, size_t key_len,
425                       const char *text, size_t text_len)
426 {
427         unsigned char key[HMAC_BLOCK_SIZE];
428         unsigned char k_ipad[HMAC_BLOCK_SIZE];
429         unsigned char k_opad[HMAC_BLOCK_SIZE];
430         int i;
431         git_SHA_CTX ctx;
432
433         /* RFC 2104 2. (1) */
434         memset(key, '\0', HMAC_BLOCK_SIZE);
435         if (HMAC_BLOCK_SIZE < key_len) {
436                 git_SHA1_Init(&ctx);
437                 git_SHA1_Update(&ctx, key_in, key_len);
438                 git_SHA1_Final(key, &ctx);
439         } else {
440                 memcpy(key, key_in, key_len);
441         }
442
443         /* RFC 2104 2. (2) & (5) */
444         for (i = 0; i < sizeof(key); i++) {
445                 k_ipad[i] = key[i] ^ 0x36;
446                 k_opad[i] = key[i] ^ 0x5c;
447         }
448
449         /* RFC 2104 2. (3) & (4) */
450         git_SHA1_Init(&ctx);
451         git_SHA1_Update(&ctx, k_ipad, sizeof(k_ipad));
452         git_SHA1_Update(&ctx, text, text_len);
453         git_SHA1_Final(out, &ctx);
454
455         /* RFC 2104 2. (6) & (7) */
456         git_SHA1_Init(&ctx);
457         git_SHA1_Update(&ctx, k_opad, sizeof(k_opad));
458         git_SHA1_Update(&ctx, out, GIT_SHA1_RAWSZ);
459         git_SHA1_Final(out, &ctx);
460 }
461
462 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
463 {
464         struct strbuf buf = STRBUF_INIT;
465         unsigned char sha1[GIT_SHA1_RAWSZ];
466
467         strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
468         hmac_sha1(sha1, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
469         strbuf_release(&buf);
470
471         /* RFC 2104 5. HMAC-SHA1-80 */
472         strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, GIT_SHA1_HEXSZ, sha1_to_hex(sha1));
473         return strbuf_detach(&buf, NULL);
474 }
475
476 /*
477  * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
478  * after dropping "_commit" from its name and possibly moving it out
479  * of commit.c
480  */
481 static char *find_header(const char *msg, size_t len, const char *key,
482                          const char **next_line)
483 {
484         int key_len = strlen(key);
485         const char *line = msg;
486
487         while (line && line < msg + len) {
488                 const char *eol = strchrnul(line, '\n');
489
490                 if ((msg + len <= eol) || line == eol)
491                         return NULL;
492                 if (line + key_len < eol &&
493                     !memcmp(line, key, key_len) && line[key_len] == ' ') {
494                         int offset = key_len + 1;
495                         if (next_line)
496                                 *next_line = *eol ? eol + 1 : eol;
497                         return xmemdupz(line + offset, (eol - line) - offset);
498                 }
499                 line = *eol ? eol + 1 : NULL;
500         }
501         return NULL;
502 }
503
504 static const char *check_nonce(const char *buf, size_t len)
505 {
506         char *nonce = find_header(buf, len, "nonce", NULL);
507         timestamp_t stamp, ostamp;
508         char *bohmac, *expect = NULL;
509         const char *retval = NONCE_BAD;
510
511         if (!nonce) {
512                 retval = NONCE_MISSING;
513                 goto leave;
514         } else if (!push_cert_nonce) {
515                 retval = NONCE_UNSOLICITED;
516                 goto leave;
517         } else if (!strcmp(push_cert_nonce, nonce)) {
518                 retval = NONCE_OK;
519                 goto leave;
520         }
521
522         if (!stateless_rpc) {
523                 /* returned nonce MUST match what we gave out earlier */
524                 retval = NONCE_BAD;
525                 goto leave;
526         }
527
528         /*
529          * In stateless mode, we may be receiving a nonce issued by
530          * another instance of the server that serving the same
531          * repository, and the timestamps may not match, but the
532          * nonce-seed and dir should match, so we can recompute and
533          * report the time slop.
534          *
535          * In addition, when a nonce issued by another instance has
536          * timestamp within receive.certnonceslop seconds, we pretend
537          * as if we issued that nonce when reporting to the hook.
538          */
539
540         /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
541         if (*nonce <= '0' || '9' < *nonce) {
542                 retval = NONCE_BAD;
543                 goto leave;
544         }
545         stamp = parse_timestamp(nonce, &bohmac, 10);
546         if (bohmac == nonce || bohmac[0] != '-') {
547                 retval = NONCE_BAD;
548                 goto leave;
549         }
550
551         expect = prepare_push_cert_nonce(service_dir, stamp);
552         if (strcmp(expect, nonce)) {
553                 /* Not what we would have signed earlier */
554                 retval = NONCE_BAD;
555                 goto leave;
556         }
557
558         /*
559          * By how many seconds is this nonce stale?  Negative value
560          * would mean it was issued by another server with its clock
561          * skewed in the future.
562          */
563         ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
564         nonce_stamp_slop = (long)ostamp - (long)stamp;
565
566         if (nonce_stamp_slop_limit &&
567             labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
568                 /*
569                  * Pretend as if the received nonce (which passes the
570                  * HMAC check, so it is not a forged by third-party)
571                  * is what we issued.
572                  */
573                 free((void *)push_cert_nonce);
574                 push_cert_nonce = xstrdup(nonce);
575                 retval = NONCE_OK;
576         } else {
577                 retval = NONCE_SLOP;
578         }
579
580 leave:
581         free(nonce);
582         free(expect);
583         return retval;
584 }
585
586 /*
587  * Return 1 if there is no push_cert or if the push options in push_cert are
588  * the same as those in the argument; 0 otherwise.
589  */
590 static int check_cert_push_options(const struct string_list *push_options)
591 {
592         const char *buf = push_cert.buf;
593         int len = push_cert.len;
594
595         char *option;
596         const char *next_line;
597         int options_seen = 0;
598
599         int retval = 1;
600
601         if (!len)
602                 return 1;
603
604         while ((option = find_header(buf, len, "push-option", &next_line))) {
605                 len -= (next_line - buf);
606                 buf = next_line;
607                 options_seen++;
608                 if (options_seen > push_options->nr
609                     || strcmp(option,
610                               push_options->items[options_seen - 1].string)) {
611                         retval = 0;
612                         goto leave;
613                 }
614                 free(option);
615         }
616
617         if (options_seen != push_options->nr)
618                 retval = 0;
619
620 leave:
621         free(option);
622         return retval;
623 }
624
625 static void prepare_push_cert_sha1(struct child_process *proc)
626 {
627         static int already_done;
628
629         if (!push_cert.len)
630                 return;
631
632         if (!already_done) {
633                 int bogs /* beginning_of_gpg_sig */;
634
635                 already_done = 1;
636                 if (write_object_file(push_cert.buf, push_cert.len, "blob",
637                                       &push_cert_oid))
638                         oidclr(&push_cert_oid);
639
640                 memset(&sigcheck, '\0', sizeof(sigcheck));
641
642                 bogs = parse_signature(push_cert.buf, push_cert.len);
643                 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
644                                 push_cert.len - bogs, &sigcheck);
645
646                 nonce_status = check_nonce(push_cert.buf, bogs);
647         }
648         if (!is_null_oid(&push_cert_oid)) {
649                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
650                                  oid_to_hex(&push_cert_oid));
651                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
652                                  sigcheck.signer ? sigcheck.signer : "");
653                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
654                                  sigcheck.key ? sigcheck.key : "");
655                 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
656                                  sigcheck.result);
657                 if (push_cert_nonce) {
658                         argv_array_pushf(&proc->env_array,
659                                          "GIT_PUSH_CERT_NONCE=%s",
660                                          push_cert_nonce);
661                         argv_array_pushf(&proc->env_array,
662                                          "GIT_PUSH_CERT_NONCE_STATUS=%s",
663                                          nonce_status);
664                         if (nonce_status == NONCE_SLOP)
665                                 argv_array_pushf(&proc->env_array,
666                                                  "GIT_PUSH_CERT_NONCE_SLOP=%ld",
667                                                  nonce_stamp_slop);
668                 }
669         }
670 }
671
672 struct receive_hook_feed_state {
673         struct command *cmd;
674         int skip_broken;
675         struct strbuf buf;
676         const struct string_list *push_options;
677 };
678
679 typedef int (*feed_fn)(void *, const char **, size_t *);
680 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
681                              struct receive_hook_feed_state *feed_state)
682 {
683         struct child_process proc = CHILD_PROCESS_INIT;
684         struct async muxer;
685         const char *argv[2];
686         int code;
687
688         argv[0] = find_hook(hook_name);
689         if (!argv[0])
690                 return 0;
691
692         argv[1] = NULL;
693
694         proc.argv = argv;
695         proc.in = -1;
696         proc.stdout_to_stderr = 1;
697         if (feed_state->push_options) {
698                 int i;
699                 for (i = 0; i < feed_state->push_options->nr; i++)
700                         argv_array_pushf(&proc.env_array,
701                                 "GIT_PUSH_OPTION_%d=%s", i,
702                                 feed_state->push_options->items[i].string);
703                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
704                                  feed_state->push_options->nr);
705         } else
706                 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
707
708         if (tmp_objdir)
709                 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
710
711         if (use_sideband) {
712                 memset(&muxer, 0, sizeof(muxer));
713                 muxer.proc = copy_to_sideband;
714                 muxer.in = -1;
715                 code = start_async(&muxer);
716                 if (code)
717                         return code;
718                 proc.err = muxer.in;
719         }
720
721         prepare_push_cert_sha1(&proc);
722
723         code = start_command(&proc);
724         if (code) {
725                 if (use_sideband)
726                         finish_async(&muxer);
727                 return code;
728         }
729
730         sigchain_push(SIGPIPE, SIG_IGN);
731
732         while (1) {
733                 const char *buf;
734                 size_t n;
735                 if (feed(feed_state, &buf, &n))
736                         break;
737                 if (write_in_full(proc.in, buf, n) < 0)
738                         break;
739         }
740         close(proc.in);
741         if (use_sideband)
742                 finish_async(&muxer);
743
744         sigchain_pop(SIGPIPE);
745
746         return finish_command(&proc);
747 }
748
749 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
750 {
751         struct receive_hook_feed_state *state = state_;
752         struct command *cmd = state->cmd;
753
754         while (cmd &&
755                state->skip_broken && (cmd->error_string || cmd->did_not_exist))
756                 cmd = cmd->next;
757         if (!cmd)
758                 return -1; /* EOF */
759         strbuf_reset(&state->buf);
760         strbuf_addf(&state->buf, "%s %s %s\n",
761                     oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
762                     cmd->ref_name);
763         state->cmd = cmd->next;
764         if (bufp) {
765                 *bufp = state->buf.buf;
766                 *sizep = state->buf.len;
767         }
768         return 0;
769 }
770
771 static int run_receive_hook(struct command *commands,
772                             const char *hook_name,
773                             int skip_broken,
774                             const struct string_list *push_options)
775 {
776         struct receive_hook_feed_state state;
777         int status;
778
779         strbuf_init(&state.buf, 0);
780         state.cmd = commands;
781         state.skip_broken = skip_broken;
782         if (feed_receive_hook(&state, NULL, NULL))
783                 return 0;
784         state.cmd = commands;
785         state.push_options = push_options;
786         status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
787         strbuf_release(&state.buf);
788         return status;
789 }
790
791 static int run_update_hook(struct command *cmd)
792 {
793         const char *argv[5];
794         struct child_process proc = CHILD_PROCESS_INIT;
795         int code;
796
797         argv[0] = find_hook("update");
798         if (!argv[0])
799                 return 0;
800
801         argv[1] = cmd->ref_name;
802         argv[2] = oid_to_hex(&cmd->old_oid);
803         argv[3] = oid_to_hex(&cmd->new_oid);
804         argv[4] = NULL;
805
806         proc.no_stdin = 1;
807         proc.stdout_to_stderr = 1;
808         proc.err = use_sideband ? -1 : 0;
809         proc.argv = argv;
810
811         code = start_command(&proc);
812         if (code)
813                 return code;
814         if (use_sideband)
815                 copy_to_sideband(proc.err, -1, NULL);
816         return finish_command(&proc);
817 }
818
819 static int is_ref_checked_out(const char *ref)
820 {
821         if (is_bare_repository())
822                 return 0;
823
824         if (!head_name)
825                 return 0;
826         return !strcmp(head_name, ref);
827 }
828
829 static char *refuse_unconfigured_deny_msg =
830         N_("By default, updating the current branch in a non-bare repository\n"
831            "is denied, because it will make the index and work tree inconsistent\n"
832            "with what you pushed, and will require 'git reset --hard' to match\n"
833            "the work tree to HEAD.\n"
834            "\n"
835            "You can set the 'receive.denyCurrentBranch' configuration variable\n"
836            "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
837            "its current branch; however, this is not recommended unless you\n"
838            "arranged to update its work tree to match what you pushed in some\n"
839            "other way.\n"
840            "\n"
841            "To squelch this message and still keep the default behaviour, set\n"
842            "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
843
844 static void refuse_unconfigured_deny(void)
845 {
846         rp_error("%s", _(refuse_unconfigured_deny_msg));
847 }
848
849 static char *refuse_unconfigured_deny_delete_current_msg =
850         N_("By default, deleting the current branch is denied, because the next\n"
851            "'git clone' won't result in any file checked out, causing confusion.\n"
852            "\n"
853            "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
854            "'warn' or 'ignore' in the remote repository to allow deleting the\n"
855            "current branch, with or without a warning message.\n"
856            "\n"
857            "To squelch this message, you can set it to 'refuse'.");
858
859 static void refuse_unconfigured_deny_delete_current(void)
860 {
861         rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
862 }
863
864 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
865 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
866 {
867         struct lock_file shallow_lock = LOCK_INIT;
868         struct oid_array extra = OID_ARRAY_INIT;
869         struct check_connected_options opt = CHECK_CONNECTED_INIT;
870         uint32_t mask = 1 << (cmd->index % 32);
871         int i;
872
873         trace_printf_key(&trace_shallow,
874                          "shallow: update_shallow_ref %s\n", cmd->ref_name);
875         for (i = 0; i < si->shallow->nr; i++)
876                 if (si->used_shallow[i] &&
877                     (si->used_shallow[i][cmd->index / 32] & mask) &&
878                     !delayed_reachability_test(si, i))
879                         oid_array_append(&extra, &si->shallow->oid[i]);
880
881         opt.env = tmp_objdir_env(tmp_objdir);
882         setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
883         if (check_connected(command_singleton_iterator, cmd, &opt)) {
884                 rollback_lock_file(&shallow_lock);
885                 oid_array_clear(&extra);
886                 return -1;
887         }
888
889         commit_lock_file(&shallow_lock);
890
891         /*
892          * Make sure setup_alternate_shallow() for the next ref does
893          * not lose these new roots..
894          */
895         for (i = 0; i < extra.nr; i++)
896                 register_shallow(the_repository, &extra.oid[i]);
897
898         si->shallow_ref[cmd->index] = 0;
899         oid_array_clear(&extra);
900         return 0;
901 }
902
903 /*
904  * NEEDSWORK: we should consolidate various implementions of "are we
905  * on an unborn branch?" test into one, and make the unified one more
906  * robust. !get_sha1() based check used here and elsewhere would not
907  * allow us to tell an unborn branch from corrupt ref, for example.
908  * For the purpose of fixing "deploy-to-update does not work when
909  * pushing into an empty repository" issue, this should suffice for
910  * now.
911  */
912 static int head_has_history(void)
913 {
914         struct object_id oid;
915
916         return !get_oid("HEAD", &oid);
917 }
918
919 static const char *push_to_deploy(unsigned char *sha1,
920                                   struct argv_array *env,
921                                   const char *work_tree)
922 {
923         const char *update_refresh[] = {
924                 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
925         };
926         const char *diff_files[] = {
927                 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
928         };
929         const char *diff_index[] = {
930                 "diff-index", "--quiet", "--cached", "--ignore-submodules",
931                 NULL, "--", NULL
932         };
933         const char *read_tree[] = {
934                 "read-tree", "-u", "-m", NULL, NULL
935         };
936         struct child_process child = CHILD_PROCESS_INIT;
937
938         child.argv = update_refresh;
939         child.env = env->argv;
940         child.dir = work_tree;
941         child.no_stdin = 1;
942         child.stdout_to_stderr = 1;
943         child.git_cmd = 1;
944         if (run_command(&child))
945                 return "Up-to-date check failed";
946
947         /* run_command() does not clean up completely; reinitialize */
948         child_process_init(&child);
949         child.argv = diff_files;
950         child.env = env->argv;
951         child.dir = work_tree;
952         child.no_stdin = 1;
953         child.stdout_to_stderr = 1;
954         child.git_cmd = 1;
955         if (run_command(&child))
956                 return "Working directory has unstaged changes";
957
958         /* diff-index with either HEAD or an empty tree */
959         diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
960
961         child_process_init(&child);
962         child.argv = diff_index;
963         child.env = env->argv;
964         child.no_stdin = 1;
965         child.no_stdout = 1;
966         child.stdout_to_stderr = 0;
967         child.git_cmd = 1;
968         if (run_command(&child))
969                 return "Working directory has staged changes";
970
971         read_tree[3] = sha1_to_hex(sha1);
972         child_process_init(&child);
973         child.argv = read_tree;
974         child.env = env->argv;
975         child.dir = work_tree;
976         child.no_stdin = 1;
977         child.no_stdout = 1;
978         child.stdout_to_stderr = 0;
979         child.git_cmd = 1;
980         if (run_command(&child))
981                 return "Could not update working tree to new HEAD";
982
983         return NULL;
984 }
985
986 static const char *push_to_checkout_hook = "push-to-checkout";
987
988 static const char *push_to_checkout(unsigned char *sha1,
989                                     struct argv_array *env,
990                                     const char *work_tree)
991 {
992         argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
993         if (run_hook_le(env->argv, push_to_checkout_hook,
994                         sha1_to_hex(sha1), NULL))
995                 return "push-to-checkout hook declined";
996         else
997                 return NULL;
998 }
999
1000 static const char *update_worktree(unsigned char *sha1)
1001 {
1002         const char *retval;
1003         const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1004         struct argv_array env = ARGV_ARRAY_INIT;
1005
1006         if (is_bare_repository())
1007                 return "denyCurrentBranch = updateInstead needs a worktree";
1008
1009         argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1010
1011         if (!find_hook(push_to_checkout_hook))
1012                 retval = push_to_deploy(sha1, &env, work_tree);
1013         else
1014                 retval = push_to_checkout(sha1, &env, work_tree);
1015
1016         argv_array_clear(&env);
1017         return retval;
1018 }
1019
1020 static const char *update(struct command *cmd, struct shallow_info *si)
1021 {
1022         const char *name = cmd->ref_name;
1023         struct strbuf namespaced_name_buf = STRBUF_INIT;
1024         static char *namespaced_name;
1025         const char *ret;
1026         struct object_id *old_oid = &cmd->old_oid;
1027         struct object_id *new_oid = &cmd->new_oid;
1028         int do_update_worktree = 0;
1029
1030         /* only refs/... are allowed */
1031         if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1032                 rp_error("refusing to create funny ref '%s' remotely", name);
1033                 return "funny refname";
1034         }
1035
1036         strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1037         free(namespaced_name);
1038         namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1039
1040         if (is_ref_checked_out(namespaced_name)) {
1041                 switch (deny_current_branch) {
1042                 case DENY_IGNORE:
1043                         break;
1044                 case DENY_WARN:
1045                         rp_warning("updating the current branch");
1046                         break;
1047                 case DENY_REFUSE:
1048                 case DENY_UNCONFIGURED:
1049                         rp_error("refusing to update checked out branch: %s", name);
1050                         if (deny_current_branch == DENY_UNCONFIGURED)
1051                                 refuse_unconfigured_deny();
1052                         return "branch is currently checked out";
1053                 case DENY_UPDATE_INSTEAD:
1054                         /* pass -- let other checks intervene first */
1055                         do_update_worktree = 1;
1056                         break;
1057                 }
1058         }
1059
1060         if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1061                 error("unpack should have generated %s, "
1062                       "but I can't find it!", oid_to_hex(new_oid));
1063                 return "bad pack";
1064         }
1065
1066         if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1067                 if (deny_deletes && starts_with(name, "refs/heads/")) {
1068                         rp_error("denying ref deletion for %s", name);
1069                         return "deletion prohibited";
1070                 }
1071
1072                 if (head_name && !strcmp(namespaced_name, head_name)) {
1073                         switch (deny_delete_current) {
1074                         case DENY_IGNORE:
1075                                 break;
1076                         case DENY_WARN:
1077                                 rp_warning("deleting the current branch");
1078                                 break;
1079                         case DENY_REFUSE:
1080                         case DENY_UNCONFIGURED:
1081                         case DENY_UPDATE_INSTEAD:
1082                                 if (deny_delete_current == DENY_UNCONFIGURED)
1083                                         refuse_unconfigured_deny_delete_current();
1084                                 rp_error("refusing to delete the current branch: %s", name);
1085                                 return "deletion of the current branch prohibited";
1086                         default:
1087                                 return "Invalid denyDeleteCurrent setting";
1088                         }
1089                 }
1090         }
1091
1092         if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1093             !is_null_oid(old_oid) &&
1094             starts_with(name, "refs/heads/")) {
1095                 struct object *old_object, *new_object;
1096                 struct commit *old_commit, *new_commit;
1097
1098                 old_object = parse_object(the_repository, old_oid);
1099                 new_object = parse_object(the_repository, new_oid);
1100
1101                 if (!old_object || !new_object ||
1102                     old_object->type != OBJ_COMMIT ||
1103                     new_object->type != OBJ_COMMIT) {
1104                         error("bad sha1 objects for %s", name);
1105                         return "bad ref";
1106                 }
1107                 old_commit = (struct commit *)old_object;
1108                 new_commit = (struct commit *)new_object;
1109                 if (!in_merge_bases(old_commit, new_commit)) {
1110                         rp_error("denying non-fast-forward %s"
1111                                  " (you should pull first)", name);
1112                         return "non-fast-forward";
1113                 }
1114         }
1115         if (run_update_hook(cmd)) {
1116                 rp_error("hook declined to update %s", name);
1117                 return "hook declined";
1118         }
1119
1120         if (do_update_worktree) {
1121                 ret = update_worktree(new_oid->hash);
1122                 if (ret)
1123                         return ret;
1124         }
1125
1126         if (is_null_oid(new_oid)) {
1127                 struct strbuf err = STRBUF_INIT;
1128                 if (!parse_object(the_repository, old_oid)) {
1129                         old_oid = NULL;
1130                         if (ref_exists(name)) {
1131                                 rp_warning("Allowing deletion of corrupt ref.");
1132                         } else {
1133                                 rp_warning("Deleting a non-existent ref.");
1134                                 cmd->did_not_exist = 1;
1135                         }
1136                 }
1137                 if (ref_transaction_delete(transaction,
1138                                            namespaced_name,
1139                                            old_oid,
1140                                            0, "push", &err)) {
1141                         rp_error("%s", err.buf);
1142                         strbuf_release(&err);
1143                         return "failed to delete";
1144                 }
1145                 strbuf_release(&err);
1146                 return NULL; /* good */
1147         }
1148         else {
1149                 struct strbuf err = STRBUF_INIT;
1150                 if (shallow_update && si->shallow_ref[cmd->index] &&
1151                     update_shallow_ref(cmd, si))
1152                         return "shallow error";
1153
1154                 if (ref_transaction_update(transaction,
1155                                            namespaced_name,
1156                                            new_oid, old_oid,
1157                                            0, "push",
1158                                            &err)) {
1159                         rp_error("%s", err.buf);
1160                         strbuf_release(&err);
1161
1162                         return "failed to update ref";
1163                 }
1164                 strbuf_release(&err);
1165
1166                 return NULL; /* good */
1167         }
1168 }
1169
1170 static void run_update_post_hook(struct command *commands)
1171 {
1172         struct command *cmd;
1173         struct child_process proc = CHILD_PROCESS_INIT;
1174         const char *hook;
1175
1176         hook = find_hook("post-update");
1177         if (!hook)
1178                 return;
1179
1180         for (cmd = commands; cmd; cmd = cmd->next) {
1181                 if (cmd->error_string || cmd->did_not_exist)
1182                         continue;
1183                 if (!proc.args.argc)
1184                         argv_array_push(&proc.args, hook);
1185                 argv_array_push(&proc.args, cmd->ref_name);
1186         }
1187         if (!proc.args.argc)
1188                 return;
1189
1190         proc.no_stdin = 1;
1191         proc.stdout_to_stderr = 1;
1192         proc.err = use_sideband ? -1 : 0;
1193
1194         if (!start_command(&proc)) {
1195                 if (use_sideband)
1196                         copy_to_sideband(proc.err, -1, NULL);
1197                 finish_command(&proc);
1198         }
1199 }
1200
1201 static void check_aliased_update(struct command *cmd, struct string_list *list)
1202 {
1203         struct strbuf buf = STRBUF_INIT;
1204         const char *dst_name;
1205         struct string_list_item *item;
1206         struct command *dst_cmd;
1207         int flag;
1208
1209         strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1210         dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1211         strbuf_release(&buf);
1212
1213         if (!(flag & REF_ISSYMREF))
1214                 return;
1215
1216         if (!dst_name) {
1217                 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1218                 cmd->skip_update = 1;
1219                 cmd->error_string = "broken symref";
1220                 return;
1221         }
1222         dst_name = strip_namespace(dst_name);
1223
1224         if ((item = string_list_lookup(list, dst_name)) == NULL)
1225                 return;
1226
1227         cmd->skip_update = 1;
1228
1229         dst_cmd = (struct command *) item->util;
1230
1231         if (!oidcmp(&cmd->old_oid, &dst_cmd->old_oid) &&
1232             !oidcmp(&cmd->new_oid, &dst_cmd->new_oid))
1233                 return;
1234
1235         dst_cmd->skip_update = 1;
1236
1237         rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1238                  " its target '%s' (%s..%s)",
1239                  cmd->ref_name,
1240                  find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1241                  find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1242                  dst_cmd->ref_name,
1243                  find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1244                  find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1245
1246         cmd->error_string = dst_cmd->error_string =
1247                 "inconsistent aliased update";
1248 }
1249
1250 static void check_aliased_updates(struct command *commands)
1251 {
1252         struct command *cmd;
1253         struct string_list ref_list = STRING_LIST_INIT_NODUP;
1254
1255         for (cmd = commands; cmd; cmd = cmd->next) {
1256                 struct string_list_item *item =
1257                         string_list_append(&ref_list, cmd->ref_name);
1258                 item->util = (void *)cmd;
1259         }
1260         string_list_sort(&ref_list);
1261
1262         for (cmd = commands; cmd; cmd = cmd->next) {
1263                 if (!cmd->error_string)
1264                         check_aliased_update(cmd, &ref_list);
1265         }
1266
1267         string_list_clear(&ref_list, 0);
1268 }
1269
1270 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1271 {
1272         struct command **cmd_list = cb_data;
1273         struct command *cmd = *cmd_list;
1274
1275         if (!cmd || is_null_oid(&cmd->new_oid))
1276                 return -1; /* end of list */
1277         *cmd_list = NULL; /* this returns only one */
1278         oidcpy(oid, &cmd->new_oid);
1279         return 0;
1280 }
1281
1282 static void set_connectivity_errors(struct command *commands,
1283                                     struct shallow_info *si)
1284 {
1285         struct command *cmd;
1286
1287         for (cmd = commands; cmd; cmd = cmd->next) {
1288                 struct command *singleton = cmd;
1289                 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1290
1291                 if (shallow_update && si->shallow_ref[cmd->index])
1292                         /* to be checked in update_shallow_ref() */
1293                         continue;
1294
1295                 opt.env = tmp_objdir_env(tmp_objdir);
1296                 if (!check_connected(command_singleton_iterator, &singleton,
1297                                      &opt))
1298                         continue;
1299
1300                 cmd->error_string = "missing necessary objects";
1301         }
1302 }
1303
1304 struct iterate_data {
1305         struct command *cmds;
1306         struct shallow_info *si;
1307 };
1308
1309 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1310 {
1311         struct iterate_data *data = cb_data;
1312         struct command **cmd_list = &data->cmds;
1313         struct command *cmd = *cmd_list;
1314
1315         for (; cmd; cmd = cmd->next) {
1316                 if (shallow_update && data->si->shallow_ref[cmd->index])
1317                         /* to be checked in update_shallow_ref() */
1318                         continue;
1319                 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1320                         oidcpy(oid, &cmd->new_oid);
1321                         *cmd_list = cmd->next;
1322                         return 0;
1323                 }
1324         }
1325         *cmd_list = NULL;
1326         return -1; /* end of list */
1327 }
1328
1329 static void reject_updates_to_hidden(struct command *commands)
1330 {
1331         struct strbuf refname_full = STRBUF_INIT;
1332         size_t prefix_len;
1333         struct command *cmd;
1334
1335         strbuf_addstr(&refname_full, get_git_namespace());
1336         prefix_len = refname_full.len;
1337
1338         for (cmd = commands; cmd; cmd = cmd->next) {
1339                 if (cmd->error_string)
1340                         continue;
1341
1342                 strbuf_setlen(&refname_full, prefix_len);
1343                 strbuf_addstr(&refname_full, cmd->ref_name);
1344
1345                 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1346                         continue;
1347                 if (is_null_oid(&cmd->new_oid))
1348                         cmd->error_string = "deny deleting a hidden ref";
1349                 else
1350                         cmd->error_string = "deny updating a hidden ref";
1351         }
1352
1353         strbuf_release(&refname_full);
1354 }
1355
1356 static int should_process_cmd(struct command *cmd)
1357 {
1358         return !cmd->error_string && !cmd->skip_update;
1359 }
1360
1361 static void warn_if_skipped_connectivity_check(struct command *commands,
1362                                                struct shallow_info *si)
1363 {
1364         struct command *cmd;
1365         int checked_connectivity = 1;
1366
1367         for (cmd = commands; cmd; cmd = cmd->next) {
1368                 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1369                         error("BUG: connectivity check has not been run on ref %s",
1370                               cmd->ref_name);
1371                         checked_connectivity = 0;
1372                 }
1373         }
1374         if (!checked_connectivity)
1375                 BUG("connectivity check skipped???");
1376 }
1377
1378 static void execute_commands_non_atomic(struct command *commands,
1379                                         struct shallow_info *si)
1380 {
1381         struct command *cmd;
1382         struct strbuf err = STRBUF_INIT;
1383
1384         for (cmd = commands; cmd; cmd = cmd->next) {
1385                 if (!should_process_cmd(cmd))
1386                         continue;
1387
1388                 transaction = ref_transaction_begin(&err);
1389                 if (!transaction) {
1390                         rp_error("%s", err.buf);
1391                         strbuf_reset(&err);
1392                         cmd->error_string = "transaction failed to start";
1393                         continue;
1394                 }
1395
1396                 cmd->error_string = update(cmd, si);
1397
1398                 if (!cmd->error_string
1399                     && ref_transaction_commit(transaction, &err)) {
1400                         rp_error("%s", err.buf);
1401                         strbuf_reset(&err);
1402                         cmd->error_string = "failed to update ref";
1403                 }
1404                 ref_transaction_free(transaction);
1405         }
1406         strbuf_release(&err);
1407 }
1408
1409 static void execute_commands_atomic(struct command *commands,
1410                                         struct shallow_info *si)
1411 {
1412         struct command *cmd;
1413         struct strbuf err = STRBUF_INIT;
1414         const char *reported_error = "atomic push failure";
1415
1416         transaction = ref_transaction_begin(&err);
1417         if (!transaction) {
1418                 rp_error("%s", err.buf);
1419                 strbuf_reset(&err);
1420                 reported_error = "transaction failed to start";
1421                 goto failure;
1422         }
1423
1424         for (cmd = commands; cmd; cmd = cmd->next) {
1425                 if (!should_process_cmd(cmd))
1426                         continue;
1427
1428                 cmd->error_string = update(cmd, si);
1429
1430                 if (cmd->error_string)
1431                         goto failure;
1432         }
1433
1434         if (ref_transaction_commit(transaction, &err)) {
1435                 rp_error("%s", err.buf);
1436                 reported_error = "atomic transaction failed";
1437                 goto failure;
1438         }
1439         goto cleanup;
1440
1441 failure:
1442         for (cmd = commands; cmd; cmd = cmd->next)
1443                 if (!cmd->error_string)
1444                         cmd->error_string = reported_error;
1445
1446 cleanup:
1447         ref_transaction_free(transaction);
1448         strbuf_release(&err);
1449 }
1450
1451 static void execute_commands(struct command *commands,
1452                              const char *unpacker_error,
1453                              struct shallow_info *si,
1454                              const struct string_list *push_options)
1455 {
1456         struct check_connected_options opt = CHECK_CONNECTED_INIT;
1457         struct command *cmd;
1458         struct iterate_data data;
1459         struct async muxer;
1460         int err_fd = 0;
1461
1462         if (unpacker_error) {
1463                 for (cmd = commands; cmd; cmd = cmd->next)
1464                         cmd->error_string = "unpacker error";
1465                 return;
1466         }
1467
1468         if (use_sideband) {
1469                 memset(&muxer, 0, sizeof(muxer));
1470                 muxer.proc = copy_to_sideband;
1471                 muxer.in = -1;
1472                 if (!start_async(&muxer))
1473                         err_fd = muxer.in;
1474                 /* ...else, continue without relaying sideband */
1475         }
1476
1477         data.cmds = commands;
1478         data.si = si;
1479         opt.err_fd = err_fd;
1480         opt.progress = err_fd && !quiet;
1481         opt.env = tmp_objdir_env(tmp_objdir);
1482         if (check_connected(iterate_receive_command_list, &data, &opt))
1483                 set_connectivity_errors(commands, si);
1484
1485         if (use_sideband)
1486                 finish_async(&muxer);
1487
1488         reject_updates_to_hidden(commands);
1489
1490         if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1491                 for (cmd = commands; cmd; cmd = cmd->next) {
1492                         if (!cmd->error_string)
1493                                 cmd->error_string = "pre-receive hook declined";
1494                 }
1495                 return;
1496         }
1497
1498         /*
1499          * Now we'll start writing out refs, which means the objects need
1500          * to be in their final positions so that other processes can see them.
1501          */
1502         if (tmp_objdir_migrate(tmp_objdir) < 0) {
1503                 for (cmd = commands; cmd; cmd = cmd->next) {
1504                         if (!cmd->error_string)
1505                                 cmd->error_string = "unable to migrate objects to permanent storage";
1506                 }
1507                 return;
1508         }
1509         tmp_objdir = NULL;
1510
1511         check_aliased_updates(commands);
1512
1513         free(head_name_to_free);
1514         head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1515
1516         if (use_atomic)
1517                 execute_commands_atomic(commands, si);
1518         else
1519                 execute_commands_non_atomic(commands, si);
1520
1521         if (shallow_update)
1522                 warn_if_skipped_connectivity_check(commands, si);
1523 }
1524
1525 static struct command **queue_command(struct command **tail,
1526                                       const char *line,
1527                                       int linelen)
1528 {
1529         struct object_id old_oid, new_oid;
1530         struct command *cmd;
1531         const char *refname;
1532         int reflen;
1533         const char *p;
1534
1535         if (parse_oid_hex(line, &old_oid, &p) ||
1536             *p++ != ' ' ||
1537             parse_oid_hex(p, &new_oid, &p) ||
1538             *p++ != ' ')
1539                 die("protocol error: expected old/new/ref, got '%s'", line);
1540
1541         refname = p;
1542         reflen = linelen - (p - line);
1543         FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1544         oidcpy(&cmd->old_oid, &old_oid);
1545         oidcpy(&cmd->new_oid, &new_oid);
1546         *tail = cmd;
1547         return &cmd->next;
1548 }
1549
1550 static void queue_commands_from_cert(struct command **tail,
1551                                      struct strbuf *push_cert)
1552 {
1553         const char *boc, *eoc;
1554
1555         if (*tail)
1556                 die("protocol error: got both push certificate and unsigned commands");
1557
1558         boc = strstr(push_cert->buf, "\n\n");
1559         if (!boc)
1560                 die("malformed push certificate %.*s", 100, push_cert->buf);
1561         else
1562                 boc += 2;
1563         eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1564
1565         while (boc < eoc) {
1566                 const char *eol = memchr(boc, '\n', eoc - boc);
1567                 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1568                 boc = eol ? eol + 1 : eoc;
1569         }
1570 }
1571
1572 static struct command *read_head_info(struct oid_array *shallow)
1573 {
1574         struct command *commands = NULL;
1575         struct command **p = &commands;
1576         for (;;) {
1577                 char *line;
1578                 int len, linelen;
1579
1580                 line = packet_read_line(0, &len);
1581                 if (!line)
1582                         break;
1583
1584                 if (len > 8 && starts_with(line, "shallow ")) {
1585                         struct object_id oid;
1586                         if (get_oid_hex(line + 8, &oid))
1587                                 die("protocol error: expected shallow sha, got '%s'",
1588                                     line + 8);
1589                         oid_array_append(shallow, &oid);
1590                         continue;
1591                 }
1592
1593                 linelen = strlen(line);
1594                 if (linelen < len) {
1595                         const char *feature_list = line + linelen + 1;
1596                         if (parse_feature_request(feature_list, "report-status"))
1597                                 report_status = 1;
1598                         if (parse_feature_request(feature_list, "side-band-64k"))
1599                                 use_sideband = LARGE_PACKET_MAX;
1600                         if (parse_feature_request(feature_list, "quiet"))
1601                                 quiet = 1;
1602                         if (advertise_atomic_push
1603                             && parse_feature_request(feature_list, "atomic"))
1604                                 use_atomic = 1;
1605                         if (advertise_push_options
1606                             && parse_feature_request(feature_list, "push-options"))
1607                                 use_push_options = 1;
1608                 }
1609
1610                 if (!strcmp(line, "push-cert")) {
1611                         int true_flush = 0;
1612                         char certbuf[1024];
1613
1614                         for (;;) {
1615                                 len = packet_read(0, NULL, NULL,
1616                                                   certbuf, sizeof(certbuf), 0);
1617                                 if (!len) {
1618                                         true_flush = 1;
1619                                         break;
1620                                 }
1621                                 if (!strcmp(certbuf, "push-cert-end\n"))
1622                                         break; /* end of cert */
1623                                 strbuf_addstr(&push_cert, certbuf);
1624                         }
1625
1626                         if (true_flush)
1627                                 break;
1628                         continue;
1629                 }
1630
1631                 p = queue_command(p, line, linelen);
1632         }
1633
1634         if (push_cert.len)
1635                 queue_commands_from_cert(p, &push_cert);
1636
1637         return commands;
1638 }
1639
1640 static void read_push_options(struct string_list *options)
1641 {
1642         while (1) {
1643                 char *line;
1644                 int len;
1645
1646                 line = packet_read_line(0, &len);
1647
1648                 if (!line)
1649                         break;
1650
1651                 string_list_append(options, line);
1652         }
1653 }
1654
1655 static const char *parse_pack_header(struct pack_header *hdr)
1656 {
1657         switch (read_pack_header(0, hdr)) {
1658         case PH_ERROR_EOF:
1659                 return "eof before pack header was fully read";
1660
1661         case PH_ERROR_PACK_SIGNATURE:
1662                 return "protocol error (pack signature mismatch detected)";
1663
1664         case PH_ERROR_PROTOCOL:
1665                 return "protocol error (pack version unsupported)";
1666
1667         default:
1668                 return "unknown error in parse_pack_header";
1669
1670         case 0:
1671                 return NULL;
1672         }
1673 }
1674
1675 static const char *pack_lockfile;
1676
1677 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1678 {
1679         argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1680                         ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1681 }
1682
1683 static const char *unpack(int err_fd, struct shallow_info *si)
1684 {
1685         struct pack_header hdr;
1686         const char *hdr_err;
1687         int status;
1688         struct child_process child = CHILD_PROCESS_INIT;
1689         int fsck_objects = (receive_fsck_objects >= 0
1690                             ? receive_fsck_objects
1691                             : transfer_fsck_objects >= 0
1692                             ? transfer_fsck_objects
1693                             : 0);
1694
1695         hdr_err = parse_pack_header(&hdr);
1696         if (hdr_err) {
1697                 if (err_fd > 0)
1698                         close(err_fd);
1699                 return hdr_err;
1700         }
1701
1702         if (si->nr_ours || si->nr_theirs) {
1703                 alt_shallow_file = setup_temporary_shallow(si->shallow);
1704                 argv_array_push(&child.args, "--shallow-file");
1705                 argv_array_push(&child.args, alt_shallow_file);
1706         }
1707
1708         tmp_objdir = tmp_objdir_create();
1709         if (!tmp_objdir) {
1710                 if (err_fd > 0)
1711                         close(err_fd);
1712                 return "unable to create temporary object directory";
1713         }
1714         child.env = tmp_objdir_env(tmp_objdir);
1715
1716         /*
1717          * Normally we just pass the tmp_objdir environment to the child
1718          * processes that do the heavy lifting, but we may need to see these
1719          * objects ourselves to set up shallow information.
1720          */
1721         tmp_objdir_add_as_alternate(tmp_objdir);
1722
1723         if (ntohl(hdr.hdr_entries) < unpack_limit) {
1724                 argv_array_push(&child.args, "unpack-objects");
1725                 push_header_arg(&child.args, &hdr);
1726                 if (quiet)
1727                         argv_array_push(&child.args, "-q");
1728                 if (fsck_objects)
1729                         argv_array_pushf(&child.args, "--strict%s",
1730                                 fsck_msg_types.buf);
1731                 if (max_input_size)
1732                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1733                                 (uintmax_t)max_input_size);
1734                 child.no_stdout = 1;
1735                 child.err = err_fd;
1736                 child.git_cmd = 1;
1737                 status = run_command(&child);
1738                 if (status)
1739                         return "unpack-objects abnormal exit";
1740         } else {
1741                 char hostname[HOST_NAME_MAX + 1];
1742
1743                 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1744                 push_header_arg(&child.args, &hdr);
1745
1746                 if (xgethostname(hostname, sizeof(hostname)))
1747                         xsnprintf(hostname, sizeof(hostname), "localhost");
1748                 argv_array_pushf(&child.args,
1749                                  "--keep=receive-pack %"PRIuMAX" on %s",
1750                                  (uintmax_t)getpid(),
1751                                  hostname);
1752
1753                 if (!quiet && err_fd)
1754                         argv_array_push(&child.args, "--show-resolving-progress");
1755                 if (use_sideband)
1756                         argv_array_push(&child.args, "--report-end-of-input");
1757                 if (fsck_objects)
1758                         argv_array_pushf(&child.args, "--strict%s",
1759                                 fsck_msg_types.buf);
1760                 if (!reject_thin)
1761                         argv_array_push(&child.args, "--fix-thin");
1762                 if (max_input_size)
1763                         argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1764                                 (uintmax_t)max_input_size);
1765                 child.out = -1;
1766                 child.err = err_fd;
1767                 child.git_cmd = 1;
1768                 status = start_command(&child);
1769                 if (status)
1770                         return "index-pack fork failed";
1771                 pack_lockfile = index_pack_lockfile(child.out);
1772                 close(child.out);
1773                 status = finish_command(&child);
1774                 if (status)
1775                         return "index-pack abnormal exit";
1776                 reprepare_packed_git(the_repository);
1777         }
1778         return NULL;
1779 }
1780
1781 static const char *unpack_with_sideband(struct shallow_info *si)
1782 {
1783         struct async muxer;
1784         const char *ret;
1785
1786         if (!use_sideband)
1787                 return unpack(0, si);
1788
1789         use_keepalive = KEEPALIVE_AFTER_NUL;
1790         memset(&muxer, 0, sizeof(muxer));
1791         muxer.proc = copy_to_sideband;
1792         muxer.in = -1;
1793         if (start_async(&muxer))
1794                 return NULL;
1795
1796         ret = unpack(muxer.in, si);
1797
1798         finish_async(&muxer);
1799         return ret;
1800 }
1801
1802 static void prepare_shallow_update(struct command *commands,
1803                                    struct shallow_info *si)
1804 {
1805         int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1806
1807         ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1808         assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1809
1810         si->need_reachability_test =
1811                 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1812         si->reachable =
1813                 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1814         si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1815
1816         for (i = 0; i < si->nr_ours; i++)
1817                 si->need_reachability_test[si->ours[i]] = 1;
1818
1819         for (i = 0; i < si->shallow->nr; i++) {
1820                 if (!si->used_shallow[i])
1821                         continue;
1822                 for (j = 0; j < bitmap_size; j++) {
1823                         if (!si->used_shallow[i][j])
1824                                 continue;
1825                         si->need_reachability_test[i]++;
1826                         for (k = 0; k < 32; k++)
1827                                 if (si->used_shallow[i][j] & (1U << k))
1828                                         si->shallow_ref[j * 32 + k]++;
1829                 }
1830
1831                 /*
1832                  * true for those associated with some refs and belong
1833                  * in "ours" list aka "step 7 not done yet"
1834                  */
1835                 si->need_reachability_test[i] =
1836                         si->need_reachability_test[i] > 1;
1837         }
1838
1839         /*
1840          * keep hooks happy by forcing a temporary shallow file via
1841          * env variable because we can't add --shallow-file to every
1842          * command. check_connected() will be done with
1843          * true .git/shallow though.
1844          */
1845         setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1846 }
1847
1848 static void update_shallow_info(struct command *commands,
1849                                 struct shallow_info *si,
1850                                 struct oid_array *ref)
1851 {
1852         struct command *cmd;
1853         int *ref_status;
1854         remove_nonexistent_theirs_shallow(si);
1855         if (!si->nr_ours && !si->nr_theirs) {
1856                 shallow_update = 0;
1857                 return;
1858         }
1859
1860         for (cmd = commands; cmd; cmd = cmd->next) {
1861                 if (is_null_oid(&cmd->new_oid))
1862                         continue;
1863                 oid_array_append(ref, &cmd->new_oid);
1864                 cmd->index = ref->nr - 1;
1865         }
1866         si->ref = ref;
1867
1868         if (shallow_update) {
1869                 prepare_shallow_update(commands, si);
1870                 return;
1871         }
1872
1873         ALLOC_ARRAY(ref_status, ref->nr);
1874         assign_shallow_commits_to_refs(si, NULL, ref_status);
1875         for (cmd = commands; cmd; cmd = cmd->next) {
1876                 if (is_null_oid(&cmd->new_oid))
1877                         continue;
1878                 if (ref_status[cmd->index]) {
1879                         cmd->error_string = "shallow update not allowed";
1880                         cmd->skip_update = 1;
1881                 }
1882         }
1883         free(ref_status);
1884 }
1885
1886 static void report(struct command *commands, const char *unpack_status)
1887 {
1888         struct command *cmd;
1889         struct strbuf buf = STRBUF_INIT;
1890
1891         packet_buf_write(&buf, "unpack %s\n",
1892                          unpack_status ? unpack_status : "ok");
1893         for (cmd = commands; cmd; cmd = cmd->next) {
1894                 if (!cmd->error_string)
1895                         packet_buf_write(&buf, "ok %s\n",
1896                                          cmd->ref_name);
1897                 else
1898                         packet_buf_write(&buf, "ng %s %s\n",
1899                                          cmd->ref_name, cmd->error_string);
1900         }
1901         packet_buf_flush(&buf);
1902
1903         if (use_sideband)
1904                 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1905         else
1906                 write_or_die(1, buf.buf, buf.len);
1907         strbuf_release(&buf);
1908 }
1909
1910 static int delete_only(struct command *commands)
1911 {
1912         struct command *cmd;
1913         for (cmd = commands; cmd; cmd = cmd->next) {
1914                 if (!is_null_oid(&cmd->new_oid))
1915                         return 0;
1916         }
1917         return 1;
1918 }
1919
1920 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1921 {
1922         int advertise_refs = 0;
1923         struct command *commands;
1924         struct oid_array shallow = OID_ARRAY_INIT;
1925         struct oid_array ref = OID_ARRAY_INIT;
1926         struct shallow_info si;
1927
1928         struct option options[] = {
1929                 OPT__QUIET(&quiet, N_("quiet")),
1930                 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1931                 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1932                 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1933                 OPT_END()
1934         };
1935
1936         packet_trace_identity("receive-pack");
1937
1938         argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1939
1940         if (argc > 1)
1941                 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1942         if (argc == 0)
1943                 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1944
1945         service_dir = argv[0];
1946
1947         setup_path();
1948
1949         if (!enter_repo(service_dir, 0))
1950                 die("'%s' does not appear to be a git repository", service_dir);
1951
1952         git_config(receive_pack_config, NULL);
1953         if (cert_nonce_seed)
1954                 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1955
1956         if (0 <= transfer_unpack_limit)
1957                 unpack_limit = transfer_unpack_limit;
1958         else if (0 <= receive_unpack_limit)
1959                 unpack_limit = receive_unpack_limit;
1960
1961         switch (determine_protocol_version_server()) {
1962         case protocol_v2:
1963                 /*
1964                  * push support for protocol v2 has not been implemented yet,
1965                  * so ignore the request to use v2 and fallback to using v0.
1966                  */
1967                 break;
1968         case protocol_v1:
1969                 /*
1970                  * v1 is just the original protocol with a version string,
1971                  * so just fall through after writing the version string.
1972                  */
1973                 if (advertise_refs || !stateless_rpc)
1974                         packet_write_fmt(1, "version 1\n");
1975
1976                 /* fallthrough */
1977         case protocol_v0:
1978                 break;
1979         case protocol_unknown_version:
1980                 BUG("unknown protocol version");
1981         }
1982
1983         if (advertise_refs || !stateless_rpc) {
1984                 write_head_info();
1985         }
1986         if (advertise_refs)
1987                 return 0;
1988
1989         if ((commands = read_head_info(&shallow)) != NULL) {
1990                 const char *unpack_status = NULL;
1991                 struct string_list push_options = STRING_LIST_INIT_DUP;
1992
1993                 if (use_push_options)
1994                         read_push_options(&push_options);
1995                 if (!check_cert_push_options(&push_options)) {
1996                         struct command *cmd;
1997                         for (cmd = commands; cmd; cmd = cmd->next)
1998                                 cmd->error_string = "inconsistent push options";
1999                 }
2000
2001                 prepare_shallow_info(&si, &shallow);
2002                 if (!si.nr_ours && !si.nr_theirs)
2003                         shallow_update = 0;
2004                 if (!delete_only(commands)) {
2005                         unpack_status = unpack_with_sideband(&si);
2006                         update_shallow_info(commands, &si, &ref);
2007                 }
2008                 use_keepalive = KEEPALIVE_ALWAYS;
2009                 execute_commands(commands, unpack_status, &si,
2010                                  &push_options);
2011                 if (pack_lockfile)
2012                         unlink_or_warn(pack_lockfile);
2013                 if (report_status)
2014                         report(commands, unpack_status);
2015                 run_receive_hook(commands, "post-receive", 1,
2016                                  &push_options);
2017                 run_update_post_hook(commands);
2018                 string_list_clear(&push_options, 0);
2019                 if (auto_gc) {
2020                         const char *argv_gc_auto[] = {
2021                                 "gc", "--auto", "--quiet", NULL,
2022                         };
2023                         struct child_process proc = CHILD_PROCESS_INIT;
2024
2025                         proc.no_stdin = 1;
2026                         proc.stdout_to_stderr = 1;
2027                         proc.err = use_sideband ? -1 : 0;
2028                         proc.git_cmd = 1;
2029                         proc.argv = argv_gc_auto;
2030
2031                         close_all_packs(the_repository->objects);
2032                         if (!start_command(&proc)) {
2033                                 if (use_sideband)
2034                                         copy_to_sideband(proc.err, -1, NULL);
2035                                 finish_command(&proc);
2036                         }
2037                 }
2038                 if (auto_update_server_info)
2039                         update_server_info(0);
2040                 clear_shallow_info(&si);
2041         }
2042         if (use_sideband)
2043                 packet_flush(1);
2044         oid_array_clear(&shallow);
2045         oid_array_clear(&ref);
2046         free((void *)push_cert_nonce);
2047         return 0;
2048 }