bolt 1.30.1 → 1.31.0

data/lib/bolt/plugin/task.rb

@@ -4,41 +4,27 @@ module Bolt
   class Plugin
     class Task
       def hooks
-        %w[inventory_targets inventory_config]
+        %i[validate_resolve_reference puppet_library resolve_reference]
       end
 
       def name
         'task'
       end
 
-      # This creates it's own PAL so we don't have to pass a promise around
-      #
-      def initialize(config)
-        @config = config
-      end
-
-      attr_reader :config
+      attr_accessor :pal, :executor, :inventory
 
-      def pal
-        # Hiera config should not be used yet.
-        @pal ||= Bolt::PAL.new(config.modulepath, config.hiera_config)
+      def initialize(context:, **_opts)
+        @context = context
       end
 
-      def executor
-        # Analytics should be handled at a higher level so create a new executor.
-        @executor ||= Bolt::Executor.new
-      end
+      def run_task(opts)
+        params = opts['parameters'] || {}
+        options = { '_catch_errors' => true }
 
-      def inventory
-        @inventory ||= Bolt::Inventory.new({}, config)
-      end
+        raise Bolt::ValidationError, "Task plugin requires that the 'task' is specified" unless opts['task']
+        task = @context.get_validated_task(opts['task'], params)
 
-      def run_task(opts)
-        result = pal.run_task(opts['task'],
-                              'localhost',
-                              opts['parameters'] || {},
-                              executor,
-                              inventory).first
+        result = @context.run_local_task(task, params, options).first
 
         raise Bolt::Error.new(result.error_hash['msg'], result.error_hash['kind']) if result.error_hash
         result
@@ -46,45 +32,18 @@ module Bolt
 
       def validate_options(opts)
         raise Bolt::ValidationError, "Task plugin requires that the 'task' is specified" unless opts['task']
-
-        task = pal.task_signature(opts['task'])
-
-        raise Bolt::ValidationError, "Could not find task #{opts['task']}" unless task
-
-        errors = []
-        unless task.runnable_with?(opts['parameters'] || {}) { |msg| errors << msg }
-          # This relies on runnable with printing a partial message before the first real error
-          raise Bolt::ValidationError, "Invalid parameters for #{errors.join("\n")}"
-        end
+        @context.get_validated_task(opts['task'], opts['parameters'] || {})
       end
-      alias validate_inventory_config validate_options
+      alias validate_resolve_reference validate_options
 
-      def inventory_config(opts)
+      def resolve_reference(opts)
         result = run_task(opts)
 
-        unless result.value.include?('config')
-          raise Bolt::ValidationError, "Task result did not return 'config': #{result.value}"
-        end
-
-        result['config']
-      end
-
-      def inventory_targets(opts)
-        raise Bolt::ValidationError, "Task plugin requires that the 'task' is specified" unless opts['task']
-
-        result = run_task(opts)
-
-        targets = result['targets']
-        unless targets.is_a?(Array)
-          raise Bolt::ValidationError, "Task result did not return a targets array: #{result.value}"
-        end
-
-        unless targets.all? { |t| t.is_a?(Hash) }
-          msg = "All targets returned by an inventory targets task must be hashes, got: #{targets}"
-          raise Bolt::ValidationError, msg
+        unless result.value.include?('value')
+          raise Bolt::ValidationError, "Task result did not return 'value': #{result.value}"
         end
 
-        targets
+        result['value']
       end
 
       def puppet_library(opts, target, apply_prep)

data/lib/bolt/plugin/terraform.rb

@@ -9,7 +9,7 @@ module Bolt
                        'config', 'backend']
       REQ_KEYS = Set['dir', 'resource_type']
 
-      def initialize
+      def initialize(*_args)
         @logger = Logging.logger[self]
       end
 
@@ -18,7 +18,7 @@ module Bolt
       end
 
       def hooks
-        ['inventory_targets']
+        [:resolve_reference]
       end
 
       def warn_missing_property(name, property)
@@ -41,7 +41,7 @@ module Bolt
         end
       end
 
-      def inventory_targets(opts)
+      def resolve_reference(opts)
         validate_options(opts)
 
         state = load_statefile(opts)

data/lib/bolt/plugin/vault.rb

@@ -55,16 +55,16 @@ module Bolt
       end
 
       def hooks
-        ['inventory_config']
+        [:resolve_reference]
       end
 
-      def initialize(config)
+      def initialize(config:, **_opts)
         validate_config(config)
         @config = config
         @logger = Logging.logger[self]
       end
 
-      def inventory_config(opts)
+      def resolve_reference(opts)
         validate_options(opts)
 
         header = {

data/lib/bolt/secret.rb

@@ -3,14 +3,15 @@
 module Bolt
   class Secret
     def self.execute(plugins, outputter, options)
+      plugin = options[:plugin] || 'pkcs7'
       case options[:action]
       when 'createkeys'
-        plugins.get_hook('pkcs7', :secret_createkeys).call
+        plugins.get_hook(plugin, :secret_createkeys).call
       when 'encrypt'
-        encrypted = plugins.get_hook('pkcs7', :secret_encrypt).call('plaintext-value' => options[:object])
+        encrypted = plugins.get_hook(plugin, :secret_encrypt).call('plaintext_value' => options[:object])
         outputter.print_message(encrypted)
       when 'decrypt'
-        decrypted = plugins.get_hook('pkcs7', :secret_decrypt).call('encrypted-value' => options[:object])
+        decrypted = plugins.get_hook(plugin, :secret_decrypt).call('encrypted_value' => options[:object])
         outputter.print_message(decrypted)
       end
 

data/lib/bolt/secret/base.rb

@@ -4,7 +4,7 @@ module Bolt
   class Secret
     class Base
       def hooks
-        %w[inventory_config secret_encrypt secret_decrypt secret_createkeys]
+        %i[resolve_reference secret_encrypt secret_decrypt secret_createkeys validate_resolve_reference]
       end
 
       def encode(raw)
@@ -23,18 +23,22 @@ module Bolt
       end
 
       def secret_encrypt(opts)
-        encrypted = encrypt_value(opts['plaintext-value'])
+        encrypted = encrypt_value(opts['plaintext_value'])
         encode(encrypted)
       end
 
       def secret_decrypt(opts)
-        raw, _plugin = decode(opts['encrypted-value'])
+        raw, _plugin = decode(opts['encrypted_value'])
         decrypt_value(raw)
       end
-      alias inventory_config secret_decrypt
-
-      def validate_inventory_config(opts)
-        decode(opts['encrypted-value'])
+      alias resolve_reference secret_decrypt
+
+      def validate_resolve_reference(opts)
+        # TODO: Remove deprecation warning
+        if opts.include?('encrypted-value')
+          raise Bolt::ValidationError, "The 'encrypted-value' key is deprecated migrate to to 'encrypted_value'"
+        end
+        decode(opts['encrypted_value'])
       end
     end
   end

data/lib/bolt/task/run.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Bolt
+  class Task
+    module Run
+      module_function
+
+      # TODO: we should probably use a Bolt::Task for this
+      def validate_params(task_signature, params)
+        task_signature.runnable_with?(params) do |mismatch_message|
+          raise Bolt::ValidationError, mismatch_message
+        end || (raise Bolt::ValidationError, 'Task parameters do not match')
+
+        unless Puppet::Pops::Types::TypeFactory.data.instance?(params)
+          # generate a helpful error message about the type-mismatch between the type Data
+          # and the actual type of use_args
+          use_args_t = Puppet::Pops::Types::TypeCalculator.infer_set(params)
+          desc = Puppet::Pops::Types::TypeMismatchDescriber.singleton.describe_mismatch(
+            'Task parameters are not of type Data. run_task()',
+            Puppet::Pops::Types::TypeFactory.data, use_args_t
+          )
+          raise Bolt::ValidationError, desc
+        end
+        nil
+      end
+
+      def wrap_sensitive(task, params)
+        if (spec = task.metadata['parameters'])
+          params.each_with_object({}) do |(param, val), wrapped|
+            wrapped[param] = if spec.dig(param, 'sensitive')
+                               Puppet::Pops::Types::PSensitiveType::Sensitive.new(val)
+                             else
+                               val
+                             end
+          end
+        else
+          params
+        end
+      end
+
+      def run_task(task, targets, params, options, executor)
+        if targets.empty?
+          Bolt::ResultSet.new([])
+        else
+          result = executor.run_task(targets, task, params, options)
+
+          if !result.ok && !options['_catch_errors']
+            raise Bolt::RunFailure.new(result, 'run_task', task.name)
+          end
+          result
+        end
+      end
+    end
+  end
+end

data/lib/bolt/transport/orch/connection.rb

@@ -24,8 +24,10 @@ module Bolt
             acc[k] = opts[k] if opts.include?(k)
           end
           client_opts['User-Agent'] = "Bolt/#{VERSION}"
+          %w[token-file cacert].each do |f|
+            client_opts[f] = File.expand_path(client_opts[f]) if client_opts[f]
+          end
           logger.debug("Creating orchestrator client for #{client_opts}")
-
           @client = OrchestratorClient.new(client_opts, true)
           @plan_job = start_plan(plan_context)
           logger.debug("Started plan #{@plan_job}")

data/lib/bolt/transport/winrm.rb

@@ -42,6 +42,10 @@ module Bolt
           raise Bolt::ValidationError, 'SMB file transfers are not allowed with SSL enabled'
         end
 
+        if ssl_flag && (ca_path = options['cacert'])
+          Bolt::Util.validate_file('cacert', ca_path)
+        end
+
         ssl_verify_flag = options['ssl-verify']
         unless !!ssl_verify_flag == ssl_verify_flag
           raise Bolt::ValidationError, 'ssl-verify option must be a Boolean true or false'

data/lib/bolt/transport/winrm/connection.rb

@@ -41,13 +41,14 @@ module Bolt
 
           transport = :kerberos if target.options['realm']
           endpoint = "#{scheme}://#{target.host}:#{@port}/wsman"
+          cacert = target.options['cacert'] && target.options['ssl'] ? File.expand_path(target.options['cacert']) : nil
           options = { endpoint: endpoint,
                       # https://github.com/WinRb/WinRM/issues/270
                       user: target.options['realm'] ? 'dummy' : @user,
                       password: target.options['realm'] ? 'dummy' : target.password,
                       retry_limit: 1,
                       transport: transport,
-                      ca_trust_path: target.options['cacert'],
+                      ca_trust_path: cacert,
                       realm: target.options['realm'],
                       no_ssl_peer_verification: !target.options['ssl-verify'] }
 

data/lib/bolt/util.rb

@@ -184,6 +184,12 @@ module Bolt
         File.stat(File.expand_path(path))
       end
 
+      def class_name_to_file_name(cls_name)
+        # Note this turns Bolt::CLI -> 'bolt/cli' not 'bolt/c_l_i'
+        # this won't handle Bolt::Inventory2Foo
+        cls_name.gsub(/([a-z])([A-Z])/, '\1_\2').gsub('::', '/').downcase
+      end
+
       def validate_file(type, path, allow_dir = false)
         stat = file_stat(path)
 

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '1.30.1'
+  VERSION = '1.31.0'
 end

data/lib/bolt_server/file_cache.rb

@@ -27,17 +27,21 @@ module BoltServer
                    executor: Concurrent::SingleThreadExecutor.new,
                    purge_interval: PURGE_INTERVAL,
                    purge_timeout: PURGE_TIMEOUT,
-                   purge_ttl: PURGE_TTL)
+                   purge_ttl: PURGE_TTL,
+                   cache_dir_mutex: Concurrent::ReadWriteLock.new,
+                   do_purge: true)
       @executor = executor
       @cache_dir = config['cache-dir']
       @config = config
       @logger = Logging.logger[self]
-      @cache_dir_mutex = Concurrent::ReadWriteLock.new
+      @cache_dir_mutex = cache_dir_mutex
 
-      @purge = Concurrent::TimerTask.new(execution_interval: purge_interval,
-                                         timeout_interval: purge_timeout,
-                                         run_now: true) { expire(purge_ttl) }
-      @purge.execute
+      if do_purge
+        @purge = Concurrent::TimerTask.new(execution_interval: purge_interval,
+                                           timeout_interval: purge_timeout,
+                                           run_now: true) { expire(purge_ttl) }
+        @purge.execute
+      end
     end
 
     def tmppath

data/lib/bolt_server/schemas/action-run_script.json

@@ -0,0 +1,44 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "run_script request",
+  "description": "POST <transport>/run_script request schema",
+  "type": "object",
+  "properties": {
+    "script": {
+      "type": "object",
+      "properties": {
+        "filename": {
+          "type": "string"
+        },
+        "uri": {
+          "type": "object",
+          "properties": {
+            "path": {
+              "type": "string"
+            },
+            "params": {
+              "type": "object"
+            }
+          },
+          "required": [
+            "path",
+            "params"
+          ]
+        },
+        "sha256": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "filename",
+        "uri",
+        "sha256"
+      ]
+    },
+    "arguments": {
+      "type": "string"
+    },
+    "target": { "$ref": "partial:target-any" }
+  },
+  "required": ["script", "target"]
+}

data/lib/bolt_server/transport_app.rb

@@ -23,6 +23,7 @@ module BoltServer
       action-check_node_connections
       action-run_command
       action-run_task
+      action-run_script
       action-upload_file
       transport-ssh
       transport-winrm
@@ -139,7 +140,7 @@ module BoltServer
           # but this is to be on the safe side.
           parent = File.dirname(path)
           FileUtils.mkdir_p(parent)
-          @file_cache.download_file(path, sha256, uri)
+          @file_cache.serial_execute { @file_cache.download_file(path, sha256, uri) }
         elsif kind == 'directory'
           # Create directory in cache so we can move files in.
           FileUtils.mkdir_p(path)
@@ -148,7 +149,28 @@ module BoltServer
                                        'boltserver/schema-error').to_json]
         end
       end
-      [@executor.upload_file(target, cache_dir, destination), nil]
+      # We need to special case the scenario where only one file was
+      # included in the request to download. Otherwise, the call to upload_file
+      # will attempt to upload with a directory as a source and potentially a
+      # filename as a destination on the host. In that case the end result will
+      # be the file downloaded to a directory with the same name as the source
+      # filename, rather than directly to the filename set in the destination.
+      upload_source = if files.size == 1 && files[0]['kind'] == 'file'
+                        File.join(cache_dir, files[0]['relative_path'])
+                      else
+                        cache_dir
+                      end
+      [@executor.upload_file(target, upload_source, destination), nil]
+    end
+
+    def run_script(target, body)
+      error = validate_schema(@schemas["action-run_script"], body)
+      return [], error unless error.nil?
+
+      # Download the file onto the machine.
+      file_location = @file_cache.update_file(body['script'])
+
+      [@executor.run_script(target, file_location, body['arguments'])]
     end
 
     get '/' do
@@ -174,6 +196,7 @@ module BoltServer
       check_node_connections
       run_command
       run_task
+      run_script
       upload_file
     ].freeze