bolt 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5955d8922691cc5c2875f1614d69181289c0ba9561e6016fb8c18bcecd09391a
-  data.tar.gz: 0077fbd497fbbabf23c72a7916517b660a9c21553e8a6bc04ffaddc8cc283e53
+  metadata.gz: ca6e259cbc835ea3d8b4f5f67d2b199faf19adfeb2a2d9b0b999582b919a863a
+  data.tar.gz: 2152f34ff150aaaf2d1c0a6fb114d401ef3ddf5c2da5a739e8f2fa22ab5565cf
 SHA512:
-  metadata.gz: a92a53a9e95ff635ff3adf36e594d6ba38d130cbfd117ecfe7111404cba7f453c63e483269120ecf51d1cd1b58f96cd8bfa6087d88e4ed3c1692c7dfe804ece9
-  data.tar.gz: f2df408dcd301c87b0d598b0f5848576b832a815f2bf13aa5784e85a2384a098b3a34a0b12e3b7b1d80292e334913ab553848826a52e712cb563fc3814abc24d
+  metadata.gz: 69fe10cdd01be7f4965a8e6cca73aa9c65f449b94bb35909399839ca4c506107b611df43f3a0e27fe9fce896d3e63261f3dc90ce329d257583ff427e6c712eb3
+  data.tar.gz: 400b7ef4c9b01ad6c5464481ac73f5c3b7774e25aa6780f1aa404e3e6504091c57828d9a0bdaf7a3f4effecd08ff1b35cae4dd8e5b7dd6b6329267805ce0ef77

data/lib/bolt/applicator.rb

@@ -133,7 +133,13 @@ module Bolt
       %w[trusted server_facts facts].each { |k| plan_vars.delete(k) }
 
       targets = @inventory.get_targets(args[0])
+
       ast = Puppet::Pops::Serialization::ToDataConverter.convert(apply_body, rich_data: true, symbol_to_string: true)
+
+      apply_ast(ast, targets, options, plan_vars)
+    end
+
+    def apply_ast(ast, targets, options, plan_vars = {})
       notify = proc { |_| nil }
 
       r = @executor.log_action('apply catalog', targets) do

data/lib/bolt/bolt_option_parser.rb

@@ -30,6 +30,7 @@ Available subcommands:
   bolt plan show                   Show list of available plans
   bolt plan show <plan>            Show details for plan
   bolt plan run <plan> [params]    Run a Puppet task plan
+  bolt apply <manifest>            Apply Puppet manifest code
   bolt puppetfile install          Install modules from a Puppetfile into a Boltdir
 
 Run `bolt <subcommand> --help` to view specific examples.
@@ -107,6 +108,13 @@ Install modules into the local Boltdir
 Available options are:
     HELP
 
+    APPLY_HELP = <<-HELP
+Usage: bolt apply <manifest.pp> [options]
+
+#{examples('apply site.pp', 'apply a manifest on')}
+  bolt apply site.pp --nodes foo.example.com,bar.example.com
+    HELP
+
     # A helper mixin for OptionParser::Switch instances which will allow
     # us to show/hide particular switch in the help message produced by
     # the OptionParser#help method on demand.
@@ -150,6 +158,10 @@ Available options are:
              "Parameters to a task or plan as json, a json file '@<file>', or on stdin '-'") do |params|
         @options[:task_options] = parse_params(params)
       end
+      @execute = define('-e', '--execute CODE',
+                        "Puppet manifest code to apply to the targets") do |code|
+        @options[:code] = code
+      end.extend(SwitchHider)
 
       separator 'Authentication:'
       define('-u', '--user USER', 'User to authenticate as') do |user|
@@ -270,6 +282,8 @@ Available options are:
     def update
       # show the --nodes and --query switches by default
       @nodes.hide = @query.hide = false
+      # Don't show the --execute switch except for `apply`
+      @execute.hide = true
 
       # Update the banner according to the subcommand
       self.banner = case @options[:subcommand]
@@ -287,6 +301,9 @@ Available options are:
                       FILE_HELP
                     when 'puppetfile'
                       PUPPETFILE_HELP
+                    when 'apply'
+                      @execute.hide = false
+                      APPLY_HELP
                     else
                       BANNER
                     end

data/lib/bolt/catalog.rb

@@ -33,11 +33,11 @@ module Bolt
       end
     end
 
-    def generate_ast(code)
+    def generate_ast(code, filename = nil)
       with_puppet_settings do
         Puppet::Pal.in_tmp_environment("bolt_parse") do |pal|
           pal.with_catalog_compiler do |compiler|
-            ast = compiler.parse_string(code)
+            ast = compiler.parse_string(code, filename)
             Puppet::Pops::Serialization::ToDataConverter.convert(ast,
                                                                  rich_data: true,
                                                                  symbol_to_string: true)

data/lib/bolt/cli.rb

@@ -9,7 +9,6 @@ require 'json'
 require 'io/console'
 require 'logging'
 require 'optparse'
-require 'r10k/action/puppetfile/install'
 require 'bolt/analytics'
 require 'bolt/bolt_option_parser'
 require 'bolt/config'
@@ -20,19 +19,19 @@ require 'bolt/logger'
 require 'bolt/outputter'
 require 'bolt/puppetdb'
 require 'bolt/pal'
-require 'bolt/r10k_log_proxy'
 require 'bolt/target'
 require 'bolt/version'
 
 module Bolt
   class CLIExit < StandardError; end
   class CLI
-    COMMANDS = { 'command'    => %w[run],
-                 'script'     => %w[run],
-                 'task'       => %w[show run],
-                 'plan'       => %w[show run],
-                 'file'       => %w[upload],
-                 'puppetfile' => %w[install] }.freeze
+    COMMANDS = { 'command' => %w[run],
+                 'script' => %w[run],
+                 'task' => %w[show run],
+                 'plan' => %w[show run],
+                 'file' => %w[upload],
+                 'puppetfile' => %w[install],
+                 'apply' => %w[] }.freeze
 
     attr_reader :config, :options
 
@@ -80,7 +79,10 @@ module Bolt
 
       # This section handles parsing non-flag options which are
       # subcommand specific rather then part of the config
-      options[:action] = remaining.shift
+      actions = COMMANDS[options[:subcommand]]
+      if actions && !actions.empty?
+        options[:action] = remaining.shift
+      end
       options[:object] = remaining.shift
 
       task_options, remaining = remaining.partition { |s| s =~ /.+=/ }
@@ -140,16 +142,18 @@ module Bolt
               "#{COMMANDS.keys.join(', ')}"
       end
 
-      if options[:action].nil?
-        raise Bolt::CLIError,
-              "Expected an action of the form 'bolt #{options[:subcommand]} <action>'"
-      end
-
       actions = COMMANDS[options[:subcommand]]
-      unless actions.include?(options[:action])
-        raise Bolt::CLIError,
-              "Expected action '#{options[:action]}' to be one of " \
-              "#{actions.join(', ')}"
+      if actions.any?
+        if options[:action].nil?
+          raise Bolt::CLIError,
+                "Expected an action of the form 'bolt #{options[:subcommand]} <action>'"
+        end
+
+        unless actions.include?(options[:action])
+          raise Bolt::CLIError,
+                "Expected action '#{options[:action]}' to be one of " \
+                "#{actions.join(', ')}"
+        end
       end
 
       if options[:subcommand] != 'file' && options[:subcommand] != 'script' &&
@@ -181,9 +185,18 @@ module Bolt
         raise Bolt::CLIError, "Only one of '--boltdir' or '--configfile' may be specified"
       end
 
-      if options[:noop] && (options[:subcommand] != 'task' || options[:action] != 'run')
+      if options[:noop] &&
+         !(options[:subcommand] == 'task' && options[:action] == 'run') && options[:subcommand] != 'apply'
         raise Bolt::CLIError,
-              "Option '--noop' may only be specified when running a task"
+              "Option '--noop' may only be specified when running a task or applying manifest code"
+      end
+
+      if options[:subcommand] == 'apply' && (options[:object] && options[:code])
+        raise Bolt::CLIError, "--execute is unsupported when specifying a manifest file"
+      end
+
+      if options[:subcommand] == 'apply' && (!options[:object] && !options[:code])
+        raise Bolt::CLIError, "a manifest file or --execute is required"
       end
     end
 
@@ -254,10 +267,17 @@ module Bolt
         options[:task_options] = pal.parse_params(options[:subcommand], options[:object], options[:task_options])
       end
 
-      if options[:subcommand] == 'plan'
+      case options[:subcommand]
+      when 'plan'
         code = run_plan(options[:object], options[:task_options], options[:nodes], options)
-      elsif options[:subcommand] == 'puppetfile'
+      when 'puppetfile'
         code = install_puppetfile(@config.puppetfile, @config.modulepath)
+      when 'apply'
+        if options[:object]
+          validate_file('manifest', options[:object])
+          options[:code] = File.read(File.expand_path(options[:object]))
+        end
+        code = apply_manifest(options[:code], options[:targets], options[:object], options[:noop])
       else
         executor = Bolt::Executor.new(config.concurrency, @analytics, options[:noop], bundled_content: bundled_content)
         targets = options[:targets]
@@ -364,7 +384,30 @@ module Bolt
       result.ok? ? 0 : 1
     end
 
+    def apply_manifest(code, targets, filename = nil, noop = false)
+      ast = pal.parse_manifest(code, filename)
+
+      executor = Bolt::Executor.new(config.concurrency, @analytics, noop, bundled_content: bundled_content)
+      # Call start_plan just to enable plan_logging
+      executor.start_plan(nil)
+
+      pal.in_plan_compiler(executor, inventory, puppetdb_client) do |compiler|
+        compiler.call_function('apply_prep', targets)
+      end
+
+      results = pal.with_bolt_executor(executor, inventory, puppetdb_client) do
+        Puppet.lookup(:apply_executor).apply_ast(ast, targets, '_catch_errors' => true, '_noop' => noop)
+      end
+
+      outputter.print_apply_result(results)
+
+      results.ok ? 0 : 1
+    end
+
     def install_puppetfile(puppetfile, modulepath)
+      require 'r10k/action/puppetfile/install'
+      require 'bolt/r10k_log_proxy'
+
       if puppetfile.exist?
         moduledir = modulepath.first.to_s
         r10k_config = {

data/lib/bolt/error.rb

@@ -17,7 +17,7 @@ module Bolt
     end
 
     def to_h
-      h = { 'kind' =>  kind,
+      h = { 'kind' => kind,
             'msg' => message,
             'details' => details }
       h['issue_code'] = issue_code if issue_code
@@ -53,7 +53,7 @@ module Bolt
     def initialize(result_set, action, object)
       details = {
         'action' => action,
-        'object' =>  object,
+        'object' => object,
         'result_set' => result_set
       }
       message = "Plan aborted: #{action} '#{object}' failed on #{result_set.error_set.length} nodes"

data/lib/bolt/inventory/group.rb

@@ -118,19 +118,19 @@ module Bolt
       end
 
       def group_data
-        { 'config'   => @config,
-          'vars'     => @vars,
-          'facts'    => @facts,
+        { 'config' => @config,
+          'vars' => @vars,
+          'facts' => @facts,
           'features' => @features,
-          'groups'   => [@name] }
+          'groups' => [@name] }
       end
 
       def empty_data
-        { 'config'   => {},
-          'vars'     => {},
-          'facts'    => {},
+        { 'config' => {},
+          'vars' => {},
+          'facts' => {},
           'features' => [],
-          'groups'   => [] }
+          'groups' => [] }
       end
 
       def data_merge(data1, data2)
@@ -143,8 +143,8 @@ module Bolt
           # Shallow merge instead of deep merge so that vars with a hash value
           # are assigned a new hash, rather than merging the existing value
           # with the value meant to replace it
-          'vars'   => data1['vars'].merge(data2['vars']),
-          'facts'  => Bolt::Util.deep_merge(data1['facts'], data2['facts']),
+          'vars' => data1['vars'].merge(data2['vars']),
+          'facts' => Bolt::Util.deep_merge(data1['facts'], data2['facts']),
           'features' => data1['features'] | data2['features'],
           'groups' => data2['groups'] + data1['groups']
         }

data/lib/bolt/outputter/human.rb

@@ -177,6 +177,12 @@ module Bolt
         @stream.puts(plan_info)
       end
 
+      # @param [Bolt::ResultSet] apply_result A ResultSet object representing the result of a `bolt apply`
+      def print_apply_result(apply_result)
+        apply_result.each { |result| print_result(result) }
+        print_summary(apply_result)
+      end
+
       # @param [Bolt::PlanResult] plan_result A PlanResult object
       def print_plan_result(plan_result)
         value = plan_result.value

data/lib/bolt/outputter/json.rb

@@ -63,6 +63,10 @@ module Bolt
         @stream.puts plan.to_json
       end
 
+      def print_apply_result(apply_result)
+        @stream.puts apply_result.to_json
+      end
+
       def print_plan_result(result)
         # Ruby JSON patches most objects to have a to_json method.
         @stream.puts result.to_json

data/lib/bolt/pal.rb

@@ -57,6 +57,7 @@ module Bolt
 
     # Puppet logging is global so this is class method to avoid confusion
     def self.configure_logging
+      Puppet::Util::Log.destinations.clear
       Puppet::Util::Log.newdestination(Logging.logger['Puppet'])
       # Defer all log level decisions to the Logging library by telling Puppet
       # to log everything
@@ -176,6 +177,15 @@ module Bolt
       end
     end
 
+    # Parses a snippet of Puppet manifest code and returns the AST represented
+    # in JSON.
+    def parse_manifest(code, filename)
+      raw_ast = Puppet::Pops::Parser::EvaluatingParser.new.parse_string(code, filename)
+      Puppet::Pops::Serialization::ToDataConverter.convert(raw_ast, rich_data: true, symbol_to_string: true)
+    rescue Puppet::Error => e
+      raise Bolt::PAL::PALError, "Failed to parse manifest: #{e}"
+    end
+
     def list_tasks
       in_bolt_compiler do |compiler|
         tasks = compiler.list_tasks

data/lib/bolt/target.rb

@@ -8,6 +8,8 @@ module Bolt
     attr_reader :uri, :options
     attr_writer :inventory
 
+    PRINT_OPTS ||= %w[host user port protocol].freeze
+
     # Satisfies the Puppet datatypes API
     def self.from_asserted_hash(hash)
       new(hash['uri'], hash['options'])
@@ -79,7 +81,8 @@ module Bolt
     end
 
     def to_s
-      "Target('#{@uri}', #{@options})"
+      opts = @options.select { |k, _| PRINT_OPTS.include? k }
+      "Target('#{@uri}', #{opts})"
     end
 
     def host

data/lib/bolt/task/puppet_server.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'bolt/task'
+
+module Bolt
+  class Task
+    class PuppetServer < Bolt::Task
+      def initialize(task_data, file_cache)
+        @file_cache = file_cache
+        task_data = update_file_data(task_data)
+        super(task_data)
+      end
+
+      # puppetserver file entries have 'filename' rather then 'name'
+      def update_file_data(task_data)
+        task_data['files'].each { |f| f['name'] = f['filename'] }
+        task_data
+      end
+
+      # Compute local path and download files from puppetserver as needed
+      def file_path(file_name)
+        file = file_map[file_name]
+        file['path'] ||= @file_cache.update_file(file)
+      end
+    end
+  end
+end

data/lib/bolt/task.rb

@@ -32,26 +32,39 @@ module Bolt
       metadata['supports_noop']
     end
 
+    def module_name
+      name.split('::').first
+    end
+
+    def tasks_dir
+      File.join(module_name, 'tasks')
+    end
+
     def file_map
-      @file_map ||= files.each_with_object({}) { |file, hsh| hsh[file['name']] = file['path'] }
+      @file_map ||= files.each_with_object({}) { |file, hsh| hsh[file['name']] = file }
     end
     private :file_map
 
+    # This provides a method we can override in subclasses if the 'path' needs
+    # to be fetched or computed.
+    def file_path(file_name)
+      file_map[file_name]['path']
+    end
+
     # Returns a hash of implementation name, path to executable, input method (if defined),
     # and any additional files (name and path)
     def select_implementation(target, additional_features = [])
-      raise 'select_implementation only supported with multiple files' if files.nil? || files.empty?
-
       impl = if (impls = metadata['implementations'])
                available_features = target.features + additional_features
                impl = impls.find { |imp| Set.new(imp['requirements']).subset?(available_features) }
                raise "No suitable implementation of #{name} for #{target.name}" unless impl
                impl = impl.dup
-               impl['path'] = file_map[impl['name']]
+               impl['path'] = file_path(impl['name'])
                impl.delete('requirements')
                impl
              else
-               files.first.dup
+               name = files.first['name']
+               { 'name' => name, 'path' => file_path(name) }
              end
 
       inmethod = impl['input_method'] || metadata['input_method']
@@ -60,15 +73,16 @@ module Bolt
       mfiles = impl.fetch('files', []) + metadata.fetch('files', [])
       dirnames, filenames = mfiles.partition { |file| file.end_with?('/') }
       impl['files'] = filenames.map do |file|
-        path = file_map[file]
+        path = file_path(file)
         raise "No file found for reference #{file}" if path.nil?
         { 'name' => file, 'path' => path }
       end
 
       unless dirnames.empty?
         files.each do |file|
-          if dirnames.any? { |dirname| file['name'].start_with?(dirname) }
-            impl['files'] << file
+          name = file['name']
+          if dirnames.any? { |dirname| name.start_with?(dirname) }
+            impl['files'] << { 'name' => name, 'path' => file_path(name) }
           end
         end
       end

data/lib/bolt/transport/base.rb

@@ -162,10 +162,6 @@ module Bolt
         targets.map { |target| [target] }
       end
 
-      def from_api?(task)
-        !task.file.nil?
-      end
-
       # Transports should override this method with their own implementation of running a command.
       def run_command(*_args)
         raise NotImplementedError, "run_command() must be implemented by the transport class"

data/lib/bolt/transport/local.rb

@@ -85,17 +85,25 @@ module Bolt
         input_method = implementation['input_method'] || 'both'
         extra_files = implementation['files']
 
-        with_tmpscript(executable, target.options['tmpdir']) do |script, dir|
-          unless extra_files.empty?
-            installdir = File.join(dir, '_installdir')
-            arguments['_installdir'] = installdir
-            FileUtils.mkdir_p(extra_files.map { |file| File.join(installdir, File.dirname(file['name'])) })
-
+        in_tmpdir(target.options['tmpdir']) do |dir|
+          if extra_files.empty?
+            script = File.join(dir, File.basename(executable))
+          else
+            arguments['_installdir'] = dir
+            script_dest = File.join(dir, task.tasks_dir)
+            FileUtils.mkdir_p([script_dest] + extra_files.map { |file| File.join(dir, File.dirname(file['name'])) })
+
+            script = File.join(script_dest, File.basename(executable))
             extra_files.each do |file|
-              copy_file(file['path'], File.join(installdir, file['name']))
+              dest = File.join(dir, file['name'])
+              copy_file(file['path'], dest)
+              File.chmod(0o750, dest)
             end
           end
 
+          copy_file(executable, script)
+          File.chmod(0o750, script)
+
           # unpack any Sensitive data, write it to a separate variable because
           # we log 'arguments' below
           unwrapped_arguments = unwrap_sensitive_args(arguments)

data/lib/bolt/transport/ssh.rb

@@ -122,17 +122,10 @@ module Bolt
       end
 
       def run_task(target, task, arguments, options = {})
-        if from_api?(task)
-          executable = task.file['filename']
-          file_content = Base64.decode64(task.file['file_content'])
-          input_method = task.metadata['input_method']
-          extra_files = []
-        else
-          implementation = task.select_implementation(target, PROVIDED_FEATURES)
-          executable = implementation['path']
-          input_method = implementation['input_method']
-          extra_files = implementation['files']
-        end
+        implementation = task.select_implementation(target, PROVIDED_FEATURES)
+        executable = implementation['path']
+        input_method = implementation['input_method']
+        extra_files = implementation['files']
         input_method ||= 'both'
 
         # unpack any Sensitive data
@@ -144,22 +137,20 @@ module Bolt
             execute_options = {}
 
             conn.with_remote_tempdir do |dir|
-              remote_task_path = if from_api?(task)
-                                   conn.write_executable_from_content(dir, file_content, executable)
-                                 else
-                                   conn.write_remote_executable(dir, executable)
-                                 end
-
-              unless extra_files.empty?
+              if extra_files.empty?
+                task_dir = dir
+              else
                 # TODO: optimize upload of directories
-                installdir = File.join(dir.to_s, '_installdir')
-                arguments['_installdir'] = installdir
-                dir.mkdirs(extra_files.map { |file| File.join('_installdir', File.dirname(file['name'])) })
+                arguments['_installdir'] = dir.to_s
+                task_dir = File.join(dir.to_s, task.tasks_dir)
+                dir.mkdirs([task.tasks_dir] + extra_files.map { |file| File.dirname(file['name']) })
                 extra_files.each do |file|
-                  conn.write_remote_file(file['path'], File.join(installdir, file['name']))
+                  conn.write_remote_file(file['path'], File.join(dir.to_s, file['name']))
                 end
               end
 
+              remote_task_path = conn.write_remote_executable(task_dir, executable)
+
               if STDIN_METHODS.include?(input_method)
                 stdin = JSON.dump(arguments)
               end

data/lib/bolt/transport/winrm.rb

@@ -108,39 +108,30 @@ catch
       end
 
       def run_task(target, task, arguments, _options = {})
-        if from_api?(task)
-          executable = task.file['filename']
-          file_content = StringIO.new(Base64.decode64(task.file['file_content']))
-          input_method = task.metadata['input_method']
-          extra_files = []
-        else
-          implementation = task.select_implementation(target, PROVIDED_FEATURES)
-          executable = implementation['path']
-          input_method = implementation['input_method']
-          extra_files = implementation['files']
-        end
+        implementation = task.select_implementation(target, PROVIDED_FEATURES)
+        executable = implementation['path']
+        input_method = implementation['input_method']
+        extra_files = implementation['files']
         input_method ||= powershell_file?(executable) ? 'powershell' : 'both'
 
         # unpack any Sensitive data
         arguments = unwrap_sensitive_args(arguments)
         with_connection(target) do |conn|
           conn.with_remote_tempdir do |dir|
-            remote_task_path = if from_api?(task)
-                                 conn.write_executable_from_content(dir, file_content, executable)
-                               else
-                                 conn.write_remote_executable(dir, executable)
-                               end
-
-            unless extra_files.empty?
+            if extra_files.empty?
+              task_dir = dir
+            else
               # TODO: optimize upload of directories
-              installdir = File.join(dir, '_installdir')
-              arguments['_installdir'] = installdir
-              conn.mkdirs(extra_files.map { |file| File.join(installdir, File.dirname(file['name'])) })
+              arguments['_installdir'] = dir
+              task_dir = File.join(dir, task.tasks_dir)
+              conn.mkdirs([task_dir] + extra_files.map { |file| File.join(dir, File.dirname(file['name'])) })
               extra_files.each do |file|
-                conn.write_remote_file(file['path'], File.join(installdir, file['name']))
+                conn.write_remote_file(file['path'], File.join(dir, file['name']))
               end
             end
 
+            remote_task_path = conn.write_remote_executable(task_dir, executable)
+
             if STDIN_METHODS.include?(input_method)
               stdin = JSON.dump(arguments)
             end

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '1.1.0'
+  VERSION = '1.2.0'
 end

data/lib/bolt_server/acl.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rails/auth/rack'
+
+module BoltServer
+  class ACL < Rails::Auth::ErrorPage::Middleware
+    class X509Matcher
+      def initialize(options)
+        @options = options.freeze
+      end
+
+      def match(env)
+        certificate = Rails::Auth::X509::Certificate.new(env['puma.peercert'])
+        # This can be extended fairly easily to search OpenSSL::X509::Certificate#extensions for subjectAltNames.
+        @options.all? { |name, value| certificate[name] == value }
+      end
+    end
+
+    def initialize(app, whitelist)
+      acls = []
+      whitelist.each do |entry|
+        acls << {
+          'resources' => [
+            {
+              'method' => 'ALL',
+              'path' => '/.*'
+            }
+          ],
+          'allow_x509_subject' => {
+            'cn' => entry
+          }
+        }
+      end
+      acl = Rails::Auth::ACL.new(acls, matchers: { allow_x509_subject: X509Matcher })
+      mid = Rails::Auth::ACL::Middleware.new(app, acl: acl)
+      super(mid, page_body: 'Access denied')
+    end
+  end
+end