Blob


1 /*
2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
17 #include <sys/queue.h>
18 #include <sys/tree.h>
19 #include <sys/time.h>
20 #include <sys/types.h>
21 #include <sys/stat.h>
22 #include <sys/socket.h>
23 #include <sys/un.h>
24 #include <sys/wait.h>
26 #include <fcntl.h>
27 #include <err.h>
28 #include <errno.h>
29 #include <event.h>
30 #include <limits.h>
31 #include <pwd.h>
32 #include <imsg.h>
33 #include <sha1.h>
34 #include <signal.h>
35 #include <siphash.h>
36 #include <stdarg.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <string.h>
40 #include <syslog.h>
41 #include <unistd.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
45 #include "got_path.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_sha1.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
58 #include "gotd.h"
59 #include "log.h"
60 #include "listen.h"
61 #include "auth.h"
62 #include "repo_read.h"
63 #include "repo_write.h"
65 #ifndef nitems
66 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
67 #endif
69 struct gotd_client {
70 STAILQ_ENTRY(gotd_client) entry;
71 enum gotd_client_state state;
72 struct gotd_client_capability *capabilities;
73 size_t ncapa_alloc;
74 size_t ncapabilities;
75 uint32_t id;
76 int fd;
77 int delta_cache_fd;
78 struct gotd_imsgev iev;
79 struct event tmo;
80 uid_t euid;
81 gid_t egid;
82 struct gotd_child_proc *repo_read;
83 struct gotd_child_proc *repo_write;
84 struct gotd_child_proc *auth;
85 int required_auth;
86 char *packfile_path;
87 char *packidx_path;
88 int nref_updates;
89 };
90 STAILQ_HEAD(gotd_clients, gotd_client);
92 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
93 static SIPHASH_KEY clients_hash_key;
94 volatile int client_cnt;
95 static struct timeval auth_timeout = { 5, 0 };
96 static struct gotd gotd;
98 void gotd_sighdlr(int sig, short event, void *arg);
99 static void gotd_shutdown(void);
100 static const struct got_error *start_repo_child(struct gotd_client *,
101 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
102 static const struct got_error *start_auth_child(struct gotd_client *, int,
103 struct gotd_repo *, char *, const char *, int, int);
104 static void kill_proc(struct gotd_child_proc *, int);
106 __dead static void
107 usage()
109 fprintf(stderr, "usage: %s [-dv] [-f config-file]\n", getprogname());
110 exit(1);
113 static int
114 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
116 struct sockaddr_un sun;
117 int fd = -1;
118 mode_t old_umask, mode;
120 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
121 if (fd == -1) {
122 log_warn("socket");
123 return -1;
126 sun.sun_family = AF_UNIX;
127 if (strlcpy(sun.sun_path, unix_socket_path,
128 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
129 log_warnx("%s: name too long", unix_socket_path);
130 close(fd);
131 return -1;
134 if (unlink(unix_socket_path) == -1) {
135 if (errno != ENOENT) {
136 log_warn("unlink %s", unix_socket_path);
137 close(fd);
138 return -1;
142 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
143 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
145 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
146 log_warn("bind: %s", unix_socket_path);
147 close(fd);
148 umask(old_umask);
149 return -1;
152 umask(old_umask);
154 if (chmod(unix_socket_path, mode) == -1) {
155 log_warn("chmod %o %s", mode, unix_socket_path);
156 close(fd);
157 unlink(unix_socket_path);
158 return -1;
161 if (chown(unix_socket_path, uid, gid) == -1) {
162 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
163 close(fd);
164 unlink(unix_socket_path);
165 return -1;
168 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
169 log_warn("listen");
170 close(fd);
171 unlink(unix_socket_path);
172 return -1;
175 return fd;
178 static uint64_t
179 client_hash(uint32_t client_id)
181 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
184 static void
185 add_client(struct gotd_client *client)
187 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
188 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
189 client_cnt++;
192 static struct gotd_client *
193 find_client(uint32_t client_id)
195 uint64_t slot;
196 struct gotd_client *c;
198 slot = client_hash(client_id) % nitems(gotd_clients);
199 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
200 if (c->id == client_id)
201 return c;
204 return NULL;
207 static struct gotd_child_proc *
208 get_client_proc(struct gotd_client *client)
210 if (client->repo_read && client->repo_write) {
211 fatalx("uid %d is reading and writing in the same session",
212 client->euid);
213 /* NOTREACHED */
216 if (client->repo_read)
217 return client->repo_read;
218 else if (client->repo_write)
219 return client->repo_write;
221 return NULL;
224 static struct gotd_client *
225 find_client_by_proc_fd(int fd)
227 uint64_t slot;
229 for (slot = 0; slot < nitems(gotd_clients); slot++) {
230 struct gotd_client *c;
232 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
233 struct gotd_child_proc *proc = get_client_proc(c);
234 if (proc && proc->iev.ibuf.fd == fd)
235 return c;
236 if (c->auth && c->auth->iev.ibuf.fd == fd)
237 return c;
241 return NULL;
244 static int
245 client_is_reading(struct gotd_client *client)
247 return client->repo_read != NULL;
250 static int
251 client_is_writing(struct gotd_client *client)
253 return client->repo_write != NULL;
256 static const struct got_error *
257 ensure_client_is_reading(struct gotd_client *client)
259 if (!client_is_reading(client)) {
260 return got_error_fmt(GOT_ERR_BAD_PACKET,
261 "uid %d made a read-request but is not reading from "
262 "a repository", client->euid);
265 return NULL;
268 static const struct got_error *
269 ensure_client_is_writing(struct gotd_client *client)
271 if (!client_is_writing(client)) {
272 return got_error_fmt(GOT_ERR_BAD_PACKET,
273 "uid %d made a write-request but is not writing to "
274 "a repository", client->euid);
277 return NULL;
280 static const struct got_error *
281 ensure_client_is_not_writing(struct gotd_client *client)
283 if (client_is_writing(client)) {
284 return got_error_fmt(GOT_ERR_BAD_PACKET,
285 "uid %d made a read-request but is writing to "
286 "a repository", client->euid);
289 return NULL;
292 static const struct got_error *
293 ensure_client_is_not_reading(struct gotd_client *client)
295 if (client_is_reading(client)) {
296 return got_error_fmt(GOT_ERR_BAD_PACKET,
297 "uid %d made a write-request but is reading from "
298 "a repository", client->euid);
301 return NULL;
304 static void
305 wait_for_child(pid_t child_pid)
307 pid_t pid;
308 int status;
310 log_debug("waiting for child PID %ld to terminate",
311 (long)child_pid);
313 do {
314 pid = waitpid(child_pid, &status, WNOHANG);
315 if (pid == -1) {
316 if (errno != EINTR && errno != ECHILD)
317 fatal("wait");
318 } else if (WIFSIGNALED(status)) {
319 log_warnx("child PID %ld terminated; signal %d",
320 (long)pid, WTERMSIG(status));
322 } while (pid != -1 || (pid == -1 && errno == EINTR));
325 static void
326 kill_auth_proc(struct gotd_client *client)
328 struct gotd_child_proc *proc;
330 if (client->auth == NULL)
331 return;
333 proc = client->auth;
334 client->auth = NULL;
336 event_del(&proc->iev.ev);
337 msgbuf_clear(&proc->iev.ibuf.w);
338 close(proc->iev.ibuf.fd);
339 kill_proc(proc, 0);
340 wait_for_child(proc->pid);
341 free(proc);
344 static void
345 disconnect(struct gotd_client *client)
347 struct gotd_imsg_disconnect idisconnect;
348 struct gotd_child_proc *proc = get_client_proc(client);
349 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
350 uint64_t slot;
352 log_debug("uid %d: disconnecting", client->euid);
354 kill_auth_proc(client);
356 idisconnect.client_id = client->id;
357 if (proc) {
358 if (gotd_imsg_compose_event(&proc->iev,
359 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
360 &idisconnect, sizeof(idisconnect)) == -1)
361 log_warn("imsg compose DISCONNECT");
363 msgbuf_clear(&proc->iev.ibuf.w);
364 close(proc->iev.ibuf.fd);
365 kill_proc(proc, 0);
366 wait_for_child(proc->pid);
367 free(proc);
368 proc = NULL;
371 if (gotd_imsg_compose_event(&listen_proc->iev,
372 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
373 &idisconnect, sizeof(idisconnect)) == -1)
374 log_warn("imsg compose DISCONNECT");
376 slot = client_hash(client->id) % nitems(gotd_clients);
377 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
378 imsg_clear(&client->iev.ibuf);
379 event_del(&client->iev.ev);
380 evtimer_del(&client->tmo);
381 close(client->fd);
382 if (client->delta_cache_fd != -1)
383 close(client->delta_cache_fd);
384 if (client->packfile_path) {
385 if (unlink(client->packfile_path) == -1 && errno != ENOENT)
386 log_warn("unlink %s: ", client->packfile_path);
387 free(client->packfile_path);
389 if (client->packidx_path) {
390 if (unlink(client->packidx_path) == -1 && errno != ENOENT)
391 log_warn("unlink %s: ", client->packidx_path);
392 free(client->packidx_path);
394 free(client->capabilities);
395 free(client);
396 client_cnt--;
399 static void
400 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
402 struct imsgbuf ibuf;
404 log_warnx("uid %d: %s", client->euid, err->msg);
405 if (err->code != GOT_ERR_EOF) {
406 imsg_init(&ibuf, client->fd);
407 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
408 imsg_clear(&ibuf);
410 disconnect(client);
413 static const struct got_error *
414 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
416 const struct got_error *err = NULL;
417 struct gotd_imsg_info_repo irepo;
419 memset(&irepo, 0, sizeof(irepo));
421 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
422 >= sizeof(irepo.repo_name))
423 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
424 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
425 >= sizeof(irepo.repo_path))
426 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
428 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
429 &irepo, sizeof(irepo)) == -1) {
430 err = got_error_from_errno("imsg compose INFO_REPO");
431 if (err)
432 return err;
435 return NULL;
438 static const struct got_error *
439 send_capability(struct gotd_client_capability *capa, struct gotd_imsgev* iev)
441 const struct got_error *err = NULL;
442 struct gotd_imsg_capability icapa;
443 size_t len;
444 struct ibuf *wbuf;
446 memset(&icapa, 0, sizeof(icapa));
448 icapa.key_len = strlen(capa->key);
449 len = sizeof(icapa) + icapa.key_len;
450 if (capa->value) {
451 icapa.value_len = strlen(capa->value);
452 len += icapa.value_len;
455 wbuf = imsg_create(&iev->ibuf, GOTD_IMSG_CAPABILITY, 0, 0, len);
456 if (wbuf == NULL) {
457 err = got_error_from_errno("imsg_create CAPABILITY");
458 return err;
461 if (imsg_add(wbuf, &icapa, sizeof(icapa)) == -1)
462 return got_error_from_errno("imsg_add CAPABILITY");
463 if (imsg_add(wbuf, capa->key, icapa.key_len) == -1)
464 return got_error_from_errno("imsg_add CAPABILITY");
465 if (capa->value) {
466 if (imsg_add(wbuf, capa->value, icapa.value_len) == -1)
467 return got_error_from_errno("imsg_add CAPABILITY");
470 wbuf->fd = -1;
471 imsg_close(&iev->ibuf, wbuf);
473 gotd_imsg_event_add(iev);
475 return NULL;
478 static const struct got_error *
479 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
481 const struct got_error *err = NULL;
482 struct gotd_imsg_info_client iclient;
483 struct gotd_child_proc *proc;
484 size_t i;
486 memset(&iclient, 0, sizeof(iclient));
487 iclient.euid = client->euid;
488 iclient.egid = client->egid;
490 proc = get_client_proc(client);
491 if (proc) {
492 if (strlcpy(iclient.repo_name, proc->repo_path,
493 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
494 return got_error_msg(GOT_ERR_NO_SPACE,
495 "repo name too long");
497 if (client_is_writing(client))
498 iclient.is_writing = 1;
501 iclient.state = client->state;
502 iclient.ncapabilities = client->ncapabilities;
504 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
505 &iclient, sizeof(iclient)) == -1) {
506 err = got_error_from_errno("imsg compose INFO_CLIENT");
507 if (err)
508 return err;
511 for (i = 0; i < client->ncapabilities; i++) {
512 struct gotd_client_capability *capa;
513 capa = &client->capabilities[i];
514 err = send_capability(capa, iev);
515 if (err)
516 return err;
519 return NULL;
522 static const struct got_error *
523 send_info(struct gotd_client *client)
525 const struct got_error *err = NULL;
526 struct gotd_imsg_info info;
527 uint64_t slot;
528 struct gotd_repo *repo;
530 info.pid = gotd.pid;
531 info.verbosity = gotd.verbosity;
532 info.nrepos = gotd.nrepos;
533 info.nclients = client_cnt - 1;
535 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
536 &info, sizeof(info)) == -1) {
537 err = got_error_from_errno("imsg compose INFO");
538 if (err)
539 return err;
542 TAILQ_FOREACH(repo, &gotd.repos, entry) {
543 err = send_repo_info(&client->iev, repo);
544 if (err)
545 return err;
548 for (slot = 0; slot < nitems(gotd_clients); slot++) {
549 struct gotd_client *c;
550 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
551 if (c->id == client->id)
552 continue;
553 err = send_client_info(&client->iev, c);
554 if (err)
555 return err;
559 return NULL;
562 static const struct got_error *
563 stop_gotd(struct gotd_client *client)
566 if (client->euid != 0)
567 return got_error_set_errno(EPERM, "stop");
569 gotd_shutdown();
570 /* NOTREACHED */
571 return NULL;
574 static struct gotd_repo *
575 find_repo_by_name(const char *repo_name)
577 struct gotd_repo *repo;
578 size_t namelen;
580 TAILQ_FOREACH(repo, &gotd.repos, entry) {
581 namelen = strlen(repo->name);
582 if (strncmp(repo->name, repo_name, namelen) != 0)
583 continue;
584 if (repo_name[namelen] == '\0' ||
585 strcmp(&repo_name[namelen], ".git") == 0)
586 return repo;
589 return NULL;
592 static const struct got_error *
593 start_client_session(struct gotd_client *client, struct imsg *imsg)
595 const struct got_error *err;
596 struct gotd_imsg_list_refs ireq;
597 struct gotd_repo *repo = NULL;
598 size_t datalen;
600 log_debug("list-refs request from uid %d", client->euid);
602 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
603 if (datalen != sizeof(ireq))
604 return got_error(GOT_ERR_PRIVSEP_LEN);
606 memcpy(&ireq, imsg->data, datalen);
608 if (ireq.client_is_reading) {
609 err = ensure_client_is_not_writing(client);
610 if (err)
611 return err;
612 repo = find_repo_by_name(ireq.repo_name);
613 if (repo == NULL)
614 return got_error(GOT_ERR_NOT_GIT_REPO);
615 err = start_auth_child(client, GOTD_AUTH_READ, repo,
616 gotd.argv0, gotd.confpath, gotd.daemonize,
617 gotd.verbosity);
618 if (err)
619 return err;
620 } else {
621 err = ensure_client_is_not_reading(client);
622 if (err)
623 return err;
624 repo = find_repo_by_name(ireq.repo_name);
625 if (repo == NULL)
626 return got_error(GOT_ERR_NOT_GIT_REPO);
627 err = start_auth_child(client,
628 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
629 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
630 gotd.verbosity);
631 if (err)
632 return err;
635 /* Flow continues upon authentication successs/failure or timeout. */
636 return NULL;
639 static const struct got_error *
640 forward_want(struct gotd_client *client, struct imsg *imsg)
642 struct gotd_imsg_want ireq;
643 struct gotd_imsg_want iwant;
644 size_t datalen;
646 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
647 if (datalen != sizeof(ireq))
648 return got_error(GOT_ERR_PRIVSEP_LEN);
650 memcpy(&ireq, imsg->data, datalen);
652 memset(&iwant, 0, sizeof(iwant));
653 memcpy(iwant.object_id, ireq.object_id, SHA1_DIGEST_LENGTH);
654 iwant.client_id = client->id;
656 if (gotd_imsg_compose_event(&client->repo_read->iev, GOTD_IMSG_WANT,
657 PROC_GOTD, -1, &iwant, sizeof(iwant)) == -1)
658 return got_error_from_errno("imsg compose WANT");
660 return NULL;
663 static const struct got_error *
664 forward_ref_update(struct gotd_client *client, struct imsg *imsg)
666 const struct got_error *err = NULL;
667 struct gotd_imsg_ref_update ireq;
668 struct gotd_imsg_ref_update *iref = NULL;
669 size_t datalen;
671 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
672 if (datalen < sizeof(ireq))
673 return got_error(GOT_ERR_PRIVSEP_LEN);
674 memcpy(&ireq, imsg->data, sizeof(ireq));
675 if (datalen != sizeof(ireq) + ireq.name_len)
676 return got_error(GOT_ERR_PRIVSEP_LEN);
678 iref = malloc(datalen);
679 if (iref == NULL)
680 return got_error_from_errno("malloc");
681 memcpy(iref, imsg->data, datalen);
683 iref->client_id = client->id;
684 if (gotd_imsg_compose_event(&client->repo_write->iev,
685 GOTD_IMSG_REF_UPDATE, PROC_GOTD, -1, iref, datalen) == -1)
686 err = got_error_from_errno("imsg compose REF_UPDATE");
687 free(iref);
688 return err;
691 static const struct got_error *
692 forward_have(struct gotd_client *client, struct imsg *imsg)
694 struct gotd_imsg_have ireq;
695 struct gotd_imsg_have ihave;
696 size_t datalen;
698 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
699 if (datalen != sizeof(ireq))
700 return got_error(GOT_ERR_PRIVSEP_LEN);
702 memcpy(&ireq, imsg->data, datalen);
704 memset(&ihave, 0, sizeof(ihave));
705 memcpy(ihave.object_id, ireq.object_id, SHA1_DIGEST_LENGTH);
706 ihave.client_id = client->id;
708 if (gotd_imsg_compose_event(&client->repo_read->iev, GOTD_IMSG_HAVE,
709 PROC_GOTD, -1, &ihave, sizeof(ihave)) == -1)
710 return got_error_from_errno("imsg compose HAVE");
712 return NULL;
715 static int
716 client_has_capability(struct gotd_client *client, const char *capastr)
718 struct gotd_client_capability *capa;
719 size_t i;
721 if (client->ncapabilities == 0)
722 return 0;
724 for (i = 0; i < client->ncapabilities; i++) {
725 capa = &client->capabilities[i];
726 if (strcmp(capa->key, capastr) == 0)
727 return 1;
730 return 0;
733 static const struct got_error *
734 recv_capabilities(struct gotd_client *client, struct imsg *imsg)
736 struct gotd_imsg_capabilities icapas;
737 size_t datalen;
739 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
740 if (datalen != sizeof(icapas))
741 return got_error(GOT_ERR_PRIVSEP_LEN);
742 memcpy(&icapas, imsg->data, sizeof(icapas));
744 client->ncapa_alloc = icapas.ncapabilities;
745 client->capabilities = calloc(client->ncapa_alloc,
746 sizeof(*client->capabilities));
747 if (client->capabilities == NULL) {
748 client->ncapa_alloc = 0;
749 return got_error_from_errno("calloc");
752 log_debug("expecting %zu capabilities from uid %d",
753 client->ncapa_alloc, client->euid);
754 return NULL;
757 static const struct got_error *
758 recv_capability(struct gotd_client *client, struct imsg *imsg)
760 struct gotd_imsg_capability icapa;
761 struct gotd_client_capability *capa;
762 size_t datalen;
763 char *key, *value = NULL;
765 if (client->capabilities == NULL ||
766 client->ncapabilities >= client->ncapa_alloc) {
767 return got_error_msg(GOT_ERR_BAD_REQUEST,
768 "unexpected capability received");
771 memset(&icapa, 0, sizeof(icapa));
773 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
774 if (datalen < sizeof(icapa))
775 return got_error(GOT_ERR_PRIVSEP_LEN);
776 memcpy(&icapa, imsg->data, sizeof(icapa));
778 if (datalen != sizeof(icapa) + icapa.key_len + icapa.value_len)
779 return got_error(GOT_ERR_PRIVSEP_LEN);
781 key = malloc(icapa.key_len + 1);
782 if (key == NULL)
783 return got_error_from_errno("malloc");
784 if (icapa.value_len > 0) {
785 value = malloc(icapa.value_len + 1);
786 if (value == NULL) {
787 free(key);
788 return got_error_from_errno("malloc");
792 memcpy(key, imsg->data + sizeof(icapa), icapa.key_len);
793 key[icapa.key_len] = '\0';
794 if (value) {
795 memcpy(value, imsg->data + sizeof(icapa) + icapa.key_len,
796 icapa.value_len);
797 value[icapa.value_len] = '\0';
800 capa = &client->capabilities[client->ncapabilities++];
801 capa->key = key;
802 capa->value = value;
804 if (value)
805 log_debug("uid %d: capability %s=%s", client->euid, key, value);
806 else
807 log_debug("uid %d: capability %s", client->euid, key);
809 return NULL;
812 static const struct got_error *
813 send_packfile(struct gotd_client *client)
815 const struct got_error *err = NULL;
816 struct gotd_imsg_send_packfile ipack;
817 struct gotd_imsg_packfile_pipe ipipe;
818 int pipe[2];
820 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pipe) == -1)
821 return got_error_from_errno("socketpair");
823 memset(&ipack, 0, sizeof(ipack));
824 memset(&ipipe, 0, sizeof(ipipe));
826 ipack.client_id = client->id;
827 if (client_has_capability(client, GOT_CAPA_SIDE_BAND_64K))
828 ipack.report_progress = 1;
830 client->delta_cache_fd = got_opentempfd();
831 if (client->delta_cache_fd == -1)
832 return got_error_from_errno("got_opentempfd");
834 if (gotd_imsg_compose_event(&client->repo_read->iev,
835 GOTD_IMSG_SEND_PACKFILE, PROC_GOTD, client->delta_cache_fd,
836 &ipack, sizeof(ipack)) == -1) {
837 err = got_error_from_errno("imsg compose SEND_PACKFILE");
838 close(pipe[0]);
839 close(pipe[1]);
840 return err;
843 ipipe.client_id = client->id;
845 /* Send pack pipe end 0 to repo_read. */
846 if (gotd_imsg_compose_event(&client->repo_read->iev,
847 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[0],
848 &ipipe, sizeof(ipipe)) == -1) {
849 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
850 close(pipe[1]);
851 return err;
854 /* Send pack pipe end 1 to gotsh(1) (expects just an fd, no data). */
855 if (gotd_imsg_compose_event(&client->iev,
856 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[1], NULL, 0) == -1)
857 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
859 return err;
862 static const struct got_error *
863 recv_packfile(struct gotd_client *client)
865 const struct got_error *err = NULL;
866 struct gotd_imsg_recv_packfile ipack;
867 struct gotd_imsg_packfile_pipe ipipe;
868 struct gotd_imsg_packidx_file ifile;
869 char *basepath = NULL, *pack_path = NULL, *idx_path = NULL;
870 int packfd = -1, idxfd = -1;
871 int pipe[2] = { -1, -1 };
873 if (client->packfile_path) {
874 return got_error_fmt(GOT_ERR_PRIVSEP_MSG,
875 "uid %d already has a pack file", client->euid);
878 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pipe) == -1)
879 return got_error_from_errno("socketpair");
881 memset(&ipipe, 0, sizeof(ipipe));
882 ipipe.client_id = client->id;
884 /* Send pack pipe end 0 to repo_write. */
885 if (gotd_imsg_compose_event(&client->repo_write->iev,
886 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[0],
887 &ipipe, sizeof(ipipe)) == -1) {
888 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
889 pipe[0] = -1;
890 goto done;
892 pipe[0] = -1;
894 /* Send pack pipe end 1 to gotsh(1) (expects just an fd, no data). */
895 if (gotd_imsg_compose_event(&client->iev,
896 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[1], NULL, 0) == -1)
897 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
898 pipe[1] = -1;
900 if (asprintf(&basepath, "%s/%s/receiving-from-uid-%d.pack",
901 client->repo_write->repo_path, GOT_OBJECTS_PACK_DIR,
902 client->euid) == -1) {
903 err = got_error_from_errno("asprintf");
904 goto done;
907 err = got_opentemp_named_fd(&pack_path, &packfd, basepath, "");
908 if (err)
909 goto done;
911 free(basepath);
912 if (asprintf(&basepath, "%s/%s/receiving-from-uid-%d.idx",
913 client->repo_write->repo_path, GOT_OBJECTS_PACK_DIR,
914 client->euid) == -1) {
915 err = got_error_from_errno("asprintf");
916 basepath = NULL;
917 goto done;
919 err = got_opentemp_named_fd(&idx_path, &idxfd, basepath, "");
920 if (err)
921 goto done;
923 memset(&ifile, 0, sizeof(ifile));
924 ifile.client_id = client->id;
925 if (gotd_imsg_compose_event(&client->repo_write->iev,
926 GOTD_IMSG_PACKIDX_FILE, PROC_GOTD, idxfd,
927 &ifile, sizeof(ifile)) == -1) {
928 err = got_error_from_errno("imsg compose PACKIDX_FILE");
929 idxfd = -1;
930 goto done;
932 idxfd = -1;
934 memset(&ipack, 0, sizeof(ipack));
935 ipack.client_id = client->id;
936 if (client_has_capability(client, GOT_CAPA_REPORT_STATUS))
937 ipack.report_status = 1;
939 if (gotd_imsg_compose_event(&client->repo_write->iev,
940 GOTD_IMSG_RECV_PACKFILE, PROC_GOTD, packfd,
941 &ipack, sizeof(ipack)) == -1) {
942 err = got_error_from_errno("imsg compose RECV_PACKFILE");
943 packfd = -1;
944 goto done;
946 packfd = -1;
948 done:
949 free(basepath);
950 if (pipe[0] != -1 && close(pipe[0]) == -1 && err == NULL)
951 err = got_error_from_errno("close");
952 if (pipe[1] != -1 && close(pipe[1]) == -1 && err == NULL)
953 err = got_error_from_errno("close");
954 if (packfd != -1 && close(packfd) == -1 && err == NULL)
955 err = got_error_from_errno("close");
956 if (idxfd != -1 && close(idxfd) == -1 && err == NULL)
957 err = got_error_from_errno("close");
958 if (err) {
959 free(pack_path);
960 free(idx_path);
961 } else {
962 client->packfile_path = pack_path;
963 client->packidx_path = idx_path;
965 return err;
968 static void
969 gotd_request(int fd, short events, void *arg)
971 struct gotd_imsgev *iev = arg;
972 struct imsgbuf *ibuf = &iev->ibuf;
973 struct gotd_client *client = iev->handler_arg;
974 const struct got_error *err = NULL;
975 struct imsg imsg;
976 ssize_t n;
978 if (events & EV_WRITE) {
979 while (ibuf->w.queued) {
980 n = msgbuf_write(&ibuf->w);
981 if (n == -1 && errno == EPIPE) {
982 /*
983 * The client has closed its socket.
984 * This can happen when Git clients are
985 * done sending pack file data.
986 */
987 msgbuf_clear(&ibuf->w);
988 continue;
989 } else if (n == -1 && errno != EAGAIN) {
990 err = got_error_from_errno("imsg_flush");
991 disconnect_on_error(client, err);
992 return;
994 if (n == 0) {
995 /* Connection closed. */
996 err = got_error(GOT_ERR_EOF);
997 disconnect_on_error(client, err);
998 return;
1002 /* Disconnect gotctl(8) now that messages have been sent. */
1003 if (!client_is_reading(client) && !client_is_writing(client)) {
1004 disconnect(client);
1005 return;
1009 if ((events & EV_READ) == 0)
1010 return;
1012 memset(&imsg, 0, sizeof(imsg));
1014 while (err == NULL) {
1015 err = gotd_imsg_recv(&imsg, ibuf, 0);
1016 if (err) {
1017 if (err->code == GOT_ERR_PRIVSEP_READ)
1018 err = NULL;
1019 break;
1022 evtimer_del(&client->tmo);
1024 switch (imsg.hdr.type) {
1025 case GOTD_IMSG_INFO:
1026 err = send_info(client);
1027 break;
1028 case GOTD_IMSG_STOP:
1029 err = stop_gotd(client);
1030 break;
1031 case GOTD_IMSG_LIST_REFS:
1032 if (client->state != GOTD_STATE_EXPECT_LIST_REFS) {
1033 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1034 "unexpected list-refs request received");
1035 break;
1037 err = start_client_session(client, &imsg);
1038 if (err)
1039 break;
1040 break;
1041 case GOTD_IMSG_CAPABILITIES:
1042 if (client->state != GOTD_STATE_EXPECT_CAPABILITIES) {
1043 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1044 "unexpected capabilities received");
1045 break;
1047 log_debug("receiving capabilities from uid %d",
1048 client->euid);
1049 err = recv_capabilities(client, &imsg);
1050 break;
1051 case GOTD_IMSG_CAPABILITY:
1052 if (client->state != GOTD_STATE_EXPECT_CAPABILITIES) {
1053 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1054 "unexpected capability received");
1055 break;
1057 err = recv_capability(client, &imsg);
1058 if (err || client->ncapabilities < client->ncapa_alloc)
1059 break;
1060 if (client_is_reading(client)) {
1061 client->state = GOTD_STATE_EXPECT_WANT;
1062 log_debug("uid %d: expecting want-lines",
1063 client->euid);
1064 } else if (client_is_writing(client)) {
1065 client->state = GOTD_STATE_EXPECT_REF_UPDATE;
1066 log_debug("uid %d: expecting ref-update-lines",
1067 client->euid);
1068 } else
1069 fatalx("client %d is both reading and writing",
1070 client->euid);
1071 break;
1072 case GOTD_IMSG_WANT:
1073 if (client->state != GOTD_STATE_EXPECT_WANT) {
1074 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1075 "unexpected want-line received");
1076 break;
1078 log_debug("received want-line from uid %d",
1079 client->euid);
1080 err = ensure_client_is_reading(client);
1081 if (err)
1082 break;
1083 err = forward_want(client, &imsg);
1084 break;
1085 case GOTD_IMSG_REF_UPDATE:
1086 if (client->state != GOTD_STATE_EXPECT_REF_UPDATE) {
1087 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1088 "unexpected ref-update-line received");
1089 break;
1091 log_debug("received ref-update-line from uid %d",
1092 client->euid);
1093 err = ensure_client_is_writing(client);
1094 if (err)
1095 break;
1096 err = forward_ref_update(client, &imsg);
1097 if (err)
1098 break;
1099 client->state = GOTD_STATE_EXPECT_MORE_REF_UPDATES;
1100 break;
1101 case GOTD_IMSG_HAVE:
1102 if (client->state != GOTD_STATE_EXPECT_HAVE) {
1103 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1104 "unexpected have-line received");
1105 break;
1107 log_debug("received have-line from uid %d",
1108 client->euid);
1109 err = ensure_client_is_reading(client);
1110 if (err)
1111 break;
1112 err = forward_have(client, &imsg);
1113 if (err)
1114 break;
1115 break;
1116 case GOTD_IMSG_FLUSH:
1117 if (client->state == GOTD_STATE_EXPECT_WANT ||
1118 client->state == GOTD_STATE_EXPECT_HAVE) {
1119 err = ensure_client_is_reading(client);
1120 if (err)
1121 break;
1122 } else if (client->state ==
1123 GOTD_STATE_EXPECT_MORE_REF_UPDATES) {
1124 err = ensure_client_is_writing(client);
1125 if (err)
1126 break;
1127 } else {
1128 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1129 "unexpected flush-pkt received");
1130 break;
1132 log_debug("received flush-pkt from uid %d",
1133 client->euid);
1134 if (client->state == GOTD_STATE_EXPECT_WANT) {
1135 client->state = GOTD_STATE_EXPECT_HAVE;
1136 log_debug("uid %d: expecting have-lines",
1137 client->euid);
1138 } else if (client->state == GOTD_STATE_EXPECT_HAVE) {
1139 client->state = GOTD_STATE_EXPECT_DONE;
1140 log_debug("uid %d: expecting 'done'",
1141 client->euid);
1142 } else if (client->state ==
1143 GOTD_STATE_EXPECT_MORE_REF_UPDATES) {
1144 client->state = GOTD_STATE_EXPECT_PACKFILE;
1145 log_debug("uid %d: expecting packfile",
1146 client->euid);
1147 err = recv_packfile(client);
1148 } else {
1149 /* should not happen, see above */
1150 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1151 "unexpected client state");
1152 break;
1154 break;
1155 case GOTD_IMSG_DONE:
1156 if (client->state != GOTD_STATE_EXPECT_HAVE &&
1157 client->state != GOTD_STATE_EXPECT_DONE) {
1158 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1159 "unexpected flush-pkt received");
1160 break;
1162 log_debug("received 'done' from uid %d", client->euid);
1163 err = ensure_client_is_reading(client);
1164 if (err)
1165 break;
1166 client->state = GOTD_STATE_DONE;
1167 err = send_packfile(client);
1168 break;
1169 default:
1170 err = got_error(GOT_ERR_PRIVSEP_MSG);
1171 break;
1174 imsg_free(&imsg);
1177 if (err) {
1178 if (err->code != GOT_ERR_EOF ||
1179 client->state != GOTD_STATE_EXPECT_PACKFILE)
1180 disconnect_on_error(client, err);
1181 } else {
1182 gotd_imsg_event_add(&client->iev);
1183 if (client->state == GOTD_STATE_EXPECT_LIST_REFS)
1184 evtimer_add(&client->tmo, &auth_timeout);
1185 else
1186 evtimer_add(&client->tmo, &gotd.request_timeout);
1190 static void
1191 gotd_request_timeout(int fd, short events, void *arg)
1193 struct gotd_client *client = arg;
1195 log_debug("disconnecting uid %d due to timeout", client->euid);
1196 disconnect(client);
1199 static const struct got_error *
1200 recv_connect(uint32_t *client_id, struct imsg *imsg)
1202 const struct got_error *err = NULL;
1203 struct gotd_imsg_connect iconnect;
1204 size_t datalen;
1205 int s = -1;
1206 struct gotd_client *client = NULL;
1208 *client_id = 0;
1210 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1211 if (datalen != sizeof(iconnect))
1212 return got_error(GOT_ERR_PRIVSEP_LEN);
1213 memcpy(&iconnect, imsg->data, sizeof(iconnect));
1215 s = imsg->fd;
1216 if (s == -1) {
1217 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
1218 goto done;
1221 if (find_client(iconnect.client_id)) {
1222 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
1223 goto done;
1226 client = calloc(1, sizeof(*client));
1227 if (client == NULL) {
1228 err = got_error_from_errno("calloc");
1229 goto done;
1232 *client_id = iconnect.client_id;
1234 client->state = GOTD_STATE_EXPECT_LIST_REFS;
1235 client->id = iconnect.client_id;
1236 client->fd = s;
1237 s = -1;
1238 client->delta_cache_fd = -1;
1239 /* The auth process will verify UID/GID for us. */
1240 client->euid = iconnect.euid;
1241 client->egid = iconnect.egid;
1242 client->nref_updates = -1;
1244 imsg_init(&client->iev.ibuf, client->fd);
1245 client->iev.handler = gotd_request;
1246 client->iev.events = EV_READ;
1247 client->iev.handler_arg = client;
1249 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
1250 &client->iev);
1251 gotd_imsg_event_add(&client->iev);
1253 evtimer_set(&client->tmo, gotd_request_timeout, client);
1255 add_client(client);
1256 log_debug("%s: new client uid %d connected on fd %d", __func__,
1257 client->euid, client->fd);
1258 done:
1259 if (err) {
1260 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
1261 struct gotd_imsg_disconnect idisconnect;
1263 idisconnect.client_id = client->id;
1264 if (gotd_imsg_compose_event(&listen_proc->iev,
1265 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
1266 &idisconnect, sizeof(idisconnect)) == -1)
1267 log_warn("imsg compose DISCONNECT");
1269 if (s != -1)
1270 close(s);
1273 return err;
1276 static const char *gotd_proc_names[PROC_MAX] = {
1277 "parent",
1278 "listen",
1279 "auth",
1280 "repo_read",
1281 "repo_write"
1284 static void
1285 kill_proc(struct gotd_child_proc *proc, int fatal)
1287 if (fatal) {
1288 log_warnx("sending SIGKILL to PID %d", proc->pid);
1289 kill(proc->pid, SIGKILL);
1290 } else
1291 kill(proc->pid, SIGTERM);
1294 static void
1295 gotd_shutdown(void)
1297 struct gotd_child_proc *proc;
1298 uint64_t slot;
1300 for (slot = 0; slot < nitems(gotd_clients); slot++) {
1301 struct gotd_client *c, *tmp;
1303 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
1304 disconnect(c);
1307 proc = &gotd.listen_proc;
1308 msgbuf_clear(&proc->iev.ibuf.w);
1309 close(proc->iev.ibuf.fd);
1310 kill_proc(proc, 0);
1311 wait_for_child(proc->pid);
1313 log_info("terminating");
1314 exit(0);
1317 void
1318 gotd_sighdlr(int sig, short event, void *arg)
1321 * Normal signal handler rules don't apply because libevent
1322 * decouples for us.
1325 switch (sig) {
1326 case SIGHUP:
1327 log_info("%s: ignoring SIGHUP", __func__);
1328 break;
1329 case SIGUSR1:
1330 log_info("%s: ignoring SIGUSR1", __func__);
1331 break;
1332 case SIGTERM:
1333 case SIGINT:
1334 gotd_shutdown();
1335 log_warnx("gotd terminating");
1336 exit(0);
1337 break;
1338 default:
1339 fatalx("unexpected signal");
1343 static const struct got_error *
1344 ensure_proc_is_reading(struct gotd_client *client,
1345 struct gotd_child_proc *proc)
1347 if (!client_is_reading(client)) {
1348 kill_proc(proc, 1);
1349 return got_error_fmt(GOT_ERR_BAD_PACKET,
1350 "PID %d handled a read-request for uid %d but this "
1351 "user is not reading from a repository", proc->pid,
1352 client->euid);
1355 return NULL;
1358 static const struct got_error *
1359 ensure_proc_is_writing(struct gotd_client *client,
1360 struct gotd_child_proc *proc)
1362 if (!client_is_writing(client)) {
1363 kill_proc(proc, 1);
1364 return got_error_fmt(GOT_ERR_BAD_PACKET,
1365 "PID %d handled a write-request for uid %d but this "
1366 "user is not writing to a repository", proc->pid,
1367 client->euid);
1370 return NULL;
1373 static int
1374 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
1375 struct imsg *imsg)
1377 const struct got_error *err;
1378 struct gotd_child_proc *client_proc;
1379 int ret = 0;
1381 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
1382 client_proc = get_client_proc(client);
1383 if (client_proc == NULL)
1384 fatalx("no process found for uid %d", client->euid);
1385 if (proc->pid != client_proc->pid) {
1386 kill_proc(proc, 1);
1387 log_warnx("received message from PID %d for uid %d, "
1388 "while PID %d is the process serving this user",
1389 proc->pid, client->euid, client_proc->pid);
1390 return 0;
1394 switch (imsg->hdr.type) {
1395 case GOTD_IMSG_ERROR:
1396 ret = 1;
1397 break;
1398 case GOTD_IMSG_CONNECT:
1399 if (proc->type != PROC_LISTEN) {
1400 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1401 "new connection for uid %d from PID %d "
1402 "which is not the listen process",
1403 proc->pid, client->euid);
1404 } else
1405 ret = 1;
1406 break;
1407 case GOTD_IMSG_ACCESS_GRANTED:
1408 if (proc->type != PROC_AUTH) {
1409 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1410 "authentication of uid %d from PID %d "
1411 "which is not the auth process",
1412 proc->pid, client->euid);
1413 } else
1414 ret = 1;
1415 break;
1416 case GOTD_IMSG_REPO_CHILD_READY:
1417 if (proc->type != PROC_REPO_READ &&
1418 proc->type != PROC_REPO_WRITE) {
1419 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1420 "unexpected \"ready\" signal from PID %d",
1421 proc->pid);
1422 } else
1423 ret = 1;
1424 break;
1425 case GOTD_IMSG_PACKFILE_DONE:
1426 err = ensure_proc_is_reading(client, proc);
1427 if (err)
1428 log_warnx("uid %d: %s", client->euid, err->msg);
1429 else
1430 ret = 1;
1431 break;
1432 case GOTD_IMSG_PACKFILE_INSTALL:
1433 case GOTD_IMSG_REF_UPDATES_START:
1434 case GOTD_IMSG_REF_UPDATE:
1435 err = ensure_proc_is_writing(client, proc);
1436 if (err)
1437 log_warnx("uid %d: %s", client->euid, err->msg);
1438 else
1439 ret = 1;
1440 break;
1441 default:
1442 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
1443 break;
1446 return ret;
1449 static const struct got_error *
1450 list_refs_request(struct gotd_client *client, struct gotd_imsgev *iev)
1452 static const struct got_error *err;
1453 struct gotd_imsg_list_refs_internal ilref;
1454 int fd;
1456 memset(&ilref, 0, sizeof(ilref));
1457 ilref.client_id = client->id;
1459 fd = dup(client->fd);
1460 if (fd == -1)
1461 return got_error_from_errno("dup");
1463 if (gotd_imsg_compose_event(iev, GOTD_IMSG_LIST_REFS_INTERNAL,
1464 PROC_GOTD, fd, &ilref, sizeof(ilref)) == -1) {
1465 err = got_error_from_errno("imsg compose WANT");
1466 close(fd);
1467 return err;
1470 client->state = GOTD_STATE_EXPECT_CAPABILITIES;
1471 log_debug("uid %d: expecting capabilities", client->euid);
1472 return NULL;
1475 static const struct got_error *
1476 recv_packfile_done(uint32_t *client_id, struct imsg *imsg)
1478 struct gotd_imsg_packfile_done idone;
1479 size_t datalen;
1481 log_debug("packfile-done received");
1483 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1484 if (datalen != sizeof(idone))
1485 return got_error(GOT_ERR_PRIVSEP_LEN);
1486 memcpy(&idone, imsg->data, sizeof(idone));
1488 *client_id = idone.client_id;
1489 return NULL;
1492 static const struct got_error *
1493 recv_packfile_install(uint32_t *client_id, struct imsg *imsg)
1495 struct gotd_imsg_packfile_install inst;
1496 size_t datalen;
1498 log_debug("packfile-install received");
1500 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1501 if (datalen != sizeof(inst))
1502 return got_error(GOT_ERR_PRIVSEP_LEN);
1503 memcpy(&inst, imsg->data, sizeof(inst));
1505 *client_id = inst.client_id;
1506 return NULL;
1509 static const struct got_error *
1510 recv_ref_updates_start(uint32_t *client_id, struct imsg *imsg)
1512 struct gotd_imsg_ref_updates_start istart;
1513 size_t datalen;
1515 log_debug("ref-updates-start received");
1517 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1518 if (datalen != sizeof(istart))
1519 return got_error(GOT_ERR_PRIVSEP_LEN);
1520 memcpy(&istart, imsg->data, sizeof(istart));
1522 *client_id = istart.client_id;
1523 return NULL;
1526 static const struct got_error *
1527 recv_ref_update(uint32_t *client_id, struct imsg *imsg)
1529 struct gotd_imsg_ref_update iref;
1530 size_t datalen;
1532 log_debug("ref-update received");
1534 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1535 if (datalen < sizeof(iref))
1536 return got_error(GOT_ERR_PRIVSEP_LEN);
1537 memcpy(&iref, imsg->data, sizeof(iref));
1539 *client_id = iref.client_id;
1540 return NULL;
1543 static const struct got_error *
1544 send_ref_update_ok(struct gotd_client *client,
1545 struct gotd_imsg_ref_update *iref, const char *refname)
1547 struct gotd_imsg_ref_update_ok iok;
1548 struct ibuf *wbuf;
1549 size_t len;
1551 memset(&iok, 0, sizeof(iok));
1552 iok.client_id = client->id;
1553 memcpy(iok.old_id, iref->old_id, SHA1_DIGEST_LENGTH);
1554 memcpy(iok.new_id, iref->new_id, SHA1_DIGEST_LENGTH);
1555 iok.name_len = strlen(refname);
1557 len = sizeof(iok) + iok.name_len;
1558 wbuf = imsg_create(&client->iev.ibuf, GOTD_IMSG_REF_UPDATE_OK,
1559 PROC_GOTD, gotd.pid, len);
1560 if (wbuf == NULL)
1561 return got_error_from_errno("imsg_create REF_UPDATE_OK");
1563 if (imsg_add(wbuf, &iok, sizeof(iok)) == -1)
1564 return got_error_from_errno("imsg_add REF_UPDATE_OK");
1565 if (imsg_add(wbuf, refname, iok.name_len) == -1)
1566 return got_error_from_errno("imsg_add REF_UPDATE_OK");
1568 wbuf->fd = -1;
1569 imsg_close(&client->iev.ibuf, wbuf);
1570 gotd_imsg_event_add(&client->iev);
1571 return NULL;
1574 static void
1575 send_refs_updated(struct gotd_client *client)
1577 if (gotd_imsg_compose_event(&client->iev,
1578 GOTD_IMSG_REFS_UPDATED, PROC_GOTD, -1, NULL, 0) == -1)
1579 log_warn("imsg compose REFS_UPDATED");
1582 static const struct got_error *
1583 send_ref_update_ng(struct gotd_client *client,
1584 struct gotd_imsg_ref_update *iref, const char *refname,
1585 const char *reason)
1587 const struct got_error *ng_err;
1588 struct gotd_imsg_ref_update_ng ing;
1589 struct ibuf *wbuf;
1590 size_t len;
1592 memset(&ing, 0, sizeof(ing));
1593 ing.client_id = client->id;
1594 memcpy(ing.old_id, iref->old_id, SHA1_DIGEST_LENGTH);
1595 memcpy(ing.new_id, iref->new_id, SHA1_DIGEST_LENGTH);
1596 ing.name_len = strlen(refname);
1598 ng_err = got_error_fmt(GOT_ERR_REF_BUSY, "%s", reason);
1599 ing.reason_len = strlen(ng_err->msg);
1601 len = sizeof(ing) + ing.name_len + ing.reason_len;
1602 wbuf = imsg_create(&client->iev.ibuf, GOTD_IMSG_REF_UPDATE_NG,
1603 PROC_GOTD, gotd.pid, len);
1604 if (wbuf == NULL)
1605 return got_error_from_errno("imsg_create REF_UPDATE_NG");
1607 if (imsg_add(wbuf, &ing, sizeof(ing)) == -1)
1608 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1609 if (imsg_add(wbuf, refname, ing.name_len) == -1)
1610 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1611 if (imsg_add(wbuf, ng_err->msg, ing.reason_len) == -1)
1612 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1614 wbuf->fd = -1;
1615 imsg_close(&client->iev.ibuf, wbuf);
1616 gotd_imsg_event_add(&client->iev);
1617 return NULL;
1620 static const struct got_error *
1621 install_pack(struct gotd_client *client, const char *repo_path,
1622 struct imsg *imsg)
1624 const struct got_error *err = NULL;
1625 struct gotd_imsg_packfile_install inst;
1626 char hex[SHA1_DIGEST_STRING_LENGTH];
1627 size_t datalen;
1628 char *packfile_path = NULL, *packidx_path = NULL;
1630 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1631 if (datalen != sizeof(inst))
1632 return got_error(GOT_ERR_PRIVSEP_LEN);
1633 memcpy(&inst, imsg->data, sizeof(inst));
1635 if (client->packfile_path == NULL)
1636 return got_error_msg(GOT_ERR_BAD_REQUEST,
1637 "client has no pack file");
1638 if (client->packidx_path == NULL)
1639 return got_error_msg(GOT_ERR_BAD_REQUEST,
1640 "client has no pack file index");
1642 if (got_sha1_digest_to_str(inst.pack_sha1, hex, sizeof(hex)) == NULL)
1643 return got_error_msg(GOT_ERR_NO_SPACE,
1644 "could not convert pack file SHA1 to hex");
1646 if (asprintf(&packfile_path, "/%s/%s/pack-%s.pack",
1647 repo_path, GOT_OBJECTS_PACK_DIR, hex) == -1) {
1648 err = got_error_from_errno("asprintf");
1649 goto done;
1652 if (asprintf(&packidx_path, "/%s/%s/pack-%s.idx",
1653 repo_path, GOT_OBJECTS_PACK_DIR, hex) == -1) {
1654 err = got_error_from_errno("asprintf");
1655 goto done;
1658 if (rename(client->packfile_path, packfile_path) == -1) {
1659 err = got_error_from_errno3("rename", client->packfile_path,
1660 packfile_path);
1661 goto done;
1664 free(client->packfile_path);
1665 client->packfile_path = NULL;
1667 if (rename(client->packidx_path, packidx_path) == -1) {
1668 err = got_error_from_errno3("rename", client->packidx_path,
1669 packidx_path);
1670 goto done;
1673 free(client->packidx_path);
1674 client->packidx_path = NULL;
1675 done:
1676 free(packfile_path);
1677 free(packidx_path);
1678 return err;
1681 static const struct got_error *
1682 begin_ref_updates(struct gotd_client *client, struct imsg *imsg)
1684 struct gotd_imsg_ref_updates_start istart;
1685 size_t datalen;
1687 if (client->nref_updates != -1)
1688 return got_error(GOT_ERR_PRIVSEP_MSG);
1690 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1691 if (datalen != sizeof(istart))
1692 return got_error(GOT_ERR_PRIVSEP_LEN);
1693 memcpy(&istart, imsg->data, sizeof(istart));
1695 if (istart.nref_updates <= 0)
1696 return got_error(GOT_ERR_PRIVSEP_MSG);
1698 client->nref_updates = istart.nref_updates;
1699 return NULL;
1702 static const struct got_error *
1703 update_ref(struct gotd_client *client, const char *repo_path,
1704 struct imsg *imsg)
1706 const struct got_error *err = NULL;
1707 struct got_repository *repo = NULL;
1708 struct got_reference *ref = NULL;
1709 struct gotd_imsg_ref_update iref;
1710 struct got_object_id old_id, new_id;
1711 struct got_object_id *id = NULL;
1712 struct got_object *obj = NULL;
1713 char *refname = NULL;
1714 size_t datalen;
1715 int locked = 0;
1717 log_debug("update-ref from uid %d", client->euid);
1719 if (client->nref_updates <= 0)
1720 return got_error(GOT_ERR_PRIVSEP_MSG);
1722 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1723 if (datalen < sizeof(iref))
1724 return got_error(GOT_ERR_PRIVSEP_LEN);
1725 memcpy(&iref, imsg->data, sizeof(iref));
1726 if (datalen != sizeof(iref) + iref.name_len)
1727 return got_error(GOT_ERR_PRIVSEP_LEN);
1728 refname = malloc(iref.name_len + 1);
1729 if (refname == NULL)
1730 return got_error_from_errno("malloc");
1731 memcpy(refname, imsg->data + sizeof(iref), iref.name_len);
1732 refname[iref.name_len] = '\0';
1734 log_debug("updating ref %s for uid %d", refname, client->euid);
1736 err = got_repo_open(&repo, repo_path, NULL, NULL);
1737 if (err)
1738 goto done;
1740 memcpy(old_id.sha1, iref.old_id, SHA1_DIGEST_LENGTH);
1741 memcpy(new_id.sha1, iref.new_id, SHA1_DIGEST_LENGTH);
1742 err = got_object_open(&obj, repo, &new_id);
1743 if (err)
1744 goto done;
1746 if (iref.ref_is_new) {
1747 err = got_ref_open(&ref, repo, refname, 0);
1748 if (err) {
1749 if (err->code != GOT_ERR_NOT_REF)
1750 goto done;
1751 err = got_ref_alloc(&ref, refname, &new_id);
1752 if (err)
1753 goto done;
1754 err = got_ref_write(ref, repo); /* will lock/unlock */
1755 if (err)
1756 goto done;
1757 } else {
1758 err = got_error_fmt(GOT_ERR_REF_BUSY,
1759 "%s has been created by someone else "
1760 "while transaction was in progress",
1761 got_ref_get_name(ref));
1762 goto done;
1764 } else {
1765 err = got_ref_open(&ref, repo, refname, 1 /* lock */);
1766 if (err)
1767 goto done;
1768 locked = 1;
1770 err = got_ref_resolve(&id, repo, ref);
1771 if (err)
1772 goto done;
1774 if (got_object_id_cmp(id, &old_id) != 0) {
1775 err = got_error_fmt(GOT_ERR_REF_BUSY,
1776 "%s has been modified by someone else "
1777 "while transaction was in progress",
1778 got_ref_get_name(ref));
1779 goto done;
1782 err = got_ref_change_ref(ref, &new_id);
1783 if (err)
1784 goto done;
1786 err = got_ref_write(ref, repo);
1787 if (err)
1788 goto done;
1790 free(id);
1791 id = NULL;
1793 done:
1794 if (err) {
1795 if (err->code == GOT_ERR_LOCKFILE_TIMEOUT) {
1796 err = got_error_fmt(GOT_ERR_LOCKFILE_TIMEOUT,
1797 "could not acquire exclusive file lock for %s",
1798 refname);
1800 send_ref_update_ng(client, &iref, refname, err->msg);
1801 } else
1802 send_ref_update_ok(client, &iref, refname);
1804 if (client->nref_updates > 0) {
1805 client->nref_updates--;
1806 if (client->nref_updates == 0)
1807 send_refs_updated(client);
1810 if (locked) {
1811 const struct got_error *unlock_err;
1812 unlock_err = got_ref_unlock(ref);
1813 if (unlock_err && err == NULL)
1814 err = unlock_err;
1816 if (ref)
1817 got_ref_close(ref);
1818 if (obj)
1819 got_object_close(obj);
1820 if (repo)
1821 got_repo_close(repo);
1822 free(refname);
1823 free(id);
1824 return err;
1827 static void
1828 gotd_dispatch_listener(int fd, short event, void *arg)
1830 struct gotd_imsgev *iev = arg;
1831 struct imsgbuf *ibuf = &iev->ibuf;
1832 struct gotd_child_proc *proc = &gotd.listen_proc;
1833 ssize_t n;
1834 int shut = 0;
1835 struct imsg imsg;
1837 if (proc->iev.ibuf.fd != fd)
1838 fatalx("%s: unexpected fd %d", __func__, fd);
1840 if (event & EV_READ) {
1841 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1842 fatal("imsg_read error");
1843 if (n == 0) {
1844 /* Connection closed. */
1845 shut = 1;
1846 goto done;
1850 if (event & EV_WRITE) {
1851 n = msgbuf_write(&ibuf->w);
1852 if (n == -1 && errno != EAGAIN)
1853 fatal("msgbuf_write");
1854 if (n == 0) {
1855 /* Connection closed. */
1856 shut = 1;
1857 goto done;
1861 for (;;) {
1862 const struct got_error *err = NULL;
1863 struct gotd_client *client = NULL;
1864 uint32_t client_id = 0;
1865 int do_disconnect = 0;
1867 if ((n = imsg_get(ibuf, &imsg)) == -1)
1868 fatal("%s: imsg_get error", __func__);
1869 if (n == 0) /* No more messages. */
1870 break;
1872 switch (imsg.hdr.type) {
1873 case GOTD_IMSG_ERROR:
1874 do_disconnect = 1;
1875 err = gotd_imsg_recv_error(&client_id, &imsg);
1876 break;
1877 case GOTD_IMSG_CONNECT:
1878 err = recv_connect(&client_id, &imsg);
1879 break;
1880 default:
1881 log_debug("unexpected imsg %d", imsg.hdr.type);
1882 break;
1885 client = find_client(client_id);
1886 if (client == NULL) {
1887 log_warnx("%s: client not found", __func__);
1888 imsg_free(&imsg);
1889 continue;
1892 if (err)
1893 log_warnx("uid %d: %s", client->euid, err->msg);
1895 if (do_disconnect) {
1896 if (err)
1897 disconnect_on_error(client, err);
1898 else
1899 disconnect(client);
1902 imsg_free(&imsg);
1904 done:
1905 if (!shut) {
1906 gotd_imsg_event_add(iev);
1907 } else {
1908 /* This pipe is dead. Remove its event handler */
1909 event_del(&iev->ev);
1910 event_loopexit(NULL);
1914 static void
1915 gotd_dispatch_auth_child(int fd, short event, void *arg)
1917 const struct got_error *err = NULL;
1918 struct gotd_imsgev *iev = arg;
1919 struct imsgbuf *ibuf = &iev->ibuf;
1920 struct gotd_client *client;
1921 struct gotd_repo *repo = NULL;
1922 ssize_t n;
1923 int shut = 0;
1924 struct imsg imsg;
1925 uint32_t client_id = 0;
1926 int do_disconnect = 0;
1927 enum gotd_procid proc_type;
1929 client = find_client_by_proc_fd(fd);
1930 if (client == NULL)
1931 fatalx("cannot find client for fd %d", fd);
1933 if (client->auth == NULL)
1934 fatalx("cannot find auth child process for fd %d", fd);
1936 if (event & EV_READ) {
1937 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1938 fatal("imsg_read error");
1939 if (n == 0) {
1940 /* Connection closed. */
1941 shut = 1;
1942 goto done;
1946 if (event & EV_WRITE) {
1947 n = msgbuf_write(&ibuf->w);
1948 if (n == -1 && errno != EAGAIN)
1949 fatal("msgbuf_write");
1950 if (n == 0) {
1951 /* Connection closed. */
1952 shut = 1;
1954 goto done;
1957 if (client->auth->iev.ibuf.fd != fd)
1958 fatalx("%s: unexpected fd %d", __func__, fd);
1960 if ((n = imsg_get(ibuf, &imsg)) == -1)
1961 fatal("%s: imsg_get error", __func__);
1962 if (n == 0) /* No more messages. */
1963 return;
1965 evtimer_del(&client->tmo);
1967 switch (imsg.hdr.type) {
1968 case GOTD_IMSG_ERROR:
1969 do_disconnect = 1;
1970 err = gotd_imsg_recv_error(&client_id, &imsg);
1971 break;
1972 case GOTD_IMSG_ACCESS_GRANTED:
1973 break;
1974 default:
1975 do_disconnect = 1;
1976 log_debug("unexpected imsg %d", imsg.hdr.type);
1977 break;
1980 if (!verify_imsg_src(client, client->auth, &imsg)) {
1981 do_disconnect = 1;
1982 log_debug("dropping imsg type %d from PID %d",
1983 imsg.hdr.type, client->auth->pid);
1985 imsg_free(&imsg);
1987 if (do_disconnect) {
1988 if (err)
1989 disconnect_on_error(client, err);
1990 else
1991 disconnect(client);
1992 goto done;
1995 repo = find_repo_by_name(client->auth->repo_name);
1996 if (repo == NULL) {
1997 err = got_error(GOT_ERR_NOT_GIT_REPO);
1998 goto done;
2000 kill_auth_proc(client);
2002 log_info("authenticated uid %d for repository %s\n",
2003 client->euid, repo->name);
2005 if (client->required_auth & GOTD_AUTH_WRITE)
2006 proc_type = PROC_REPO_WRITE;
2007 else
2008 proc_type = PROC_REPO_READ;
2010 err = start_repo_child(client, proc_type, repo, gotd.argv0,
2011 gotd.confpath, gotd.daemonize, gotd.verbosity);
2012 done:
2013 if (err)
2014 log_warnx("uid %d: %s", client->euid, err->msg);
2016 /* We might have killed the auth process by now. */
2017 if (client->auth != NULL) {
2018 if (!shut) {
2019 gotd_imsg_event_add(iev);
2020 } else {
2021 /* This pipe is dead. Remove its event handler */
2022 event_del(&iev->ev);
2027 static void
2028 gotd_dispatch_repo_child(int fd, short event, void *arg)
2030 struct gotd_imsgev *iev = arg;
2031 struct imsgbuf *ibuf = &iev->ibuf;
2032 struct gotd_child_proc *proc = NULL;
2033 struct gotd_client *client = NULL;
2034 ssize_t n;
2035 int shut = 0;
2036 struct imsg imsg;
2038 if (event & EV_READ) {
2039 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
2040 fatal("imsg_read error");
2041 if (n == 0) {
2042 /* Connection closed. */
2043 shut = 1;
2044 goto done;
2048 if (event & EV_WRITE) {
2049 n = msgbuf_write(&ibuf->w);
2050 if (n == -1 && errno != EAGAIN)
2051 fatal("msgbuf_write");
2052 if (n == 0) {
2053 /* Connection closed. */
2054 shut = 1;
2055 goto done;
2059 client = find_client_by_proc_fd(fd);
2060 if (client == NULL)
2061 fatalx("cannot find client for fd %d", fd);
2063 proc = get_client_proc(client);
2064 if (proc == NULL)
2065 fatalx("cannot find child process for fd %d", fd);
2067 for (;;) {
2068 const struct got_error *err = NULL;
2069 uint32_t client_id = 0;
2070 int do_disconnect = 0;
2071 int do_list_refs = 0, do_ref_updates = 0, do_ref_update = 0;
2072 int do_packfile_install = 0;
2074 if ((n = imsg_get(ibuf, &imsg)) == -1)
2075 fatal("%s: imsg_get error", __func__);
2076 if (n == 0) /* No more messages. */
2077 break;
2079 switch (imsg.hdr.type) {
2080 case GOTD_IMSG_ERROR:
2081 do_disconnect = 1;
2082 err = gotd_imsg_recv_error(&client_id, &imsg);
2083 break;
2084 case GOTD_IMSG_REPO_CHILD_READY:
2085 do_list_refs = 1;
2086 break;
2087 case GOTD_IMSG_PACKFILE_DONE:
2088 do_disconnect = 1;
2089 err = recv_packfile_done(&client_id, &imsg);
2090 break;
2091 case GOTD_IMSG_PACKFILE_INSTALL:
2092 err = recv_packfile_install(&client_id, &imsg);
2093 if (err == NULL)
2094 do_packfile_install = 1;
2095 break;
2096 case GOTD_IMSG_REF_UPDATES_START:
2097 err = recv_ref_updates_start(&client_id, &imsg);
2098 if (err == NULL)
2099 do_ref_updates = 1;
2100 break;
2101 case GOTD_IMSG_REF_UPDATE:
2102 err = recv_ref_update(&client_id, &imsg);
2103 if (err == NULL)
2104 do_ref_update = 1;
2105 break;
2106 default:
2107 log_debug("unexpected imsg %d", imsg.hdr.type);
2108 break;
2111 if (!verify_imsg_src(client, proc, &imsg)) {
2112 log_debug("dropping imsg type %d from PID %d",
2113 imsg.hdr.type, proc->pid);
2114 imsg_free(&imsg);
2115 continue;
2117 if (err)
2118 log_warnx("uid %d: %s", client->euid, err->msg);
2120 if (do_disconnect) {
2121 if (err)
2122 disconnect_on_error(client, err);
2123 else
2124 disconnect(client);
2125 } else {
2126 if (do_list_refs)
2127 err = list_refs_request(client, iev);
2128 else if (do_packfile_install)
2129 err = install_pack(client, proc->repo_path,
2130 &imsg);
2131 else if (do_ref_updates)
2132 err = begin_ref_updates(client, &imsg);
2133 else if (do_ref_update)
2134 err = update_ref(client, proc->repo_path,
2135 &imsg);
2136 if (err)
2137 log_warnx("uid %d: %s", client->euid, err->msg);
2139 imsg_free(&imsg);
2141 done:
2142 if (!shut) {
2143 gotd_imsg_event_add(iev);
2144 } else {
2145 /* This pipe is dead. Remove its event handler */
2146 event_del(&iev->ev);
2147 event_loopexit(NULL);
2151 static pid_t
2152 start_child(enum gotd_procid proc_id, const char *repo_path,
2153 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
2155 char *argv[11];
2156 int argc = 0;
2157 pid_t pid;
2159 switch (pid = fork()) {
2160 case -1:
2161 fatal("cannot fork");
2162 case 0:
2163 break;
2164 default:
2165 close(fd);
2166 return pid;
2169 if (fd != GOTD_FILENO_MSG_PIPE) {
2170 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
2171 fatal("cannot setup imsg fd");
2172 } else if (fcntl(fd, F_SETFD, 0) == -1)
2173 fatal("cannot setup imsg fd");
2175 argv[argc++] = argv0;
2176 switch (proc_id) {
2177 case PROC_LISTEN:
2178 argv[argc++] = (char *)"-L";
2179 break;
2180 case PROC_AUTH:
2181 argv[argc++] = (char *)"-A";
2182 break;
2183 case PROC_REPO_READ:
2184 argv[argc++] = (char *)"-R";
2185 break;
2186 case PROC_REPO_WRITE:
2187 argv[argc++] = (char *)"-W";
2188 break;
2189 default:
2190 fatalx("invalid process id %d", proc_id);
2193 argv[argc++] = (char *)"-f";
2194 argv[argc++] = (char *)confpath;
2196 if (repo_path) {
2197 argv[argc++] = (char *)"-P";
2198 argv[argc++] = (char *)repo_path;
2201 if (!daemonize)
2202 argv[argc++] = (char *)"-d";
2203 if (verbosity > 0)
2204 argv[argc++] = (char *)"-v";
2205 if (verbosity > 1)
2206 argv[argc++] = (char *)"-v";
2207 argv[argc++] = NULL;
2209 execvp(argv0, argv);
2210 fatal("execvp");
2213 static void
2214 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
2216 struct gotd_child_proc *proc = &gotd.listen_proc;
2218 proc->type = PROC_LISTEN;
2220 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2221 PF_UNSPEC, proc->pipe) == -1)
2222 fatal("socketpair");
2224 proc->pid = start_child(proc->type, NULL, argv0, confpath,
2225 proc->pipe[1], daemonize, verbosity);
2226 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2227 proc->iev.handler = gotd_dispatch_listener;
2228 proc->iev.events = EV_READ;
2229 proc->iev.handler_arg = NULL;
2232 static const struct got_error *
2233 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
2234 struct gotd_repo *repo, char *argv0, const char *confpath,
2235 int daemonize, int verbosity)
2237 struct gotd_child_proc *proc;
2239 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
2240 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
2242 proc = calloc(1, sizeof(*proc));
2243 if (proc == NULL)
2244 return got_error_from_errno("calloc");
2246 proc->type = proc_type;
2247 if (strlcpy(proc->repo_name, repo->name,
2248 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
2249 fatalx("repository name too long: %s", repo->name);
2250 log_debug("starting %s for repository %s",
2251 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
2252 if (realpath(repo->path, proc->repo_path) == NULL)
2253 fatal("%s", repo->path);
2254 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2255 PF_UNSPEC, proc->pipe) == -1)
2256 fatal("socketpair");
2257 proc->pid = start_child(proc->type, proc->repo_path, argv0,
2258 confpath, proc->pipe[1], daemonize, verbosity);
2259 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2260 log_debug("proc %s %s is on fd %d",
2261 gotd_proc_names[proc->type], proc->repo_path,
2262 proc->pipe[0]);
2263 proc->iev.handler = gotd_dispatch_repo_child;
2264 proc->iev.events = EV_READ;
2265 proc->iev.handler_arg = NULL;
2266 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
2267 gotd_dispatch_repo_child, &proc->iev);
2268 gotd_imsg_event_add(&proc->iev);
2270 if (proc->type == PROC_REPO_READ)
2271 client->repo_read = proc;
2272 else
2273 client->repo_write = proc;
2275 return NULL;
2278 static const struct got_error *
2279 start_auth_child(struct gotd_client *client, int required_auth,
2280 struct gotd_repo *repo, char *argv0, const char *confpath,
2281 int daemonize, int verbosity)
2283 const struct got_error *err = NULL;
2284 struct gotd_child_proc *proc;
2285 struct gotd_imsg_auth iauth;
2286 int fd;
2288 memset(&iauth, 0, sizeof(iauth));
2290 fd = dup(client->fd);
2291 if (fd == -1)
2292 return got_error_from_errno("dup");
2294 proc = calloc(1, sizeof(*proc));
2295 if (proc == NULL) {
2296 err = got_error_from_errno("calloc");
2297 close(fd);
2298 return err;
2301 proc->type = PROC_AUTH;
2302 if (strlcpy(proc->repo_name, repo->name,
2303 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
2304 fatalx("repository name too long: %s", repo->name);
2305 log_debug("starting auth for uid %d repository %s",
2306 client->euid, repo->name);
2307 if (realpath(repo->path, proc->repo_path) == NULL)
2308 fatal("%s", repo->path);
2309 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2310 PF_UNSPEC, proc->pipe) == -1)
2311 fatal("socketpair");
2312 proc->pid = start_child(proc->type, proc->repo_path, argv0,
2313 confpath, proc->pipe[1], daemonize, verbosity);
2314 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2315 log_debug("proc %s %s is on fd %d",
2316 gotd_proc_names[proc->type], proc->repo_path,
2317 proc->pipe[0]);
2318 proc->iev.handler = gotd_dispatch_auth_child;
2319 proc->iev.events = EV_READ;
2320 proc->iev.handler_arg = NULL;
2321 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
2322 gotd_dispatch_auth_child, &proc->iev);
2323 gotd_imsg_event_add(&proc->iev);
2325 iauth.euid = client->euid;
2326 iauth.egid = client->egid;
2327 iauth.required_auth = required_auth;
2328 iauth.client_id = client->id;
2329 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
2330 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
2331 log_warn("imsg compose AUTHENTICATE");
2332 close(fd);
2333 /* Let the auth_timeout handler tidy up. */
2336 client->auth = proc;
2337 client->required_auth = required_auth;
2338 return NULL;
2341 static void
2342 apply_unveil_repo_readonly(const char *repo_path)
2344 if (unveil(repo_path, "r") == -1)
2345 fatal("unveil %s", repo_path);
2347 if (unveil(NULL, NULL) == -1)
2348 fatal("unveil");
2351 static void
2352 apply_unveil_none(void)
2354 if (unveil("/", "") == -1)
2355 fatal("unveil");
2357 if (unveil(NULL, NULL) == -1)
2358 fatal("unveil");
2361 static void
2362 apply_unveil(void)
2364 struct gotd_repo *repo;
2366 if (unveil(gotd.argv0, "x") == -1)
2367 fatal("unveil %s", gotd.argv0);
2369 TAILQ_FOREACH(repo, &gotd.repos, entry) {
2370 if (unveil(repo->path, "rwc") == -1)
2371 fatal("unveil %s", repo->path);
2374 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
2375 fatal("unveil %s", GOT_TMPDIR_STR);
2377 if (unveil(NULL, NULL) == -1)
2378 fatal("unveil");
2381 int
2382 main(int argc, char **argv)
2384 const struct got_error *error = NULL;
2385 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
2386 const char *confpath = GOTD_CONF_PATH;
2387 char *argv0 = argv[0];
2388 char title[2048];
2389 struct passwd *pw = NULL;
2390 char *repo_path = NULL;
2391 enum gotd_procid proc_id = PROC_GOTD;
2392 struct event evsigint, evsigterm, evsighup, evsigusr1;
2393 int *pack_fds = NULL, *temp_fds = NULL;
2395 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
2397 while ((ch = getopt(argc, argv, "Adf:LnP:RvW")) != -1) {
2398 switch (ch) {
2399 case 'A':
2400 proc_id = PROC_AUTH;
2401 break;
2402 case 'd':
2403 daemonize = 0;
2404 break;
2405 case 'f':
2406 confpath = optarg;
2407 break;
2408 case 'L':
2409 proc_id = PROC_LISTEN;
2410 break;
2411 case 'n':
2412 noaction = 1;
2413 break;
2414 case 'P':
2415 repo_path = realpath(optarg, NULL);
2416 if (repo_path == NULL)
2417 fatal("realpath '%s'", optarg);
2418 break;
2419 case 'R':
2420 proc_id = PROC_REPO_READ;
2421 break;
2422 case 'v':
2423 if (verbosity < 3)
2424 verbosity++;
2425 break;
2426 case 'W':
2427 proc_id = PROC_REPO_WRITE;
2428 break;
2429 default:
2430 usage();
2434 argc -= optind;
2435 argv += optind;
2437 if (argc != 0)
2438 usage();
2440 /* Require an absolute path in argv[0] for reliable re-exec. */
2441 if (!got_path_is_absolute(argv0))
2442 fatalx("bad path \"%s\": must be an absolute path", argv0);
2444 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
2445 fatalx("need root privileges");
2447 log_init(daemonize ? 0 : 1, LOG_DAEMON);
2448 log_setverbose(verbosity);
2450 if (parse_config(confpath, proc_id, &gotd) != 0)
2451 return 1;
2453 gotd.argv0 = argv0;
2454 gotd.daemonize = daemonize;
2455 gotd.verbosity = verbosity;
2456 gotd.confpath = confpath;
2458 if (proc_id == PROC_GOTD &&
2459 (gotd.nrepos == 0 || TAILQ_EMPTY(&gotd.repos)))
2460 fatalx("no repository defined in configuration file");
2462 pw = getpwnam(gotd.user_name);
2463 if (pw == NULL)
2464 fatalx("user %s not found", gotd.user_name);
2466 if (pw->pw_uid == 0) {
2467 fatalx("cannot run %s as %s: the user running %s "
2468 "must not be the superuser",
2469 getprogname(), pw->pw_name, getprogname());
2472 if (proc_id == PROC_LISTEN &&
2473 !got_path_is_absolute(gotd.unix_socket_path))
2474 fatalx("bad unix socket path \"%s\": must be an absolute path",
2475 gotd.unix_socket_path);
2477 if (noaction)
2478 return 0;
2480 if (proc_id == PROC_GOTD) {
2481 gotd.pid = getpid();
2482 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2483 start_listener(argv0, confpath, daemonize, verbosity);
2484 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
2485 if (daemonize && daemon(1, 0) == -1)
2486 fatal("daemon");
2487 } else if (proc_id == PROC_LISTEN) {
2488 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2489 if (verbosity) {
2490 log_info("socket: %s", gotd.unix_socket_path);
2491 log_info("user: %s", pw->pw_name);
2494 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
2495 pw->pw_gid);
2496 if (fd == -1) {
2497 fatal("cannot listen on unix socket %s",
2498 gotd.unix_socket_path);
2500 if (daemonize && daemon(0, 0) == -1)
2501 fatal("daemon");
2502 } else if (proc_id == PROC_AUTH) {
2503 snprintf(title, sizeof(title), "%s %s",
2504 gotd_proc_names[proc_id], repo_path);
2505 if (daemonize && daemon(0, 0) == -1)
2506 fatal("daemon");
2507 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE) {
2508 error = got_repo_pack_fds_open(&pack_fds);
2509 if (error != NULL)
2510 fatalx("cannot open pack tempfiles: %s", error->msg);
2511 error = got_repo_temp_fds_open(&temp_fds);
2512 if (error != NULL)
2513 fatalx("cannot open pack tempfiles: %s", error->msg);
2514 if (repo_path == NULL)
2515 fatalx("repository path not specified");
2516 snprintf(title, sizeof(title), "%s %s",
2517 gotd_proc_names[proc_id], repo_path);
2518 if (daemonize && daemon(0, 0) == -1)
2519 fatal("daemon");
2520 } else
2521 fatal("invalid process id %d", proc_id);
2523 setproctitle("%s", title);
2524 log_procinit(title);
2526 /* Drop root privileges. */
2527 if (setgid(pw->pw_gid) == -1)
2528 fatal("setgid %d failed", pw->pw_gid);
2529 if (setuid(pw->pw_uid) == -1)
2530 fatal("setuid %d failed", pw->pw_uid);
2532 event_init();
2534 switch (proc_id) {
2535 case PROC_GOTD:
2536 #ifndef PROFILE
2537 if (pledge("stdio rpath wpath cpath proc exec "
2538 "sendfd recvfd fattr flock unveil", NULL) == -1)
2539 err(1, "pledge");
2540 #endif
2541 break;
2542 case PROC_LISTEN:
2543 #ifndef PROFILE
2544 if (pledge("stdio sendfd unix", NULL) == -1)
2545 err(1, "pledge");
2546 #endif
2547 listen_main(title, fd, gotd.connection_limits,
2548 gotd.nconnection_limits);
2549 /* NOTREACHED */
2550 break;
2551 case PROC_AUTH:
2552 #ifndef PROFILE
2553 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2554 err(1, "pledge");
2555 #endif
2557 * We need the "unix" pledge promise for getpeername(2) only.
2558 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2559 * filesystem access via unveil(2). Access to password database
2560 * files will still work since "getpw" bypasses unveil(2).
2562 apply_unveil_none();
2564 auth_main(title, &gotd.repos, repo_path);
2565 /* NOTREACHED */
2566 break;
2567 case PROC_REPO_READ:
2568 #ifndef PROFILE
2569 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2570 err(1, "pledge");
2571 #endif
2572 apply_unveil_repo_readonly(repo_path);
2573 repo_read_main(title, repo_path, pack_fds, temp_fds);
2574 /* NOTREACHED */
2575 exit(0);
2576 case PROC_REPO_WRITE:
2577 #ifndef PROFILE
2578 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2579 err(1, "pledge");
2580 #endif
2581 apply_unveil_repo_readonly(repo_path);
2582 repo_write_main(title, repo_path, pack_fds, temp_fds);
2583 /* NOTREACHED */
2584 exit(0);
2585 default:
2586 fatal("invalid process id %d", proc_id);
2589 if (proc_id != PROC_GOTD)
2590 fatal("invalid process id %d", proc_id);
2592 apply_unveil();
2594 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2595 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2596 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2597 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2598 signal(SIGPIPE, SIG_IGN);
2600 signal_add(&evsigint, NULL);
2601 signal_add(&evsigterm, NULL);
2602 signal_add(&evsighup, NULL);
2603 signal_add(&evsigusr1, NULL);
2605 gotd_imsg_event_add(&gotd.listen_proc.iev);
2607 event_dispatch();
2609 if (pack_fds)
2610 got_repo_pack_fds_close(pack_fds);
2611 free(repo_path);
2612 return 0;