bolt 2.14.0 → 2.19.0

data/lib/bolt/logger.rb

@@ -15,6 +15,7 @@ module Bolt
       return if Logging.initialized?
 
       Logging.init :debug, :info, :notice, :warn, :error, :fatal, :any
+      @mutex = Mutex.new
 
       Logging.color_scheme(
         'bolt',
@@ -66,6 +67,10 @@ module Bolt
       end
     end
 
+    def self.analytics=(analytics)
+      @analytics = analytics
+    end
+
     def self.console_layout(color)
       color_scheme = :bolt if color
       Logging.layouts.pattern(
@@ -89,8 +94,10 @@ module Bolt
       :notice
     end
 
+    # Explicitly check the log level names instead of the log level number, as levels
+    # that are stringified integers (e.g. "level" => "42") will return a truthy value
     def self.valid_level?(level)
-      !Logging.level_num(level).nil?
+      Logging::LEVELS.include?(Logging.levelify(level))
     end
 
     def self.levels
@@ -100,5 +107,21 @@ module Bolt
     def self.reset_logging
       Logging.reset
     end
+
+    def self.warn_once(type, msg)
+      @mutex.synchronize {
+        @warnings ||= []
+        @logger ||= Logging.logger[self]
+        unless @warnings.include?(type)
+          @logger.warn(msg)
+          @warnings << type
+        end
+      }
+    end
+
+    def self.deprecation_warning(type, msg)
+      @analytics&.event('Warn', 'deprecation', label: type)
+      warn_once(type, msg)
+    end
   end
 end

data/lib/bolt/outputter.rb

@@ -8,6 +8,8 @@ module Bolt
         Bolt::Outputter::Human.new(color, verbose, trace)
       when 'json'
         Bolt::Outputter::JSON.new(color, verbose, trace)
+      when 'rainbow'
+        Bolt::Outputter::Rainbow.new(color, verbose, trace)
       when nil
         raise "Cannot use outputter before parsing."
       end
@@ -25,3 +27,4 @@ end
 require 'bolt/outputter/human'
 require 'bolt/outputter/json'
 require 'bolt/outputter/logger'
+require 'bolt/outputter/rainbow'

data/lib/bolt/outputter/rainbow.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'bolt/pal'
+
+module Bolt
+  class Outputter
+    class Rainbow < Bolt::Outputter::Human
+      def initialize(color, verbose, trace, stream = $stdout)
+        begin
+          require 'paint'
+          if Bolt::Util.windows?
+            # the Paint gem thinks that windows does not support ansi colors
+            # but windows 10 or later does
+            # we can display colors if we force mode to TRUE_COLOR
+            Paint.mode = 0xFFFFFF
+          end
+        rescue LoadError
+          raise "The 'paint' gem is required to use the rainbow outputter."
+        end
+        super
+        @line_color = 0
+        @color = 0
+        @state = :normal
+      end
+
+      # The algorithm is from lolcat (https://github.com/busyloop/lolcat)
+      # lolcat is released with WTFPL
+      def rainbow
+        red = Math.sin(0.3 * @color + 0) * 127 + 128
+        green = Math.sin(0.3 * @color + 2 * Math::PI / 3) * 127 + 128
+        blue  = Math.sin(0.3 * @color + 4 * Math::PI / 3) * 127 + 128
+        @color += 1 / 8.0
+        format("%<red>02X%<green>02X%<blue>02X", red: red, green: green, blue: blue)
+      end
+
+      def colorize(color, string)
+        if @color && @stream.isatty
+          if %i[green rainbow].include?(color)
+            a = string.chars.map do |c|
+              case @state
+              when :normal
+                if c == "\e"
+                  @state = :ansi
+                elsif c == "\n"
+                  @line_color += 1
+                  @color = @line_color
+                  c
+                else
+                  Paint[c, rainbow]
+                end
+              when :ansi
+                @state = :normal if c == 'm'
+              end
+            end
+            a.join('')
+          else
+            "\033[#{COLORS[color]}m#{string}\033[0m"
+          end
+        else
+          string
+        end
+      end
+
+      def print_summary(results, elapsed_time = nil)
+        ok_set = results.ok_set
+        unless ok_set.empty?
+          @stream.puts colorize(:rainbow, format('Successful on %<size>d target%<plural>s: %<names>s',
+                                                 size: ok_set.size,
+                                                 plural: ok_set.size == 1 ? '' : 's',
+                                                 names: ok_set.targets.map(&:safe_name).join(',')))
+        end
+
+        error_set = results.error_set
+        unless error_set.empty?
+          @stream.puts colorize(:red,
+                                format('Failed on %<size>d target%<plural>s: %<names>s',
+                                       size: error_set.size,
+                                       plural: error_set.size == 1 ? '' : 's',
+                                       names: error_set.targets.map(&:safe_name).join(',')))
+        end
+
+        total_msg = format('Ran on %<size>d target%<plural>s',
+                           size: results.size,
+                           plural: results.size == 1 ? '' : 's')
+        total_msg << " in #{duration_to_string(elapsed_time)}" unless elapsed_time.nil?
+        @stream.puts colorize(:rainbow, total_msg)
+      end
+    end
+  end
+end

data/lib/bolt/pal.rb

@@ -15,25 +15,36 @@ module Bolt
     # PALError is used to convert errors from executing puppet code into
     # Bolt::Errors
     class PALError < Bolt::Error
-      # Puppet sometimes rescues exceptions notes the location and reraises.
-      # Return the original error.
       def self.from_preformatted_error(err)
         if err.cause&.is_a? Bolt::Error
           err.cause
         else
-          from_error(err.cause || err)
+          from_error(err)
         end
       end
 
       # Generate a Bolt::Pal::PALError for non-bolt errors
       def self.from_error(err)
-        e = new(err.message)
+        # Use the original error message if available
+        message = err.cause ? err.cause.message : err.message
+
+        # Provide the location of an error if it came from a plan
+        details = if defined?(err.file) && err.file
+                    { file:   err.file,
+                      line:   err.line,
+                      column: err.pos }.compact
+                  else
+                    {}
+                  end
+
+        e = new(message, details)
+
         e.set_backtrace(err.backtrace)
         e
       end
 
-      def initialize(msg)
-        super(msg, 'bolt/pal-error')
+      def initialize(msg, details = {})
+        super(msg, 'bolt/pal-error', details)
       end
     end
 
@@ -137,7 +148,9 @@ module Bolt
       # TODO: If we always call this inside a bolt_executor we can remove this here
       setup
       r = Puppet::Pal.in_tmp_environment('bolt', modulepath: @modulepath, facts: {}) do |pal|
-        Puppet.override(bolt_project: @project,
+        # Only load the project if it a) exists, b) has a name it can be loaded with
+        bolt_project = @project if @project&.name
+        Puppet.override(bolt_project: bolt_project,
                         yaml_plan_instantiator: Bolt::PAL::YamlPlan::Loader) do
           pal.with_script_compiler do |compiler|
             alias_types(compiler)
@@ -157,8 +170,9 @@ module Bolt
               if e.issue_code == :UNKNOWN_VARIABLE &&
                  %w[facts trusted server_facts settings].include?(e.arguments[:name])
                 message = "Evaluation Error: Variable '#{e.arguments[:name]}' is not available in the current scope "\
-                  "unless explicitly defined. (file: #{e.file}, line: #{e.line}, column: #{e.pos})"
-                PALError.new(message)
+                          "unless explicitly defined."
+                details = { file: e.file, line: e.line, column: e.pos }
+                PALError.new(message, details)
               else
                 PALError.from_preformatted_error(e)
               end

data/lib/bolt/pal/yaml_plan/evaluator.rb

@@ -142,7 +142,7 @@ module Bolt
           if plan.steps.any? { |step| step.body.key?('target') }
             msg = "The 'target' parameter for YAML plan steps is deprecated and will be removed "\
                   "in a future version of Bolt. Use the 'targets' parameter instead."
-            @logger.warn(msg)
+            Bolt::Logger.deprecation_warning("Using 'target' parameter for YAML plan steps, not 'targets'", msg)
           end
 
           plan_result = closure_scope.with_local_scope(args_hash) do |scope|

data/lib/bolt/plugin/module.rb

@@ -184,12 +184,10 @@ module Bolt
       # Raises a deprecation warning if the pkcs7 plugin is using deprecated keys and
       # modifies the keys so they are the correct format
       def handle_deprecated_pkcs7_keys(params)
-        if (params.key?('private-key') || params.key?('public-key')) && !@deprecation_warning_issued
-          @deprecation_warning_issued = true
-
+        if params.key?('private-key') || params.key?('public-key')
           message = "pkcs7 keys 'private-key' and 'public-key' have been deprecated and will be "\
                     "removed in a future version of Bolt; use 'private_key' and 'public_key' instead."
-          Logging.logger[self].warn(message)
+          Bolt::Logger.deprecation_warning('PKCS7 keys using hyphens, not underscores', message)
         end
 
         params['private_key'] = params.delete('private-key') if params.key?('private-key')

data/lib/bolt/project.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'pathname'
+require 'bolt/config'
 require 'bolt/pal'
 
 module Bolt
@@ -8,26 +9,21 @@ module Bolt
     BOLTDIR_NAME = 'Boltdir'
     PROJECT_SETTINGS = {
       "name"  => "The name of the project",
-      "plans" => "An array of plan names to whitelist. Whitelisted plans are included in `bolt plan show` output",
-      "tasks" => "An array of task names to whitelist. Whitelisted plans are included in `bolt task show` output"
+      "plans" => "An array of plan names to show, if they exist in the project."\
+                 "These plans are included in `bolt plan show` output",
+      "tasks" => "An array of task names to show, if they exist in the project."\
+                 "These tasks are included in `bolt task show` output"
     }.freeze
 
     attr_reader :path, :data, :config_file, :inventory_file, :modulepath, :hiera_config,
-                :puppetfile, :rerunfile, :type, :resource_types, :warnings, :project_file
+                :puppetfile, :rerunfile, :type, :resource_types, :warnings, :project_file,
+                :deprecations
 
     def self.default_project
       create_project(File.expand_path(File.join('~', '.puppetlabs', 'bolt')), 'user')
     # If homedir isn't defined use the system config path
     rescue ArgumentError
-      create_project(system_path, 'system')
-    end
-
-    def self.system_path
-      if Bolt::Util.windows?
-        File.join(Dir::COMMON_APPDATA, 'PuppetLabs', 'bolt', 'etc')
-      else
-        File.join('/etc', 'puppetlabs', 'bolt')
-      end
+      create_project(Bolt::Config.system_path, 'system')
     end
 
     # Search recursively up the directory hierarchy for the Project. Look for a
@@ -36,6 +32,7 @@ module Bolt
     # hierarchy, falling back to the default if we reach the root.
     def self.find_boltdir(dir)
       dir = Pathname.new(dir)
+
       if (dir + BOLTDIR_NAME).directory?
         create_project(dir + BOLTDIR_NAME, 'embedded')
       elsif (dir + 'bolt.yaml').file? || (dir + 'bolt-project.yaml').file?
@@ -49,6 +46,15 @@ module Bolt
 
     def self.create_project(path, type = 'option')
       fullpath = Pathname.new(path).expand_path
+
+      if !Bolt::Util.windows? && type != 'environment' && fullpath.world_writable?
+        raise Bolt::Error.new(
+          "Project directory '#{fullpath}' is world-writable which poses a security risk. Set "\
+          "BOLT_PROJECT='#{fullpath}' to force the use of this project directory.",
+          "bolt/world-writable-error"
+        )
+      end
+
       project_file = File.join(fullpath, 'bolt-project.yaml')
       data = Bolt::Util.read_optional_yaml_hash(File.expand_path(project_file), 'project')
       new(data, path, type)
@@ -56,14 +62,16 @@ module Bolt
 
     def initialize(raw_data, path, type = 'option')
       @path = Pathname.new(path).expand_path
+
       @project_file = @path + 'bolt-project.yaml'
 
       @warnings = []
+      @deprecations = []
       if (@path + 'bolt.yaml').file? && project_file?
         msg = "Project-level configuration in bolt.yaml is deprecated if using bolt-project.yaml. "\
           "Transport config should be set in inventory.yaml, all other config should be set in "\
           "bolt-project.yaml."
-        @warnings << { msg: msg }
+        @deprecations << { type: 'Using bolt.yaml for project configuration', msg: msg }
       end
 
       @inventory_file = @path + 'inventory.yaml'
@@ -74,17 +82,17 @@ module Bolt
       @resource_types = @path + '.resource_types'
       @type = type
 
-      tc = Bolt::Config::CONFIG_IN_INVENTORY.keys & raw_data.keys
+      tc = Bolt::Config::INVENTORY_OPTIONS.keys & raw_data.keys
       if tc.any?
         msg = "Transport configuration isn't supported in bolt-project.yaml. Ignoring keys #{tc}"
         @warnings << { msg: msg }
       end
 
-      @data = raw_data.reject { |k, _| Bolt::Config::CONFIG_IN_INVENTORY.keys.include?(k) }
+      @data = raw_data.reject { |k, _| Bolt::Config::INVENTORY_OPTIONS.include?(k) }
 
       # Once bolt.yaml deprecation is removed, this attribute should be removed
       # and replaced with .project_file in lib/bolt/config.rb
-      @config_file = if (Bolt::Config::OPTIONS.keys & @data.keys).any?
+      @config_file = if (Bolt::Config::BOLT_OPTIONS & @data.keys).any?
                        if (@path + 'bolt.yaml').file?
                          msg = "bolt-project.yaml contains valid config keys, bolt.yaml will be ignored"
                          @warnings << { msg: msg }
@@ -103,7 +111,7 @@ module Bolt
     # This API is used to prepend the project as a module to Puppet's internal
     # module_references list. CHANGE AT YOUR OWN RISK
     def to_h
-      { path: @path, name: name }
+      { path: @path.to_s, name: name }
     end
 
     def eql?(other)
@@ -116,10 +124,7 @@ module Bolt
     end
 
     def name
-      # If the project is in mymod/Boltdir/bolt-project.yaml, use mymod as the project name
-      dirname = @path.basename.to_s == 'Boltdir' ? @path.parent.basename.to_s : @path.basename.to_s
-      pname = @data['name'] || dirname
-      pname.include?('-') ? pname.split('-', 2)[1] : pname
+      @data['name']
     end
 
     def tasks
@@ -130,36 +135,20 @@ module Bolt
       @data['plans']
     end
 
-    def project_directory_name?(name)
-      # it must match an installed project name according to forge validator
-      name =~ /^[a-z][a-z0-9_]*$/
-    end
-
-    def project_namespaced_name?(name)
-      # it must match the full project name according to forge validator
-      name =~ /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
-    end
-
     def validate
-      n = @data['name']
-      if n && !project_directory_name?(n) && !project_namespaced_name?(n)
-        raise Bolt::ValidationError, <<~ERROR_STRING
-        Invalid project name '#{n}' in bolt-project.yaml; project names must match either:
-        An installed project name (ex. projectname) matching the expression /^[a-z][a-z0-9_]*$/ -or-
-        A namespaced project name (ex. author-projectname) matching the expression /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
-        ERROR_STRING
-      elsif !project_directory_name?(name) && !project_namespaced_name?(name)
-        raise Bolt::ValidationError, <<~ERROR_STRING
-        Invalid project name '#{name}'; project names must match either:
-        A project name (ex. projectname) matching the expression /^[a-z][a-z0-9_]*$/ -or-
-        A namespaced project name (ex. author-projectname) matching the expression /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
-
-        Configure project name in <project_dir>/bolt-project.yaml
-        ERROR_STRING
-      # If the project name is the same as one of the built-in modules raise a warning
-      elsif Dir.children(Bolt::PAL::BOLTLIB_PATH).include?(name)
-        raise Bolt::ValidationError, "The project '#{name}' will not be loaded. The project name conflicts "\
-          "with a built-in Bolt module of the same name."
+      if name
+        name_regex = /^[a-z][a-z0-9_]*$/
+        if name !~ name_regex
+          raise Bolt::ValidationError, <<~ERROR_STRING
+          Invalid project name '#{name}' in bolt-project.yaml; project name must match #{name_regex.inspect}
+          ERROR_STRING
+        elsif Dir.children(Bolt::PAL::BOLTLIB_PATH).include?(name)
+          raise Bolt::ValidationError, "The project '#{name}' will not be loaded. The project name conflicts "\
+            "with a built-in Bolt module of the same name."
+        end
+      else
+        message = "No project name is specified in bolt-project.yaml. Project-level content will not be available."
+        @warnings << { msg: message }
       end
 
       %w[tasks plans].each do |conf|
@@ -171,8 +160,8 @@ module Bolt
 
     def check_deprecated_file
       if (@path + 'project.yaml').file?
-        logger = Logging.logger[self]
-        logger.warn "Project configuration file 'project.yaml' is deprecated; use 'bolt-project.yaml' instead."
+        msg = "Project configuration file 'project.yaml' is deprecated; use 'bolt-project.yaml' instead."
+        Bolt::Logger.deprecation_warning('Using project.yaml instead of bolt-project.yaml', msg)
       end
     end
   end

data/lib/bolt/shell/bash.rb

@@ -23,7 +23,7 @@ module Bolt
 
       def run_command(command, options = {})
         running_as(options[:run_as]) do
-          output = execute(command, sudoable: true)
+          output = execute(command, environment: options[:env_vars], sudoable: true)
           Bolt::Result.for_command(target,
                                    output.stdout.string,
                                    output.stderr.string,
@@ -35,7 +35,7 @@ module Bolt
       def upload(source, destination, options = {})
         running_as(options[:run_as]) do
           with_tmpdir do |dir|
-            basename = File.basename(destination)
+            basename = File.basename(source)
             tmpfile = File.join(dir.to_s, basename)
             conn.copy_file(source, tmpfile)
             # pass over file ownership if we're using run-as to be a different user
@@ -58,7 +58,7 @@ module Bolt
           with_tmpdir do |dir|
             path = write_executable(dir.to_s, script)
             dir.chown(run_as)
-            output = execute([path, *arguments], sudoable: true)
+            output = execute([path, *arguments], environment: options[:env_vars], sudoable: true)
             Bolt::Result.for_command(target,
                                      output.stdout.string,
                                      output.stderr.string,
@@ -170,7 +170,7 @@ module Bolt
       def check_sudo(out, inp, stdin)
         buffer = out.readpartial(CHUNK_SIZE)
         # Split on newlines, including the newline
-        lines = buffer.split(/(?<=[\n])/)
+        lines = buffer.split(/(?<=\n)/)
         # handle_sudo will return the line if it is not a sudo prompt or error
         lines.map! { |line| handle_sudo(inp, line, stdin) }
         lines.join("")
@@ -277,31 +277,8 @@ module Bolt
         end
       end
 
-      # In the case where a task is run with elevated privilege and needs stdin
-      # a random string is echoed to stderr indicating that the stdin is available
-      # for task input data because the sudo password has already either been
-      # provided on stdin or was not needed.
-      def prepend_sudo_success(sudo_id, command_str)
-        command_str = "cd; #{command_str}" if conn.reset_cwd?
-        "sh -c #{Shellwords.shellescape("echo #{sudo_id} 1>&2; #{command_str}")}"
-      end
-
-      def prepend_chdir(command_str)
-        "sh -c #{Shellwords.shellescape("cd; #{command_str}")}"
-      end
-
-      # A helper to build up a single string that contains all of the options for
-      # privilege escalation. A wrapper script is used to direct task input to stdin
-      # when a tty is allocated and thus we do not need to prepend_sudo_success when
-      # using the wrapper or when the task does not require stdin data.
-      def build_sudoable_command_str(command_str, sudo_str, sudo_id, options)
-        if options[:stdin] && !options[:wrapper]
-          "#{sudo_str} #{prepend_sudo_success(sudo_id, command_str)}"
-        elsif conn.reset_cwd?
-          "#{sudo_str} #{prepend_chdir(command_str)}"
-        else
-          "#{sudo_str} #{command_str}"
-        end
+      def sudo_success(sudo_id)
+        "echo #{sudo_id} 1>&2"
       end
 
       # Returns string with the interpreter conditionally prepended
@@ -322,27 +299,38 @@ module Bolt
         escalate = sudoable && run_as && conn.user != run_as
         use_sudo = escalate && @target.options['run-as-command'].nil?
 
-        command_str = inject_interpreter(options[:interpreter], command)
+        # Depending on the transport, whether we're using sudo and whether
+        # there are environment variables to set, we may need to stitch
+        # together multiple commands into a single sh invocation
+        commands = [inject_interpreter(options[:interpreter], command)]
 
         if options[:environment]
-          env_decls = options[:environment].map do |env, val|
+          env_decl = options[:environment].map do |env, val|
             "#{env}=#{Shellwords.shellescape(val)}"
-          end
-          command_str = "#{env_decls.join(' ')} #{command_str}"
+          end.join(' ')
         end
 
         if escalate
-          if use_sudo
-            sudo_exec = target.options['sudo-executable'] || "sudo"
-            sudo_flags = [sudo_exec, "-S", "-H", "-u", run_as, "-p", sudo_prompt]
-            sudo_flags += ["-E"] if options[:environment]
-            sudo_str = Shellwords.shelljoin(sudo_flags)
-          else
-            sudo_str = Shellwords.shelljoin(@target.options['run-as-command'] + [run_as])
-          end
-          command_str = build_sudoable_command_str(command_str, sudo_str, @sudo_id, options)
+          sudo_str = if use_sudo
+                       sudo_exec = target.options['sudo-executable'] || "sudo"
+                       sudo_flags = [sudo_exec, "-S", "-H", "-u", run_as, "-p", sudo_prompt]
+                       sudo_flags += ["-E"] if options[:environment]
+                       Shellwords.shelljoin(sudo_flags)
+                     else
+                       Shellwords.shelljoin(@target.options['run-as-command'] + [run_as])
+                     end
+          commands.unshift('cd') if conn.reset_cwd?
+          commands.unshift(sudo_success(@sudo_id)) if options[:stdin] && !options[:wrapper]
         end
 
+        command_str = if sudo_str || env_decl
+                        "sh -c #{Shellwords.shellescape(commands.join('; '))}"
+                      else
+                        commands.last
+                      end
+
+        command_str = [sudo_str, env_decl, command_str].compact.join(' ')
+
         @logger.debug { "Executing: #{command_str}" }
 
         in_buffer = if !use_sudo && options[:stdin]