bolt 1.15.0 → 1.16.0

data/lib/bolt/task.rb

@@ -72,9 +72,9 @@ module Bolt
 
     # Returns a hash of implementation name, path to executable, input method (if defined),
     # and any additional files (name and path)
-    def select_implementation(target, additional_features = [])
+    def select_implementation(target, provided_features = [])
       impl = if (impls = implementations)
-               available_features = target.features + additional_features
+               available_features = target.features + provided_features
                impl = impls.find do |imp|
                  remote_impl = imp['remote']
                  remote_impl = metadata['remote'] if remote_impl.nil?

data/lib/bolt/transport/base.rb

@@ -69,8 +69,8 @@ module Bolt
 
         result = begin
                    yield
-                 rescue StandardError, NotImplementedError => ex
-                   Bolt::Result.from_exception(target, ex)
+                 rescue StandardError, NotImplementedError => e
+                   Bolt::Result.from_exception(target, e)
                  end
 
         callback&.call(type: :node_result, result: result)

data/lib/bolt/transport/docker.rb

@@ -8,7 +8,7 @@ module Bolt
   module Transport
     class Docker < Base
       def self.options
-        %w[service-url service-options tmpdir interpreters]
+        %w[host service-url service-options tmpdir interpreters]
       end
 
       def provided_features

data/lib/bolt/transport/docker/connection.rb

@@ -11,6 +11,8 @@ module Bolt
           # lazy-load expensive gem code
           require 'docker'
 
+          raise Bolt::ValidationError, "Target #{target.name} does not have a host" unless target.host
+
           @target = target
           @logger = Logging.logger[target.host]
         end

data/lib/bolt/transport/local.rb

@@ -1,196 +1,24 @@
 # frozen_string_literal: true
 
-require 'json'
-require 'fileutils'
-require 'tmpdir'
-require 'bolt/transport/base'
-require 'bolt/transport/powershell'
-require 'bolt/util'
-
 module Bolt
   module Transport
-    class Local < Base
+    class Local < Sudoable
       def self.options
-        %w[tmpdir interpreters]
-      end
-
-      def self.default_options
-        {
-          'interpreters' => { '.rb' => RbConfig.ruby }
-        }
+        %w[tmpdir interpreters sudo-password run-as run-as-command]
       end
 
       def provided_features
-        if Bolt::Util.windows?
-          ['powershell']
-        else
-          ['shell']
-        end
-      end
-
-      def default_input_method(executable)
-        input_method ||= Powershell.powershell_file?(executable) ? 'powershell' : 'both'
-        input_method
-      end
-
-      def self.validate(_options); end
-
-      def initialize
-        super
-        @conn = Shell.new
-      end
-
-      def in_tmpdir(base)
-        args = base ? [nil, base] : []
-        dir = begin
-                Dir.mktmpdir(*args)
-              rescue StandardError => e
-                raise Bolt::Node::FileError.new("Could not make tempdir: #{e.message}", 'TEMPDIR_ERROR')
-              end
-
-        yield dir
-      ensure
-        FileUtils.remove_entry dir if dir
+        ['shell']
       end
-      private :in_tmpdir
 
-      def copy_file(source, destination)
-        FileUtils.cp_r(source, destination, remove_destination: true)
-      rescue StandardError => e
-        raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
+      def self.validate(options)
+        logger = Logging.logger[self]
+        validate_sudo_options(options, logger)
       end
 
-      def with_tmpscript(script, base)
-        in_tmpdir(base) do |dir|
-          dest = File.join(dir, File.basename(script))
-          copy_file(script, dest)
-          File.chmod(0o750, dest)
-          yield dest, dir
-        end
-      end
-      private :with_tmpscript
-
-      def upload(target, source, destination, _options = {})
-        copy_file(source, destination)
-        Bolt::Result.for_upload(target, source, destination)
-      end
-
-      def run_command(target, command, _options = {})
-        in_tmpdir(target.options['tmpdir']) do |dir|
-          output = @conn.execute(command, dir: dir)
-          Bolt::Result.for_command(target,
-                                   output.stdout.string,
-                                   output.stderr.string,
-                                   output.exit_code,
-                                   'command', command)
-        end
-      end
-
-      def run_script(target, script, arguments, _options = {})
-        with_tmpscript(File.absolute_path(script), target.options['tmpdir']) do |file, dir|
-          logger.debug "Running '#{file}' with #{arguments}"
-
-          # unpack any Sensitive data AFTER we log
-          arguments = unwrap_sensitive_args(arguments)
-          if Bolt::Util.windows?
-            if Powershell.powershell_file?(file)
-              command = Powershell.run_script(arguments, file)
-              output = @conn.execute(command, dir: dir, env: "powershell.exe")
-            else
-              path, args = *Powershell.process_from_extension(file)
-              args += Powershell.escape_arguments(arguments)
-              command = args.unshift(path).join(' ')
-              output = @conn.execute(command, dir: dir)
-            end
-          else
-            if arguments.empty?
-              # We will always provide separated arguments, so work-around Open3's handling of a single
-              # argument as the entire command string for script paths containing spaces.
-              arguments = ['']
-            end
-            output = @conn.execute(file, *arguments, dir: dir)
-          end
-          Bolt::Result.for_command(target,
-                                   output.stdout.string,
-                                   output.stderr.string,
-                                   output.exit_code,
-                                   'script', script)
-        end
-      end
-
-      def run_task(target, task, arguments, _options = {})
-        implementation = select_implementation(target, task)
-        executable = implementation['path']
-        input_method = implementation['input_method']
-        extra_files = implementation['files']
-
-        in_tmpdir(target.options['tmpdir']) do |dir|
-          if extra_files.empty?
-            script = File.join(dir, File.basename(executable))
-          else
-            arguments['_installdir'] = dir
-            script_dest = File.join(dir, task.tasks_dir)
-            FileUtils.mkdir_p([script_dest] + extra_files.map { |file| File.join(dir, File.dirname(file['name'])) })
-
-            script = File.join(script_dest, File.basename(executable))
-            extra_files.each do |file|
-              dest = File.join(dir, file['name'])
-              copy_file(file['path'], dest)
-              File.chmod(0o750, dest)
-            end
-          end
-
-          copy_file(executable, script)
-          File.chmod(0o750, script)
-
-          interpreter = select_interpreter(script, target.options['interpreters'])
-          interpreter_debug = interpreter ? " using '#{interpreter}' interpreter" : nil
-          # log the arguments with sensitive data redacted, do NOT log unwrapped_arguments
-          logger.debug("Running '#{script}' with #{arguments}#{interpreter_debug}")
-          unwrapped_arguments = unwrap_sensitive_args(arguments)
-
-          stdin = STDIN_METHODS.include?(input_method) ? JSON.dump(unwrapped_arguments) : nil
-
-          if Bolt::Util.windows?
-            # WINDOWS
-            if ENVIRONMENT_METHODS.include?(input_method)
-              environment_params = envify_params(unwrapped_arguments).each_with_object([]) do |(arg, val), list|
-                list << Powershell.set_env(arg, val)
-              end
-              environment_params = environment_params.join("\n") + "\n"
-            else
-              environment_params = ""
-            end
-
-            if Powershell.powershell_file?(script) && stdin.nil?
-              command = Powershell.run_ps_task(arguments, script, input_method)
-              command = environment_params + Powershell.shell_init + command
-              interpreter ||= 'powershell.exe'
-              output =
-                if input_method == 'powershell'
-                  @conn.execute(command, dir: dir, interpreter: interpreter)
-                else
-                  @conn.execute(command, dir: dir, stdin: stdin, interpreter: interpreter)
-                end
-            end
-            unless output
-              if interpreter
-                env = ENVIRONMENT_METHODS.include?(input_method) ? envify_params(unwrapped_arguments) : nil
-                output = @conn.execute(script, stdin: stdin, env: env, dir: dir, interpreter: interpreter)
-              else
-                path, args = *Powershell.process_from_extension(script)
-                command = args.unshift(path).join(' ')
-                command = environment_params + Powershell.shell_init + command
-                output = @conn.execute(command, dir: dir, stdin: stdin, interpreter: 'powershell.exe')
-              end
-            end
-          else
-            # POSIX
-            env = ENVIRONMENT_METHODS.include?(input_method) ? envify_params(unwrapped_arguments) : nil
-            output = @conn.execute(script, stdin: stdin, env: env, dir: dir, interpreter: interpreter)
-          end
-          Bolt::Result.for_task(target, output.stdout.string, output.stderr.string, output.exit_code, task.name)
-        end
+      def with_connection(target, *_args)
+        conn = Shell.new(target)
+        yield conn
       end
 
       def connected?(_targets)

data/lib/bolt/transport/local/shell.rb

@@ -1,26 +1,216 @@
 # frozen_string_literal: true
 
 require 'open3'
+require 'fileutils'
 require 'bolt/node/output'
+require 'bolt/util'
 
 module Bolt
   module Transport
-    class Local
-      class Shell
-        def execute(*command, options)
-          command.unshift(options[:interpreter]) if options[:interpreter]
-          command = [options[:env]] + command if options[:env]
-
-          if options[:stdin]
-            stdout, stderr, rc = Open3.capture3(*command, stdin_data: options[:stdin], chdir: options[:dir])
+    class Local < Sudoable
+      class Shell < Sudoable::Connection
+        attr_accessor :user, :logger, :target
+        attr_writer :run_as
+
+        CHUNK_SIZE = 4096
+
+        def initialize(target)
+          @target = target
+          # The familiar problem: Etc.getlogin is broken on osx
+          @user = ENV['USER'] || Etc.getlogin
+          @run_as = target.options['run-as']
+          @logger = Logging.logger[self]
+        end
+
+        # If prompted for sudo password, send password to stdin and return an
+        # empty string. Otherwise, check for sudo errors and raise Bolt error.
+        # If error is not sudo-related, return the stderr string to be added to
+        # node output
+        def handle_sudo(stdin, err, pid)
+          if err.include?(Sudoable.sudo_prompt)
+            # A wild sudo prompt has appeared!
+            if @target.options['sudo-password']
+              # Hopefully no one's sudo-password is > 64kb
+              stdin.write("#{@target.options['sudo-password']}\n")
+              ''
+            else
+              raise Bolt::Node::EscalateError.new(
+                "Sudo password for user #{@user} was not provided for localhost",
+                'NO_PASSWORD'
+              )
+            end
+          else
+            handle_sudo_errors(err, pid)
+          end
+        end
+
+        def handle_sudo_errors(err, pid)
+          if err =~ /^#{@user} is not in the sudoers file\./
+            @logger.debug { err }
+            raise Bolt::Node::EscalateError.new(
+              "User #{@user} does not have sudo permission on localhost",
+              'SUDO_DENIED'
+            )
+          elsif err =~ /^Sorry, try again\./
+            @logger.debug { err }
+            # CODEREVIEW can we kill a sudo process without sudo password?
+            Process.kill('TERM', pid)
+            raise Bolt::Node::EscalateError.new(
+              "Sudo password for user #{@user} not recognized on localhost",
+              'BAD_PASSWORD'
+            )
+          else
+            # No need to raise an error - just return the string
+            err
+          end
+        end
+
+        def copy_file(source, dest)
+          if source.is_a?(StringIO)
+            File.open("tempfile", "w") { |f| f.write(source.read) }
+            execute(['mv', 'tempfile', dest])
           else
-            stdout, stderr, rc = Open3.capture3(*command, chdir: options[:dir])
+            # Mimic the behavior of `cp --remove-destination`
+            # since the flag isn't supported on MacOS
+            result = execute(['rm', '-rf', dest])
+            if result.exit_code != 0
+              message = "Could not remove existing file #{dest}: #{result.stderr.string}"
+              raise Bolt::Node::FileError.new(message, 'REMOVE_ERROR')
+            end
+
+            result = execute(['cp', '-r', source, dest])
+            if result.exit_code != 0
+              message = "Could not copy file to #{dest}: #{result.stderr.string}"
+              raise Bolt::Node::FileError.new(message, 'COPY_ERROR')
+            end
+          end
+        end
+
+        def with_tmpscript(script)
+          with_tempdir do |dir|
+            dest = File.join(dir.to_s, File.basename(script))
+            copy_file(script, dest)
+            yield dest, dir
+          end
+        end
+
+        # See if there's a sudo prompt in the output
+        # If not, return the output
+        def check_sudo(out, inp, pid)
+          buffer = out.readpartial(CHUNK_SIZE)
+          # Split on newlines, including the newline
+          lines = buffer.split(/(?<=[\n])/)
+          # handle_sudo will return the line if it is not a sudo prompt or error
+          lines.map! { |line| handle_sudo(inp, line, pid) }
+          lines.join("")
+        # If stream has reached EOF, no password prompt is expected
+        # return an empty string
+        rescue EOFError
+          ''
+        end
+
+        def execute(command, sudoable: true, **options)
+          run_as = options[:run_as] || self.run_as
+          escalate = sudoable && run_as && @user != run_as
+          use_sudo = escalate && @target.options['run-as-command'].nil?
+
+          if options[:interpreter]
+            if command.is_a?(Array)
+              command.unshift(options[:interpreter])
+            else
+              command = [options[:interpreter], command]
+            end
           end
 
+          command_str = command.is_a?(String) ? command : Shellwords.shelljoin(command)
+
+          if escalate
+            if use_sudo
+              sudo_flags = ["sudo", "-k", "-S", "-u", run_as, "-p", Sudoable.sudo_prompt]
+              sudo_flags += ["-E"] if options[:environment]
+              sudo_str = Shellwords.shelljoin(sudo_flags)
+              command_str = "#{sudo_str} #{command_str}"
+            else
+              run_as_str = Shellwords.shelljoin(@target.options['run-as-command'] + [run_as])
+              command_str = "#{run_as_str} #{command_str}"
+            end
+          end
+
+          command_arr = options[:environment].nil? ? [command_str] : [options[:environment], command_str]
+
+          # Prepare the variables!
           result_output = Bolt::Node::Output.new
-          result_output.stdout << stdout unless stdout.nil?
-          result_output.stderr << stderr unless stderr.nil?
-          result_output.exit_code = rc.exitstatus
+          in_buffer = options[:stdin] || ''
+          # Chunks of this size will be read in one iteration
+          index = 0
+          timeout = 0.1
+
+          inp, out, err, t = Open3.popen3(*command_arr)
+          read_streams = { out => String.new,
+                           err => String.new }
+          write_stream = in_buffer.empty? ? [] : [inp]
+
+          # See if there's a sudo prompt
+          if use_sudo
+            ready_read = select([err], nil, nil, timeout * 5)
+            read_streams[err] << check_sudo(err, inp, t.pid) if ready_read
+          end
+
+          # True while the process is running or waiting for IO input
+          while t.alive?
+            # See if we can read from out or err, or write to in
+            ready_read, ready_write, = select(read_streams.keys, write_stream, nil, timeout)
+
+            # Read from out and err
+            ready_read&.each do |stream|
+              begin
+                # Check for sudo prompt
+                read_streams[stream] << if use_sudo
+                                          check_sudo(stream, inp, t.pid)
+                                        else
+                                          stream.readpartial(CHUNK_SIZE)
+                                        end
+              rescue EOFError
+              end
+            end
+
+            # select will either return an empty array if there are no
+            # writable streams or nil if no IO object is available before the
+            # timeout is reached.
+            writable = if ready_write.respond_to?(:empty?)
+                         !ready_write.empty?
+                       else
+                         !ready_write.nil?
+                       end
+
+            begin
+              if writable && index < in_buffer.length
+                to_print = in_buffer[index..-1]
+                written = inp.write_nonblock to_print
+                index += written
+
+                if index >= in_buffer.length && !write_stream.empty?
+                  inp.close
+                  write_stream = []
+                end
+              end
+              # If a task has stdin as an input_method but doesn't actually
+              # read from stdin, the task may return and close the input stream
+            rescue Errno::EPIPE
+              write_stream = []
+            end
+          end
+          # Read any remaining data in the pipe. Do not wait for
+          # EOF in case the pipe is inherited by a child process.
+          read_streams.each do |stream, _|
+            begin
+              loop { read_streams[stream] << stream.read_nonblock(CHUNK_SIZE) }
+            rescue Errno::EAGAIN, EOFError
+            end
+          end
+          result_output.stdout << read_streams[out]
+          result_output.stderr << read_streams[err]
+          result_output.exit_code = t.value.exitstatus
           result_output
         end
       end