bolt 1.23.0 → 1.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0387b7b6348b7003f02a2433a92e90c73464ac6a7d1cf135c847142bc44cb52
-  data.tar.gz: 502dc3c14c15925ff40604763b4cf5dc1e83d222e37b6c0a47cb5827f696e236
+  metadata.gz: cc4db252a26ca2d1f05bddfa9b4affaece04baf3d2324e37b29e7f3579301640
+  data.tar.gz: 963c29e99b6389113a6ed9e8bc1bbe5209d5b7f9a1d0492f0d56af5a88d25f17
 SHA512:
-  metadata.gz: 8c89fe321fc1c14d00cc011fa346241aa140d5da3cce8f6ea9624e46df8e35a61a5cc4055371d94b61b2d53c46868f1a8dcbdf69ac1f05e065955b65ad36c3dd
-  data.tar.gz: 4a1ed6da115e53825f75f5a27a7452e57037874d0665244d8bf2a35aa7ab591765bbc8a879d3bbcf8737b20500b29dca1a60f7a46860bc22a71047f48a248fe9
+  metadata.gz: 11d6586b4ee6b03471749c629fc1ac2c342025b707b5bf443044f7f01ee930d1ab1c678655e827452c800df149e998d0b256e4f11e5bae194cd88eba6eb5847b
+  data.tar.gz: 9775e66c5a65810e72e129787976f98d7725f64a293ccf80237372c90b8db149ca94d991afbc0779d26dab228e3c9a72ac884ad32b1d180c33a03582c57aeab0

data/bolt-modules/boltlib/lib/puppet/functions/run_plan.rb

@@ -6,6 +6,7 @@ require 'bolt/error'
 #
 # **NOTE:** Not available in apply block
 Puppet::Functions.create_function(:run_plan, Puppet::Functions::InternalFunction) do
+  # Run a plan
   # @param plan_name The plan to run.
   # @param named_args Arguments to the plan. Can also include additional options: '_catch_errors', '_run_as'.
   # @return [PlanResult] The result of running the plan. Undef if plan does not explicitly return results.
@@ -18,6 +19,31 @@ Puppet::Functions.create_function(:run_plan, Puppet::Functions::InternalFunction
     return_type 'Boltlib::PlanResult'
   end
 
+  # Run a plan, specifying $nodes as a positional argument.
+  # @param plan_name The plan to run.
+  # @param named_args Arguments to the plan. Can also include additional options: '_catch_errors', '_run_as'.
+  # @param targets A pattern identifying zero or more targets. See {get_targets} for accepted patterns.
+  # @return [PlanResult] The result of running the plan. Undef if plan does not explicitly return results.
+  # @example Run a plan
+  #   run_plan('canary', $nodes, 'command' => 'false')
+  dispatch :run_plan_with_targetspec do
+    scope_param
+    param 'String', :plan_name
+    param 'Boltlib::TargetSpec', :targets
+    optional_param 'Hash', :named_args
+    return_type 'Boltlib::PlanResult'
+  end
+
+  def run_plan_with_targetspec(scope, plan_name, targets, named_args = {})
+    unless named_args['nodes'].nil?
+      raise ArgumentError,
+            "A plan's 'nodes' parameter may be specified as the second positional argument to " \
+            "run_plan(), but in that case 'nodes' must not be specified in the named arguments " \
+            "hash."
+    end
+    run_plan(scope, plan_name, named_args.merge('nodes' => targets))
+  end
+
   def run_plan(scope, plan_name, named_args = {})
     unless Puppet[:tasks]
       raise Puppet::ParseErrorWithIssue

data/lib/bolt/bolt_option_parser.rb

@@ -6,6 +6,79 @@ require 'optparse'
 
 module Bolt
   class BoltOptionParser < OptionParser
+    OPTIONS = { inventory: %w[nodes targets query rerun description],
+                authentication: %w[user password private-key host-key-check ssl ssl-verify],
+                escalation: %w[run-as sudo-password],
+                run_context: %w[concurrency inventoryfile save-rerun],
+                global_config_setters: %w[modulepath boltdir configfile],
+                transports: %w[transport connect-timeout tty],
+                display: %w[format color verbose trace],
+                global: %w[help version debug] }.freeze
+
+    ACTION_OPTS = OPTIONS.values.flatten.freeze
+
+    def get_help_text(subcommand, action = nil)
+      case subcommand
+      when 'apply'
+        { flags: ACTION_OPTS + %w[noop execute compile-concurrency],
+          banner: APPLY_HELP }
+      when 'command'
+        { flags: ACTION_OPTS,
+          banner: COMMAND_HELP }
+      when 'file'
+        { flags: ACTION_OPTS + %w[tmpdir],
+          banner: FILE_HELP }
+      when 'plan'
+        case action
+        when 'convert'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: PLAN_CONVERT_HELP }
+        when 'show'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: PLAN_SHOW_HELP }
+        when 'run'
+          { flags: ACTION_OPTS + %w[params compile-concurrency tmpdir],
+            banner: PLAN_RUN_HELP }
+        else
+          { flags: ACTION_OPTS + %w[params compile-concurrency tmpdir],
+            banner: PLAN_HELP }
+        end
+      when 'puppetfile'
+        case action
+        when 'install'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: PUPPETFILE_INSTALL_HELP }
+        when 'show-modules'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: PUPPETFILE_SHOWMODULES_HELP }
+        else
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: PUPPETFILE_HELP }
+        end
+      when 'script'
+        { flags: ACTION_OPTS + %w[tmpdir],
+          banner: SCRIPT_HELP }
+      when 'secret'
+        { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+          banner: SECRET_HELP }
+      when 'task'
+        case action
+        when 'show'
+          { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+            banner: TASK_SHOW_HELP }
+        when 'run'
+          { flags: ACTION_OPTS + %w[params tmpdir],
+            banner: TASK_RUN_HELP }
+        else
+          { flags: ACTION_OPTS + %w[params tmpdir],
+            banner: TASK_HELP }
+        end
+      else
+        { flags: OPTIONS[:global],
+          banner: BANNER }
+      end
+    end
+
     def self.examples(cmd, desc)
       <<-EXAMP
 #{desc} a Windows host via WinRM, providing for the password
@@ -18,7 +91,7 @@ EXAMP
     end
 
     BANNER = <<-HELP
-Usage: bolt <subcommand> <action> [options]
+Usage: bolt <subcommand> <action>
 
 Available subcommands:
   bolt command run <command>       Run a command remotely
@@ -34,19 +107,41 @@ Available subcommands:
   bolt apply <manifest>            Apply Puppet manifest code
   bolt puppetfile install          Install modules from a Puppetfile into a Boltdir
   bolt puppetfile show-modules     List modules available to Bolt
+  bolt secret createkeys           Create new encryption keys
+  bolt secret encrypt <plaintext>  Encrypt a value
+  bolt secret decrypt <encrypted>  Decrypt a value
 
 Run `bolt <subcommand> --help` to view specific examples.
 
-where [options] are:
+Available options are:
     HELP
 
     TASK_HELP = <<-HELP
-Usage: bolt task <action> <task> [options] [parameters]
+Usage: bolt task <action> <task> [parameters]
 
 Available actions are:
   show                             Show list of available tasks
   show <task>                      Show documentation for task
-  run                              Run a Puppet task
+  run <task>                       Run a Puppet task
+
+Parameters are of the form <parameter>=<value>.
+
+#{examples('task run facts', 'run facter on')}
+Available options are:
+    HELP
+
+    TASK_SHOW_HELP = <<-HELP
+Usage: bolt task show <task>
+
+Available actions are:
+  show                             Show list of available tasks
+  show <task>                      Show documentation for task
+
+Available options are:
+    HELP
+
+    TASK_RUN_HELP = <<-HELP
+Usage: bolt task run <task> [parameters]
 
 Parameters are of the form <parameter>=<value>.
 
@@ -55,7 +150,7 @@ Available options are:
     HELP
 
     COMMAND_HELP = <<-HELP
-Usage: bolt command <action> <command> [options]
+Usage: bolt command <action> <command>
 
 Available actions are:
   run                              Run a command remotely
@@ -65,7 +160,7 @@ Available options are:
     HELP
 
     SCRIPT_HELP = <<-HELP
-Usage: bolt script <action> <script> [[arg1] ... [argN]] [options]
+Usage: bolt script <action> <script> [[arg1] ... [argN]]
 
 Available actions are:
   run                              Upload a local script and run it remotely
@@ -75,7 +170,7 @@ Available options are:
     HELP
 
     PLAN_HELP = <<-HELP
-Usage: bolt plan <action> <plan> [options] [parameters]
+Usage: bolt plan <action> <plan> [parameters]
 
 Available actions are:
   convert <plan_path>              Convert a YAML plan to a Puppet plan
@@ -85,12 +180,37 @@ Available actions are:
 
 Parameters are of the form <parameter>=<value>.
 
+#{examples('plan run canary command=hostname', 'run the canary plan on')}
+Available options are:
+    HELP
+
+    PLAN_CONVERT_HELP = <<-HELP
+Usage: bolt plan convert <plan_path>
+
+Available options are:
+    HELP
+
+    PLAN_SHOW_HELP = <<-HELP
+Usage: bolt plan show <plan>
+
+Available actions are:
+  show                             Show list of available plans
+  show <plan>                      Show details for plan
+
+Available options are:
+    HELP
+
+    PLAN_RUN_HELP = <<-HELP
+Usage: bolt plan run <plan> [parameters]
+
+Parameters are of the form <parameter>=<value>.
+
 #{examples('plan run canary command=hostname', 'run the canary plan on')}
 Available options are:
     HELP
 
     FILE_HELP = <<-HELP
-Usage: bolt file <action> [options]
+Usage: bolt file <action>
 
 Available actions are:
   upload <src> <dest>              Upload local file or directory <src> to <dest> on each node
@@ -100,7 +220,7 @@ Available options are:
     HELP
 
     PUPPETFILE_HELP = <<-HELP
-Usage: bolt puppetfile <action> [options]
+Usage: bolt puppetfile <action>
 
 Available actions are:
   install                          Install modules from a Puppetfile into a Boltdir
@@ -109,60 +229,75 @@ Available actions are:
 Install modules into the local Boltdir
   bolt puppetfile install
 
+Available options are:
+    HELP
+
+    PUPPETFILE_INSTALL_HELP = <<-HELP
+Usage: bolt puppetfile install
+
+Install modules into the local Boltdir
+  bolt puppetfile install
+
+Available options are:
+    HELP
+
+    PUPPETFILE_SHOWMODULES_HELP = <<-HELP
+Usage: bolt puppetfile show-modules
+
 Available options are:
     HELP
 
     APPLY_HELP = <<-HELP
-Usage: bolt apply <manifest.pp> [options]
+Usage: bolt apply <manifest.pp>
 
 #{examples('apply site.pp', 'apply a manifest on')}
   bolt apply site.pp --nodes foo.example.com,bar.example.com
+
+Available options are:
     HELP
 
-    # A helper mixin for OptionParser::Switch instances which will allow
-    # us to show/hide particular switch in the help message produced by
-    # the OptionParser#help method on demand.
-    module SwitchHider
-      attr_accessor :hide
+    SECRET_HELP = <<~SECRET_HELP
+      Manage secrets for inventory and hiera data.
 
-      def summarize(*args)
-        return self if hide
-        super
-      end
-    end
+      Available actions are:
+        createkeys               Create new encryption keys
+        encrypt                  Encrypt a value
+        decrypt                  Decrypt a value
+      Available options are:
+    SECRET_HELP
 
     def initialize(options)
       super()
 
       @options = options
 
-      @nodes = define('-n', '--nodes NODES',
-                      'Alias for --targets') do |nodes|
+      define('-n', '--nodes NODES',
+             'Alias for --targets') do |nodes|
         @options [:nodes] ||= []
         @options[:nodes] << get_arg_input(nodes)
-      end.extend(SwitchHider)
-      @targets = define('-t', '--targets TARGETS',
-                        'Identifies the targets of command.',
-                        'Enter a comma-separated list of target URIs or group names.',
-                        "Or read a target list from an input file '@<file>' or stdin '-'.",
-                        'Example: --targets localhost,node_group,ssh://nix.com:23,winrm://windows.puppet.com',
-                        'URI format is [protocol://]host[:port]',
-                        "SSH is the default protocol; may be #{TRANSPORTS.keys.join(', ')}",
-                        'For Windows targets, specify the winrm:// protocol if it has not be configured',
-                        'For SSH, port defaults to `22`',
-                        'For WinRM, port defaults to `5985` or `5986` based on the --[no-]ssl setting') do |targets|
+      end
+      define('-t', '--targets TARGETS',
+             'Identifies the targets of command.',
+             'Enter a comma-separated list of target URIs or group names.',
+             "Or read a target list from an input file '@<file>' or stdin '-'.",
+             'Example: --targets localhost,node_group,ssh://nix.com:23,winrm://windows.puppet.com',
+             'URI format is [protocol://]host[:port]',
+             "SSH is the default protocol; may be #{TRANSPORTS.keys.join(', ')}",
+             'For Windows targets, specify the winrm:// protocol if it has not be configured',
+             'For SSH, port defaults to `22`',
+             'For WinRM, port defaults to `5985` or `5986` based on the --[no-]ssl setting') do |targets|
         @options[:targets] ||= []
         @options[:targets] << get_arg_input(targets)
-      end.extend(SwitchHider)
-      @query = define('-q', '--query QUERY', 'Query PuppetDB to determine the targets') do |query|
+      end
+      define('-q', '--query QUERY', 'Query PuppetDB to determine the targets') do |query|
         @options[:query] = query
-      end.extend(SwitchHider)
-      @rerun = define('--rerun FILTER', 'Retry on nodes from the last run',
-                      "'all' all nodes that were part of the last run.",
-                      "'failure' nodes that failed in the last run.",
-                      "'success' nodes that succeeded in the last run.") do |rerun|
+      end
+      define('--rerun FILTER', 'Retry on nodes from the last run',
+             "'all' all nodes that were part of the last run.",
+             "'failure' nodes that failed in the last run.",
+             "'success' nodes that succeeded in the last run.") do |rerun|
         @options[:rerun] = rerun
-      end.extend(SwitchHider)
+      end
       define('--noop', 'Execute a task that supports it in noop mode') do |_|
         @options[:noop] = true
       end
@@ -174,12 +309,12 @@ Usage: bolt apply <manifest.pp> [options]
              "Parameters to a task or plan as json, a json file '@<file>', or on stdin '-'") do |params|
         @options[:task_options] = parse_params(params)
       end
-      @execute = define('-e', '--execute CODE',
-                        "Puppet manifest code to apply to the targets") do |code|
+      define('-e', '--execute CODE',
+             "Puppet manifest code to apply to the targets") do |code|
         @options[:code] = code
-      end.extend(SwitchHider)
+      end
 
-      separator 'Authentication:'
+      separator "\nAuthentication:"
       define('-u', '--user USER', 'User to authenticate as') do |user|
         @options[:user] = user
       end
@@ -206,7 +341,7 @@ Usage: bolt apply <manifest.pp> [options]
         @options[:'ssl-verify'] = ssl_verify
       end
 
-      separator 'Escalation:'
+      separator "\nEscalation:"
       define('--run-as USER', 'User to run as using privilege escalation') do |user|
         @options[:'run-as'] = user
       end
@@ -221,7 +356,7 @@ Usage: bolt apply <manifest.pp> [options]
         end
       end
 
-      separator 'Run context:'
+      separator "\nRun context:"
       define('-c', '--concurrency CONCURRENCY', Integer,
              'Maximum number of simultaneous connections (default: 100)') do |concurrency|
         @options[:concurrency] = concurrency
@@ -256,7 +391,7 @@ Usage: bolt apply <manifest.pp> [options]
         @options[:'save-rerun'] = save
       end
 
-      separator 'Transports:'
+      separator "\nTransports:"
       define('--transport TRANSPORT', TRANSPORTS.keys.map(&:to_s),
              "Specify a default transport: #{TRANSPORTS.keys.join(', ')}") do |t|
         @options[:transport] = t
@@ -271,65 +406,52 @@ Usage: bolt apply <manifest.pp> [options]
         @options[:tmpdir] = tmpdir
       end
 
-      separator 'Display:'
+      separator "\nDisplay:"
       define('--format FORMAT', 'Output format to use: human or json') do |format|
         @options[:format] = format
       end
       define('--[no-]color', 'Whether to show output in color') do |color|
         @options[:color] = color
       end
-      define('-h', '--help', 'Display help') do |_|
-        @options[:help] = true
-      end
       define('-v', '--[no-]verbose', 'Display verbose logging') do |value|
         @options[:verbose] = value
       end
-      define('--debug', 'Display debug logging') do |_|
-        @options[:debug] = true
-      end
       define('--trace', 'Display error stack traces') do |_|
         @options[:trace] = true
       end
+
+      separator "\nGlobal:"
+      define('-h', '--help', 'Display help') do |_|
+        @options[:help] = true
+      end
       define('--version', 'Display the version') do |_|
         puts Bolt::VERSION
         raise Bolt::CLIExit
       end
-
-      update
+      define('--debug', 'Display debug logging') do |_|
+        @options[:debug] = true
+      end
     end
 
-    def hide_target_opts(toggle = true)
-      @nodes.hide = @query.hide = @rerun.hide = @targets.hide = toggle
+    def remove_excluded_opts(option_list)
+      # Remove any options that are not available for the specified subcommand
+      top.list.delete_if do |opt|
+        opt.respond_to?(:switch_name) && !option_list.include?(opt.switch_name)
+      end
+      # Remove any separators if all options of that type have been removed
+      top.list.delete_if do |opt|
+        i = top.list.index(opt)
+        opt.is_a?(String) && top.list[i + 1].is_a?(String)
+      end
     end
 
     def update
-      # show the --nodes, --query, and --rerun switches by default
-      hide_target_opts(false)
-      # Don't show the --execute switch except for `apply`
-      @execute.hide = true
-
+      help_text = get_help_text(@options[:subcommand], @options[:action])
       # Update the banner according to the subcommand
-      self.banner = case @options[:subcommand]
-                    when 'plan'
-                      PLAN_HELP
-                    when 'command'
-                      COMMAND_HELP
-                    when 'script'
-                      SCRIPT_HELP
-                    when 'task'
-                      TASK_HELP
-                    when 'file'
-                      FILE_HELP
-                    when 'puppetfile'
-                      # Don't show targeting options for puppetfile
-                      hide_target_opts
-                      PUPPETFILE_HELP
-                    when 'apply'
-                      @execute.hide = false
-                      APPLY_HELP
-                    else
-                      BANNER
-                    end
+      self.banner = help_text[:banner]
+      # Builds the option list for the specified subcommand and removes all excluded
+      # options from the help text
+      remove_excluded_opts(help_text[:flags])
     end
 
     def parse_params(params)

data/lib/bolt/cli.rb

@@ -23,6 +23,7 @@ require 'bolt/plugin'
 require 'bolt/pal'
 require 'bolt/target'
 require 'bolt/version'
+require 'bolt/secret'
 
 module Bolt
   class CLIExit < StandardError; end
@@ -33,6 +34,7 @@ module Bolt
                  'plan' => %w[show run convert],
                  'file' => %w[upload],
                  'puppetfile' => %w[install show-modules],
+                 'secret' => %w[encrypt decrypt createkeys],
                  'apply' => %w[] }.freeze
 
     attr_reader :config, :options
@@ -51,7 +53,7 @@ module Bolt
     end
     private :inventory
 
-    def help?(parser, remaining)
+    def help?(remaining)
       # Set the subcommand
       options[:subcommand] = remaining.shift
 
@@ -60,8 +62,12 @@ module Bolt
         options[:subcommand] = remaining.shift
       end
 
-      # Update the parser for the new subcommand
-      parser.update
+      # This section handles parsing non-flag options which are
+      # subcommand specific rather then part of the config
+      actions = COMMANDS[options[:subcommand]]
+      if actions && !actions.empty?
+        options[:action] = remaining.shift
+      end
 
       options[:help]
     end
@@ -72,17 +78,13 @@ module Bolt
 
       # This part aims to handle both `bolt <mode> --help` and `bolt help <mode>`.
       remaining = handle_parser_errors { parser.permute(@argv) } unless @argv.empty?
-      if @argv.empty? || help?(parser, remaining)
+      if @argv.empty? || help?(remaining)
+        # Update the parser for the subcommand (or lack thereof)
+        parser.update
         puts parser.help
         raise Bolt::CLIExit
       end
 
-      # This section handles parsing non-flag options which are
-      # subcommand specific rather then part of the config
-      actions = COMMANDS[options[:subcommand]]
-      if actions && !actions.empty?
-        options[:action] = remaining.shift
-      end
       options[:object] = remaining.shift
 
       task_options, remaining = remaining.partition { |s| s =~ /.+=/ }
@@ -120,6 +122,7 @@ module Bolt
       # options[:target_args] will contain a string/array version of the targetting options this is passed to plans
       # options[:targets] will contain a resolved set of Target objects
       unless options[:subcommand] == 'puppetfile' ||
+             options[:subcommand] == 'secret' ||
              options[:action] == 'show' ||
              options[:action] == 'convert'
 
@@ -311,6 +314,8 @@ module Bolt
         code = run_plan(options[:object], options[:task_options], options[:target_args], options)
       when 'puppetfile'
         code = install_puppetfile(@config.puppetfile_config, @config.puppetfile, @config.modulepath)
+      when 'secret'
+        code = Bolt::Secret.execute(plugins, outputter, options)
       when 'apply'
         if options[:object]
           validate_file('manifest', options[:object])

data/lib/bolt/config.rb

@@ -33,7 +33,7 @@ module Bolt
   class Config
     attr_accessor :concurrency, :format, :trace, :log, :puppetdb, :color, :save_rerun,
                   :transport, :transports, :inventoryfile, :compile_concurrency, :boltdir,
-                  :puppetfile_config
+                  :puppetfile_config, :plugins
     attr_writer :modulepath
 
     TRANSPORT_OPTIONS = %i[password run-as sudo-password extensions
@@ -70,6 +70,7 @@ module Bolt
       @color = true
       @save_rerun = true
       @puppetfile_config = {}
+      @plugins = {}
 
       # add an entry for the default console logger
       @log = { 'console' => {} }
@@ -158,6 +159,9 @@ module Bolt
 
       @save_rerun = data['save-rerun'] if data.key?('save-rerun')
 
+      # Plugins are only settable from config not inventory so we can overwrite
+      @plugins = data['plugins'] if data.key?('plugins')
+
       %w[concurrency format puppetdb color transport].each do |key|
         send("#{key}=", data[key]) if data.key?(key)
       end

data/lib/bolt/inventory/group2.rb

@@ -93,7 +93,10 @@ module Bolt
             unless (plugin = @plugins.by_name(value['_plugin']))
               raise ValidationError.new("unkown plugin: #{value['_plugin'].inspect}", nil)
             end
-            plugin.new.inventory_config_lookup(value)
+            plugin.validate_inventory_config_lookup(value) if plugin.respond_to?(:validate_inventory_config_lookup)
+            Concurrent::Delay.new do
+              plugin.inventory_config_lookup(value)
+            end
           else
             value
           end

data/lib/bolt/inventory/inventory2.rb

@@ -124,7 +124,8 @@ module Bolt
       def config_plugin(data)
         Bolt::Util.walk_vals(data) do |val|
           if val.is_a?(Concurrent::Delay)
-            val.value
+            # We should raise any error from the delay now
+            val.value!
           else
             val
           end

data/lib/bolt/plugin.rb

@@ -2,6 +2,7 @@
 
 require 'bolt/plugin/puppetdb'
 require 'bolt/plugin/terraform'
+require 'bolt/plugin/pkcs7'
 require 'bolt/plugin/prompt'
 
 module Bolt
@@ -10,7 +11,8 @@ module Bolt
       plugins = new(config)
       plugins.add_plugin(Bolt::Plugin::Puppetdb.new(pdb_client))
       plugins.add_plugin(Bolt::Plugin::Terraform.new)
-      plugins.add_plugin(Bolt::Plugin::Prompt)
+      plugins.add_plugin(Bolt::Plugin::Prompt.new)
+      plugins.add_plugin(Bolt::Plugin::Pkcs7.new(config.boltdir.path, config.plugins['pkcs7'] || {}))
       plugins
     end
 

data/lib/bolt/plugin/pkcs7.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'bolt/secret/base'
+require 'fileutils'
+
+module Bolt
+  class Plugin
+    class Pkcs7 < Bolt::Secret::Base
+      def self.validate_config(config)
+        known_keys = ['private-key', 'public-key', 'keysize']
+        known_keys.each do |key|
+          unless key.is_a? String
+            raise Bolt::ValidationError, "Invalid config for pkcs7 plugin: '#{key}' is not a String"
+          end
+        end
+
+        config.keys.each do |key|
+          unless known_keys.include?(key)
+            raise Bolt::ValidationError, "Unpexpected key in pkcs7 plugin config: #{key}"
+          end
+        end
+      end
+
+      def name
+        'pkcs7'
+      end
+
+      def initialize(boltdir, options)
+        self.class.validate_config(options)
+        require 'openssl'
+        @boltdir = boltdir
+        @options = options || {}
+        @logger = Logging.logger[self]
+      end
+
+      def private_key_path
+        path = @options['private-key'] || 'keys/private_key.pkcs7.pem'
+        path = File.absolute_path(path, @boltdir)
+        @logger.debug("Using private-key: #{path}")
+        path
+      end
+
+      def private_key
+        @private_key ||= OpenSSL::PKey::RSA.new(File.read(private_key_path))
+      end
+
+      def public_key_path
+        path = @options['public-key'] || 'keys/public_key.pkcs7.pem'
+        path = File.absolute_path(path, @boltdir)
+        @logger.debug("Using public-key: #{path}")
+        path
+      end
+
+      def public_key
+        @public_key ||= OpenSSL::X509::Certificate.new(File.read(public_key_path))
+      end
+
+      def keysize
+        @options['keysize'] || 2048
+      end
+
+      # The following implementations are intended to be compatible with hiera-eyaml
+      def encrypt_value(plaintext)
+        cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+        OpenSSL::PKCS7.encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+      end
+
+      def decrypt_value(ciphertext)
+        pkcs7 = OpenSSL::PKCS7.new(ciphertext)
+        pkcs7.decrypt(private_key, public_key)
+      end
+
+      def secret_createkeys
+        key = OpenSSL::PKey::RSA.new(keysize)
+
+        cert = OpenSSL::X509::Certificate.new
+        cert.subject = OpenSSL::X509::Name.parse('/')
+        cert.serial = 1
+        cert.version = 2
+        cert.not_before = Time.now
+        cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
+        cert.public_key = key.public_key
+        cert.sign(key, OpenSSL::Digest.new('SHA512'))
+
+        @logger.warn("Overwriting private-key '#{private_key_path}'") if File.exist?(private_key_path)
+        @logger.warn("Overwriting public-key '#{public_key_path}'") if File.exist?(public_key_path)
+
+        private_keydir = File.dirname(private_key_path)
+        FileUtils.mkdir_p(private_keydir) unless File.exist?(private_keydir)
+        FileUtils.touch(private_key_path)
+        File.chmod(0o600, private_key_path)
+        File.write(private_key_path, key.to_pem)
+
+        public_keydir = File.dirname(public_key_path)
+        FileUtils.mkdir_p(public_keydir) unless File.exist?(public_keydir)
+        File.write(public_key_path, cert.to_pem)
+      end
+    end
+  end
+end

data/lib/bolt/plugin/prompt.rb

@@ -9,7 +9,7 @@ module Bolt
         @logger = Logging.logger[self]
       end
 
-      def self.name
+      def name
         'prompt'
       end
 
@@ -17,15 +17,15 @@ module Bolt
         ['inventory_config_lookup']
       end
 
-      def inventory_config_lookup(opts)
+      def validate_inventory_config_lookup(opts)
         raise Bolt::ValidationError, "Prompt requires a 'message'" unless opts['message']
-        # Return a delay to only be evaluated when needed
-        Concurrent::Delay.new do
-          STDOUT.print "#{opts['message']}:"
-          value = STDIN.noecho(&:gets).chomp
-          STDOUT.puts
-          value
-        end
+      end
+
+      def inventory_config_lookup(opts)
+        STDOUT.print "#{opts['message']}:"
+        value = STDIN.noecho(&:gets).chomp
+        STDOUT.puts
+        value
       end
     end
   end

data/lib/bolt/secret.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Bolt
+  class Secret
+    def self.execute(plugins, outputter, options)
+      enc = plugins.by_name('pkcs7')
+      case options[:action]
+      when 'createkeys'
+        enc.secret_createkeys
+      when 'encrypt'
+        outputter.print_message(enc.secret_encrypt('plaintext-value' => options[:object]))
+      when 'decrypt'
+        outputter.print_message(enc.secret_decrypt('encrypted-value' => options[:object]))
+      end
+
+      0
+    end
+  end
+end

data/lib/bolt/secret/base.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Bolt
+  class Secret
+    class Base
+      def hooks
+        %w[inventory_config_lookup encrypt decrypt create_keys]
+      end
+
+      def encode(raw)
+        coded = Base64.encode64(raw).strip
+        "ENC[#{name.upcase},#{coded}]"
+      end
+
+      def decode(code)
+        format = %r{\AENC\[(?<plugin>\w+),(?<encoded>[\w\s+-=/]+)\]\s*\z}
+        match = format.match(code)
+
+        raise Bolt::ValidationError, "Could not parse as an encrypted value: #{code}" unless match
+
+        raw = Base64.decode64(match[:encoded])
+        [raw, match[:plugin]]
+      end
+
+      def secret_encrypt(opts)
+        encrypted = encrypt_value(opts['plaintext-value'])
+        encode(encrypted)
+      end
+
+      def secret_decrypt(opts)
+        raw, _plugin = decode(opts['encrypted-value'])
+        decrypt_value(raw)
+      end
+      alias inventory_config_lookup secret_decrypt
+
+      def validate_inventory_config_lookup(opts)
+        decode(opts['encrypted-value'])
+      end
+    end
+  end
+end

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '1.23.0'
+  VERSION = '1.24.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bolt
 version: !ruby/object:Gem::Version
-  version: 1.23.0
+  version: 1.24.0
 platform: ruby
 authors:
 - Puppet
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-14 00:00:00.000000000 Z
+date: 2019-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -274,28 +274,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -389,6 +389,7 @@ files:
 - lib/bolt/pal/yaml_plan/transpiler.rb
 - lib/bolt/plan_result.rb
 - lib/bolt/plugin.rb
+- lib/bolt/plugin/pkcs7.rb
 - lib/bolt/plugin/prompt.rb
 - lib/bolt/plugin/puppetdb.rb
 - lib/bolt/plugin/terraform.rb
@@ -399,6 +400,8 @@ files:
 - lib/bolt/rerun.rb
 - lib/bolt/result.rb
 - lib/bolt/result_set.rb
+- lib/bolt/secret.rb
+- lib/bolt/secret/base.rb
 - lib/bolt/target.rb
 - lib/bolt/task.rb
 - lib/bolt/task/puppet_server.rb