bolt 0.17.1 → 0.17.2

data/lib/bolt/executor.rb

@@ -7,10 +7,6 @@ require 'bolt/result'
 require 'bolt/config'
 require 'bolt/notifier'
 require 'bolt/result_set'
-require 'bolt/transport/ssh'
-require 'bolt/transport/winrm'
-require 'bolt/transport/orch'
-require 'bolt/transport/local'
 
 module Bolt
   class Executor
@@ -21,12 +17,9 @@ module Bolt
       @config = config
       @logger = Logging.logger[self]
 
-      @transports = {
-        'ssh' => Concurrent::Delay.new { Bolt::Transport::SSH.new(config[:transports][:ssh] || {}) },
-        'winrm' => Concurrent::Delay.new { Bolt::Transport::WinRM.new(config[:transports][:winrm] || {}) },
-        'pcp' => Concurrent::Delay.new { Bolt::Transport::Orch.new(config[:transports][:pcp] || {}) },
-        'local' => Concurrent::Delay.new { Bolt::Transport::Local.new(config[:transports][:local] || {}) }
-      }
+      @transports = Bolt::TRANSPORTS.each_with_object({}) do |(key, val), coll|
+        coll[key.to_s] = Concurrent::Delay.new { val.new }
+      end
 
       # If a specific elevated log level has been requested, honor that.
       # Otherwise, escalate the log level to "info" if running in plan mode, so

data/lib/bolt/inventory.rb

@@ -5,6 +5,8 @@ require 'bolt/inventory/group'
 
 module Bolt
   class Inventory
+    ENVIRONMENT_VAR = 'BOLT_INVENTORY'.freeze
+
     class ValidationError < Bolt::Error
       attr_accessor :path
       def initialize(message, offending_group)
@@ -37,7 +39,19 @@ module Bolt
     end
 
     def self.from_config(config)
-      data = Bolt::Util.read_config_file(config[:inventoryfile], default_paths, 'inventory')
+      if ENV.include?(ENVIRONMENT_VAR)
+        begin
+          # rubocop:disable YAMLLoad
+          data = YAML.load(ENV[ENVIRONMENT_VAR])
+        # In older releases of psych SyntaxError is not a subclass of Exception
+        rescue Psych::SyntaxError
+          raise Bolt::CLIError, "Could not parse inventory from $#{ENVIRONMENT_VAR}"
+        rescue Psych::Exception
+          raise Bolt::CLIError, "Could not parse inventory from $#{ENVIRONMENT_VAR}"
+        end
+      else
+        data = Bolt::Util.read_config_file(config[:inventoryfile], default_paths, 'inventory')
+      end
 
       inventory = new(data, config)
       inventory.validate

data/lib/bolt/puppetdb.rb

@@ -0,0 +1,11 @@
+require 'bolt/error'
+require 'bolt/puppetdb/client'
+require 'bolt/puppetdb/config'
+
+module Bolt
+  class PuppetDBError < Bolt::Error
+    def initialize(msg)
+      super(msg, "bolt/puppetdb-error")
+    end
+  end
+end

data/lib/bolt/puppetdb/client.rb

@@ -0,0 +1,68 @@
+require 'json'
+require 'uri'
+require 'httpclient'
+
+module Bolt
+  module PuppetDB
+    class Client
+      def self.from_config(config)
+        uri = if config['server_urls'].is_a? String
+                config['server_urls']
+              else
+                config['server_urls'].first
+              end
+        uri = URI.parse(uri)
+        uri.port ||= 8081
+
+        cacert = File.expand_path(config['cacert'])
+        token = config.token
+
+        cert = config['cert']
+        key = config['key']
+
+        new(uri, cacert, token: token, cert: cert, key: key)
+      end
+
+      def initialize(uri, cacert, token: nil, cert: nil, key: nil)
+        @uri = uri
+        @cacert = cacert
+        @token = token
+        @cert = cert
+        @key = key
+      end
+
+      def query_certnames(query)
+        return [] unless query
+
+        body = JSON.generate(query: query)
+
+        response = http_client.post("#{@uri}/pdb/query/v4", body: body, header: headers)
+        if response.code != 200
+          raise Bolt::PuppetDBError, "Failed to query PuppetDB: #{response.body}"
+        else
+          results = JSON.parse(response.body)
+          if results.first && !results.first.key?('certname')
+            fields = results.first.keys
+            raise Bolt::PuppetDBError, "Query results did not contain a 'certname' field: got #{fields.join(', ')}"
+          end
+          results.map { |result| result['certname'] }.uniq
+        end
+      end
+
+      def http_client
+        return @http if @http
+        @http = HTTPClient.new
+        @http.ssl_config.set_client_cert_file(@cert, @key)
+        @http.ssl_config.add_trust_ca(@cacert)
+
+        @http
+      end
+
+      def headers
+        headers = { 'Content-Type' => 'application/json' }
+        headers['X-Authentication'] = @token if @token
+        headers
+      end
+    end
+  end
+end

data/lib/bolt/puppetdb/config.rb

@@ -0,0 +1,76 @@
+require 'json'
+
+module Bolt
+  module PuppetDB
+    class Config
+      DEFAULT_TOKEN = File.expand_path('~/.puppetlabs/token')
+      DEFAULT_CONFIG = File.expand_path('~/.puppetlabs/client-tools/puppetdb.conf')
+
+      def initialize(config_file, options)
+        @settings = load_config(config_file)
+        @settings.merge!(options)
+
+        expand_paths
+        validate
+      end
+
+      def load_config(filename)
+        if filename
+          if File.exist?(filename)
+            config = JSON.parse(File.read(filename))
+          else
+            raise Bolt::PuppetDBError, "config file #{filename} does not exist"
+          end
+        elsif File.exist?(DEFAULT_CONFIG)
+          config = JSON.parse(File.read(DEFAULT_CONFIG))
+        else
+          config = {}
+        end
+        config.fetch('puppetdb', {})
+      end
+
+      def token
+        return @token if @token
+        if @settings['token']
+          File.read(@settings['token'])
+        elsif File.exist?(DEFAULT_TOKEN)
+          File.read(DEFAULT_TOKEN)
+        end
+      end
+
+      def [](key)
+        @settings[key]
+      end
+
+      def expand_paths
+        %w[cacert cert key token].each do |file|
+          @settings[file] = File.expand_path(@settings[file]) if @settings[file]
+        end
+      end
+
+      def validate_file_exists(file)
+        if @settings[file] && !File.exist?(@settings[file])
+          raise Bolt::PuppetDBError, "#{file} file #{@settings[file]} does not exist"
+        end
+      end
+
+      def validate
+        unless @settings['server_urls']
+          raise Bolt::PuppetDBError, "server_urls must be specified"
+        end
+        unless @settings['cacert']
+          raise Bolt::PuppetDBError, "cacert must be specified"
+        end
+
+        if (@settings['cert'] && !@settings['key']) ||
+           (!@settings['cert'] && @settings['key'])
+          raise Bolt::PuppetDBError, "cert and key must be specified together"
+        end
+
+        validate_file_exists('cacert')
+        validate_file_exists('cert')
+        validate_file_exists('key')
+      end
+    end
+  end
+end

data/lib/bolt/target.rb

@@ -14,6 +14,7 @@ module Bolt
       @uri = uri
       @uri_obj = parse(uri)
       @options = options || {}
+      @options.freeze
     end
 
     def update_conf(conf)
@@ -21,11 +22,11 @@ module Bolt
 
       t_conf = conf[:transports][protocol.to_sym]
       # Override url methods
-      url_keys = %i[user password port]
-      @user = t_conf[:user]
-      @password = t_conf[:password]
-      @port = t_conf[:port]
+      @user = t_conf['user']
+      @password = t_conf['password']
+      @port = t_conf['port']
 
+      url_keys = %w[user password port]
       @options = t_conf.reject { |k, _| url_keys.include?(k) }.merge(@options)
 
       self

data/lib/bolt/transport/base.rb

@@ -39,7 +39,16 @@ module Bolt
 
       attr_reader :logger
 
-      def initialize(_config)
+      # Returns options this transport supports
+      def self.options
+        raise NotImplementedError, "self.options() must be implemented by the transport class"
+      end
+
+      def self.validate(_options)
+        raise NotImplementedError, "self.validate() must be implemented by the transport class"
+      end
+
+      def initialize
         @logger = Logging.logger[self]
       end
 
@@ -57,7 +66,7 @@ module Bolt
       end
 
       def filter_options(target, options)
-        if target.options[:run_as]
+        if target.options['run-as']
           options.reject { |k, _v| k == '_run_as' }
         else
           options

data/lib/bolt/transport/local.rb

@@ -7,8 +7,14 @@ require 'bolt/result'
 module Bolt
   module Transport
     class Local < Base
-      def initialize(config = nil)
-        super(config)
+      def self.options
+        %w[tmpdir]
+      end
+
+      def self.validate(_options); end
+
+      def initialize
+        super
 
         if Gem.win_platform?
           raise NotImplementedError, "The local transport is not yet implemented on Windows"
@@ -51,14 +57,14 @@ module Bolt
       end
 
       def run_command(target, command, _options = {})
-        in_tmpdir(target.options[:tmpdir]) do |_|
+        in_tmpdir(target.options['tmpdir']) do |_|
           output = @conn.execute(command, {})
           Bolt::Result.for_command(target, output.stdout.string, output.stderr.string, output.exit_code)
         end
       end
 
       def run_script(target, script, arguments, _options = {})
-        with_tmpscript(File.absolute_path(script), target.options[:tmpdir]) do |file|
+        with_tmpscript(File.absolute_path(script), target.options['tmpdir']) do |file|
           logger.debug "Running '#{file}' with #{arguments}"
 
           if arguments.empty?
@@ -76,7 +82,7 @@ module Bolt
         stdin = STDIN_METHODS.include?(input_method) ? JSON.dump(arguments) : nil
         env = ENVIRONMENT_METHODS.include?(input_method) ? arguments : nil
 
-        with_tmpscript(task.executable, target.options[:tmpdir]) do |script|
+        with_tmpscript(task.executable, target.options['tmpdir']) do |script|
           logger.debug("Running '#{script}' with #{arguments}")
 
           output = @conn.execute(script, stdin: stdin, env: env)

data/lib/bolt/transport/orch.rb

@@ -11,6 +11,17 @@ module Bolt
       CONF_FILE = File.expand_path('~/.puppetlabs/client-tools/orchestrator.conf')
       BOLT_MOCK_TASK = Struct.new(:name, :executable).new('bolt', 'bolt/tasks/init').freeze
 
+      def self.options
+        %w[service-url cacert token-file task-environment local-validation]
+      end
+
+      def self.validate(options)
+        validation_flag = options['local-validation']
+        unless !!validation_flag == validation_flag
+          raise Bolt::CLIError, 'local-validation option must be a Boolean true or false'
+        end
+      end
+
       def create_client(opts)
         client_keys = %i[service-url token-file cacert]
         client_opts = opts.reduce({}) do |acc, (k, v)|
@@ -20,14 +31,14 @@ module Bolt
             acc
           end
         end
-        @logger.debug("Creating orchestrator client for #{client_opts}")
+        logger.debug("Creating orchestrator client for #{client_opts}")
 
         OrchestratorClient.new(client_opts, true)
       end
 
       def build_request(targets, task, arguments)
         { task: task.name,
-          environment: targets.first.options[:"task-environment"],
+          environment: targets.first.options["task-environment"],
           noop: arguments['_noop'],
           params: arguments.reject { |k, _| k == '_noop' },
           scope: {
@@ -117,9 +128,9 @@ module Bolt
 
       def batches(targets)
         targets.group_by do |target|
-          [target.options[:"task-environment"],
-           target.options[:"service-url"],
-           target.options[:"token-file"]]
+          [target.options['task-environment'],
+           target.options['service-url'],
+           target.options['token-file']]
         end.values
       end
 

data/lib/bolt/transport/ssh.rb

@@ -6,7 +6,38 @@ require 'shellwords'
 module Bolt
   module Transport
     class SSH < Base
-      def initialize(_config)
+      def self.options
+        %w[port user password sudo-password private-key host-key-check connect-timeout tmpdir run-as]
+      end
+
+      def self.validate(options)
+        logger = Logging.logger[self]
+
+        if options['sudo-password'] && options['run-as'].nil?
+          logger.warn("--sudo-password will not be used without specifying a " \
+                       "user to escalate to with --run-as")
+        end
+
+        host_key = options['host-key-check']
+        unless !!host_key == host_key
+          raise Bolt::CLIError, 'host-key-check option must be a Boolean true or false'
+        end
+
+        if (key_opt = options['private-key'])
+          unless key_opt.instance_of?(String) || (key_opt.instance_of?(Hash) && key_opt.include?('key-data'))
+            raise Bolt::CLIError,
+                  "private-key option must be the path to a private key file or a hash containing the 'key-data'"
+          end
+        end
+
+        timeout_value = options['connect-timeout']
+        unless timeout_value.is_a?(Integer) || timeout_value.nil?
+          error_msg = "connect-timeout value must be an Integer, received #{timeout_value}:#{timeout_value.class}"
+          raise Bolt::CLIError, error_msg
+        end
+      end
+
+      def initialize
         super
 
         require 'net/ssh'

data/lib/bolt/transport/ssh/connection.rb

@@ -68,15 +68,22 @@ module Bolt
             non_interactive: true
           }
 
+          if (key = target.options['private-key'])
+            if key.instance_of?(String)
+              options[:keys] = key
+            else
+              options[:key_data] = [key['key-data']]
+            end
+          end
+
           options[:port] = target.port if target.port
           options[:password] = target.password if target.password
-          options[:keys] = target.options[:key] if target.options[:key]
-          options[:verify_host_key] = if target.options[:host_key_check]
+          options[:verify_host_key] = if target.options['host-key-check']
                                         Net::SSH::Verifiers::Secure.new
                                       else
                                         Net::SSH::Verifiers::Lenient.new
                                       end
-          options[:timeout] = target.options[:connect_timeout] if target.options[:connect_timeout]
+          options[:timeout] = target.options['connect-timeout'] if target.options['connect-timeout']
 
           # Mirroring:
           # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
@@ -108,7 +115,7 @@ module Bolt
           )
         rescue Net::SSH::ConnectionTimeout
           raise Bolt::Node::ConnectError.new(
-            "Timeout after #{target.options[:connect_timeout]} seconds connecting to #{target.uri}",
+            "Timeout after #{target.options['connect-timeout']} seconds connecting to #{target.uri}",
             'CONNECT_ERROR'
           )
         rescue StandardError => e
@@ -129,7 +136,7 @@ module Bolt
         # override for the user to run as. When @run_as is unset, the user
         # specified on the target will be used.
         def run_as
-          @run_as || target.options[:run_as]
+          @run_as || target.options['run-as']
         end
 
         # Run as the specified user for the duration of the block.
@@ -146,8 +153,8 @@ module Bolt
 
         def handled_sudo(channel, data)
           if data.lines.include?(sudo_prompt)
-            if target.options[:sudo_password]
-              channel.send_data "#{target.options[:sudo_password]}\n"
+            if target.options['sudo-password']
+              channel.send_data "#{target.options['sudo-password']}\n"
               channel.wait
               return true
             else
@@ -196,7 +203,7 @@ module Bolt
 
           session_channel = @session.open_channel do |channel|
             # Request a pseudo tty
-            channel.request_pty if target.options[:tty]
+            channel.request_pty if target.options['tty']
 
             channel.exec(command_str) do |_, success|
               unless success
@@ -247,8 +254,8 @@ module Bolt
         end
 
         def make_tempdir
-          if target.options[:tmpdir]
-            tmppath = "#{target.options[:tmpdir]}/#{SecureRandom.uuid}"
+          if target.options['tmpdir']
+            tmppath = "#{target.options['tmpdir']}/#{SecureRandom.uuid}"
             command = ['mkdir', '-m', 700, tmppath]
           else
             command = ['mktemp', '-d']