2007-09-11 05:03:04 +02:00
|
|
|
#ifndef TRANSPORT_H
|
|
|
|
#define TRANSPORT_H
|
|
|
|
|
|
|
|
#include "cache.h"
|
2013-07-08 22:56:53 +02:00
|
|
|
#include "run-command.h"
|
2007-09-11 05:03:04 +02:00
|
|
|
#include "remote.h"
|
|
|
|
|
2009-12-09 16:26:30 +01:00
|
|
|
struct git_transport_options {
|
|
|
|
unsigned thin : 1;
|
|
|
|
unsigned keep : 1;
|
|
|
|
unsigned followtags : 1;
|
2013-05-26 03:16:17 +02:00
|
|
|
unsigned check_self_contained_and_connected : 1;
|
|
|
|
unsigned self_contained_and_connected : 1;
|
2013-12-05 14:02:42 +01:00
|
|
|
unsigned update_shallow : 1;
|
2009-12-09 16:26:30 +01:00
|
|
|
int depth;
|
|
|
|
const char *uploadpack;
|
|
|
|
const char *receivepack;
|
2013-07-09 20:01:06 +02:00
|
|
|
struct push_cas_option *cas;
|
2009-12-09 16:26:30 +01:00
|
|
|
};
|
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
struct transport {
|
|
|
|
struct remote *remote;
|
|
|
|
const char *url;
|
|
|
|
void *data;
|
2007-10-30 02:05:40 +01:00
|
|
|
const struct ref *remote_refs;
|
2007-09-11 05:03:04 +02:00
|
|
|
|
2010-02-16 08:18:21 +01:00
|
|
|
/**
|
|
|
|
* Indicates whether we already called get_refs_list(); set by
|
|
|
|
* transport.c::transport_get_remote_refs().
|
|
|
|
*/
|
|
|
|
unsigned got_remote_refs : 1;
|
|
|
|
|
fetch: work around "transport-take-over" hack
A Git-aware "connect" transport allows the "transport_take_over" to
redirect generic transport requests like fetch(), push_refs() and
get_refs_list() to the native Git transport handling methods. The
take-over process replaces transport->data with a fake data that
these method implementations understand.
While this hack works OK for a single request, it breaks when the
transport needs to make more than one requests. transport->data
that used to hold necessary information for the specific helper to
work correctly is destroyed during the take-over process.
One codepath that this matters is "git fetch" in auto-follow mode;
when it does not get all the tags that ought to point at the history
it got (which can be determined by looking at the peeled tags in the
initial advertisement) from the primary transfer, it internally
makes a second request to complete the fetch. Because "take-over"
hack has already destroyed the data necessary to talk to the
transport helper by the time this happens, the second request cannot
make a request to the helper to make another connection to fetch
these additional tags.
Mark such a transport as "cannot_reuse", and use a separate
transport to perform the backfill fetch in order to work around
this breakage.
Note that this problem does not manifest itself when running t5802,
because our upload-pack gives you all the necessary auto-followed
tags during the primary transfer. You would need to step through
"git fetch" in a debugger, stop immediately after the primary
transfer finishes and writes these auto-followed tags, remove the
tag references and repack/prune the repository to convince the
"find-non-local-tags" procedure that the primary transfer failed to
give us all the necessary tags, and then let it continue, in order
to trigger the bug in the secondary transfer this patch fixes.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-08-08 00:47:18 +02:00
|
|
|
/*
|
|
|
|
* Transports that call take-over destroys the data specific to
|
|
|
|
* the transport type while doing so, and cannot be reused.
|
|
|
|
*/
|
|
|
|
unsigned cannot_reuse : 1;
|
|
|
|
|
2013-12-05 14:02:39 +01:00
|
|
|
/*
|
|
|
|
* A hint from caller that it will be performing a clone, not
|
|
|
|
* normal fetch. IOW the repository is guaranteed empty.
|
|
|
|
*/
|
|
|
|
unsigned cloning : 1;
|
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
/**
|
|
|
|
* Returns 0 if successful, positive if the option is not
|
|
|
|
* recognized or is inapplicable, and negative if the option
|
|
|
|
* is applicable but the value is invalid.
|
|
|
|
**/
|
|
|
|
int (*set_option)(struct transport *connection, const char *name,
|
|
|
|
const char *value);
|
|
|
|
|
2009-11-18 02:42:24 +01:00
|
|
|
/**
|
|
|
|
* Returns a list of the remote side's refs. In order to allow
|
|
|
|
* the transport to try to share connections, for_push is a
|
|
|
|
* hint as to whether the ultimate operation is a push or a fetch.
|
|
|
|
*
|
|
|
|
* If the transport is able to determine the remote hash for
|
|
|
|
* the ref without a huge amount of effort, it should store it
|
|
|
|
* in the ref's old_sha1 field; otherwise it should be all 0.
|
|
|
|
**/
|
2009-03-09 02:06:07 +01:00
|
|
|
struct ref *(*get_refs_list)(struct transport *transport, int for_push);
|
2009-11-18 02:42:24 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Fetch the objects for the given refs. Note that this gets
|
|
|
|
* an array, and should ignore the list structure.
|
|
|
|
*
|
|
|
|
* If the transport did not get hashes for refs in
|
|
|
|
* get_refs_list(), it should set the old_sha1 fields in the
|
|
|
|
* provided refs now.
|
|
|
|
**/
|
|
|
|
int (*fetch)(struct transport *transport, int refs_nr, struct ref **refs);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Push the objects and refs. Send the necessary objects, and
|
|
|
|
* then, for any refs where peer_ref is set and
|
|
|
|
* peer_ref->new_sha1 is different from old_sha1, tell the
|
|
|
|
* remote side to update each ref in the list from old_sha1 to
|
|
|
|
* peer_ref->new_sha1.
|
|
|
|
*
|
|
|
|
* Where possible, set the status for each ref appropriately.
|
|
|
|
*
|
|
|
|
* The transport must modify new_sha1 in the ref to the new
|
|
|
|
* value if the remote accepted the change. Note that this
|
|
|
|
* could be a different value from peer_ref->new_sha1 if the
|
|
|
|
* process involved generating new commits.
|
|
|
|
**/
|
2009-03-09 02:06:07 +01:00
|
|
|
int (*push_refs)(struct transport *transport, struct ref *refs, int flags);
|
2007-09-11 05:03:04 +02:00
|
|
|
int (*push)(struct transport *connection, int refspec_nr, const char **refspec, int flags);
|
2009-12-09 16:26:33 +01:00
|
|
|
int (*connect)(struct transport *connection, const char *name,
|
|
|
|
const char *executable, int fd[2]);
|
2007-09-11 05:03:04 +02:00
|
|
|
|
2009-11-18 02:42:24 +01:00
|
|
|
/** get_refs_list(), fetch(), and push_refs() can keep
|
2013-04-12 00:36:10 +02:00
|
|
|
* resources (such as a connection) reserved for further
|
2009-11-18 02:42:24 +01:00
|
|
|
* use. disconnect() releases these resources.
|
|
|
|
**/
|
2007-09-11 05:03:04 +02:00
|
|
|
int (*disconnect)(struct transport *connection);
|
2007-09-19 06:49:31 +02:00
|
|
|
char *pack_lockfile;
|
2009-10-31 01:47:27 +01:00
|
|
|
signed verbose : 3;
|
2010-02-24 13:50:26 +01:00
|
|
|
/**
|
|
|
|
* Transports should not set this directly, and should use this
|
|
|
|
* value without having to check isatty(2), -q/--quiet
|
|
|
|
* (transport->verbose < 0), etc. - checking has already been done
|
|
|
|
* in transport_set_verbosity().
|
|
|
|
**/
|
2008-10-09 01:40:32 +02:00
|
|
|
unsigned progress : 1;
|
2009-12-09 16:26:30 +01:00
|
|
|
/*
|
|
|
|
* If transport is at least potentially smart, this points to
|
|
|
|
* git_transport_options structure to use in case transport
|
|
|
|
* actually turns out to be smart.
|
|
|
|
*/
|
|
|
|
struct git_transport_options *smart_options;
|
2007-09-11 05:03:04 +02:00
|
|
|
};
|
|
|
|
|
2007-09-19 06:49:31 +02:00
|
|
|
#define TRANSPORT_PUSH_ALL 1
|
|
|
|
#define TRANSPORT_PUSH_FORCE 2
|
2007-10-16 06:15:25 +02:00
|
|
|
#define TRANSPORT_PUSH_DRY_RUN 4
|
2007-11-10 00:32:25 +01:00
|
|
|
#define TRANSPORT_PUSH_MIRROR 8
|
2010-02-24 13:50:29 +01:00
|
|
|
#define TRANSPORT_PUSH_PORCELAIN 16
|
|
|
|
#define TRANSPORT_PUSH_SET_UPSTREAM 32
|
2011-08-20 00:08:47 +02:00
|
|
|
#define TRANSPORT_RECURSE_SUBMODULES_CHECK 64
|
2012-02-22 23:43:41 +01:00
|
|
|
#define TRANSPORT_PUSH_PRUNE 128
|
2012-03-29 09:21:24 +02:00
|
|
|
#define TRANSPORT_RECURSE_SUBMODULES_ON_DEMAND 256
|
2013-01-13 06:17:03 +01:00
|
|
|
#define TRANSPORT_PUSH_NO_HOOK 512
|
2013-03-04 21:09:50 +01:00
|
|
|
#define TRANSPORT_PUSH_FOLLOW_TAGS 1024
|
push: the beginning of "git push --signed"
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch. My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.
The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.
Introduce a mechanism that allows you to sign a "push certificate"
(for the lack of better name) every time you push, asserting that
what object you are pushing to update which ref that used to point
at what other object. Think of it as a cryptographic protection for
ref updates, similar to signed tags/commits but working on an
orthogonal axis.
The basic flow based on this mechanism goes like this:
1. You push out your work with "git push --signed".
2. The sending side learns where the remote refs are as usual,
together with what protocol extension the receiving end
supports. If the receiving end does not advertise the protocol
extension "push-cert", an attempt to "git push --signed" fails.
Otherwise, a text file, that looks like the following, is
prepared in core:
certificate version 0.1
pusher Junio C Hamano <gitster@pobox.com> 1315427886 -0700
7339ca65... 21580ecb... refs/heads/master
3793ac56... 12850bec... refs/heads/next
The file begins with a few header lines, which may grow as we
gain more experience. The 'pusher' header records the name of
the signer (the value of user.signingkey configuration variable,
falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the
certificate generation. After the header, a blank line follows,
followed by a copy of the protocol message lines.
Each line shows the old and the new object name at the tip of
the ref this push tries to update, in the way identical to how
the underlying "git push" protocol exchange tells the ref
updates to the receiving end (by recording the "old" object
name, the push certificate also protects against replaying). It
is expected that new command packet types other than the
old-new-refname kind will be included in push certificate in the
same way as would appear in the plain vanilla command packets in
unsigned pushes.
The user then is asked to sign this push certificate using GPG,
formatted in a way similar to how signed tag objects are signed,
and the result is sent to the other side (i.e. receive-pack).
In the protocol exchange, this step comes immediately before the
sender tells what the result of the push should be, which in
turn comes before it sends the pack data.
3. When the receiving end sees a push certificate, the certificate
is written out as a blob. The pre-receive hook can learn about
the certificate by checking GIT_PUSH_CERT environment variable,
which, if present, tells the object name of this blob, and make
the decision to allow or reject this push. Additionally, the
post-receive hook can also look at the certificate, which may be
a good place to log all the received certificates for later
audits.
Because a push certificate carry the same information as the usual
command packets in the protocol exchange, we can omit the latter
when a push certificate is in use and reduce the protocol overhead.
This however is not included in this patch to make it easier to
review (in other words, the series at this step should never be
released without the remainder of the series, as it implements an
interim protocol that will be incompatible with the final one).
As such, the documentation update for the protocol is left out of
this step.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-12 20:17:07 +02:00
|
|
|
#define TRANSPORT_PUSH_CERT 2048
|
2015-01-08 04:23:23 +01:00
|
|
|
#define TRANSPORT_PUSH_ATOMIC 4096
|
2007-09-19 06:49:31 +02:00
|
|
|
|
2010-02-17 00:42:52 +01:00
|
|
|
#define TRANSPORT_SUMMARY_WIDTH (2 * DEFAULT_ABBREV + 3)
|
2012-09-04 12:39:35 +02:00
|
|
|
#define TRANSPORT_SUMMARY(x) (int)(TRANSPORT_SUMMARY_WIDTH + strlen(x) - gettext_width(x)), (x)
|
2007-09-19 06:49:31 +02:00
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
/* Returns a transport suitable for the url */
|
2007-09-15 09:23:14 +02:00
|
|
|
struct transport *transport_get(struct remote *, const char *);
|
2007-09-11 05:03:04 +02:00
|
|
|
|
|
|
|
/* Transport options which apply to git:// and scp-style URLs */
|
|
|
|
|
2007-09-11 05:03:11 +02:00
|
|
|
/* The program to use on the remote side to send a pack */
|
|
|
|
#define TRANS_OPT_UPLOADPACK "uploadpack"
|
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
/* The program to use on the remote side to receive a pack */
|
|
|
|
#define TRANS_OPT_RECEIVEPACK "receivepack"
|
|
|
|
|
|
|
|
/* Transfer the data as a thin pack if not null */
|
|
|
|
#define TRANS_OPT_THIN "thin"
|
|
|
|
|
2013-07-09 20:01:06 +02:00
|
|
|
/* Check the current value of the remote ref */
|
|
|
|
#define TRANS_OPT_CAS "cas"
|
|
|
|
|
2007-09-11 05:03:11 +02:00
|
|
|
/* Keep the pack that was transferred if not null */
|
|
|
|
#define TRANS_OPT_KEEP "keep"
|
|
|
|
|
|
|
|
/* Limit the depth of the fetch if not null */
|
|
|
|
#define TRANS_OPT_DEPTH "depth"
|
|
|
|
|
2008-03-04 04:27:40 +01:00
|
|
|
/* Aggressively fetch annotated tags if possible */
|
|
|
|
#define TRANS_OPT_FOLLOWTAGS "followtags"
|
|
|
|
|
2013-12-05 14:02:42 +01:00
|
|
|
/* Accept refs that may update .git/shallow without --depth */
|
|
|
|
#define TRANS_OPT_UPDATE_SHALLOW "updateshallow"
|
|
|
|
|
push: the beginning of "git push --signed"
While signed tags and commits assert that the objects thusly signed
came from you, who signed these objects, there is not a good way to
assert that you wanted to have a particular object at the tip of a
particular branch. My signing v2.0.1 tag only means I want to call
the version v2.0.1, and it does not mean I want to push it out to my
'master' branch---it is likely that I only want it in 'maint', so
the signature on the object alone is insufficient.
The only assurance to you that 'maint' points at what I wanted to
place there comes from your trust on the hosting site and my
authentication with it, which cannot easily audited later.
Introduce a mechanism that allows you to sign a "push certificate"
(for the lack of better name) every time you push, asserting that
what object you are pushing to update which ref that used to point
at what other object. Think of it as a cryptographic protection for
ref updates, similar to signed tags/commits but working on an
orthogonal axis.
The basic flow based on this mechanism goes like this:
1. You push out your work with "git push --signed".
2. The sending side learns where the remote refs are as usual,
together with what protocol extension the receiving end
supports. If the receiving end does not advertise the protocol
extension "push-cert", an attempt to "git push --signed" fails.
Otherwise, a text file, that looks like the following, is
prepared in core:
certificate version 0.1
pusher Junio C Hamano <gitster@pobox.com> 1315427886 -0700
7339ca65... 21580ecb... refs/heads/master
3793ac56... 12850bec... refs/heads/next
The file begins with a few header lines, which may grow as we
gain more experience. The 'pusher' header records the name of
the signer (the value of user.signingkey configuration variable,
falling back to GIT_COMMITTER_{NAME|EMAIL}) and the time of the
certificate generation. After the header, a blank line follows,
followed by a copy of the protocol message lines.
Each line shows the old and the new object name at the tip of
the ref this push tries to update, in the way identical to how
the underlying "git push" protocol exchange tells the ref
updates to the receiving end (by recording the "old" object
name, the push certificate also protects against replaying). It
is expected that new command packet types other than the
old-new-refname kind will be included in push certificate in the
same way as would appear in the plain vanilla command packets in
unsigned pushes.
The user then is asked to sign this push certificate using GPG,
formatted in a way similar to how signed tag objects are signed,
and the result is sent to the other side (i.e. receive-pack).
In the protocol exchange, this step comes immediately before the
sender tells what the result of the push should be, which in
turn comes before it sends the pack data.
3. When the receiving end sees a push certificate, the certificate
is written out as a blob. The pre-receive hook can learn about
the certificate by checking GIT_PUSH_CERT environment variable,
which, if present, tells the object name of this blob, and make
the decision to allow or reject this push. Additionally, the
post-receive hook can also look at the certificate, which may be
a good place to log all the received certificates for later
audits.
Because a push certificate carry the same information as the usual
command packets in the protocol exchange, we can omit the latter
when a push certificate is in use and reduce the protocol overhead.
This however is not included in this patch to make it easier to
review (in other words, the series at this step should never be
released without the remainder of the series, as it implements an
interim protocol that will be incompatible with the final one).
As such, the documentation update for the protocol is left out of
this step.
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-09-12 20:17:07 +02:00
|
|
|
/* Send push certificates */
|
|
|
|
#define TRANS_OPT_PUSH_CERT "pushcert"
|
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
/**
|
|
|
|
* Returns 0 if the option was used, non-zero otherwise. Prints a
|
|
|
|
* message to stderr if the option is not used.
|
|
|
|
**/
|
|
|
|
int transport_set_option(struct transport *transport, const char *name,
|
|
|
|
const char *value);
|
2010-02-24 13:50:26 +01:00
|
|
|
void transport_set_verbosity(struct transport *transport, int verbosity,
|
|
|
|
int force_progress);
|
2007-09-11 05:03:04 +02:00
|
|
|
|
2012-11-30 02:41:33 +01:00
|
|
|
#define REJECT_NON_FF_HEAD 0x01
|
|
|
|
#define REJECT_NON_FF_OTHER 0x02
|
2012-11-30 02:41:34 +01:00
|
|
|
#define REJECT_ALREADY_EXISTS 0x04
|
push: introduce REJECT_FETCH_FIRST and REJECT_NEEDS_FORCE
When we push to update an existing ref, if:
* the object at the tip of the remote is not a commit; or
* the object we are pushing is not a commit,
it won't be correct to suggest to fetch, integrate and push again,
as the old and new objects will not "merge". We should explain that
the push must be forced when there is a non-committish object is
involved in such a case.
If we do not have the current object at the tip of the remote, we do
not even know that object, when fetched, is something that can be
merged. In such a case, suggesting to pull first just like
non-fast-forward case may not be technically correct, but in
practice, most such failures are seen when you try to push your work
to a branch without knowing that somebody else already pushed to
update the same branch since you forked, so "pull first" would work
as a suggestion most of the time. And if the object at the tip is
not a commit, "pull first" will fail, without making any permanent
damage. As a side effect, it also makes the error message the user
will get during the next "push" attempt easier to understand, now
the user is aware that a non-commit object is involved.
In these cases, the current code already rejects such a push on the
client end, but we used the same error and advice messages as the
ones used when rejecting a non-fast-forward push, i.e. pull from
there and integrate before pushing again.
Introduce new rejection reasons and reword the messages
appropriately.
[jc: with help by Peff on message details]
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2013-01-23 22:55:30 +01:00
|
|
|
#define REJECT_FETCH_FIRST 0x08
|
|
|
|
#define REJECT_NEEDS_FORCE 0x10
|
2012-11-30 02:41:33 +01:00
|
|
|
|
2007-09-11 05:03:04 +02:00
|
|
|
int transport_push(struct transport *connection,
|
2009-08-08 09:51:08 +02:00
|
|
|
int refspec_nr, const char **refspec, int flags,
|
2012-11-30 02:41:33 +01:00
|
|
|
unsigned int * reject_reasons);
|
2007-09-11 05:03:04 +02:00
|
|
|
|
2007-10-30 02:05:40 +01:00
|
|
|
const struct ref *transport_get_remote_refs(struct transport *transport);
|
2007-09-11 05:03:11 +02:00
|
|
|
|
2009-11-18 02:42:24 +01:00
|
|
|
int transport_fetch_refs(struct transport *transport, struct ref *refs);
|
2007-09-14 09:31:23 +02:00
|
|
|
void transport_unlock_pack(struct transport *transport);
|
2007-09-11 05:03:04 +02:00
|
|
|
int transport_disconnect(struct transport *transport);
|
2009-04-17 10:20:11 +02:00
|
|
|
char *transport_anonymize_url(const char *url);
|
2009-12-09 16:26:31 +01:00
|
|
|
void transport_take_over(struct transport *transport,
|
|
|
|
struct child_process *child);
|
2007-09-11 05:03:04 +02:00
|
|
|
|
2009-12-09 16:26:33 +01:00
|
|
|
int transport_connect(struct transport *transport, const char *name,
|
|
|
|
const char *exec, int fd[2]);
|
|
|
|
|
2009-08-05 07:01:53 +02:00
|
|
|
/* Transport methods defined outside transport.c */
|
2009-09-04 04:13:49 +02:00
|
|
|
int transport_helper_init(struct transport *transport, const char *name);
|
2010-10-12 18:39:41 +02:00
|
|
|
int bidirectional_transfer_loop(int input, int output);
|
2009-08-05 07:01:53 +02:00
|
|
|
|
2013-06-18 19:44:58 +02:00
|
|
|
/* common methods used by transport.c and builtin/send-pack.c */
|
2010-02-17 00:42:52 +01:00
|
|
|
void transport_verify_remote_names(int nr_heads, const char **heads);
|
|
|
|
|
|
|
|
void transport_update_tracking_ref(struct remote *remote, struct ref *ref, int verbose);
|
|
|
|
|
|
|
|
int transport_refs_pushed(struct ref *ref);
|
|
|
|
|
|
|
|
void transport_print_push_status(const char *dest, struct ref *refs,
|
2012-11-30 02:41:33 +01:00
|
|
|
int verbose, int porcelain, unsigned int *reject_reasons);
|
2010-02-17 00:42:52 +01:00
|
|
|
|
2011-03-11 20:32:53 +01:00
|
|
|
typedef void alternate_ref_fn(const struct ref *, void *);
|
refactor refs_from_alternate_cb to allow passing extra data
The foreach_alt_odb function triggers a callback for each
alternate object db we have, with room for a single void
pointer as data. Currently, we always call refs_from_alternate_cb
as the callback function, and then pass another callback (to
receive each ref individually) as the void pointer.
This has two problems:
1. C technically forbids stuffing a function pointer into
a "void *". In practice, this probably doesn't matter
on any architectures git runs on, but it never hurts to
follow the letter of the law.
2. There is no room for an extra data pointer. Indeed, the
alternate_ref_fn that refs_from_alternate_cb calls
takes a void* for data, but we always pass it NULL.
Instead, let's properly stuff our function pointer into a
data struct, which also leaves room for an extra
caller-supplied data pointer. And to keep things simple for
existing callers, let's make a for_each_alternate_ref
function that takes care of creating the extra struct.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-05-19 23:33:17 +02:00
|
|
|
extern void for_each_alternate_ref(alternate_ref_fn, void *);
|
2007-09-11 05:03:04 +02:00
|
|
|
#endif
|