2 * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/queue.h>
20 #include <sys/types.h>
22 #include <sys/socket.h>
43 #include "got_error.h"
44 #include "got_opentemp.h"
46 #include "got_repository.h"
47 #include "got_object.h"
48 #include "got_reference.h"
50 #include "got_lib_delta.h"
51 #include "got_lib_object.h"
52 #include "got_lib_object_cache.h"
53 #include "got_lib_sha1.h"
54 #include "got_lib_gitproto.h"
55 #include "got_lib_pack.h"
56 #include "got_lib_repository.h"
62 #include "repo_read.h"
63 #include "repo_write.h"
66 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
70 STAILQ_ENTRY(gotd_client) entry;
71 enum gotd_client_state state;
72 struct gotd_client_capability *capabilities;
78 struct gotd_imsgev iev;
82 struct gotd_child_proc *repo_read;
83 struct gotd_child_proc *repo_write;
84 struct gotd_child_proc *auth;
90 STAILQ_HEAD(gotd_clients, gotd_client);
92 static struct gotd_clients gotd_clients[GOTD_CLIENT_TABLE_SIZE];
93 static SIPHASH_KEY clients_hash_key;
94 volatile int client_cnt;
95 static struct timeval auth_timeout = { 5, 0 };
96 static struct gotd gotd;
98 void gotd_sighdlr(int sig, short event, void *arg);
99 static void gotd_shutdown(void);
100 static const struct got_error *start_repo_child(struct gotd_client *,
101 enum gotd_procid, struct gotd_repo *, char *, const char *, int, int);
102 static const struct got_error *start_auth_child(struct gotd_client *, int,
103 struct gotd_repo *, char *, const char *, int, int);
104 static void kill_proc(struct gotd_child_proc *, int);
109 fprintf(stderr, "usage: %s [-dv] [-f config-file]\n", getprogname());
114 unix_socket_listen(const char *unix_socket_path, uid_t uid, gid_t gid)
116 struct sockaddr_un sun;
118 mode_t old_umask, mode;
120 fd = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK| SOCK_CLOEXEC, 0);
126 sun.sun_family = AF_UNIX;
127 if (strlcpy(sun.sun_path, unix_socket_path,
128 sizeof(sun.sun_path)) >= sizeof(sun.sun_path)) {
129 log_warnx("%s: name too long", unix_socket_path);
134 if (unlink(unix_socket_path) == -1) {
135 if (errno != ENOENT) {
136 log_warn("unlink %s", unix_socket_path);
142 old_umask = umask(S_IXUSR|S_IXGRP|S_IWOTH|S_IROTH|S_IXOTH);
143 mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
145 if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) == -1) {
146 log_warn("bind: %s", unix_socket_path);
154 if (chmod(unix_socket_path, mode) == -1) {
155 log_warn("chmod %o %s", mode, unix_socket_path);
157 unlink(unix_socket_path);
161 if (chown(unix_socket_path, uid, gid) == -1) {
162 log_warn("chown %s uid=%d gid=%d", unix_socket_path, uid, gid);
164 unlink(unix_socket_path);
168 if (listen(fd, GOTD_UNIX_SOCKET_BACKLOG) == -1) {
171 unlink(unix_socket_path);
179 client_hash(uint32_t client_id)
181 return SipHash24(&clients_hash_key, &client_id, sizeof(client_id));
185 add_client(struct gotd_client *client)
187 uint64_t slot = client_hash(client->id) % nitems(gotd_clients);
188 STAILQ_INSERT_HEAD(&gotd_clients[slot], client, entry);
192 static struct gotd_client *
193 find_client(uint32_t client_id)
196 struct gotd_client *c;
198 slot = client_hash(client_id) % nitems(gotd_clients);
199 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
200 if (c->id == client_id)
207 static struct gotd_child_proc *
208 get_client_proc(struct gotd_client *client)
210 if (client->repo_read && client->repo_write) {
211 fatalx("uid %d is reading and writing in the same session",
216 if (client->repo_read)
217 return client->repo_read;
218 else if (client->repo_write)
219 return client->repo_write;
224 static struct gotd_client *
225 find_client_by_proc_fd(int fd)
229 for (slot = 0; slot < nitems(gotd_clients); slot++) {
230 struct gotd_client *c;
232 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
233 struct gotd_child_proc *proc = get_client_proc(c);
234 if (proc && proc->iev.ibuf.fd == fd)
236 if (c->auth && c->auth->iev.ibuf.fd == fd)
245 client_is_reading(struct gotd_client *client)
247 return client->repo_read != NULL;
251 client_is_writing(struct gotd_client *client)
253 return client->repo_write != NULL;
256 static const struct got_error *
257 ensure_client_is_reading(struct gotd_client *client)
259 if (!client_is_reading(client)) {
260 return got_error_fmt(GOT_ERR_BAD_PACKET,
261 "uid %d made a read-request but is not reading from "
262 "a repository", client->euid);
268 static const struct got_error *
269 ensure_client_is_writing(struct gotd_client *client)
271 if (!client_is_writing(client)) {
272 return got_error_fmt(GOT_ERR_BAD_PACKET,
273 "uid %d made a write-request but is not writing to "
274 "a repository", client->euid);
280 static const struct got_error *
281 ensure_client_is_not_writing(struct gotd_client *client)
283 if (client_is_writing(client)) {
284 return got_error_fmt(GOT_ERR_BAD_PACKET,
285 "uid %d made a read-request but is writing to "
286 "a repository", client->euid);
292 static const struct got_error *
293 ensure_client_is_not_reading(struct gotd_client *client)
295 if (client_is_reading(client)) {
296 return got_error_fmt(GOT_ERR_BAD_PACKET,
297 "uid %d made a write-request but is reading from "
298 "a repository", client->euid);
305 wait_for_child(pid_t child_pid)
310 log_debug("waiting for child PID %ld to terminate",
314 pid = waitpid(child_pid, &status, WNOHANG);
316 if (errno != EINTR && errno != ECHILD)
318 } else if (WIFSIGNALED(status)) {
319 log_warnx("child PID %ld terminated; signal %d",
320 (long)pid, WTERMSIG(status));
322 } while (pid != -1 || (pid == -1 && errno == EINTR));
326 kill_auth_proc(struct gotd_client *client)
328 struct gotd_child_proc *proc;
330 if (client->auth == NULL)
336 event_del(&proc->iev.ev);
337 msgbuf_clear(&proc->iev.ibuf.w);
338 close(proc->iev.ibuf.fd);
340 wait_for_child(proc->pid);
345 disconnect(struct gotd_client *client)
347 struct gotd_imsg_disconnect idisconnect;
348 struct gotd_child_proc *proc = get_client_proc(client);
349 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
352 log_debug("uid %d: disconnecting", client->euid);
354 kill_auth_proc(client);
356 idisconnect.client_id = client->id;
358 if (gotd_imsg_compose_event(&proc->iev,
359 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
360 &idisconnect, sizeof(idisconnect)) == -1)
361 log_warn("imsg compose DISCONNECT");
363 msgbuf_clear(&proc->iev.ibuf.w);
364 close(proc->iev.ibuf.fd);
366 wait_for_child(proc->pid);
371 if (gotd_imsg_compose_event(&listen_proc->iev,
372 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
373 &idisconnect, sizeof(idisconnect)) == -1)
374 log_warn("imsg compose DISCONNECT");
376 slot = client_hash(client->id) % nitems(gotd_clients);
377 STAILQ_REMOVE(&gotd_clients[slot], client, gotd_client, entry);
378 imsg_clear(&client->iev.ibuf);
379 event_del(&client->iev.ev);
380 evtimer_del(&client->tmo);
382 if (client->delta_cache_fd != -1)
383 close(client->delta_cache_fd);
384 if (client->packfile_path) {
385 if (unlink(client->packfile_path) == -1 && errno != ENOENT)
386 log_warn("unlink %s: ", client->packfile_path);
387 free(client->packfile_path);
389 if (client->packidx_path) {
390 if (unlink(client->packidx_path) == -1 && errno != ENOENT)
391 log_warn("unlink %s: ", client->packidx_path);
392 free(client->packidx_path);
394 free(client->capabilities);
400 disconnect_on_error(struct gotd_client *client, const struct got_error *err)
404 log_warnx("uid %d: %s", client->euid, err->msg);
405 if (err->code != GOT_ERR_EOF) {
406 imsg_init(&ibuf, client->fd);
407 gotd_imsg_send_error(&ibuf, 0, PROC_GOTD, err);
413 static const struct got_error *
414 send_repo_info(struct gotd_imsgev *iev, struct gotd_repo *repo)
416 const struct got_error *err = NULL;
417 struct gotd_imsg_info_repo irepo;
419 memset(&irepo, 0, sizeof(irepo));
421 if (strlcpy(irepo.repo_name, repo->name, sizeof(irepo.repo_name))
422 >= sizeof(irepo.repo_name))
423 return got_error_msg(GOT_ERR_NO_SPACE, "repo name too long");
424 if (strlcpy(irepo.repo_path, repo->path, sizeof(irepo.repo_path))
425 >= sizeof(irepo.repo_path))
426 return got_error_msg(GOT_ERR_NO_SPACE, "repo path too long");
428 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_REPO, PROC_GOTD, -1,
429 &irepo, sizeof(irepo)) == -1) {
430 err = got_error_from_errno("imsg compose INFO_REPO");
438 static const struct got_error *
439 send_capability(struct gotd_client_capability *capa, struct gotd_imsgev* iev)
441 const struct got_error *err = NULL;
442 struct gotd_imsg_capability icapa;
446 memset(&icapa, 0, sizeof(icapa));
448 icapa.key_len = strlen(capa->key);
449 len = sizeof(icapa) + icapa.key_len;
451 icapa.value_len = strlen(capa->value);
452 len += icapa.value_len;
455 wbuf = imsg_create(&iev->ibuf, GOTD_IMSG_CAPABILITY, 0, 0, len);
457 err = got_error_from_errno("imsg_create CAPABILITY");
461 if (imsg_add(wbuf, &icapa, sizeof(icapa)) == -1)
462 return got_error_from_errno("imsg_add CAPABILITY");
463 if (imsg_add(wbuf, capa->key, icapa.key_len) == -1)
464 return got_error_from_errno("imsg_add CAPABILITY");
466 if (imsg_add(wbuf, capa->value, icapa.value_len) == -1)
467 return got_error_from_errno("imsg_add CAPABILITY");
471 imsg_close(&iev->ibuf, wbuf);
473 gotd_imsg_event_add(iev);
478 static const struct got_error *
479 send_client_info(struct gotd_imsgev *iev, struct gotd_client *client)
481 const struct got_error *err = NULL;
482 struct gotd_imsg_info_client iclient;
483 struct gotd_child_proc *proc;
486 memset(&iclient, 0, sizeof(iclient));
487 iclient.euid = client->euid;
488 iclient.egid = client->egid;
490 proc = get_client_proc(client);
492 if (strlcpy(iclient.repo_name, proc->repo_path,
493 sizeof(iclient.repo_name)) >= sizeof(iclient.repo_name)) {
494 return got_error_msg(GOT_ERR_NO_SPACE,
495 "repo name too long");
497 if (client_is_writing(client))
498 iclient.is_writing = 1;
501 iclient.state = client->state;
502 iclient.ncapabilities = client->ncapabilities;
504 if (gotd_imsg_compose_event(iev, GOTD_IMSG_INFO_CLIENT, PROC_GOTD, -1,
505 &iclient, sizeof(iclient)) == -1) {
506 err = got_error_from_errno("imsg compose INFO_CLIENT");
511 for (i = 0; i < client->ncapabilities; i++) {
512 struct gotd_client_capability *capa;
513 capa = &client->capabilities[i];
514 err = send_capability(capa, iev);
522 static const struct got_error *
523 send_info(struct gotd_client *client)
525 const struct got_error *err = NULL;
526 struct gotd_imsg_info info;
528 struct gotd_repo *repo;
530 if (client->euid != 0)
531 return got_error_set_errno(EPERM, "info");
534 info.verbosity = gotd.verbosity;
535 info.nrepos = gotd.nrepos;
536 info.nclients = client_cnt - 1;
538 if (gotd_imsg_compose_event(&client->iev, GOTD_IMSG_INFO, PROC_GOTD, -1,
539 &info, sizeof(info)) == -1) {
540 err = got_error_from_errno("imsg compose INFO");
545 TAILQ_FOREACH(repo, &gotd.repos, entry) {
546 err = send_repo_info(&client->iev, repo);
551 for (slot = 0; slot < nitems(gotd_clients); slot++) {
552 struct gotd_client *c;
553 STAILQ_FOREACH(c, &gotd_clients[slot], entry) {
554 if (c->id == client->id)
556 err = send_client_info(&client->iev, c);
565 static const struct got_error *
566 stop_gotd(struct gotd_client *client)
569 if (client->euid != 0)
570 return got_error_set_errno(EPERM, "stop");
577 static struct gotd_repo *
578 find_repo_by_name(const char *repo_name)
580 struct gotd_repo *repo;
583 TAILQ_FOREACH(repo, &gotd.repos, entry) {
584 namelen = strlen(repo->name);
585 if (strncmp(repo->name, repo_name, namelen) != 0)
587 if (repo_name[namelen] == '\0' ||
588 strcmp(&repo_name[namelen], ".git") == 0)
595 static const struct got_error *
596 start_client_session(struct gotd_client *client, struct imsg *imsg)
598 const struct got_error *err;
599 struct gotd_imsg_list_refs ireq;
600 struct gotd_repo *repo = NULL;
603 log_debug("list-refs request from uid %d", client->euid);
605 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
606 if (datalen != sizeof(ireq))
607 return got_error(GOT_ERR_PRIVSEP_LEN);
609 memcpy(&ireq, imsg->data, datalen);
611 if (ireq.client_is_reading) {
612 err = ensure_client_is_not_writing(client);
615 repo = find_repo_by_name(ireq.repo_name);
617 return got_error(GOT_ERR_NOT_GIT_REPO);
618 err = start_auth_child(client, GOTD_AUTH_READ, repo,
619 gotd.argv0, gotd.confpath, gotd.daemonize,
624 err = ensure_client_is_not_reading(client);
627 repo = find_repo_by_name(ireq.repo_name);
629 return got_error(GOT_ERR_NOT_GIT_REPO);
630 err = start_auth_child(client,
631 GOTD_AUTH_READ | GOTD_AUTH_WRITE,
632 repo, gotd.argv0, gotd.confpath, gotd.daemonize,
638 /* Flow continues upon authentication successs/failure or timeout. */
642 static const struct got_error *
643 forward_want(struct gotd_client *client, struct imsg *imsg)
645 struct gotd_imsg_want ireq;
646 struct gotd_imsg_want iwant;
649 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
650 if (datalen != sizeof(ireq))
651 return got_error(GOT_ERR_PRIVSEP_LEN);
653 memcpy(&ireq, imsg->data, datalen);
655 memset(&iwant, 0, sizeof(iwant));
656 memcpy(iwant.object_id, ireq.object_id, SHA1_DIGEST_LENGTH);
657 iwant.client_id = client->id;
659 if (gotd_imsg_compose_event(&client->repo_read->iev, GOTD_IMSG_WANT,
660 PROC_GOTD, -1, &iwant, sizeof(iwant)) == -1)
661 return got_error_from_errno("imsg compose WANT");
666 static const struct got_error *
667 forward_ref_update(struct gotd_client *client, struct imsg *imsg)
669 const struct got_error *err = NULL;
670 struct gotd_imsg_ref_update ireq;
671 struct gotd_imsg_ref_update *iref = NULL;
674 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
675 if (datalen < sizeof(ireq))
676 return got_error(GOT_ERR_PRIVSEP_LEN);
677 memcpy(&ireq, imsg->data, sizeof(ireq));
678 if (datalen != sizeof(ireq) + ireq.name_len)
679 return got_error(GOT_ERR_PRIVSEP_LEN);
681 iref = malloc(datalen);
683 return got_error_from_errno("malloc");
684 memcpy(iref, imsg->data, datalen);
686 iref->client_id = client->id;
687 if (gotd_imsg_compose_event(&client->repo_write->iev,
688 GOTD_IMSG_REF_UPDATE, PROC_GOTD, -1, iref, datalen) == -1)
689 err = got_error_from_errno("imsg compose REF_UPDATE");
694 static const struct got_error *
695 forward_have(struct gotd_client *client, struct imsg *imsg)
697 struct gotd_imsg_have ireq;
698 struct gotd_imsg_have ihave;
701 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
702 if (datalen != sizeof(ireq))
703 return got_error(GOT_ERR_PRIVSEP_LEN);
705 memcpy(&ireq, imsg->data, datalen);
707 memset(&ihave, 0, sizeof(ihave));
708 memcpy(ihave.object_id, ireq.object_id, SHA1_DIGEST_LENGTH);
709 ihave.client_id = client->id;
711 if (gotd_imsg_compose_event(&client->repo_read->iev, GOTD_IMSG_HAVE,
712 PROC_GOTD, -1, &ihave, sizeof(ihave)) == -1)
713 return got_error_from_errno("imsg compose HAVE");
719 client_has_capability(struct gotd_client *client, const char *capastr)
721 struct gotd_client_capability *capa;
724 if (client->ncapabilities == 0)
727 for (i = 0; i < client->ncapabilities; i++) {
728 capa = &client->capabilities[i];
729 if (strcmp(capa->key, capastr) == 0)
736 static const struct got_error *
737 recv_capabilities(struct gotd_client *client, struct imsg *imsg)
739 struct gotd_imsg_capabilities icapas;
742 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
743 if (datalen != sizeof(icapas))
744 return got_error(GOT_ERR_PRIVSEP_LEN);
745 memcpy(&icapas, imsg->data, sizeof(icapas));
747 client->ncapa_alloc = icapas.ncapabilities;
748 client->capabilities = calloc(client->ncapa_alloc,
749 sizeof(*client->capabilities));
750 if (client->capabilities == NULL) {
751 client->ncapa_alloc = 0;
752 return got_error_from_errno("calloc");
755 log_debug("expecting %zu capabilities from uid %d",
756 client->ncapa_alloc, client->euid);
760 static const struct got_error *
761 recv_capability(struct gotd_client *client, struct imsg *imsg)
763 struct gotd_imsg_capability icapa;
764 struct gotd_client_capability *capa;
766 char *key, *value = NULL;
768 if (client->capabilities == NULL ||
769 client->ncapabilities >= client->ncapa_alloc) {
770 return got_error_msg(GOT_ERR_BAD_REQUEST,
771 "unexpected capability received");
774 memset(&icapa, 0, sizeof(icapa));
776 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
777 if (datalen < sizeof(icapa))
778 return got_error(GOT_ERR_PRIVSEP_LEN);
779 memcpy(&icapa, imsg->data, sizeof(icapa));
781 if (datalen != sizeof(icapa) + icapa.key_len + icapa.value_len)
782 return got_error(GOT_ERR_PRIVSEP_LEN);
784 key = malloc(icapa.key_len + 1);
786 return got_error_from_errno("malloc");
787 if (icapa.value_len > 0) {
788 value = malloc(icapa.value_len + 1);
791 return got_error_from_errno("malloc");
795 memcpy(key, imsg->data + sizeof(icapa), icapa.key_len);
796 key[icapa.key_len] = '\0';
798 memcpy(value, imsg->data + sizeof(icapa) + icapa.key_len,
800 value[icapa.value_len] = '\0';
803 capa = &client->capabilities[client->ncapabilities++];
808 log_debug("uid %d: capability %s=%s", client->euid, key, value);
810 log_debug("uid %d: capability %s", client->euid, key);
815 static const struct got_error *
816 send_packfile(struct gotd_client *client)
818 const struct got_error *err = NULL;
819 struct gotd_imsg_send_packfile ipack;
820 struct gotd_imsg_packfile_pipe ipipe;
823 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pipe) == -1)
824 return got_error_from_errno("socketpair");
826 memset(&ipack, 0, sizeof(ipack));
827 memset(&ipipe, 0, sizeof(ipipe));
829 ipack.client_id = client->id;
830 if (client_has_capability(client, GOT_CAPA_SIDE_BAND_64K))
831 ipack.report_progress = 1;
833 client->delta_cache_fd = got_opentempfd();
834 if (client->delta_cache_fd == -1)
835 return got_error_from_errno("got_opentempfd");
837 if (gotd_imsg_compose_event(&client->repo_read->iev,
838 GOTD_IMSG_SEND_PACKFILE, PROC_GOTD, client->delta_cache_fd,
839 &ipack, sizeof(ipack)) == -1) {
840 err = got_error_from_errno("imsg compose SEND_PACKFILE");
846 ipipe.client_id = client->id;
848 /* Send pack pipe end 0 to repo_read. */
849 if (gotd_imsg_compose_event(&client->repo_read->iev,
850 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[0],
851 &ipipe, sizeof(ipipe)) == -1) {
852 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
857 /* Send pack pipe end 1 to gotsh(1) (expects just an fd, no data). */
858 if (gotd_imsg_compose_event(&client->iev,
859 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[1], NULL, 0) == -1)
860 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
865 static const struct got_error *
866 recv_packfile(struct gotd_client *client)
868 const struct got_error *err = NULL;
869 struct gotd_imsg_recv_packfile ipack;
870 struct gotd_imsg_packfile_pipe ipipe;
871 struct gotd_imsg_packidx_file ifile;
872 char *basepath = NULL, *pack_path = NULL, *idx_path = NULL;
873 int packfd = -1, idxfd = -1;
874 int pipe[2] = { -1, -1 };
876 if (client->packfile_path) {
877 return got_error_fmt(GOT_ERR_PRIVSEP_MSG,
878 "uid %d already has a pack file", client->euid);
881 if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, pipe) == -1)
882 return got_error_from_errno("socketpair");
884 memset(&ipipe, 0, sizeof(ipipe));
885 ipipe.client_id = client->id;
887 if (gotd_imsg_compose_event(&client->repo_write->iev,
888 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[0],
889 &ipipe, sizeof(ipipe)) == -1) {
890 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
896 if (gotd_imsg_compose_event(&client->repo_write->iev,
897 GOTD_IMSG_PACKFILE_PIPE, PROC_GOTD, pipe[1],
898 &ipipe, sizeof(ipipe)) == -1)
899 err = got_error_from_errno("imsg compose PACKFILE_PIPE");
902 if (asprintf(&basepath, "%s/%s/receiving-from-uid-%d.pack",
903 client->repo_write->repo_path, GOT_OBJECTS_PACK_DIR,
904 client->euid) == -1) {
905 err = got_error_from_errno("asprintf");
909 err = got_opentemp_named_fd(&pack_path, &packfd, basepath, "");
914 if (asprintf(&basepath, "%s/%s/receiving-from-uid-%d.idx",
915 client->repo_write->repo_path, GOT_OBJECTS_PACK_DIR,
916 client->euid) == -1) {
917 err = got_error_from_errno("asprintf");
921 err = got_opentemp_named_fd(&idx_path, &idxfd, basepath, "");
925 memset(&ifile, 0, sizeof(ifile));
926 ifile.client_id = client->id;
927 if (gotd_imsg_compose_event(&client->repo_write->iev,
928 GOTD_IMSG_PACKIDX_FILE, PROC_GOTD, idxfd,
929 &ifile, sizeof(ifile)) == -1) {
930 err = got_error_from_errno("imsg compose PACKIDX_FILE");
936 memset(&ipack, 0, sizeof(ipack));
937 ipack.client_id = client->id;
938 if (client_has_capability(client, GOT_CAPA_REPORT_STATUS))
939 ipack.report_status = 1;
941 if (gotd_imsg_compose_event(&client->repo_write->iev,
942 GOTD_IMSG_RECV_PACKFILE, PROC_GOTD, packfd,
943 &ipack, sizeof(ipack)) == -1) {
944 err = got_error_from_errno("imsg compose RECV_PACKFILE");
952 if (pipe[0] != -1 && close(pipe[0]) == -1 && err == NULL)
953 err = got_error_from_errno("close");
954 if (pipe[1] != -1 && close(pipe[1]) == -1 && err == NULL)
955 err = got_error_from_errno("close");
956 if (packfd != -1 && close(packfd) == -1 && err == NULL)
957 err = got_error_from_errno("close");
958 if (idxfd != -1 && close(idxfd) == -1 && err == NULL)
959 err = got_error_from_errno("close");
964 client->packfile_path = pack_path;
965 client->packidx_path = idx_path;
971 gotd_request(int fd, short events, void *arg)
973 struct gotd_imsgev *iev = arg;
974 struct imsgbuf *ibuf = &iev->ibuf;
975 struct gotd_client *client = iev->handler_arg;
976 const struct got_error *err = NULL;
980 if (events & EV_WRITE) {
981 while (ibuf->w.queued) {
982 n = msgbuf_write(&ibuf->w);
983 if (n == -1 && errno == EPIPE) {
985 * The client has closed its socket.
986 * This can happen when Git clients are
987 * done sending pack file data.
989 msgbuf_clear(&ibuf->w);
991 } else if (n == -1 && errno != EAGAIN) {
992 err = got_error_from_errno("imsg_flush");
993 disconnect_on_error(client, err);
997 /* Connection closed. */
998 err = got_error(GOT_ERR_EOF);
999 disconnect_on_error(client, err);
1004 /* Disconnect gotctl(8) now that messages have been sent. */
1005 if (!client_is_reading(client) && !client_is_writing(client)) {
1011 if ((events & EV_READ) == 0)
1014 memset(&imsg, 0, sizeof(imsg));
1016 while (err == NULL) {
1017 err = gotd_imsg_recv(&imsg, ibuf, 0);
1019 if (err->code == GOT_ERR_PRIVSEP_READ)
1024 evtimer_del(&client->tmo);
1026 switch (imsg.hdr.type) {
1027 case GOTD_IMSG_INFO:
1028 err = send_info(client);
1030 case GOTD_IMSG_STOP:
1031 err = stop_gotd(client);
1033 case GOTD_IMSG_LIST_REFS:
1034 if (client->state != GOTD_STATE_EXPECT_LIST_REFS) {
1035 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1036 "unexpected list-refs request received");
1039 err = start_client_session(client, &imsg);
1043 case GOTD_IMSG_CAPABILITIES:
1044 if (client->state != GOTD_STATE_EXPECT_CAPABILITIES) {
1045 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1046 "unexpected capabilities received");
1049 log_debug("receiving capabilities from uid %d",
1051 err = recv_capabilities(client, &imsg);
1053 case GOTD_IMSG_CAPABILITY:
1054 if (client->state != GOTD_STATE_EXPECT_CAPABILITIES) {
1055 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1056 "unexpected capability received");
1059 err = recv_capability(client, &imsg);
1060 if (err || client->ncapabilities < client->ncapa_alloc)
1062 if (client_is_reading(client)) {
1063 client->state = GOTD_STATE_EXPECT_WANT;
1064 log_debug("uid %d: expecting want-lines",
1066 } else if (client_is_writing(client)) {
1067 client->state = GOTD_STATE_EXPECT_REF_UPDATE;
1068 log_debug("uid %d: expecting ref-update-lines",
1071 fatalx("client %d is both reading and writing",
1074 case GOTD_IMSG_WANT:
1075 if (client->state != GOTD_STATE_EXPECT_WANT) {
1076 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1077 "unexpected want-line received");
1080 log_debug("received want-line from uid %d",
1082 err = ensure_client_is_reading(client);
1085 err = forward_want(client, &imsg);
1087 case GOTD_IMSG_REF_UPDATE:
1088 if (client->state != GOTD_STATE_EXPECT_REF_UPDATE) {
1089 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1090 "unexpected ref-update-line received");
1093 log_debug("received ref-update-line from uid %d",
1095 err = ensure_client_is_writing(client);
1098 err = forward_ref_update(client, &imsg);
1101 client->state = GOTD_STATE_EXPECT_MORE_REF_UPDATES;
1103 case GOTD_IMSG_HAVE:
1104 if (client->state != GOTD_STATE_EXPECT_HAVE) {
1105 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1106 "unexpected have-line received");
1109 log_debug("received have-line from uid %d",
1111 err = ensure_client_is_reading(client);
1114 err = forward_have(client, &imsg);
1118 case GOTD_IMSG_FLUSH:
1119 if (client->state == GOTD_STATE_EXPECT_WANT ||
1120 client->state == GOTD_STATE_EXPECT_HAVE) {
1121 err = ensure_client_is_reading(client);
1124 } else if (client->state ==
1125 GOTD_STATE_EXPECT_MORE_REF_UPDATES) {
1126 err = ensure_client_is_writing(client);
1130 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1131 "unexpected flush-pkt received");
1134 log_debug("received flush-pkt from uid %d",
1136 if (client->state == GOTD_STATE_EXPECT_WANT) {
1137 client->state = GOTD_STATE_EXPECT_HAVE;
1138 log_debug("uid %d: expecting have-lines",
1140 } else if (client->state == GOTD_STATE_EXPECT_HAVE) {
1141 client->state = GOTD_STATE_EXPECT_DONE;
1142 log_debug("uid %d: expecting 'done'",
1144 } else if (client->state ==
1145 GOTD_STATE_EXPECT_MORE_REF_UPDATES) {
1146 client->state = GOTD_STATE_EXPECT_PACKFILE;
1147 log_debug("uid %d: expecting packfile",
1149 err = recv_packfile(client);
1151 /* should not happen, see above */
1152 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1153 "unexpected client state");
1157 case GOTD_IMSG_DONE:
1158 if (client->state != GOTD_STATE_EXPECT_HAVE &&
1159 client->state != GOTD_STATE_EXPECT_DONE) {
1160 err = got_error_msg(GOT_ERR_BAD_REQUEST,
1161 "unexpected flush-pkt received");
1164 log_debug("received 'done' from uid %d", client->euid);
1165 err = ensure_client_is_reading(client);
1168 client->state = GOTD_STATE_DONE;
1169 err = send_packfile(client);
1172 err = got_error(GOT_ERR_PRIVSEP_MSG);
1180 if (err->code != GOT_ERR_EOF ||
1181 client->state != GOTD_STATE_EXPECT_PACKFILE)
1182 disconnect_on_error(client, err);
1184 gotd_imsg_event_add(&client->iev);
1185 if (client->state == GOTD_STATE_EXPECT_LIST_REFS)
1186 evtimer_add(&client->tmo, &auth_timeout);
1188 evtimer_add(&client->tmo, &gotd.request_timeout);
1193 gotd_request_timeout(int fd, short events, void *arg)
1195 struct gotd_client *client = arg;
1197 log_debug("disconnecting uid %d due to timeout", client->euid);
1201 static const struct got_error *
1202 recv_connect(uint32_t *client_id, struct imsg *imsg)
1204 const struct got_error *err = NULL;
1205 struct gotd_imsg_connect iconnect;
1208 struct gotd_client *client = NULL;
1212 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1213 if (datalen != sizeof(iconnect))
1214 return got_error(GOT_ERR_PRIVSEP_LEN);
1215 memcpy(&iconnect, imsg->data, sizeof(iconnect));
1219 err = got_error(GOT_ERR_PRIVSEP_NO_FD);
1223 if (find_client(iconnect.client_id)) {
1224 err = got_error_msg(GOT_ERR_CLIENT_ID, "duplicate client ID");
1228 client = calloc(1, sizeof(*client));
1229 if (client == NULL) {
1230 err = got_error_from_errno("calloc");
1234 *client_id = iconnect.client_id;
1236 client->state = GOTD_STATE_EXPECT_LIST_REFS;
1237 client->id = iconnect.client_id;
1240 client->delta_cache_fd = -1;
1241 /* The auth process will verify UID/GID for us. */
1242 client->euid = iconnect.euid;
1243 client->egid = iconnect.egid;
1244 client->nref_updates = -1;
1246 imsg_init(&client->iev.ibuf, client->fd);
1247 client->iev.handler = gotd_request;
1248 client->iev.events = EV_READ;
1249 client->iev.handler_arg = client;
1251 event_set(&client->iev.ev, client->fd, EV_READ, gotd_request,
1253 gotd_imsg_event_add(&client->iev);
1255 evtimer_set(&client->tmo, gotd_request_timeout, client);
1258 log_debug("%s: new client uid %d connected on fd %d", __func__,
1259 client->euid, client->fd);
1262 struct gotd_child_proc *listen_proc = &gotd.listen_proc;
1263 struct gotd_imsg_disconnect idisconnect;
1265 idisconnect.client_id = client->id;
1266 if (gotd_imsg_compose_event(&listen_proc->iev,
1267 GOTD_IMSG_DISCONNECT, PROC_GOTD, -1,
1268 &idisconnect, sizeof(idisconnect)) == -1)
1269 log_warn("imsg compose DISCONNECT");
1278 static const char *gotd_proc_names[PROC_MAX] = {
1287 kill_proc(struct gotd_child_proc *proc, int fatal)
1290 log_warnx("sending SIGKILL to PID %d", proc->pid);
1291 kill(proc->pid, SIGKILL);
1293 kill(proc->pid, SIGTERM);
1299 struct gotd_child_proc *proc;
1302 for (slot = 0; slot < nitems(gotd_clients); slot++) {
1303 struct gotd_client *c, *tmp;
1305 STAILQ_FOREACH_SAFE(c, &gotd_clients[slot], entry, tmp)
1309 proc = &gotd.listen_proc;
1310 msgbuf_clear(&proc->iev.ibuf.w);
1311 close(proc->iev.ibuf.fd);
1313 wait_for_child(proc->pid);
1315 log_info("terminating");
1320 gotd_sighdlr(int sig, short event, void *arg)
1323 * Normal signal handler rules don't apply because libevent
1329 log_info("%s: ignoring SIGHUP", __func__);
1332 log_info("%s: ignoring SIGUSR1", __func__);
1339 fatalx("unexpected signal");
1343 static const struct got_error *
1344 ensure_proc_is_reading(struct gotd_client *client,
1345 struct gotd_child_proc *proc)
1347 if (!client_is_reading(client)) {
1349 return got_error_fmt(GOT_ERR_BAD_PACKET,
1350 "PID %d handled a read-request for uid %d but this "
1351 "user is not reading from a repository", proc->pid,
1358 static const struct got_error *
1359 ensure_proc_is_writing(struct gotd_client *client,
1360 struct gotd_child_proc *proc)
1362 if (!client_is_writing(client)) {
1364 return got_error_fmt(GOT_ERR_BAD_PACKET,
1365 "PID %d handled a write-request for uid %d but this "
1366 "user is not writing to a repository", proc->pid,
1374 verify_imsg_src(struct gotd_client *client, struct gotd_child_proc *proc,
1377 const struct got_error *err;
1378 struct gotd_child_proc *client_proc;
1381 if (proc->type == PROC_REPO_READ || proc->type == PROC_REPO_WRITE) {
1382 client_proc = get_client_proc(client);
1383 if (client_proc == NULL)
1384 fatalx("no process found for uid %d", client->euid);
1385 if (proc->pid != client_proc->pid) {
1387 log_warnx("received message from PID %d for uid %d, "
1388 "while PID %d is the process serving this user",
1389 proc->pid, client->euid, client_proc->pid);
1394 switch (imsg->hdr.type) {
1395 case GOTD_IMSG_ERROR:
1398 case GOTD_IMSG_CONNECT:
1399 if (proc->type != PROC_LISTEN) {
1400 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1401 "new connection for uid %d from PID %d "
1402 "which is not the listen process",
1403 proc->pid, client->euid);
1407 case GOTD_IMSG_ACCESS_GRANTED:
1408 if (proc->type != PROC_AUTH) {
1409 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1410 "authentication of uid %d from PID %d "
1411 "which is not the auth process",
1412 proc->pid, client->euid);
1416 case GOTD_IMSG_REPO_CHILD_READY:
1417 if (proc->type != PROC_REPO_READ &&
1418 proc->type != PROC_REPO_WRITE) {
1419 err = got_error_fmt(GOT_ERR_BAD_PACKET,
1420 "unexpected \"ready\" signal from PID %d",
1425 case GOTD_IMSG_PACKFILE_DONE:
1426 err = ensure_proc_is_reading(client, proc);
1428 log_warnx("uid %d: %s", client->euid, err->msg);
1432 case GOTD_IMSG_PACKFILE_INSTALL:
1433 case GOTD_IMSG_REF_UPDATES_START:
1434 case GOTD_IMSG_REF_UPDATE:
1435 err = ensure_proc_is_writing(client, proc);
1437 log_warnx("uid %d: %s", client->euid, err->msg);
1442 log_debug("%s: unexpected imsg %d", __func__, imsg->hdr.type);
1449 static const struct got_error *
1450 list_refs_request(struct gotd_client *client, struct gotd_imsgev *iev)
1452 static const struct got_error *err;
1453 struct gotd_imsg_list_refs_internal ilref;
1456 memset(&ilref, 0, sizeof(ilref));
1457 ilref.client_id = client->id;
1459 fd = dup(client->fd);
1461 return got_error_from_errno("dup");
1463 if (gotd_imsg_compose_event(iev, GOTD_IMSG_LIST_REFS_INTERNAL,
1464 PROC_GOTD, fd, &ilref, sizeof(ilref)) == -1) {
1465 err = got_error_from_errno("imsg compose WANT");
1470 client->state = GOTD_STATE_EXPECT_CAPABILITIES;
1471 log_debug("uid %d: expecting capabilities", client->euid);
1475 static const struct got_error *
1476 recv_packfile_done(uint32_t *client_id, struct imsg *imsg)
1478 struct gotd_imsg_packfile_done idone;
1481 log_debug("packfile-done received");
1483 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1484 if (datalen != sizeof(idone))
1485 return got_error(GOT_ERR_PRIVSEP_LEN);
1486 memcpy(&idone, imsg->data, sizeof(idone));
1488 *client_id = idone.client_id;
1492 static const struct got_error *
1493 recv_packfile_install(uint32_t *client_id, struct imsg *imsg)
1495 struct gotd_imsg_packfile_install inst;
1498 log_debug("packfile-install received");
1500 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1501 if (datalen != sizeof(inst))
1502 return got_error(GOT_ERR_PRIVSEP_LEN);
1503 memcpy(&inst, imsg->data, sizeof(inst));
1505 *client_id = inst.client_id;
1509 static const struct got_error *
1510 recv_ref_updates_start(uint32_t *client_id, struct imsg *imsg)
1512 struct gotd_imsg_ref_updates_start istart;
1515 log_debug("ref-updates-start received");
1517 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1518 if (datalen != sizeof(istart))
1519 return got_error(GOT_ERR_PRIVSEP_LEN);
1520 memcpy(&istart, imsg->data, sizeof(istart));
1522 *client_id = istart.client_id;
1526 static const struct got_error *
1527 recv_ref_update(uint32_t *client_id, struct imsg *imsg)
1529 struct gotd_imsg_ref_update iref;
1532 log_debug("ref-update received");
1534 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1535 if (datalen < sizeof(iref))
1536 return got_error(GOT_ERR_PRIVSEP_LEN);
1537 memcpy(&iref, imsg->data, sizeof(iref));
1539 *client_id = iref.client_id;
1543 static const struct got_error *
1544 send_ref_update_ok(struct gotd_client *client,
1545 struct gotd_imsg_ref_update *iref, const char *refname)
1547 struct gotd_imsg_ref_update_ok iok;
1551 memset(&iok, 0, sizeof(iok));
1552 iok.client_id = client->id;
1553 memcpy(iok.old_id, iref->old_id, SHA1_DIGEST_LENGTH);
1554 memcpy(iok.new_id, iref->new_id, SHA1_DIGEST_LENGTH);
1555 iok.name_len = strlen(refname);
1557 len = sizeof(iok) + iok.name_len;
1558 wbuf = imsg_create(&client->iev.ibuf, GOTD_IMSG_REF_UPDATE_OK,
1559 PROC_GOTD, gotd.pid, len);
1561 return got_error_from_errno("imsg_create REF_UPDATE_OK");
1563 if (imsg_add(wbuf, &iok, sizeof(iok)) == -1)
1564 return got_error_from_errno("imsg_add REF_UPDATE_OK");
1565 if (imsg_add(wbuf, refname, iok.name_len) == -1)
1566 return got_error_from_errno("imsg_add REF_UPDATE_OK");
1569 imsg_close(&client->iev.ibuf, wbuf);
1570 gotd_imsg_event_add(&client->iev);
1575 send_refs_updated(struct gotd_client *client)
1577 if (gotd_imsg_compose_event(&client->iev,
1578 GOTD_IMSG_REFS_UPDATED, PROC_GOTD, -1, NULL, 0) == -1)
1579 log_warn("imsg compose REFS_UPDATED");
1582 static const struct got_error *
1583 send_ref_update_ng(struct gotd_client *client,
1584 struct gotd_imsg_ref_update *iref, const char *refname,
1587 const struct got_error *ng_err;
1588 struct gotd_imsg_ref_update_ng ing;
1592 memset(&ing, 0, sizeof(ing));
1593 ing.client_id = client->id;
1594 memcpy(ing.old_id, iref->old_id, SHA1_DIGEST_LENGTH);
1595 memcpy(ing.new_id, iref->new_id, SHA1_DIGEST_LENGTH);
1596 ing.name_len = strlen(refname);
1598 ng_err = got_error_fmt(GOT_ERR_REF_BUSY, "%s", reason);
1599 ing.reason_len = strlen(ng_err->msg);
1601 len = sizeof(ing) + ing.name_len + ing.reason_len;
1602 wbuf = imsg_create(&client->iev.ibuf, GOTD_IMSG_REF_UPDATE_NG,
1603 PROC_GOTD, gotd.pid, len);
1605 return got_error_from_errno("imsg_create REF_UPDATE_NG");
1607 if (imsg_add(wbuf, &ing, sizeof(ing)) == -1)
1608 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1609 if (imsg_add(wbuf, refname, ing.name_len) == -1)
1610 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1611 if (imsg_add(wbuf, ng_err->msg, ing.reason_len) == -1)
1612 return got_error_from_errno("imsg_add REF_UPDATE_NG");
1615 imsg_close(&client->iev.ibuf, wbuf);
1616 gotd_imsg_event_add(&client->iev);
1620 static const struct got_error *
1621 install_pack(struct gotd_client *client, const char *repo_path,
1624 const struct got_error *err = NULL;
1625 struct gotd_imsg_packfile_install inst;
1626 char hex[SHA1_DIGEST_STRING_LENGTH];
1628 char *packfile_path = NULL, *packidx_path = NULL;
1630 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1631 if (datalen != sizeof(inst))
1632 return got_error(GOT_ERR_PRIVSEP_LEN);
1633 memcpy(&inst, imsg->data, sizeof(inst));
1635 if (client->packfile_path == NULL)
1636 return got_error_msg(GOT_ERR_BAD_REQUEST,
1637 "client has no pack file");
1638 if (client->packidx_path == NULL)
1639 return got_error_msg(GOT_ERR_BAD_REQUEST,
1640 "client has no pack file index");
1642 if (got_sha1_digest_to_str(inst.pack_sha1, hex, sizeof(hex)) == NULL)
1643 return got_error_msg(GOT_ERR_NO_SPACE,
1644 "could not convert pack file SHA1 to hex");
1646 if (asprintf(&packfile_path, "/%s/%s/pack-%s.pack",
1647 repo_path, GOT_OBJECTS_PACK_DIR, hex) == -1) {
1648 err = got_error_from_errno("asprintf");
1652 if (asprintf(&packidx_path, "/%s/%s/pack-%s.idx",
1653 repo_path, GOT_OBJECTS_PACK_DIR, hex) == -1) {
1654 err = got_error_from_errno("asprintf");
1658 if (rename(client->packfile_path, packfile_path) == -1) {
1659 err = got_error_from_errno3("rename", client->packfile_path,
1664 free(client->packfile_path);
1665 client->packfile_path = NULL;
1667 if (rename(client->packidx_path, packidx_path) == -1) {
1668 err = got_error_from_errno3("rename", client->packidx_path,
1673 free(client->packidx_path);
1674 client->packidx_path = NULL;
1676 free(packfile_path);
1681 static const struct got_error *
1682 begin_ref_updates(struct gotd_client *client, struct imsg *imsg)
1684 struct gotd_imsg_ref_updates_start istart;
1687 if (client->nref_updates != -1)
1688 return got_error(GOT_ERR_PRIVSEP_MSG);
1690 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1691 if (datalen != sizeof(istart))
1692 return got_error(GOT_ERR_PRIVSEP_LEN);
1693 memcpy(&istart, imsg->data, sizeof(istart));
1695 if (istart.nref_updates <= 0)
1696 return got_error(GOT_ERR_PRIVSEP_MSG);
1698 client->nref_updates = istart.nref_updates;
1702 static const struct got_error *
1703 update_ref(struct gotd_client *client, const char *repo_path,
1706 const struct got_error *err = NULL;
1707 struct got_repository *repo = NULL;
1708 struct got_reference *ref = NULL;
1709 struct gotd_imsg_ref_update iref;
1710 struct got_object_id old_id, new_id;
1711 struct got_object_id *id = NULL;
1712 struct got_object *obj = NULL;
1713 char *refname = NULL;
1717 log_debug("update-ref from uid %d", client->euid);
1719 if (client->nref_updates <= 0)
1720 return got_error(GOT_ERR_PRIVSEP_MSG);
1722 datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
1723 if (datalen < sizeof(iref))
1724 return got_error(GOT_ERR_PRIVSEP_LEN);
1725 memcpy(&iref, imsg->data, sizeof(iref));
1726 if (datalen != sizeof(iref) + iref.name_len)
1727 return got_error(GOT_ERR_PRIVSEP_LEN);
1728 refname = malloc(iref.name_len + 1);
1729 if (refname == NULL)
1730 return got_error_from_errno("malloc");
1731 memcpy(refname, imsg->data + sizeof(iref), iref.name_len);
1732 refname[iref.name_len] = '\0';
1734 log_debug("updating ref %s for uid %d", refname, client->euid);
1736 err = got_repo_open(&repo, repo_path, NULL, NULL);
1740 memcpy(old_id.sha1, iref.old_id, SHA1_DIGEST_LENGTH);
1741 memcpy(new_id.sha1, iref.new_id, SHA1_DIGEST_LENGTH);
1742 err = got_object_open(&obj, repo, &new_id);
1746 if (iref.ref_is_new) {
1747 err = got_ref_open(&ref, repo, refname, 0);
1749 if (err->code != GOT_ERR_NOT_REF)
1751 err = got_ref_alloc(&ref, refname, &new_id);
1754 err = got_ref_write(ref, repo); /* will lock/unlock */
1758 err = got_error_fmt(GOT_ERR_REF_BUSY,
1759 "%s has been created by someone else "
1760 "while transaction was in progress",
1761 got_ref_get_name(ref));
1765 err = got_ref_open(&ref, repo, refname, 1 /* lock */);
1770 err = got_ref_resolve(&id, repo, ref);
1774 if (got_object_id_cmp(id, &old_id) != 0) {
1775 err = got_error_fmt(GOT_ERR_REF_BUSY,
1776 "%s has been modified by someone else "
1777 "while transaction was in progress",
1778 got_ref_get_name(ref));
1782 err = got_ref_change_ref(ref, &new_id);
1786 err = got_ref_write(ref, repo);
1795 if (err->code == GOT_ERR_LOCKFILE_TIMEOUT) {
1796 err = got_error_fmt(GOT_ERR_LOCKFILE_TIMEOUT,
1797 "could not acquire exclusive file lock for %s",
1800 send_ref_update_ng(client, &iref, refname, err->msg);
1802 send_ref_update_ok(client, &iref, refname);
1804 if (client->nref_updates > 0) {
1805 client->nref_updates--;
1806 if (client->nref_updates == 0)
1807 send_refs_updated(client);
1811 const struct got_error *unlock_err;
1812 unlock_err = got_ref_unlock(ref);
1813 if (unlock_err && err == NULL)
1819 got_object_close(obj);
1821 got_repo_close(repo);
1828 gotd_dispatch_listener(int fd, short event, void *arg)
1830 struct gotd_imsgev *iev = arg;
1831 struct imsgbuf *ibuf = &iev->ibuf;
1832 struct gotd_child_proc *proc = &gotd.listen_proc;
1837 if (proc->iev.ibuf.fd != fd)
1838 fatalx("%s: unexpected fd %d", __func__, fd);
1840 if (event & EV_READ) {
1841 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1842 fatal("imsg_read error");
1844 /* Connection closed. */
1850 if (event & EV_WRITE) {
1851 n = msgbuf_write(&ibuf->w);
1852 if (n == -1 && errno != EAGAIN)
1853 fatal("msgbuf_write");
1855 /* Connection closed. */
1862 const struct got_error *err = NULL;
1863 struct gotd_client *client = NULL;
1864 uint32_t client_id = 0;
1865 int do_disconnect = 0;
1867 if ((n = imsg_get(ibuf, &imsg)) == -1)
1868 fatal("%s: imsg_get error", __func__);
1869 if (n == 0) /* No more messages. */
1872 switch (imsg.hdr.type) {
1873 case GOTD_IMSG_ERROR:
1875 err = gotd_imsg_recv_error(&client_id, &imsg);
1877 case GOTD_IMSG_CONNECT:
1878 err = recv_connect(&client_id, &imsg);
1881 log_debug("unexpected imsg %d", imsg.hdr.type);
1885 client = find_client(client_id);
1886 if (client == NULL) {
1887 log_warnx("%s: client not found", __func__);
1893 log_warnx("uid %d: %s", client->euid, err->msg);
1895 if (do_disconnect) {
1897 disconnect_on_error(client, err);
1906 gotd_imsg_event_add(iev);
1908 /* This pipe is dead. Remove its event handler */
1909 event_del(&iev->ev);
1910 event_loopexit(NULL);
1915 gotd_dispatch_auth_child(int fd, short event, void *arg)
1917 const struct got_error *err = NULL;
1918 struct gotd_imsgev *iev = arg;
1919 struct imsgbuf *ibuf = &iev->ibuf;
1920 struct gotd_client *client;
1921 struct gotd_repo *repo = NULL;
1925 uint32_t client_id = 0;
1926 int do_disconnect = 0;
1927 enum gotd_procid proc_type;
1929 client = find_client_by_proc_fd(fd);
1931 fatalx("cannot find client for fd %d", fd);
1933 if (client->auth == NULL)
1934 fatalx("cannot find auth child process for fd %d", fd);
1936 if (event & EV_READ) {
1937 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
1938 fatal("imsg_read error");
1940 /* Connection closed. */
1946 if (event & EV_WRITE) {
1947 n = msgbuf_write(&ibuf->w);
1948 if (n == -1 && errno != EAGAIN)
1949 fatal("msgbuf_write");
1951 /* Connection closed. */
1957 if (client->auth->iev.ibuf.fd != fd)
1958 fatalx("%s: unexpected fd %d", __func__, fd);
1960 if ((n = imsg_get(ibuf, &imsg)) == -1)
1961 fatal("%s: imsg_get error", __func__);
1962 if (n == 0) /* No more messages. */
1965 evtimer_del(&client->tmo);
1967 switch (imsg.hdr.type) {
1968 case GOTD_IMSG_ERROR:
1970 err = gotd_imsg_recv_error(&client_id, &imsg);
1972 case GOTD_IMSG_ACCESS_GRANTED:
1976 log_debug("unexpected imsg %d", imsg.hdr.type);
1980 if (!verify_imsg_src(client, client->auth, &imsg)) {
1982 log_debug("dropping imsg type %d from PID %d",
1983 imsg.hdr.type, client->auth->pid);
1987 if (do_disconnect) {
1989 disconnect_on_error(client, err);
1995 repo = find_repo_by_name(client->auth->repo_name);
1997 err = got_error(GOT_ERR_NOT_GIT_REPO);
2000 kill_auth_proc(client);
2002 log_info("authenticated uid %d for repository %s\n",
2003 client->euid, repo->name);
2005 if (client->required_auth & GOTD_AUTH_WRITE)
2006 proc_type = PROC_REPO_WRITE;
2008 proc_type = PROC_REPO_READ;
2010 err = start_repo_child(client, proc_type, repo, gotd.argv0,
2011 gotd.confpath, gotd.daemonize, gotd.verbosity);
2014 log_warnx("uid %d: %s", client->euid, err->msg);
2016 /* We might have killed the auth process by now. */
2017 if (client->auth != NULL) {
2019 gotd_imsg_event_add(iev);
2021 /* This pipe is dead. Remove its event handler */
2022 event_del(&iev->ev);
2028 gotd_dispatch_repo_child(int fd, short event, void *arg)
2030 struct gotd_imsgev *iev = arg;
2031 struct imsgbuf *ibuf = &iev->ibuf;
2032 struct gotd_child_proc *proc = NULL;
2033 struct gotd_client *client = NULL;
2038 if (event & EV_READ) {
2039 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
2040 fatal("imsg_read error");
2042 /* Connection closed. */
2048 if (event & EV_WRITE) {
2049 n = msgbuf_write(&ibuf->w);
2050 if (n == -1 && errno != EAGAIN)
2051 fatal("msgbuf_write");
2053 /* Connection closed. */
2059 client = find_client_by_proc_fd(fd);
2061 fatalx("cannot find client for fd %d", fd);
2063 proc = get_client_proc(client);
2065 fatalx("cannot find child process for fd %d", fd);
2068 const struct got_error *err = NULL;
2069 uint32_t client_id = 0;
2070 int do_disconnect = 0;
2071 int do_list_refs = 0, do_ref_updates = 0, do_ref_update = 0;
2072 int do_packfile_install = 0;
2074 if ((n = imsg_get(ibuf, &imsg)) == -1)
2075 fatal("%s: imsg_get error", __func__);
2076 if (n == 0) /* No more messages. */
2079 switch (imsg.hdr.type) {
2080 case GOTD_IMSG_ERROR:
2082 err = gotd_imsg_recv_error(&client_id, &imsg);
2084 case GOTD_IMSG_REPO_CHILD_READY:
2087 case GOTD_IMSG_PACKFILE_DONE:
2089 err = recv_packfile_done(&client_id, &imsg);
2091 case GOTD_IMSG_PACKFILE_INSTALL:
2092 err = recv_packfile_install(&client_id, &imsg);
2094 do_packfile_install = 1;
2096 case GOTD_IMSG_REF_UPDATES_START:
2097 err = recv_ref_updates_start(&client_id, &imsg);
2101 case GOTD_IMSG_REF_UPDATE:
2102 err = recv_ref_update(&client_id, &imsg);
2107 log_debug("unexpected imsg %d", imsg.hdr.type);
2111 if (!verify_imsg_src(client, proc, &imsg)) {
2112 log_debug("dropping imsg type %d from PID %d",
2113 imsg.hdr.type, proc->pid);
2118 log_warnx("uid %d: %s", client->euid, err->msg);
2120 if (do_disconnect) {
2122 disconnect_on_error(client, err);
2127 err = list_refs_request(client, iev);
2128 else if (do_packfile_install)
2129 err = install_pack(client, proc->repo_path,
2131 else if (do_ref_updates)
2132 err = begin_ref_updates(client, &imsg);
2133 else if (do_ref_update)
2134 err = update_ref(client, proc->repo_path,
2137 log_warnx("uid %d: %s", client->euid, err->msg);
2143 gotd_imsg_event_add(iev);
2145 /* This pipe is dead. Remove its event handler */
2146 event_del(&iev->ev);
2147 event_loopexit(NULL);
2152 start_child(enum gotd_procid proc_id, const char *repo_path,
2153 char *argv0, const char *confpath, int fd, int daemonize, int verbosity)
2159 switch (pid = fork()) {
2161 fatal("cannot fork");
2169 if (fd != GOTD_FILENO_MSG_PIPE) {
2170 if (dup2(fd, GOTD_FILENO_MSG_PIPE) == -1)
2171 fatal("cannot setup imsg fd");
2172 } else if (fcntl(fd, F_SETFD, 0) == -1)
2173 fatal("cannot setup imsg fd");
2175 argv[argc++] = argv0;
2178 argv[argc++] = (char *)"-L";
2181 argv[argc++] = (char *)"-A";
2183 case PROC_REPO_READ:
2184 argv[argc++] = (char *)"-R";
2186 case PROC_REPO_WRITE:
2187 argv[argc++] = (char *)"-W";
2190 fatalx("invalid process id %d", proc_id);
2193 argv[argc++] = (char *)"-f";
2194 argv[argc++] = (char *)confpath;
2197 argv[argc++] = (char *)"-P";
2198 argv[argc++] = (char *)repo_path;
2202 argv[argc++] = (char *)"-d";
2204 argv[argc++] = (char *)"-v";
2206 argv[argc++] = (char *)"-v";
2207 argv[argc++] = NULL;
2209 execvp(argv0, argv);
2214 start_listener(char *argv0, const char *confpath, int daemonize, int verbosity)
2216 struct gotd_child_proc *proc = &gotd.listen_proc;
2218 proc->type = PROC_LISTEN;
2220 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2221 PF_UNSPEC, proc->pipe) == -1)
2222 fatal("socketpair");
2224 proc->pid = start_child(proc->type, NULL, argv0, confpath,
2225 proc->pipe[1], daemonize, verbosity);
2226 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2227 proc->iev.handler = gotd_dispatch_listener;
2228 proc->iev.events = EV_READ;
2229 proc->iev.handler_arg = NULL;
2232 static const struct got_error *
2233 start_repo_child(struct gotd_client *client, enum gotd_procid proc_type,
2234 struct gotd_repo *repo, char *argv0, const char *confpath,
2235 int daemonize, int verbosity)
2237 struct gotd_child_proc *proc;
2239 if (proc_type != PROC_REPO_READ && proc_type != PROC_REPO_WRITE)
2240 return got_error_msg(GOT_ERR_NOT_IMPL, "bad process type");
2242 proc = calloc(1, sizeof(*proc));
2244 return got_error_from_errno("calloc");
2246 proc->type = proc_type;
2247 if (strlcpy(proc->repo_name, repo->name,
2248 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
2249 fatalx("repository name too long: %s", repo->name);
2250 log_debug("starting %s for repository %s",
2251 proc->type == PROC_REPO_READ ? "reader" : "writer", repo->name);
2252 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
2253 sizeof(proc->repo_path))
2254 fatalx("repository path too long: %s", repo->path);
2255 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2256 PF_UNSPEC, proc->pipe) == -1)
2257 fatal("socketpair");
2258 proc->pid = start_child(proc->type, proc->repo_path, argv0,
2259 confpath, proc->pipe[1], daemonize, verbosity);
2260 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2261 log_debug("proc %s %s is on fd %d",
2262 gotd_proc_names[proc->type], proc->repo_path,
2264 proc->iev.handler = gotd_dispatch_repo_child;
2265 proc->iev.events = EV_READ;
2266 proc->iev.handler_arg = NULL;
2267 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
2268 gotd_dispatch_repo_child, &proc->iev);
2269 gotd_imsg_event_add(&proc->iev);
2271 if (proc->type == PROC_REPO_READ)
2272 client->repo_read = proc;
2274 client->repo_write = proc;
2279 static const struct got_error *
2280 start_auth_child(struct gotd_client *client, int required_auth,
2281 struct gotd_repo *repo, char *argv0, const char *confpath,
2282 int daemonize, int verbosity)
2284 const struct got_error *err = NULL;
2285 struct gotd_child_proc *proc;
2286 struct gotd_imsg_auth iauth;
2289 memset(&iauth, 0, sizeof(iauth));
2291 fd = dup(client->fd);
2293 return got_error_from_errno("dup");
2295 proc = calloc(1, sizeof(*proc));
2297 err = got_error_from_errno("calloc");
2302 proc->type = PROC_AUTH;
2303 if (strlcpy(proc->repo_name, repo->name,
2304 sizeof(proc->repo_name)) >= sizeof(proc->repo_name))
2305 fatalx("repository name too long: %s", repo->name);
2306 log_debug("starting auth for uid %d repository %s",
2307 client->euid, repo->name);
2308 if (strlcpy(proc->repo_path, repo->path, sizeof(proc->repo_path)) >=
2309 sizeof(proc->repo_path))
2310 fatalx("repository path too long: %s", repo->path);
2311 if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK,
2312 PF_UNSPEC, proc->pipe) == -1)
2313 fatal("socketpair");
2314 proc->pid = start_child(proc->type, proc->repo_path, argv0,
2315 confpath, proc->pipe[1], daemonize, verbosity);
2316 imsg_init(&proc->iev.ibuf, proc->pipe[0]);
2317 log_debug("proc %s %s is on fd %d",
2318 gotd_proc_names[proc->type], proc->repo_path,
2320 proc->iev.handler = gotd_dispatch_auth_child;
2321 proc->iev.events = EV_READ;
2322 proc->iev.handler_arg = NULL;
2323 event_set(&proc->iev.ev, proc->iev.ibuf.fd, EV_READ,
2324 gotd_dispatch_auth_child, &proc->iev);
2325 gotd_imsg_event_add(&proc->iev);
2327 iauth.euid = client->euid;
2328 iauth.egid = client->egid;
2329 iauth.required_auth = required_auth;
2330 iauth.client_id = client->id;
2331 if (gotd_imsg_compose_event(&proc->iev, GOTD_IMSG_AUTHENTICATE,
2332 PROC_GOTD, fd, &iauth, sizeof(iauth)) == -1) {
2333 log_warn("imsg compose AUTHENTICATE");
2335 /* Let the auth_timeout handler tidy up. */
2338 client->auth = proc;
2339 client->required_auth = required_auth;
2344 apply_unveil_repo_readonly(const char *repo_path)
2346 if (unveil(repo_path, "r") == -1)
2347 fatal("unveil %s", repo_path);
2349 if (unveil(NULL, NULL) == -1)
2354 apply_unveil_none(void)
2356 if (unveil("/", "") == -1)
2359 if (unveil(NULL, NULL) == -1)
2366 struct gotd_repo *repo;
2368 if (unveil(gotd.argv0, "x") == -1)
2369 fatal("unveil %s", gotd.argv0);
2371 TAILQ_FOREACH(repo, &gotd.repos, entry) {
2372 if (unveil(repo->path, "rwc") == -1)
2373 fatal("unveil %s", repo->path);
2376 if (unveil(GOT_TMPDIR_STR, "rwc") == -1)
2377 fatal("unveil %s", GOT_TMPDIR_STR);
2379 if (unveil(NULL, NULL) == -1)
2384 main(int argc, char **argv)
2386 const struct got_error *error = NULL;
2387 int ch, fd = -1, daemonize = 1, verbosity = 0, noaction = 0;
2388 const char *confpath = GOTD_CONF_PATH;
2389 char *argv0 = argv[0];
2391 struct passwd *pw = NULL;
2392 char *repo_path = NULL;
2393 enum gotd_procid proc_id = PROC_GOTD;
2394 struct event evsigint, evsigterm, evsighup, evsigusr1;
2395 int *pack_fds = NULL, *temp_fds = NULL;
2397 log_init(1, LOG_DAEMON); /* Log to stderr until daemonized. */
2399 while ((ch = getopt(argc, argv, "Adf:LnP:RvW")) != -1) {
2402 proc_id = PROC_AUTH;
2411 proc_id = PROC_LISTEN;
2417 repo_path = realpath(optarg, NULL);
2418 if (repo_path == NULL)
2419 fatal("realpath '%s'", optarg);
2422 proc_id = PROC_REPO_READ;
2429 proc_id = PROC_REPO_WRITE;
2442 /* Require an absolute path in argv[0] for reliable re-exec. */
2443 if (!got_path_is_absolute(argv0))
2444 fatalx("bad path \"%s\": must be an absolute path", argv0);
2446 if (geteuid() && (proc_id == PROC_GOTD || proc_id == PROC_LISTEN))
2447 fatalx("need root privileges");
2449 log_init(daemonize ? 0 : 1, LOG_DAEMON);
2450 log_setverbose(verbosity);
2452 if (parse_config(confpath, proc_id, &gotd) != 0)
2456 gotd.daemonize = daemonize;
2457 gotd.verbosity = verbosity;
2458 gotd.confpath = confpath;
2460 if (proc_id == PROC_GOTD &&
2461 (gotd.nrepos == 0 || TAILQ_EMPTY(&gotd.repos)))
2462 fatalx("no repository defined in configuration file");
2464 pw = getpwnam(gotd.user_name);
2466 fatalx("user %s not found", gotd.user_name);
2468 if (pw->pw_uid == 0) {
2469 fatalx("cannot run %s as %s: the user running %s "
2470 "must not be the superuser",
2471 getprogname(), pw->pw_name, getprogname());
2474 if (proc_id == PROC_LISTEN &&
2475 !got_path_is_absolute(gotd.unix_socket_path))
2476 fatalx("bad unix socket path \"%s\": must be an absolute path",
2477 gotd.unix_socket_path);
2482 if (proc_id == PROC_GOTD) {
2483 gotd.pid = getpid();
2484 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2485 start_listener(argv0, confpath, daemonize, verbosity);
2486 arc4random_buf(&clients_hash_key, sizeof(clients_hash_key));
2487 if (daemonize && daemon(1, 0) == -1)
2489 } else if (proc_id == PROC_LISTEN) {
2490 snprintf(title, sizeof(title), "%s", gotd_proc_names[proc_id]);
2492 log_info("socket: %s", gotd.unix_socket_path);
2493 log_info("user: %s", pw->pw_name);
2496 fd = unix_socket_listen(gotd.unix_socket_path, pw->pw_uid,
2499 fatal("cannot listen on unix socket %s",
2500 gotd.unix_socket_path);
2502 if (daemonize && daemon(0, 0) == -1)
2504 } else if (proc_id == PROC_AUTH) {
2505 snprintf(title, sizeof(title), "%s %s",
2506 gotd_proc_names[proc_id], repo_path);
2507 if (daemonize && daemon(0, 0) == -1)
2509 } else if (proc_id == PROC_REPO_READ || proc_id == PROC_REPO_WRITE) {
2510 error = got_repo_pack_fds_open(&pack_fds);
2512 fatalx("cannot open pack tempfiles: %s", error->msg);
2513 error = got_repo_temp_fds_open(&temp_fds);
2515 fatalx("cannot open pack tempfiles: %s", error->msg);
2516 if (repo_path == NULL)
2517 fatalx("repository path not specified");
2518 snprintf(title, sizeof(title), "%s %s",
2519 gotd_proc_names[proc_id], repo_path);
2520 if (daemonize && daemon(0, 0) == -1)
2523 fatal("invalid process id %d", proc_id);
2525 setproctitle("%s", title);
2526 log_procinit(title);
2528 /* Drop root privileges. */
2529 if (setgid(pw->pw_gid) == -1)
2530 fatal("setgid %d failed", pw->pw_gid);
2531 if (setuid(pw->pw_uid) == -1)
2532 fatal("setuid %d failed", pw->pw_uid);
2539 if (pledge("stdio rpath wpath cpath proc exec "
2540 "sendfd recvfd fattr flock unveil", NULL) == -1)
2546 if (pledge("stdio sendfd unix unveil", NULL) == -1)
2550 * Ensure that AF_UNIX bind(2) cannot be used with any other
2551 * sockets by revoking all filesystem access via unveil(2).
2553 apply_unveil_none();
2555 listen_main(title, fd, gotd.connection_limits,
2556 gotd.nconnection_limits);
2561 if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
2565 * We need the "unix" pledge promise for getpeername(2) only.
2566 * Ensure that AF_UNIX bind(2) cannot be used by revoking all
2567 * filesystem access via unveil(2). Access to password database
2568 * files will still work since "getpw" bypasses unveil(2).
2570 apply_unveil_none();
2572 auth_main(title, &gotd.repos, repo_path);
2575 case PROC_REPO_READ:
2577 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2580 apply_unveil_repo_readonly(repo_path);
2581 repo_read_main(title, repo_path, pack_fds, temp_fds);
2584 case PROC_REPO_WRITE:
2586 if (pledge("stdio rpath recvfd unveil", NULL) == -1)
2589 apply_unveil_repo_readonly(repo_path);
2590 repo_write_main(title, repo_path, pack_fds, temp_fds);
2594 fatal("invalid process id %d", proc_id);
2597 if (proc_id != PROC_GOTD)
2598 fatal("invalid process id %d", proc_id);
2602 signal_set(&evsigint, SIGINT, gotd_sighdlr, NULL);
2603 signal_set(&evsigterm, SIGTERM, gotd_sighdlr, NULL);
2604 signal_set(&evsighup, SIGHUP, gotd_sighdlr, NULL);
2605 signal_set(&evsigusr1, SIGUSR1, gotd_sighdlr, NULL);
2606 signal(SIGPIPE, SIG_IGN);
2608 signal_add(&evsigint, NULL);
2609 signal_add(&evsigterm, NULL);
2610 signal_add(&evsighup, NULL);
2611 signal_add(&evsigusr1, NULL);
2613 gotd_imsg_event_add(&gotd.listen_proc.iev);
2618 got_repo_pack_fds_close(pack_fds);
