4 # git protocol proxy to check dgit pushes etc.
6 # Copyright (C) 2014-2016 Ian Jackson
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 # dgit-repos-server DISTRO DISTRO-DIR AUTH-SPEC [<settings>] --ssh
23 # dgit-repos-server DISTRO DISTRO-DIR AUTH-SPEC [<settings>] --cron
25 # --repos=GIT-REPOS-DIR default DISTRO-DIR/repos/
26 # --suites=SUITES-FILE default DISTRO-DIR/suites
27 # --suites-master=SUITES-FILE default DISTRO-DIR/suites-master
28 # --policy-hook=POLICY-HOOK default DISTRO-DIR/policy-hook
29 # --mirror-hook=MIRROR-HOOK default DISTRO-DIR/mirror-hook
30 # --dgit-live=DGIT-LIVE-DIR default DISTRO-DIR/dgit-live
31 # (DISTRO-DIR is not used other than as default and to pass to policy
34 # .../dgit-repos-server --pre-receive-hook PACKAGE
36 # Invoked as the ssh restricted command
38 # Works like git-receive-pack
40 # SUITES-FILE is the name of a file which lists the permissible suites
41 # one per line (#-comments and blank lines ignored). For --suites-master
42 # it is a list of the suite(s) which should, when pushed to, update
43 # `master' on the server (if fast forward).
45 # AUTH-SPEC is a :-separated list of
46 # KEYRING.GPG,AUTH-SPEC
47 # where AUTH-SPEC is one of
50 # (With --cron AUTH-SPEC is not used and may be the empty string.)
54 use Debian::Dgit::Infra; # must precede Debian::Dgit; - can change @INC!
55 use Debian::Dgit qw(:DEFAULT :policyflags);
58 # DGIT-REPOS-DIR contains:
59 # git tree (or other object) lock (in acquisition order, outer first)
61 # _tmp/PACKAGE_prospective ! } SAME.lock, held during receive-pack
63 # _tmp/PACKAGE_incoming$$ ! } SAME.lock, held during receive-pack
64 # _tmp/PACKAGE_incoming$$_fresh ! }
66 # PACKAGE.git } PACKAGE.git.lock
67 # PACKAGE_garbage } (also covers executions of
68 # PACKAGE_garbage-old } policy hook script for PACKAGE)
69 # PACKAGE_garbage-tmp }
70 # policy* } (for policy hook script, covered by
71 # } lock only when invoked for a package)
73 # leaf locks, held during brief operaton only:
78 # _template } SAME.lock
80 # locks marked ! may be held during client data transfer
82 # What we do on push is this:
83 # - extract the destination repo name
84 # - make a hardlink clone of the destination repo
85 # - provide the destination with a stunt pre-receive hook
86 # - run actual git-receive-pack with that new destination
87 # as a result of this the stunt pre-receive hook runs; it does this:
88 # + understand what refs we are allegedly updating and
89 # check some correspondences:
90 # * we are updating only refs/tags/[archive/]DISTRO/* and refs/dgit/*
91 # * and only one of each
92 # * and the tag does not already exist
94 # * recover the suite name from the destination refs/dgit/ ref
95 # + disassemble the signed tag into its various fields and signature
97 # * parsing the first line of the tag message to recover
98 # the package name, version and suite
99 # * checking that the package name corresponds to the dest repo name
100 # * checking that the suite name is as recovered above
101 # + verify the signature on the signed tag
102 # and if necessary check that the keyid and package are listed in dm.txt
103 # + check various correspondences:
104 # * the signed tag must refer to a commit
105 # * the signed tag commit must be the refs/dgit value
106 # * the name in the signed tag must correspond to its ref name
107 # * the tag name must be [archive/]debian/<version> (massaged as needed)
108 # * the suite is one of those permitted
109 # * the signed tag has a suitable name
110 # * run the "push" policy hook
111 # * replay prevention for --deliberately-not-fast-forward
112 # * check the commit is a fast forward
113 # * handle a request from the policy hook for a fresh repo
114 # + push the signed tag and new dgit branch to the actual repo
116 # If the destination repo does not already exist, we need to make
117 # sure that we create it reasonably atomically, and also that
118 # we don't every have a destination repo containing no refs at all
119 # (because such a thing causes git-fetch-pack to barf). So then we
120 # do as above, except:
121 # - before starting, we take out our own lock for the destination repo
122 # - we create a prospective new destination repo by making a copy
124 # - we use the prospective new destination repo instead of the
125 # actual new destination repo (since the latter doesn't exist)
126 # - after git-receive-pack exits, we
127 # + check that the prospective repo contains a tag and head
128 # + rename the prospective destination repo into place
131 # - We are crash-only
132 # - Temporary working trees and their locks are cleaned up
133 # opportunistically by a program which tries to take each lock and
134 # if successful deletes both the tree and the lockfile
135 # - Prospective working trees and their locks are cleaned up by
136 # a program which tries to take each lock and if successful
137 # deletes any prospective working tree and the lock (but not
138 # of course any actual tree)
139 # - It is forbidden to _remove_ the lockfile without removing
140 # the corresponding temporary tree, as the lockfile is also
141 # a stampfile whose presence indicates that there may be
144 # Policy hook scripts are invoked like this:
145 # POLICY-HOOK-SCRIPT DISTRO DGIT-REPOS-DIR DGIT-LIVE-DIR DISTRO-DIR ACTION...
147 # POLICY-HOOK-SCRIPT ... check-list [...]
148 # POLICY-HOOK-SCRIPT ... check-package PACKAGE [...]
149 # POLICY-HOOK-SCRIPT ... push PACKAGE \
150 # VERSION SUITE TAGNAME DELIBERATELIES [...]
151 # POLICY-HOOK-SCRIPT ... push-confirm PACKAGE \
152 # VERSION SUITE TAGNAME DELIBERATELIES FRESH-REPO|'' [...]
154 # DELIBERATELIES is like this: --deliberately-foo,--deliberately-bar,...
156 # Exit status of policy hook is a bitmask.
157 # Bit weight constants are defined in Dgit.pm.
159 # suppress dgit-repos-server's fast-forward check ("push" only)
161 # blow away repo right away (ie, as if before push or fetch)
162 # ("check-package" and "push" only)
164 # suppress dgit-repos-server's check that commits do
165 # not lack "committer" info (eg as produced by #849041)
167 # any unexpected bits mean failure, and then known set bits are ignored
168 # if no unexpected bits set, operation continues (subject to meaning
169 # of any expected bits set). So, eg, exit 0 means "continue normally"
170 # and would be appropriate for an unknown action.
172 # cwd for push and push-confirm is a temporary repo where the incoming
173 # objects have been received; TAGNAME is the version-based tag.
175 # FRESH-REPO is '' iff the repo for this package already existed, or
176 # the pathname of the newly-created repo which will be renamed into
177 # place if everything goes well. (NB that this is generally not the
178 # same repo as the cwd, because the objects are first received into a
179 # temporary repo so they can be examined.) In this case FRESH-REPO
180 # contains exactly the objects and refs that will appear in the
181 # destination if push-confirm approves.
183 # if push requested FRESHREPO, push-confirm happens in the old working
184 # repo and FRESH-REPO is guaranteed not to be ''.
186 # policy hook for a particular package will be invoked only once at
187 # a time - (see comments about DGIT-REPOS-DIR, above)
189 # check-list and check-package are invoked via the --cron option.
190 # First, without any locking, check-list is called. It should produce
191 # a list of package names (one per line). Then check-package will be
192 # invoked for each named package, in each case after taking an
195 # If policy hook wants to run dgit (or something else in the dgit
196 # package), it should use DGIT-LIVE-DIR/dgit (etc.), or if that is
197 # ENOENT, use the installed version.
199 # Mirror hook scripts are invoked like this:
200 # MIRROR-HOOK-SCRIPT DISTRO-DIR ACTION...
201 # and currently there is only one action invoked by dgit-repos-server:
202 # MIRROR-HOOK-SCRIPT DISTRO-DIR updated-hook PACKAGE [...]
204 # Exit status of the mirror hook is advisory only. The mirror hook
205 # runs too late to do anything useful about a problem, so the only
206 # effect of a mirror hook exiting nonzero is a warning message to
207 # stderr (which the pushing user should end up seeing).
209 # If the mirror hook does not exist, it is silently skipped.
212 use Fcntl qw(:flock);
213 use File::Path qw(rmtree);
214 use File::Temp qw(tempfile);
223 our $suitesformasterfile;
238 #----- utilities -----
240 sub realdestrepo () { "$dgitrepos/$package.git"; }
242 sub acquirelock ($$) {
243 my ($lock, $must) = @_;
245 printdebug sprintf "locking %s %d\n", $lock, $must;
248 $fh = new IO::File $lock, ">" or die "open $lock: $!";
249 my $ok = flock $fh, $must ? LOCK_EX : (LOCK_EX|LOCK_NB);
251 die "flock $lock: $!" if $must;
252 printdebug " locking $lock failed\n";
255 next unless stat_exists $lock;
256 my $want = (stat _)[1];
258 my $got = (stat _)[1];
259 last if $got == $want;
264 sub acquirermtree ($$) {
265 my ($tree, $must) = @_;
266 my $fh = acquirelock("$tree.lock", $must);
274 sub locksometree ($) {
276 acquirelock("$tree.lock", 1);
279 sub lockrealtree () {
280 locksometree(realdestrepo);
283 sub mkrepotmp () { ensuredir "$dgitrepos/_tmp" };
285 sub removedtagsfile () { "$dgitrepos/_removed-tags/$package"; }
287 sub recorderror ($) {
289 my $w = $ENV{'DGIT_DRS_WORK'}; # we are in stunthook
292 open ERR, ">", "$w/drs-error" or die $!;
293 print ERR $why, "\n" or die $!;
302 recorderror "reject: $why";
303 die "\ndgit-repos-server: reject: $why\n\n";
307 my ($policyallowbits, @polargs) = @_;
308 # => ($exitstatuspolicybitmap);
309 die if $policyallowbits & ~0x3e;
310 my @cmd = ($policyhook,$distro,$dgitrepos,$dgitlive,$distrodir,@polargs);
313 die "system: $!" if $r < 0;
314 die "dgit-repos-server: policy hook failed (or rejected) ($?)\n"
315 if $r & ~($policyallowbits << 8);
316 printdebug sprintf "hook => %#x\n", $r;
320 sub mkemptyrepo ($$) {
321 my ($dir,$sharedperm) = @_;
322 runcmd qw(git init --bare --quiet), "--shared=$sharedperm", $dir;
325 sub mkrepo_fromtemplate ($) {
327 my $template = "$dgitrepos/_template";
328 my $templatelock = locksometree($template);
329 printdebug "copy template $template -> $dir\n";
330 my $r = system qw(cp -a --), $template, $dir;
331 !$r or die "create new repo $dir failed: $r $!";
335 sub movetogarbage () {
336 # realdestrepo must have been locked
338 my $real = realdestrepo;
339 return unless stat_exists $real;
341 my $garbagerepo = "$dgitrepos/${package}_garbage";
342 # We arrange to always keep at least one old tree, for recovery
343 # from mistakes. This is either $garbage or $garbage-old.
344 if (stat_exists "$garbagerepo") {
345 printdebug "movetogarbage: rmtree $garbagerepo-tmp\n";
346 rmtree "$garbagerepo-tmp";
347 if (rename "$garbagerepo-old", "$garbagerepo-tmp") {
348 printdebug "movetogarbage: $garbagerepo-old -> -tmp, rmtree\n";
349 rmtree "$garbagerepo-tmp";
351 die "$garbagerepo $!" unless $!==ENOENT;
352 printdebug "movetogarbage: $garbagerepo-old -> -tmp\n";
354 printdebug "movetogarbage: $garbagerepo -> -old\n";
355 rename "$garbagerepo", "$garbagerepo-old" or die "$garbagerepo $!";
358 ensuredir "$dgitrepos/_removed-tags";
359 open PREVIOUS, ">>", removedtagsfile or die removedtagsfile." $!";
360 git_for_each_ref([ map { 'refs/tags/'.$_ } debiantags('*',$distro) ],
362 my ($objid,$objtype,$fullrefname,$reftail) = @_;
363 print PREVIOUS "\n$objid $reftail .\n" or die $!;
365 close PREVIOUS or die $!;
367 printdebug "movetogarbage: $real -> $garbagerepo\n";
368 rename $real, $garbagerepo
370 or die "$garbagerepo $!";
373 sub policy_checkpackage () {
374 my $lfh = lockrealtree();
376 $policy = policyhook(FRESHREPO,'check-package',$package);
377 if ($policy & FRESHREPO) {
384 #----- git-receive-pack -----
386 sub fixmissing__git_receive_pack () {
388 $destrepo = "$dgitrepos/_tmp/${package}_prospective";
389 acquirermtree($destrepo, 1);
390 mkrepo_fromtemplate($destrepo);
393 sub makeworkingclone () {
395 $workrepo = "$dgitrepos/_tmp/${package}_incoming$$";
396 acquirermtree($workrepo, 1);
397 my $lfh = lockrealtree();
398 runcmd qw(git clone -l -q --mirror), $destrepo, $workrepo;
400 rmtree "${workrepo}_fresh";
404 my ($path,$contents) = @_;
405 my $fh = new IO::File $path, O_WRONLY|O_CREAT|O_TRUNC, 0777
407 print $fh $contents or die "$path: $!";
408 close $fh or die "$path: $!";
411 sub setupstunthook () {
412 my $prerecv = "$workrepo/hooks/pre-receive";
413 mkscript $prerecv, <<END;
416 exec $0 --pre-receive-hook $package
418 $ENV{'DGIT_DRS_WORK'}= $workrepo;
419 $ENV{'DGIT_DRS_DEST'}= $destrepo;
420 printdebug " stunt hook set up $prerecv\n";
423 sub dealwithfreshrepo () {
424 my $freshrepo = "${workrepo}_fresh";
425 return unless stat_exists $freshrepo;
426 $destrepo = $freshrepo;
430 my @cmd = ($mirrorhook,$distrodir,@_);
432 return unless stat_exists $mirrorhook;
436 dgit-repos-server: warning: mirror hook failed: %s
437 dgit-repos-server: push complete but may not fully visible.
439 ($r < 0 ? "exec: $!" :
440 $r == (124 << 8) ? "exited status 124 (timeout?)" :
441 !($r & ~0xff00) ? "exited ".($? >> 8) :
446 sub maybeinstallprospective () {
447 return if $destrepo eq realdestrepo;
449 if (open REJ, "<", "$workrepo/drs-error") {
452 REJ->error and die $!;
456 $!==&ENOENT or die $!;
459 printdebug " show-ref ($destrepo) ...\n";
461 my $child = open SR, "-|";
462 defined $child or die $!;
464 chdir $destrepo or die $!;
465 exec qw(git show-ref);
468 my %got = qw(newtag 0 omtag 0 head 0);
471 printdebug " show-refs| $_\n";
472 s/^\S*[1-9a-f]\S* (\S+)$/$1/ or die;
473 next if m{^refs/heads/master$};
475 m{^refs/tags/archive/} ? 'newtag' :
476 m{^refs/tags/} ? 'omtag' :
477 m{^refs/dgit/} ? 'head' :
482 $!=0; $?=0; close SR or $?==256 or die "$? $!";
484 printdebug "installprospective ?\n";
485 die Dumper(\%got)." -- missing refs in new repo"
486 unless $got{head} && grep { m/tag$/ && $got{$_} } keys %got;
490 if ($destrepo eq "${workrepo}_fresh") {
494 printdebug "install $destrepo => ".realdestrepo."\n";
495 rename $destrepo, realdestrepo or die $!;
496 remove realdestrepo.".lock" or die $!;
499 sub main__git_receive_pack () {
502 runcmd qw(git receive-pack), $workrepo;
504 maybeinstallprospective();
505 mirrorhook('updated-hook', $package);
508 #----- stunt post-receive hook -----
510 our ($tagname, $tagval, $suite, $oldcommit, $commit);
511 our ($version, %tagh);
512 our ($maint_tagname, $maint_tagval);
514 our ($tagexists_error);
517 printdebug " updates ...\n";
521 printdebug " upd.| $_\n";
522 m/^(\S+) (\S+) (\S+)$/ or die "$_ ?";
523 my ($old, $sha1, $refname) = ($1, $2, $3);
524 if ($refname =~ m{^refs/tags/(?=(?:archive/)?$distro/)}) {
527 $tagexists_error= "tag $tn already exists -".
528 " not replacing previously-pushed version"
530 } elsif ($refname =~ m{^refs/dgit/}) {
531 reject "pushing multiple heads!" if defined $suite;
536 reject "pushing unexpected ref!";
539 STDIN->error and die $!;
541 reject "push is missing tag ref update" unless %tags;
542 my @dtags = grep { m#^archive/# } keys %tags;
543 reject "need exactly one archive/* tag" if @dtags!=1;
544 my @mtags = grep { !m#^archive/# } keys %tags;
545 reject "pushing too many non-dgit tags" if @mtags>1;
547 ($maint_tagname) = @mtags;
548 $tagval = $tags{$tagname};
549 $maint_tagval = $tags{$maint_tagname // ''};
551 reject "push is missing head ref update" unless defined $suite;
552 printdebug " updates ok.\n";
556 printdebug " readtag...\n";
558 open PT, ">dgit-tmp/plaintext" or die $!;
559 open DS, ">dgit-tmp/plaintext.asc" or die $!;
560 open T, "-|", qw(git cat-file tag), $tagval or die $!;
562 $!=0; $_=<T>; defined or die $!;
564 if (m/^(\S+) (.*)/) {
565 push @{ $tagh{$1} }, $2;
572 $!=0; $_=<T>; defined or die $!;
575 sub parsetag_general ($;$) {
576 my ($dgititemfn, $need_distro) = @_;
577 printdebug " parsetag...\n";
581 print PT $copyl or die $!;
582 $!=0; $_=<T>; defined or die "missing signature? $!";
584 if (m/^\[dgit ([^"].*)\]$/) { # [dgit "something"] is for future
587 if ($dgititemfn->()) {
588 } elsif (s/^distro\=(\S+) //) {
589 die "$1 != $distro" unless $1 eq $distro;
591 } elsif (s/^[-+.=0-9a-z]\S* //) {
593 die "unknown dgit info in tag ($_)";
598 last if m/^-----BEGIN PGP/;
600 reject "need distro info in tag" if $need_distro;
611 printdebug " parsetag ok.\n";
616 m/^($package_re) release (\S+) for \S+ \((\S+)\) \[dgit\]$/ or
617 reject "tag message not in expected format";
618 die unless $1 eq $package;
620 die "$3 != $suite " unless $3 eq $suite;
622 parsetag_general sub {
623 if (s/^(--deliberately-$deliberately_re) //) {
624 push @deliberatelies, $1;
625 } elsif (s/^previously:(\S+)=(\w+) //) {
626 die "previously $1 twice" if defined $previously{$1};
627 $previously{$1} = $2;
635 sub checksig_keyring ($) {
636 my ($keyringfile) = @_;
637 # returns primary-keyid if signed by a key in this keyring
639 # or dies on other errors
643 printdebug " checksig keyring $keyringfile...\n";
645 our @cmd = (qw(gpgv --status-fd=1 --keyring),
647 qw(dgit-tmp/plaintext.asc dgit-tmp/plaintext));
654 next unless s/^\[GNUPG:\] //;
656 printdebug " checksig| $_\n";
657 my @l = split / /, $_;
658 if ($l[0] eq 'NO_PUBKEY') {
660 } elsif ($l[0] eq 'VALIDSIG') {
662 $sigtype eq '00' or reject "signature is not of type 00!";
664 die unless defined $ok;
670 printdebug sprintf " checksig ok=%d\n", !!$ok;
675 sub dm_txt_check ($$) {
676 my ($keyid, $dmtxtfn) = @_;
677 printdebug " dm_txt_check $keyid $dmtxtfn\n";
678 open DT, '<', $dmtxtfn or die "$dmtxtfn $!";
680 m/^fingerprint:\s+\Q$keyid\E$/oi
682 if (s/^allow:/ /i..0) {
685 or reject "key $keyid missing Allow section in permissions!";
690 or reject "package $package not allowed for key $keyid";
695 printdebug " dm_txt_check allow| $_\n";
696 foreach my $p (split /\s+/) {
697 if ($p eq $package) {
699 printdebug " dm_txt_check ok\n";
704 DT->error and die $!;
706 reject "key $keyid not in permissions list although in keyring!";
710 foreach my $kas (split /:/, $keyrings) {
711 printdebug "verifytag $kas...\n";
712 $kas =~ s/^([^,]+),// or die;
713 my $keyid = checksig_keyring $1;
714 if (defined $keyid) {
715 if ($kas =~ m/^a$/) {
716 printdebug "verifytag a ok\n";
718 } elsif ($kas =~ m/^m([^,]+)$/) {
719 dm_txt_check($keyid, $1);
720 printdebug "verifytag m ok\n";
727 reject "key not found in keyrings";
730 sub suite_is_in ($) {
732 printdebug "suite_is_in ($sf)\n";
733 if (!open SUITES, "<", $sf) {
734 $!==ENOENT or die $!;
742 return 1 if $_ eq $suite;
744 die $! if SUITES->error;
749 printdebug "checksuite ($suitesfile)\n";
750 return if suite_is_in $suitesfile;
751 reject "unknown suite";
754 sub checktagnoreplay () {
755 # We need to prevent a replay attack using an earlier signed tag.
756 # We also want to archive in the history the object ids of
757 # anything we remove, even if we get rid of the actual objects.
759 # So, we check that the signed tag mentions the name and tag
762 # (a) In the case of FRESHREPO: all tags and refs/heads/* in
763 # the repo. That is, effectively, all the things we are
766 # This prevents any tag implying a FRESHREPO push
767 # being replayed into a different state of the repo.
769 # There is still the folowing risk: If a non-ff push is of a
770 # head which is an ancestor of a previous ff-only push, the
771 # previous push can be replayed.
773 # So we keep a separate list, as a file in the repo, of all
774 # the tag object ids we have ever seen and removed. Any such
775 # tag object id will be rejected even for ff-only pushes.
777 # (b) In the case of just NOFFCHECK: all tags referring to the
778 # current head for the suite (there must be at least one).
780 # This prevents any tag implying a NOFFCHECK push being
781 # replayed to rewind from a different head.
783 # The possibility of an earlier ff-only push being replayed is
784 # eliminated as follows: the tag from such a push would still
785 # be in our repo, and therefore the replayed push would be
786 # rejected because the set of refs being updated would be
789 if (!open PREVIOUS, "<", removedtagsfile) {
790 die removedtagsfile." $!" unless $!==ENOENT;
792 # Protocol for updating this file is to append to it, not
793 # write-new-and-rename. So all updates are prefixed with \n
794 # and suffixed with " .\n" so that partial writes can be
797 next unless m/^(\w+) (.*) \.\n/;
798 next unless $1 eq $tagval;
799 reject "Replay of previously-rewound upload ($tagval $2)";
801 die removedtagsfile." $!" if PREVIOUS->error;
805 return unless $policy & (FRESHREPO|NOFFCHECK);
807 my $garbagerepo = "$dgitrepos/${package}_garbage";
813 my $check_ref_previously= sub {
814 my ($objid,$objtype,$fullrefname,$reftail) = @_;
815 my $supkey = $fullrefname;
816 $supkey =~ s{^refs/}{} or die "$supkey $objid ?";
817 my $supobjid = $previously{$supkey};
818 if (!defined $supobjid) {
819 printdebug "checktagnoreply - missing\n";
820 push @problems, "does not declare previously $supkey";
821 } elsif ($supobjid ne $objid) {
822 push @problems, "declared previously $supkey=$supobjid".
823 " but actually previously $supkey=$objid";
829 if ($policy & FRESHREPO) {
830 foreach my $kind (qw(tags heads)) {
831 git_for_each_ref("refs/$kind", $check_ref_previously);
834 my $branch= server_branch($suite);
835 my $branchhead= git_get_ref(server_ref($suite));
836 if (!length $branchhead) {
837 # No such branch - NOFFCHECK was unnecessary. Oh well.
838 printdebug "checktagnoreplay - not FRESHREPO, new branch, ok\n";
840 printdebug "checktagnoreplay - not FRESHREPO,".
841 " checking for overwriting refs/$branch=$branchhead\n";
842 git_for_each_tag_referring($branchhead, sub {
843 my ($tagobjid,$refobjid,$fullrefname,$tagname) = @_;
844 $check_ref_previously->($tagobjid,undef,$fullrefname,undef);
846 printdebug "checktagnoreplay - not FRESHREPO, nchecked=$nchecked";
847 push @problems, "does not declare previously any tag".
848 " referring to branch head $branch=$branchhead"
854 reject "replay attack prevention check failed:".
855 " signed tag for $version: ".
856 join("; ", @problems).
859 printdebug "checktagnoreplay - all ok ($tagval)\n"
864 my $vals = $tagh{$tag};
865 reject "missing header $tag in signed tag object" unless $vals;
866 reject "multiple headers $tag in signed tag object" unless @$vals == 1;
870 sub basic_tag_checks() {
871 printdebug "checks\n";
873 tagh1('type') eq 'commit' or reject "tag refers to wrong kind of object";
874 tagh1('object') eq $commit or reject "tag refers to wrong commit";
875 tagh1('tag') eq $tagname or reject "tag name in tag is wrong";
881 my @expecttagnames = debiantags($version, $distro);
882 printdebug "expected tag @expecttagnames\n";
883 grep { $tagname eq $_ } @expecttagnames or die;
885 foreach my $othertag (grep { $_ ne $tagname } @expecttagnames) {
886 reject "tag $othertag already exists -".
887 " not replacing previously-pushed version"
888 if git_get_ref "refs/tags/".$othertag;
893 @policy_args = ($package,$version,$suite,$tagname,
894 join(",",@deliberatelies));
895 $policy = policyhook(NOFFCHECK|FRESHREPO|NOCOMMITCHECK, 'push', @policy_args);
897 if (defined $tagexists_error) {
898 if ($policy & FRESHREPO) {
899 printdebug "ignoring tagexists_error: $tagexists_error\n";
901 reject $tagexists_error;
908 # check that our ref is being fast-forwarded
909 printdebug "oldcommit $oldcommit\n";
910 if (!($policy & NOFFCHECK) && $oldcommit =~ m/[^0]/) {
911 $?=0; $!=0; my $mb = `git merge-base $commit $oldcommit`;
913 $mb eq $oldcommit or reject "not fast forward on dgit branch";
916 # defend against commits generated by #849041
917 if (!($policy & NOCOMMITCHECK)) {
920 my @chk = qw(git log -z);
921 push @chk, '--pretty=tformat:%H%n'.
922 (join "", map { $_, '%n' } @checks);
923 push @chk, "^$oldcommit" if $oldcommit =~ m/[^0]/;
925 printdebug " ~NOCOMMITCHECK @chk\n";
926 open CHK, "-|", @chk or die $!;
930 m/^\w+(?=\n)/ or die;
931 reject "corrupted object $& (missing metadata)";
933 $!=0; $?=0; close CHK or $?==256 or die "$? $!";
936 if ($policy & FRESHREPO) {
937 # It's a bit late to be discovering this here, isn't it ?
939 # What we do is: Generate a fresh destination repo right now,
940 # and arrange to treat it from now on as if it were a
943 # The presence of this fresh destination repo is detected by
944 # the parent, which responds by making a fresh master repo
945 # from the template. (If the repo didn't already exist then
946 # $destrepo was _prospective, and we change it here. This is
947 # OK because the parent's check for _fresh persuades it not to
950 $destrepo = "${workrepo}_fresh"; # workrepo lock covers
951 mkrepo_fromtemplate $destrepo;
956 my @cmdbase = (qw(git send-pack), $destrepo);
957 push @cmdbase, qw(--force) if $policy & NOFFCHECK;
959 if ($ENV{GIT_QUARANTINE_PATH}) {
960 my $recv_wrapper = "$ENV{GIT_QUARANTINE_PATH}/dgit-recv-wrapper";
961 mkscript $recv_wrapper, <<'END';
964 unset GIT_QUARANTINE_PATH
965 exec git receive-pack "$@"
967 push @cmdbase, "--receive-pack=$recv_wrapper";
971 push @cmd, "$commit:refs/dgit/$suite",
972 "$tagval:refs/tags/$tagname";
973 push @cmd, "$maint_tagval:refs/tags/$maint_tagname"
974 if defined $maint_tagname;
978 !$r or die "onward push to $destrepo failed: $r $!";
980 if (suite_is_in $suitesformasterfile) {
982 push @cmd, "$commit:refs/heads/master";
984 $!=0; my $r = system @cmd;
985 # tolerate errors (might be not ff)
986 !($r & ~0xff00) or die
987 "onward push to $destrepo#master failed: $r $!";
991 sub finalisepush () {
992 if ($destrepo eq realdestrepo) {
993 policyhook(0, 'push-confirm', @policy_args, '');
996 # We are to receive the push into a new repo (perhaps
997 # because the policy push hook asked us to with FRESHREPO, or
998 # perhaps because the repo didn't exist before).
1000 # We want to provide the policy push-confirm hook with a repo
1001 # which looks like the one which is going to be installed.
1002 # The working repo is no good because it might contain
1005 # So we push the objects into the prospective new repo right
1006 # away. If the hook declines, we decline, and the prospective
1007 # repo is never installed.
1009 policyhook(0, 'push-confirm', @policy_args, $destrepo);
1014 printdebug "stunthook in $workrepo\n";
1015 chdir $workrepo or die "chdir $workrepo: $!";
1016 mkdir "dgit-tmp" or $!==EEXIST or die $!;
1022 printdebug "stunthook done.\n";
1025 #----- git-upload-pack -----
1027 sub fixmissing__git_upload_pack () {
1028 $destrepo = "$dgitrepos/_empty";
1029 my $lfh = locksometree($destrepo);
1030 return if stat_exists $destrepo;
1031 rmtree "$destrepo.new";
1032 mkemptyrepo "$destrepo.new", "0644";
1033 rename "$destrepo.new", $destrepo or die $!;
1034 unlink "$destrepo.lock" or die $!;
1038 sub main__git_upload_pack () {
1039 my $lfh = locksometree($destrepo);
1040 printdebug "git-upload-pack in $destrepo\n";
1041 chdir $destrepo or die "$destrepo: $!";
1043 runcmd qw(git upload-pack), ".";
1046 #----- arg parsing and main program -----
1050 my $v = shift @ARGV;
1055 our %indistrodir = (
1056 # keys are used for DGIT_DRS_XXX too
1057 'repos' => \$dgitrepos,
1058 'suites' => \$suitesfile,
1059 'suites-master' => \$suitesformasterfile,
1060 'policy-hook' => \$policyhook,
1061 'mirror-hook' => \$mirrorhook,
1062 'dgit-live' => \$dgitlive,
1065 our @hookenvs = qw(distro suitesfile suitesformasterfile policyhook
1066 mirrorhook dgitlive keyrings dgitrepos distrodir);
1068 # workrepo and destrepo handled ad-hoc
1073 my $cmd = $ENV{'SSH_ORIGINAL_COMMAND'};
1083 or reject "command string not understood";
1087 my $funcn = $method;
1089 my $mainfunc = $main::{"main__$funcn"};
1091 reject "unknown method" unless $mainfunc;
1093 policy_checkpackage();
1095 if (stat_exists realdestrepo) {
1096 $destrepo = realdestrepo;
1098 printdebug " fixmissing $funcn\n";
1099 my $fixfunc = $main::{"fixmissing__$funcn"};
1103 printdebug " running main $funcn\n";
1110 my $listfh = tempfile();
1111 open STDOUT, ">&", $listfh or die $!;
1112 policyhook(0,'check-list');
1113 open STDOUT, ">&STDERR" or die $!;
1115 seek $listfh, 0, 0 or die $!;
1120 die unless m/^($package_re)$/;
1123 policy_checkpackage();
1125 die $! if $listfh->error;
1128 sub parseargsdispatch () {
1131 delete $ENV{'GIT_DIR'}; # if not run via ssh, our parent git process
1132 delete $ENV{'GIT_PREFIX'}; # sets these and they mess things up
1134 if ($ENV{'DGIT_DRS_DEBUG'}) {
1138 if ($ARGV[0] eq '--pre-receive-hook') {
1141 printdebug "in stunthook ".(shellquote @ARGV)."\n";
1142 foreach my $k (sort keys %ENV) {
1143 printdebug "$k=$ENV{$k}\n" if $k =~ m/^DGIT/;
1148 $package = shift @ARGV;
1149 ${ $main::{$_} } = $ENV{"DGIT_DRS_\U$_"} foreach @hookenvs;
1150 defined($workrepo = $ENV{'DGIT_DRS_WORK'}) or die;
1151 defined($destrepo = $ENV{'DGIT_DRS_DEST'}) or die;
1152 open STDOUT, ">&STDERR" or die $!;
1157 recorderror "$@" or die;
1164 $distrodir = argval();
1165 $keyrings = argval();
1167 foreach my $dk (keys %indistrodir) {
1168 ${ $indistrodir{$dk} } = "$distrodir/$dk";
1171 while (@ARGV && $ARGV[0] =~ m/^--([-0-9a-z]+)=/ && $indistrodir{$1}) {
1172 ${ $indistrodir{$1} } = $'; #';
1176 $ENV{"DGIT_DRS_\U$_"} = ${ $main::{$_} } foreach @hookenvs;
1178 die unless @ARGV>=1;
1180 my $mode = shift @ARGV;
1181 die unless $mode =~ m/^--(\w+)$/;
1182 my $fn = ${*::}{"mode_$1"};
1188 while (my $fh = pop @lockfhs) { close $fh; }
1193 if (!chdir "$dgitrepos/_tmp") {
1194 $!==ENOENT or die $!;
1197 foreach my $lf (<*.lock>) {
1199 $tree =~ s/\.lock$//;
1200 next unless acquirermtree($tree, 0);
1201 remove $lf or warn $!;
1206 parseargsdispatch();