bolt 0.21.8 → 0.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22fb0de3f6560ee5c6e57d1f0344e9994d93ae5a638531afde4586b619f137de
-  data.tar.gz: c2e8780f18783e570e1d9cd44f52f722cce1329fcdfb3c32c3028b22d718f81e
+  metadata.gz: fe765b38afea737ae2308098b790fde05b73da5d4eaa661c2121313ccb675d48
+  data.tar.gz: 3280f5388127bce11a71f3aed0db819e7869f0d6751dedb3d0ec815c83623674
 SHA512:
-  metadata.gz: e007695b192c794a2d391d9b2e2dbb2a732374e2aa5b7639ad31e0db7a98dfd5f64b08710dfb958ec7af0e56adb2628f7ef40380f9ad951f505231c303467441
-  data.tar.gz: 78a3c221d8c45bc584b477071e47c9a402d0a99867db696eae6201edc739367b2f49a9ad7c465b9292ae4dbcaa1bd692df6dab878b90183e0e2e276af9d7b739
+  metadata.gz: 50c22855422b4a2cba254cb43647c8ead003b53816b082173a4383f143cf44e3b6a9ca20ff1792d986597e7256fffe875a7130fe036689860f8931f7c5622b29
+  data.tar.gz: 101c06ea0ad6836d3c773ab877fbc74f972f38c14a33d92f00d0da52e83cd797c58a1b502fc79c0b8edd85df3cccc9bfbbb972ce54d64d09de4a6d7ca1a1f31f

data/bolt-modules/boltlib/lib/puppet/functions/file_upload.rb

@@ -1,93 +1,16 @@
 # frozen_string_literal: true
 
-require 'bolt/error'
-
-# Uploads the given file or directory to the given set of targets and returns the result from each upload.
-# This function does nothing if the list of targets is empty.
+# This function wraps the upload_file function with a deprecation warning, for backward compatibility.
 Puppet::Functions.create_function(:file_upload, Puppet::Functions::InternalFunction) do
-  # Upload a file.
-  # @param source A source path, either an absolute path or a modulename/filename selector for a file in
-  #               <moduleroot>/files.
-  # @param destination An absolute path on the target(s).
-  # @param targets A pattern identifying zero or more targets. See {get_targets} for accepted patterns.
-  # @param options Additional options: '_catch_errors', '_run_as'.
-  # @return A list of results, one entry per target.
-  # @example Upload a local file to Linux targets and change owner to 'root'
-  #   file_upload('/var/tmp/payload.tgz', '/tmp/payload.tgz', $targets, '_run_as' => 'root')
-  # @example Upload a module file to a Windows target
-  #   file_upload('postgres/default.conf', 'C:/ProgramData/postgres/default.conf', $target)
-  dispatch :file_upload do
-    scope_param
-    param 'String[1]', :source
-    param 'String[1]', :destination
-    param 'Boltlib::TargetSpec', :targets
-    optional_param 'Hash[String[1], Any]', :options
-    return_type 'ResultSet'
-  end
-
-  # Upload a file, logging the provided description.
-  # @param source A source path, either an absolute path or a modulename/filename selector for a file in
-  #               <moduleroot>/files.
-  # @param destination An absolute path on the target(s).
-  # @param targets A pattern identifying zero or more targets. See {get_targets} for accepted patterns.
-  # @param description A description to be output when calling this function.
-  # @param options Additional options: '_catch_errors', '_run_as'.
-  # @return A list of results, one entry per target.
-  # @example Upload a file
-  #   file_upload('/var/tmp/payload.tgz', '/tmp/payload.tgz', $targets, 'Uploading payload to unpack')
-  dispatch :file_upload_with_description do
-    scope_param
-    param 'String[1]', :source
-    param 'String[1]', :destination
-    param 'Boltlib::TargetSpec', :targets
-    param 'String', :description
-    optional_param 'Hash[String[1], Any]', :options
-    return_type 'ResultSet'
-  end
-
-  def file_upload(scope, source, destination, targets, options = nil)
-    file_upload_with_description(scope, source, destination, targets, nil, options)
-  end
-
-  def file_upload_with_description(scope, source, destination, targets, description = nil, options = nil)
-    options ||= {}
-    options = options.merge('_description' => description) if description
-
-    unless Puppet[:tasks]
-      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
-        Puppet::Pops::Issues::TASK_OPERATION_NOT_SUPPORTED_WHEN_COMPILING, operation: 'file_upload'
-      )
-    end
-
+  def file_upload(*args)
     executor = Puppet.lookup(:bolt_executor) { nil }
-    inventory = Puppet.lookup(:bolt_inventory) { nil }
-    unless executor && inventory && Puppet.features.bolt?
-      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
-        Puppet::Pops::Issues::TASK_MISSING_BOLT, action: _('do file uploads')
-      )
-    end
-
-    executor.report_function_call('file_upload')
+    executor&.report_function_call('file_upload')
 
-    found = Puppet::Parser::Files.find_file(source, scope.compiler.environment)
-    unless found && Puppet::FileSystem.exist?(found)
-      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
-        Puppet::Pops::Issues::NO_SUCH_FILE_OR_DIRECTORY, file: source
-      )
-    end
+    file, line = Puppet::Pops::PuppetStack.top_of_stack
 
-    # Ensure that that given targets are all Target instances
-    targets = inventory.get_targets(targets)
-    if targets.empty?
-      call_function('debug', "Simulating file upload of '#{found}' - no targets given - no action taken")
-      r = Bolt::ResultSet.new([])
-    else
-      r = executor.file_upload(targets, found, destination, options)
-    end
+    msg = "The file_upload function is deprecated and will be removed; use upload_file instead"
+    Puppet.puppet_deprecation_warning(msg, key: 'bolt-function/file_upload', file: file, line: line)
 
-    if !r.ok && !options['_catch_errors']
-      raise Bolt::RunFailure.new(r, 'upload_file', source)
-    end
-    r
+    call_function('upload_file', *args)
   end
 end

data/bolt-modules/boltlib/lib/puppet/functions/run_script.rb

@@ -13,7 +13,7 @@ Puppet::Functions.create_function(:run_script, Puppet::Functions::InternalFuncti
   # @example Run a local script on Linux targets as 'root'
   #   run_script('/var/tmp/myscript', $targets, '_run_as' => 'root')
   # @example Run a module-provided script with arguments
-  #   file_upload('iis/setup.ps1', $target, 'arguments' => ['/u', 'Administrator'])
+  #   run_script('iis/setup.ps1', $target, 'arguments' => ['/u', 'Administrator'])
   dispatch :run_script do
     scope_param
     param 'String[1]', :script
@@ -31,7 +31,7 @@ Puppet::Functions.create_function(:run_script, Puppet::Functions::InternalFuncti
   #                Additional options: '_catch_errors', '_run_as'.
   # @return A list of results, one entry per target.
   # @example Run a script
-  #   file_upload('/var/tmp/myscript', $targets, 'Downloading my application')
+  #   run_script('/var/tmp/myscript', $targets, 'Downloading my application')
   dispatch :run_script_with_description do
     scope_param
     param 'String[1]', :script

data/bolt-modules/boltlib/lib/puppet/functions/run_task.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'bolt/error'
+require 'bolt/pal'
 
 # Runs a given instance of a `Task` on the given set of targets and returns the result from each.
 # This function does nothing if the list of targets is empty.
@@ -120,7 +121,24 @@ Puppet::Functions.create_function(:run_task) do
     end
 
     unless Puppet::Pops::Types::TypeFactory.data.instance?(use_args)
-      raise with_stack(:TYPE_NOT_DATA, 'Task parameters is not of type Data')
+      # generate a helpful error message about the type-mismatch between the type Data
+      # and the actual type of use_args
+      use_args_t = Puppet::Pops::Types::TypeCalculator.infer_set(use_args)
+      desc = Puppet::Pops::Types::TypeMismatchDescriber.singleton.describe_mismatch(
+        'Task parameters are not of type Data. run_task()',
+        Puppet::Pops::Types::TypeFactory.data, use_args_t
+      )
+      raise with_stack(:TYPE_NOT_DATA, desc)
+    end
+
+    # Wrap parameters marked with '"sensitive": true' in the task metadata with a
+    # Sensitive wrapper type. This way it's not shown in logs.
+    if task.parameters
+      use_args.each do |k, v|
+        if task.parameters[k] && task.parameters[k]['sensitive']
+          use_args[k] = Puppet::Pops::Types::PSensitiveType::Sensitive.new(v)
+        end
+      end
     end
 
     if executor.noop

data/bolt-modules/boltlib/lib/puppet/functions/upload_file.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'bolt/error'
+
+# Uploads the given file or directory to the given set of targets and returns the result from each upload.
+# This function does nothing if the list of targets is empty.
+Puppet::Functions.create_function(:upload_file, Puppet::Functions::InternalFunction) do
+  # Upload a file.
+  # @param source A source path, either an absolute path or a modulename/filename selector for a file in
+  #               <moduleroot>/files.
+  # @param destination An absolute path on the target(s).
+  # @param targets A pattern identifying zero or more targets. See {get_targets} for accepted patterns.
+  # @param options Additional options: '_catch_errors', '_run_as'.
+  # @return A list of results, one entry per target.
+  # @example Upload a local file to Linux targets and change owner to 'root'
+  #   upload_file('/var/tmp/payload.tgz', '/tmp/payload.tgz', $targets, '_run_as' => 'root')
+  # @example Upload a module file to a Windows target
+  #   upload_file('postgres/default.conf', 'C:/ProgramData/postgres/default.conf', $target)
+  dispatch :upload_file do
+    scope_param
+    param 'String[1]', :source
+    param 'String[1]', :destination
+    param 'Boltlib::TargetSpec', :targets
+    optional_param 'Hash[String[1], Any]', :options
+    return_type 'ResultSet'
+  end
+
+  # Upload a file, logging the provided description.
+  # @param source A source path, either an absolute path or a modulename/filename selector for a file in
+  #               <moduleroot>/files.
+  # @param destination An absolute path on the target(s).
+  # @param targets A pattern identifying zero or more targets. See {get_targets} for accepted patterns.
+  # @param description A description to be output when calling this function.
+  # @param options Additional options: '_catch_errors', '_run_as'.
+  # @return A list of results, one entry per target.
+  # @example Upload a file
+  #   upload_file('/var/tmp/payload.tgz', '/tmp/payload.tgz', $targets, 'Uploading payload to unpack')
+  dispatch :upload_file_with_description do
+    scope_param
+    param 'String[1]', :source
+    param 'String[1]', :destination
+    param 'Boltlib::TargetSpec', :targets
+    param 'String', :description
+    optional_param 'Hash[String[1], Any]', :options
+    return_type 'ResultSet'
+  end
+
+  def upload_file(scope, source, destination, targets, options = nil)
+    upload_file_with_description(scope, source, destination, targets, nil, options)
+  end
+
+  def upload_file_with_description(scope, source, destination, targets, description = nil, options = nil)
+    options ||= {}
+    options = options.merge('_description' => description) if description
+
+    unless Puppet[:tasks]
+      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
+        Puppet::Pops::Issues::TASK_OPERATION_NOT_SUPPORTED_WHEN_COMPILING, operation: 'upload_file'
+      )
+    end
+
+    executor = Puppet.lookup(:bolt_executor) { nil }
+    inventory = Puppet.lookup(:bolt_inventory) { nil }
+    unless executor && inventory && Puppet.features.bolt?
+      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
+        Puppet::Pops::Issues::TASK_MISSING_BOLT, action: _('do file uploads')
+      )
+    end
+
+    executor.report_function_call('upload_file')
+
+    found = Puppet::Parser::Files.find_file(source, scope.compiler.environment)
+    unless found && Puppet::FileSystem.exist?(found)
+      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
+        Puppet::Pops::Issues::NO_SUCH_FILE_OR_DIRECTORY, file: source
+      )
+    end
+
+    # Ensure that that given targets are all Target instances
+    targets = inventory.get_targets(targets)
+    if targets.empty?
+      call_function('debug', "Simulating file upload of '#{found}' - no targets given - no action taken")
+      r = Bolt::ResultSet.new([])
+    else
+      r = executor.upload_file(targets, found, destination, options)
+    end
+
+    if !r.ok && !options['_catch_errors']
+      raise Bolt::RunFailure.new(r, 'upload_file', source)
+    end
+    r
+  end
+end

data/exe/bolt-server

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'puma/cli'
+cli = Puma::CLI.new ARGV
+cli.run

data/lib/bolt/applicator.rb

@@ -7,11 +7,10 @@ require 'json'
 require 'logging'
 require 'minitar'
 require 'open3'
+require 'bolt/task'
 require 'bolt/util/puppet_log_level'
 
 module Bolt
-  Task = Struct.new(:name, :implementations, :input_method)
-
   class Applicator
     def initialize(inventory, executor, modulepath, pdb_client, hiera_config, max_compiles)
       @inventory = inventory
@@ -41,7 +40,7 @@ module Bolt
       @custom_facts_task ||= begin
         path = File.join(libexec, 'custom_facts.rb')
         impl = { 'name' => 'custom_facts.rb', 'path' => path, 'requirements' => [], 'supports_noop' => true }
-        Task.new('custom_facts', [impl], 'stdin')
+        Task.new(name: 'custom_facts', implementations: [impl], input_method: 'stdin')
       end
     end
 
@@ -49,7 +48,7 @@ module Bolt
       @catalog_apply_task ||= begin
         path = File.join(libexec, 'apply_catalog.rb')
         impl = { 'name' => 'apply_catalog.rb', 'path' => path, 'requirements' => [], 'supports_noop' => true }
-        Task.new('apply_catalog', [impl], 'stdin')
+        Task.new(name: 'apply_catalog', implementations: [impl], input_method: 'stdin')
       end
     end
 
@@ -121,7 +120,9 @@ module Bolt
             'msg' => "Puppet is not installed on the target, please install it to enable 'apply'",
             'kind' => 'bolt/apply-error'
           })
-      elsif exit_code == 1 && error_hash['msg'] =~ /Could not find executable 'ruby.exe'/
+      elsif exit_code == 1 &&
+            (error_hash['msg'] =~ /Could not find executable 'ruby.exe'/ ||
+             error_hash['msg'] =~ /The term 'ruby.exe' is not recognized as the name of a cmdlet/)
         # Windows does not have Ruby present
         Result.new(result.target, error:
           {

data/lib/bolt/bolt_option_parser.rb

@@ -306,7 +306,7 @@ Available options are:
     end
 
     def read_arg_file(file)
-      File.read(file)
+      File.read(File.expand_path(file))
     rescue StandardError => err
       raise Bolt::FileError.new("Error attempting to read #{file}: #{err}", file)
     end

data/lib/bolt/cli.rb

@@ -296,7 +296,7 @@ module Bolt
                 raise Bolt::CLIError, "A destination path must be specified"
               end
               validate_file('source file', src)
-              executor.file_upload(targets, src, dest, executor_opts) do |event|
+              executor.upload_file(targets, src, dest, executor_opts) do |event|
                 outputter.print_event(event)
               end
             end

data/lib/bolt/executor.rb

@@ -18,14 +18,18 @@ module Bolt
     attr_reader :noop, :transports
     attr_accessor :run_as
 
+    # FIXME: There must be a better way
+    # https://makandracards.com/makandra/36011-ruby-do-not-mix-optional-and-keyword-arguments
     def initialize(concurrency = 1,
                    analytics = Bolt::Analytics::NoopClient.new,
                    noop = nil,
-                   bundled_content: nil)
+                   bundled_content: nil,
+                   load_config: true)
       @analytics = analytics
       @bundled_content = bundled_content
       @logger = Logging.logger[self]
       @plan_logging = false
+      @load_config = load_config
 
       @transports = Bolt::TRANSPORTS.each_with_object({}) do |(key, val), coll|
         coll[key.to_s] = Concurrent::Delay.new do
@@ -212,6 +216,7 @@ module Bolt
       log_action(description, targets) do
         notify = proc { |event| @notifier.notify(callback, event) if callback }
         options = { '_run_as' => run_as }.merge(options) if run_as
+        options = options.merge('_load_config' => @load_config)
         arguments['_task'] = task.name
 
         results = batch_execute(targets) do |transport, batch|
@@ -225,7 +230,7 @@ module Bolt
       end
     end
 
-    def file_upload(targets, source, destination, options = {}, &callback)
+    def upload_file(targets, source, destination, options = {}, &callback)
       description = options.fetch('_description', "file upload from #{source} to #{destination}")
       log_action(description, targets) do
         notify = proc { |event| @notifier.notify(callback, event) if callback }

data/lib/bolt/puppetdb/config.rb

@@ -6,10 +6,18 @@ require 'bolt/util'
 module Bolt
   module PuppetDB
     class Config
-      DEFAULT_TOKEN = File.expand_path('~/.puppetlabs/token')
-      DEFAULT_CONFIG = { user: File.expand_path('~/.puppetlabs/client-tools/puppetdb.conf'),
-                         global: '/etc/puppetlabs/client-tools/puppetdb.conf',
-                         win_global: 'C:/ProgramData/PuppetLabs/client-tools/puppetdb.conf' }.freeze
+      if !ENV['HOME'].nil?
+        DEFAULT_TOKEN = File.expand_path('~/.puppetlabs/token')
+        DEFAULT_CONFIG = { user: File.expand_path('~/.puppetlabs/client-tools/puppetdb.conf'),
+                           global: '/etc/puppetlabs/client-tools/puppetdb.conf',
+                           win_global: 'C:/ProgramData/PuppetLabs/client-tools/puppetdb.conf' }.freeze
+      else
+        DEFAULT_TOKEN = Bolt::Util.windows? ? 'nul' : '/dev/null'
+        DEFAULT_CONFIG = { user: '/etc/puppetlabs/puppet/puppetdb.conf',
+                           global: '/etc/puppetlabs/puppet/puppetdb.conf',
+                           win_global: 'C:/ProgramData/PuppetLabs/client-tools/puppetdb.conf' }.freeze
+
+      end
 
       def self.load_config(filename, options)
         global_path = Bolt::Util.windows? ? DEFAULT_CONFIG[:win_global] : DEFAULT_CONFIG[:global]

data/lib/bolt/target.rb

@@ -18,6 +18,22 @@ module Bolt
       @uri_obj = parse(uri)
       @options = options || {}
       @options.freeze
+
+      if @options['user']
+        @user = @options['user']
+      end
+
+      if @options['password']
+        @password = @options['password']
+      end
+
+      if @options['port']
+        @port = @options['port']
+      end
+
+      if @options['protocol']
+        @protocol = @options['protocol']
+      end
     end
 
     def update_conf(conf)

data/lib/bolt/task.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Bolt
+  Task = Struct.new(
+    :name,
+    :implementations,
+    :input_method,
+    :file,
+    :metadata
+  ) do
+
+    TASK_DEFAULTS = {
+      implementations: {},
+      input_method: 'both',
+      metadata: {}
+    }.freeze
+
+    def initialize(task)
+      super()
+      TASK_DEFAULTS.merge(task).each { |k, v| self[k] = v }
+    end
+  end
+end

data/lib/bolt/transport/base.rb

@@ -75,6 +75,15 @@ module Bolt
         end
       end
 
+      # Transform a parameter map to an environment variable map, with parameter names prefixed
+      # with 'PT_' and values transformed to JSON unless they're strings.
+      def envify_params(params)
+        params.each_with_object({}) do |(k, v), h|
+          v = v.to_json unless v.is_a?(String)
+          h["PT_#{k}"] = v
+        end
+      end
+
       # Raises an error if more than one target was given in the batch.
       #
       # The default implementations of batch_* strictly assume the transport is
@@ -152,6 +161,15 @@ module Bolt
         targets.map { |target| [target] }
       end
 
+      def from_api?(task)
+        if task.respond_to? :file
+          unless task.file.nil?
+            return true
+          end
+        end
+        false
+      end
+
       # Transports should override this method with their own implementation of running a command.
       def run_command(*_args)
         raise NotImplementedError, "run_command() must be implemented by the transport class"
@@ -171,6 +189,33 @@ module Bolt
       def upload(*_args)
         raise NotImplementedError, "upload() must be implemented by the transport class"
       end
+
+      # Unwraps any Sensitive data in an arguments Hash, so the plain-text is passed
+      # to the Task/Script.
+      #
+      # This works on deeply nested data structures composed of Hashes, Arrays, and
+      # and plain-old data types (int, string, etc).
+      def unwrap_sensitive_args(arguments)
+        # Skip this if Puppet isn't loaded
+        return arguments unless defined?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+
+        case arguments
+        when Array
+          # iterate over the array, unwrapping all elements
+          arguments.map { |x| unwrap_sensitive_args(x) }
+        when Hash
+          # iterate over the arguments hash and unwrap all keys and values
+          arguments.each_with_object({}) { |(k, v), h|
+            h[unwrap_sensitive_args(k)] = unwrap_sensitive_args(v)
+          }
+        when Puppet::Pops::Types::PSensitiveType::Sensitive
+          # this value is Sensitive, unwrap it
+          unwrap_sensitive_args(arguments.unwrap)
+        else
+          # unknown data type, just return it
+          arguments
+        end
+      end
     end
   end
 end

data/lib/bolt/transport/local.rb

@@ -70,6 +70,8 @@ module Bolt
         with_tmpscript(File.absolute_path(script), target.options['tmpdir']) do |file|
           logger.debug "Running '#{file}' with #{arguments}"
 
+          # unpack any Sensitive data AFTER we log
+          arguments = unwrap_sensitive_args(arguments)
           if arguments.empty?
             # We will always provide separated arguments, so work-around Open3's handling of a single
             # argument as the entire command string for script paths containing spaces.
@@ -84,11 +86,15 @@ module Bolt
         executable = target.select_impl(task, PROVIDED_FEATURES)
         raise "No suitable implementation of #{task.name} for #{target.name}" unless executable
 
+        # unpack any Sensitive data, write it to a separate variable because
+        # we log 'arguments' below
+        unwrapped_arguments = unwrap_sensitive_args(arguments)
         input_method = task.input_method || "both"
-        stdin = STDIN_METHODS.include?(input_method) ? JSON.dump(arguments) : nil
-        env = ENVIRONMENT_METHODS.include?(input_method) ? arguments : nil
+        stdin = STDIN_METHODS.include?(input_method) ? JSON.dump(unwrapped_arguments) : nil
+        env = ENVIRONMENT_METHODS.include?(input_method) ? envify_params(unwrapped_arguments) : nil
 
         with_tmpscript(executable, target.options['tmpdir']) do |script|
+          # log the arguments with sensitive data redacted, do NOT log unwrapped_arguments
           logger.debug("Running '#{script}' with #{arguments}")
 
           output = @conn.execute(script, stdin: stdin, env: env)

data/lib/bolt/transport/local/shell.rb

@@ -8,10 +8,7 @@ module Bolt
     class Local
       class Shell
         def execute(*command, options)
-          if options[:env]
-            env = options[:env].each_with_object({}) { |(k, v), h| h["PT_#{k}"] = v.to_s }
-            command = [env] + command
-          end
+          command = [options[:env]] + command if options[:env]
 
           if options[:stdin]
             stdout, stderr, rc = Open3.capture3(*command, stdin_data: options[:stdin])

data/lib/bolt/transport/orch.rb

@@ -11,7 +11,11 @@ require 'bolt/result'
 module Bolt
   module Transport
     class Orch < Base
-      CONF_FILE = File.expand_path('~/.puppetlabs/client-tools/orchestrator.conf')
+      CONF_FILE = if !ENV['HOME'].nil?
+                    File.expand_path('~/.puppetlabs/client-tools/orchestrator.conf')
+                  else
+                    '/etc/puppetlabs/client-tools/orchestrator.conf'
+                  end
       BOLT_COMMAND_TASK = Struct.new(:name).new('bolt_shim::command').freeze
       BOLT_SCRIPT_TASK = Struct.new(:name).new('bolt_shim::script').freeze
       BOLT_UPLOAD_TASK = Struct.new(:name).new('bolt_shim::upload').freeze
@@ -149,6 +153,8 @@ module Bolt
         end
 
         begin
+          # unpack any Sensitive data
+          arguments = unwrap_sensitive_args(arguments)
           results = get_connection(targets.first.options).run_task(targets, task, arguments, options)
 
           process_run_results(targets, results)

data/lib/bolt/transport/ssh.rb

@@ -63,8 +63,8 @@ module Bolt
         @transport_logger.level = :warn
       end
 
-      def with_connection(target)
-        conn = Connection.new(target, @transport_logger)
+      def with_connection(target, load_config = true)
+        conn = Connection.new(target, @transport_logger, load_config)
         conn.connect
         yield conn
       ensure
@@ -105,6 +105,9 @@ module Bolt
       end
 
       def run_script(target, script, arguments, options = {})
+        # unpack any Sensitive data
+        arguments = unwrap_sensitive_args(arguments)
+
         with_connection(target) do |conn|
           conn.running_as(options['_run_as']) do
             conn.with_remote_tempdir do |dir|
@@ -118,11 +121,10 @@ module Bolt
       end
 
       def run_task(target, task, arguments, options = {})
-        executable = target.select_impl(task, PROVIDED_FEATURES)
-        raise "No suitable implementation of #{task.name} for #{target.name}" unless executable
-
+        # unpack any Sensitive data
+        arguments = unwrap_sensitive_args(arguments)
         input_method = task.input_method || "both"
-        with_connection(target) do |conn|
+        with_connection(target, options.fetch('_load_config', true)) do |conn|
           conn.running_as(options['_run_as']) do
             stdin, output = nil
 
@@ -134,15 +136,21 @@ module Bolt
             end
 
             if ENVIRONMENT_METHODS.include?(input_method)
-              environment = arguments.inject({}) do |env, (param, val)|
-                val = val.to_json unless val.is_a?(String)
-                env.merge("PT_#{param}" => val)
-              end
-              execute_options[:environment] = environment
+              execute_options[:environment] = envify_params(arguments)
             end
 
             conn.with_remote_tempdir do |dir|
-              remote_task_path = conn.write_remote_executable(dir, executable)
+              if from_api?(task)
+                filename = task.file['filename']
+                remote_task_path = conn.write_executable_from_content(dir,
+                                                                      Base64.decode64(task.file['file_content']),
+                                                                      filename)
+              else
+                executable = target.select_impl(task, PROVIDED_FEATURES)
+                raise "No suitable implementation of #{task.name} for #{target.name}" unless executable
+
+                remote_task_path = conn.write_remote_executable(dir, executable)
+              end
               if conn.run_as && stdin
                 wrapper = make_wrapper_stringio(remote_task_path, stdin)
                 remote_wrapper_path = conn.write_remote_executable(dir, wrapper, 'wrapper.sh')

data/lib/bolt/transport/ssh/connection.rb

@@ -54,10 +54,12 @@ module Bolt
         attr_reader :logger, :user, :target
         attr_writer :run_as
 
-        def initialize(target, transport_logger)
+        def initialize(target, transport_logger, load_config = true)
           @target = target
+          @load_config = load_config
 
-          @user = @target.user || Net::SSH::Config.for(target.host)[:user] || Etc.getlogin
+          ssh_user = load_config ? Net::SSH::Config.for(target.host)[:user] : nil
+          @user = @target.user || ssh_user || Etc.getlogin
           @run_as = nil
 
           @logger = Logging.logger[@target.host]
@@ -97,20 +99,26 @@ module Bolt
                                       end
           options[:timeout] = target.options['connect-timeout'] if target.options['connect-timeout']
 
-          # Mirroring:
-          # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
-          # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/pageant.rb#L403
-          if defined?(UNIXSocket) && UNIXSocket
-            if ENV['SSH_AUTH_SOCK'].to_s.empty?
-              @logger.debug { "Disabling use_agent in net-ssh: ssh-agent is not available" }
-              options[:use_agent] = false
-            end
-          elsif Bolt::Util.windows?
-            pageant_wide = 'Pageant'.encode('UTF-16LE')
-            if Win.FindWindow(pageant_wide, pageant_wide).to_i == 0
-              @logger.debug { "Disabling use_agent in net-ssh: pageant process not running" }
-              options[:use_agent] = false
+          if @load_config
+            # Mirroring:
+            # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/agent.rb#L80
+            # https://github.com/net-ssh/net-ssh/blob/master/lib/net/ssh/authentication/pageant.rb#L403
+            if defined?(UNIXSocket) && UNIXSocket
+              if ENV['SSH_AUTH_SOCK'].to_s.empty?
+                @logger.debug { "Disabling use_agent in net-ssh: ssh-agent is not available" }
+                options[:use_agent] = false
+              end
+            elsif Bolt::Util.windows?
+              pageant_wide = 'Pageant'.encode('UTF-16LE')
+              if Win.FindWindow(pageant_wide, pageant_wide).to_i == 0
+                @logger.debug { "Disabling use_agent in net-ssh: pageant process not running" }
+                options[:use_agent] = false
+              end
             end
+          else
+            # Disable ssh config and ssh-agent if requested via load_config
+            options[:config] = false
+            options[:use_agent] = false
           end
 
           @session = Net::SSH.start(target.host, @user, options)
@@ -302,12 +310,19 @@ module Bolt
 
         def write_remote_executable(dir, file, filename = nil)
           filename ||= File.basename(file)
-          remote_path = "#{dir}/#{filename}"
+          remote_path = File.join(dir.to_s, filename)
           write_remote_file(file, remote_path)
           make_executable(remote_path)
           remote_path
         end
 
+        def write_executable_from_content(dest, content, filename)
+          remote_path = File.join(dest.to_s, filename)
+          @session.scp.upload!(StringIO.new(content), remote_path)
+          make_executable(remote_path)
+          remote_path
+        end
+
         def make_executable(path)
           result = execute(['chmod', 'u+x', path])
           if result.exit_code != 0

data/lib/bolt/transport/winrm.rb

@@ -69,6 +69,9 @@ module Bolt
       end
 
       def run_script(target, script, arguments, _options = {})
+        # unpack any Sensitive data
+        arguments = unwrap_sensitive_args(arguments)
+
         with_connection(target) do |conn|
           conn.with_remote_file(script) do |remote_path|
             if powershell_file?(remote_path)
@@ -103,8 +106,21 @@ catch
       end
 
       def run_task(target, task, arguments, _options = {})
-        executable = target.select_impl(task, PROVIDED_FEATURES)
-        raise "No suitable implementation of #{task.name} for #{target.name}" unless executable
+        if from_api?(task)
+          # TODO: Remove as part of BOLT-664
+          dir = Dir.mktmpdir
+          executable = File.join(dir, task.file['filename'])
+          File.open(executable, 'w') { |f|
+            f.write(Base64.decode64(task.file['file_content']))
+          }
+          task.input_method = powershell_file?(executable) ? 'powershell' : 'both'
+        else
+          executable = target.select_impl(task, PROVIDED_FEATURES)
+          raise "No suitable implementation of #{task.name} for #{target.name}" unless executable
+        end
+
+        # unpack any Sensitive data
+        arguments = unwrap_sensitive_args(arguments)
 
         input_method = task.input_method
         input_method ||= powershell_file?(executable) ? 'powershell' : 'both'
@@ -114,12 +130,11 @@ catch
           end
 
           if ENVIRONMENT_METHODS.include?(input_method)
-            arguments.each do |(arg, val)|
-              val = val.to_json unless val.is_a?(String)
-              cmd = "[Environment]::SetEnvironmentVariable('PT_#{arg}', @'\n#{val}\n'@)"
+            envify_params(arguments).each do |(arg, val)|
+              cmd = "[Environment]::SetEnvironmentVariable('#{arg}', @'\n#{val}\n'@)"
               result = conn.execute(cmd)
               if result.exit_code != 0
-                raise EnvironmentVarError(var, value)
+                raise Bolt::Node::EnvironmentVarError.new(arg, val)
               end
             end
           end
@@ -147,6 +162,10 @@ try { & "#{remote_path}" @taskArgs } catch { Write-Error $_.Exception; exit 1 }
                 path, args = *process_from_extension(remote_path)
                 conn.execute_process(path, args, stdin)
               end
+
+            if from_api?(task)
+              FileUtils.remove_entry dir
+            end
             Bolt::Result.for_task(target, output.stdout.string,
                                   output.stderr.string,
                                   output.exit_code)

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '0.21.8'
+  VERSION = '0.22.0'
 end

data/lib/bolt_ext/server.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'sinatra'
+require 'bolt'
+require 'bolt/task'
+require 'json'
+
+class TransportAPI < Sinatra::Base
+  # This disables Sinatra's error page generation
+  set :show_exceptions, false
+
+  get '/' do
+    200
+  end
+
+  get '/500_error' do
+    raise 'Unexpected error'
+  end
+
+  post '/ssh/run_task' do
+    content_type :json
+
+    body = JSON.parse(request.body.read)
+    keys = %w[user password port ssh-key-content connect-timeout run-as-command run-as
+              tmpdir host-key-check known-hosts-content private-key-content sudo-password]
+    opts = body['target'].select { |k, _| keys.include? k }
+
+    if opts['private-key-content'] && opts['password']
+      return [400, "Only include one of 'password' and 'private-key-content'"]
+    end
+    if opts['private-key-content']
+      opts['private-key'] = { 'key-data' => opts['private-key-content'] }
+      opts.delete('private-key-content')
+    end
+
+    target = [Bolt::Target.new(body['target']['hostname'], opts)]
+    task = Bolt::Task.new(body['task'])
+    parameters = body['parameters'] || {}
+
+    executor = Bolt::Executor.new(load_config: false)
+
+    # Since this will only be on one node we can just return the first result
+    results = executor.run_task(target, task, parameters)
+    [200, results.first.to_json]
+  end
+
+  post '/winrm/run_task' do
+    content_type :json
+
+    body = JSON.parse(request.body.read)
+    keys = %w[user password port connect-timeout ssl ssl-verify tmpdir cacert extensions]
+    opts = body['target'].select { |k, _| keys.include? k }
+    opts['protocol'] = 'winrm'
+    target = [Bolt::Target.new(body['target']['hostname'], opts)]
+    task = Bolt::Task.new(body['task'])
+    parameters = body['parameters'] || {}
+
+    executor = Bolt::Executor.new(load_config: false)
+
+    # Since this will only be on one node we can just return the first result
+    results = executor.run_task(target, task, parameters)
+    [200, results.first.to_json]
+  end
+
+  error 404 do
+    [404, "Could not find route #{request.path}"]
+  end
+
+  error 500 do
+    e = env['sinatra.error']
+    [500, "500: Unknown error: #{e.message}"]
+  end
+end

data/lib/bolt_ext/server_acl.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'rails/auth/rack'
+
+class TransportACL < Rails::Auth::ErrorPage::Middleware
+  class X509Matcher
+    def initialize(options)
+      @options = options.freeze
+    end
+
+    def match(env)
+      certificate = Rails::Auth::X509::Certificate.new(env['puma.peercert'])
+      # This can be extended fairly easily to search OpenSSL::X509::Certificate#extensions for subjectAltNames.
+      @options.all? { |name, value| certificate[name] == value }
+    end
+  end
+
+  def initialize(app, whitelist)
+    acls = []
+    whitelist.each do |entry|
+      acls << {
+        'resources' => [
+          {
+            'method' => 'ALL',
+            'path' => '/.*'
+          }
+        ],
+        'allow_x509_subject' => {
+          'cn' => entry
+        }
+      }
+    end
+    acl = Rails::Auth::ACL.new(acls, matchers: { allow_x509_subject: X509Matcher })
+    mid = Rails::Auth::ACL::Middleware.new(app, acl: acl)
+    super(mid, page_body: 'Access denied')
+  end
+end

data/lib/bolt_ext/server_config.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'hocon'
+
+class TransportConfig
+  attr_accessor :host, :port, :ssl_cert, :ssl_key, :ssl_ca_cert, :ssl_cipher_suites,
+                :loglevel, :logfile, :whitelist, :concurrency
+
+  def initialize(global = nil, local = nil)
+    @host = '127.0.0.1'
+    @port = 62658
+    @ssl_cert = nil
+    @ssl_key = nil
+    @ssl_ca_cert = nil
+    @ssl_cipher_suites = ['ECDHE-ECDSA-AES256-GCM-SHA384',
+                          'ECDHE-RSA-AES256-GCM-SHA384',
+                          'ECDHE-ECDSA-CHACHA20-POLY1305',
+                          'ECDHE-RSA-CHACHA20-POLY1305',
+                          'ECDHE-ECDSA-AES128-GCM-SHA256',
+                          'ECDHE-RSA-AES128-GCM-SHA256',
+                          'ECDHE-ECDSA-AES256-SHA384',
+                          'ECDHE-RSA-AES256-SHA384',
+                          'ECDHE-ECDSA-AES128-SHA256',
+                          'ECDHE-RSA-AES128-SHA256']
+
+    @loglevel = 'notice'
+    @logfile = nil
+    @whitelist = nil
+    @concurrency = 100
+
+    global_path = global || '/etc/puppetlabs/bolt-server/conf.d/bolt-server.conf'
+    local_path = local || File.join(ENV['HOME'].to_s, ".puppetlabs", "bolt-server.conf")
+
+    load_config(global_path)
+    load_config(local_path)
+    validate
+  end
+
+  def load_config(path)
+    begin
+      parsed_hocon = Hocon.load(path)['bolt-server']
+    rescue Hocon::ConfigError => e
+      raise "Hocon data in '#{path}' failed to load.\n Error: '#{e.message}'"
+    rescue Errno::EACCES
+      raise "Your user doesn't have permission to read #{path}"
+    end
+
+    unless parsed_hocon.nil?
+      %w[host port ssl-cert ssl-key ssl-ca-cert ssl-cipher-suites loglevel logfile whitelist concurrency].each do |key|
+        varname = '@' + key.tr('-', '_')
+        instance_variable_set(varname, parsed_hocon[key]) if parsed_hocon.key?(key)
+      end
+    end
+  end
+
+  def validate
+    required_keys = %w[ssl_cert ssl_key ssl_ca_cert]
+    ssl_keys = %w[ssl_cert ssl_key ssl_ca_cert]
+    required_keys.each do |k|
+      next unless send(k).nil?
+      raise Bolt::ValidationError, <<-MSG
+You must configure #{k} in either /etc/puppetlabs/bolt-server/conf.d/bolt-server.conf or ~/.puppetlabs/bolt-server.conf
+      MSG
+    end
+
+    unless @port.is_a?(Integer) && @port > 0
+      raise Bolt::ValidationError, "Configured 'port' must be a valid integer greater than 0"
+    end
+    ssl_keys.each do |sk|
+      unless File.file?(send(sk)) && File.readable?(send(sk))
+        raise Bolt::ValidationError, "Configured #{sk} must be a valid filepath"
+      end
+    end
+
+    unless @ssl_cipher_suites.is_a?(Array)
+      raise Bolt::ValidationError, "Configured 'ssl-cipher-suites' must be an array of cipher suite names"
+    end
+
+    unless @whitelist.nil? || @whitelist.is_a?(Array)
+      raise Bolt::ValidationError, "Configured 'whitelist' must be an array of names"
+    end
+
+    unless @concurrency.is_a?(Integer) && @concurrency.positive?
+      raise Bolt::ValidationError, "Configured 'concurrency' must be a positive integer"
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bolt
 version: !ruby/object:Gem::Version
-  version: 0.21.8
+  version: 0.22.0
 platform: ruby
 authors:
 - Puppet
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-23 00:00:00.000000000 Z
+date: 2018-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -282,6 +282,7 @@ email:
 executables:
 - bolt
 - bolt-inventory-pdb
+- bolt-server
 extensions: []
 extra_rdoc_files: []
 files:
@@ -302,12 +303,14 @@ files:
 - bolt-modules/boltlib/lib/puppet/functions/run_task.rb
 - bolt-modules/boltlib/lib/puppet/functions/set_feature.rb
 - bolt-modules/boltlib/lib/puppet/functions/set_var.rb
+- bolt-modules/boltlib/lib/puppet/functions/upload_file.rb
 - bolt-modules/boltlib/lib/puppet/functions/vars.rb
 - bolt-modules/boltlib/lib/puppet/functions/without_default_logging.rb
 - bolt-modules/boltlib/types/planresult.pp
 - bolt-modules/boltlib/types/targetspec.pp
 - exe/bolt
 - exe/bolt-inventory-pdb
+- exe/bolt-server
 - lib/bolt.rb
 - lib/bolt/analytics.rb
 - lib/bolt/applicator.rb
@@ -340,6 +343,7 @@ files:
 - lib/bolt/result.rb
 - lib/bolt/result_set.rb
 - lib/bolt/target.rb
+- lib/bolt/task.rb
 - lib/bolt/transport/base.rb
 - lib/bolt/transport/local.rb
 - lib/bolt/transport/local/shell.rb
@@ -353,6 +357,9 @@ files:
 - lib/bolt/util/puppet_log_level.rb
 - lib/bolt/version.rb
 - lib/bolt_ext/puppetdb_inventory.rb
+- lib/bolt_ext/server.rb
+- lib/bolt_ext/server_acl.rb
+- lib/bolt_ext/server_config.rb
 - lib/bolt_spec/plans.rb
 - lib/bolt_spec/plans/mock_executor.rb
 - lib/bolt_spec/run.rb