bolt 2.16.0 → 2.21.0

data/lib/bolt/pal/yaml_plan/step/message.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Bolt
+  class PAL
+    class YamlPlan
+      class Step
+        class Message < Step
+          def self.allowed_keys
+            super + Set['message']
+          end
+
+          def self.required_keys
+            Set['message']
+          end
+
+          def initialize(step_body)
+            super
+            @message = step_body['message']
+          end
+
+          def transpile
+            code = String.new("  ")
+            code << function_call('out::message', [@message])
+            code << "\n"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bolt/pal/yaml_plan/step/upload.rb

@@ -6,16 +6,16 @@ module Bolt
       class Step
         class Upload < Step
           def self.allowed_keys
-            super + Set['source', 'destination']
+            super + Set['source', 'destination', 'upload']
           end
 
           def self.required_keys
-            Set['destination', 'source', 'targets']
+            Set['upload', 'destination', 'targets']
           end
 
           def initialize(step_body)
             super
-            @source = step_body['source']
+            @source = step_body['upload'] || step_body['source']
             @destination = step_body['destination']
           end
 

data/lib/bolt/plugin/module.rb

@@ -184,12 +184,10 @@ module Bolt
       # Raises a deprecation warning if the pkcs7 plugin is using deprecated keys and
       # modifies the keys so they are the correct format
       def handle_deprecated_pkcs7_keys(params)
-        if (params.key?('private-key') || params.key?('public-key')) && !@deprecation_warning_issued
-          @deprecation_warning_issued = true
-
+        if params.key?('private-key') || params.key?('public-key')
           message = "pkcs7 keys 'private-key' and 'public-key' have been deprecated and will be "\
                     "removed in a future version of Bolt; use 'private_key' and 'public_key' instead."
-          Logging.logger[self].warn(message)
+          Bolt::Logger.deprecation_warning('PKCS7 keys using hyphens, not underscores', message)
         end
 
         params['private_key'] = params.delete('private-key') if params.key?('private-key')

data/lib/bolt/plugin/puppetdb.rb

@@ -85,7 +85,8 @@ module Bolt
 
       def resolve_facts(config, certname, target_data)
         Bolt::Util.walk_vals(config) do |value|
-          if value.is_a?(String)
+          case value
+          when String
             if value == 'certname'
               certname
             else
@@ -94,7 +95,7 @@ module Bolt
               # If there's no fact data this will be nil
               data&.fetch('value', nil)
             end
-          elsif value.is_a?(Array) || value.is_a?(Hash)
+          when Array, Hash
             value
           else
             raise FactLookupError.new(value, "fact lookups must be a string")

data/lib/bolt/project.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'pathname'
-require 'bolt/pal'
 require 'bolt/config'
+require 'bolt/pal'
 
 module Bolt
   class Project
@@ -16,7 +16,8 @@ module Bolt
     }.freeze
 
     attr_reader :path, :data, :config_file, :inventory_file, :modulepath, :hiera_config,
-                :puppetfile, :rerunfile, :type, :resource_types, :warnings, :project_file
+                :puppetfile, :rerunfile, :type, :resource_types, :warnings, :project_file,
+                :deprecations, :downloads
 
     def self.default_project
       create_project(File.expand_path(File.join('~', '.puppetlabs', 'bolt')), 'user')
@@ -31,6 +32,7 @@ module Bolt
     # hierarchy, falling back to the default if we reach the root.
     def self.find_boltdir(dir)
       dir = Pathname.new(dir)
+
       if (dir + BOLTDIR_NAME).directory?
         create_project(dir + BOLTDIR_NAME, 'embedded')
       elsif (dir + 'bolt.yaml').file? || (dir + 'bolt-project.yaml').file?
@@ -44,6 +46,15 @@ module Bolt
 
     def self.create_project(path, type = 'option')
       fullpath = Pathname.new(path).expand_path
+
+      if !Bolt::Util.windows? && type != 'environment' && fullpath.world_writable?
+        raise Bolt::Error.new(
+          "Project directory '#{fullpath}' is world-writable which poses a security risk. Set "\
+          "BOLT_PROJECT='#{fullpath}' to force the use of this project directory.",
+          "bolt/world-writable-error"
+        )
+      end
+
       project_file = File.join(fullpath, 'bolt-project.yaml')
       data = Bolt::Util.read_optional_yaml_hash(File.expand_path(project_file), 'project')
       new(data, path, type)
@@ -51,14 +62,16 @@ module Bolt
 
     def initialize(raw_data, path, type = 'option')
       @path = Pathname.new(path).expand_path
+
       @project_file = @path + 'bolt-project.yaml'
 
       @warnings = []
+      @deprecations = []
       if (@path + 'bolt.yaml').file? && project_file?
         msg = "Project-level configuration in bolt.yaml is deprecated if using bolt-project.yaml. "\
           "Transport config should be set in inventory.yaml, all other config should be set in "\
           "bolt-project.yaml."
-        @warnings << { msg: msg }
+        @deprecations << { type: 'Using bolt.yaml for project configuration', msg: msg }
       end
 
       @inventory_file = @path + 'inventory.yaml'
@@ -68,6 +81,7 @@ module Bolt
       @rerunfile = @path + '.rerun.json'
       @resource_types = @path + '.resource_types'
       @type = type
+      @downloads = @path + 'downloads'
 
       tc = Bolt::Config::INVENTORY_OPTIONS.keys & raw_data.keys
       if tc.any?
@@ -98,7 +112,7 @@ module Bolt
     # This API is used to prepend the project as a module to Puppet's internal
     # module_references list. CHANGE AT YOUR OWN RISK
     def to_h
-      { path: @path, name: name }
+      { path: @path.to_s, name: name }
     end
 
     def eql?(other)
@@ -147,8 +161,8 @@ module Bolt
 
     def check_deprecated_file
       if (@path + 'project.yaml').file?
-        logger = Logging.logger[self]
-        logger.warn "Project configuration file 'project.yaml' is deprecated; use 'bolt-project.yaml' instead."
+        msg = "Project configuration file 'project.yaml' is deprecated; use 'bolt-project.yaml' instead."
+        Bolt::Logger.deprecation_warning('Using project.yaml instead of bolt-project.yaml', msg)
       end
     end
   end

data/lib/bolt/puppetdb/client.rb

@@ -96,6 +96,8 @@ module Bolt
         @http = HTTPClient.new
         @http.ssl_config.set_client_cert_file(@config.cert, @config.key) if @config.cert
         @http.ssl_config.add_trust_ca(@config.cacert)
+        @http.connect_timeout = @config.connect_timeout if @config.connect_timeout
+        @http.receive_timeout = @config.read_timeout if @config.read_timeout
 
         @http
       end

data/lib/bolt/puppetdb/config.rb

@@ -132,6 +132,22 @@ module Bolt
         end
       end
 
+      def connect_timeout
+        validate_timeout('connect_timeout')
+        @settings['connect_timeout']
+      end
+
+      def read_timeout
+        validate_timeout('read_timeout')
+        @settings['read_timeout']
+      end
+
+      def validate_timeout(timeout)
+        unless @settings[timeout].nil? || (@settings[timeout].is_a?(Integer) && @settings[timeout] > 0)
+          raise Bolt::PuppetDBError, "#{timeout} must be a positive integer, received #{@settings[timeout]}"
+        end
+      end
+
       def to_hash
         @settings.dup
       end

data/lib/bolt/result.rb

@@ -79,6 +79,13 @@ module Bolt
       new(target, message: "Uploaded '#{source}' to '#{target.host}:#{destination}'", action: 'upload', object: source)
     end
 
+    def self.for_download(target, source, destination, download)
+      msg   = "Downloaded '#{target.host}:#{source}' to '#{destination}'"
+      value = { 'path' => download }
+
+      new(target, value: value, message: msg, action: 'download', object: source)
+    end
+
     # Satisfies the Puppet datatypes API
     def self.from_asserted_args(target, value)
       new(target, value: value)

data/lib/bolt/shell/bash.rb

@@ -23,7 +23,7 @@ module Bolt
 
       def run_command(command, options = {})
         running_as(options[:run_as]) do
-          output = execute(command, sudoable: true)
+          output = execute(command, environment: options[:env_vars], sudoable: true)
           Bolt::Result.for_command(target,
                                    output.stdout.string,
                                    output.stderr.string,
@@ -37,7 +37,7 @@ module Bolt
           with_tmpdir do |dir|
             basename = File.basename(source)
             tmpfile = File.join(dir.to_s, basename)
-            conn.copy_file(source, tmpfile)
+            conn.upload_file(source, tmpfile)
             # pass over file ownership if we're using run-as to be a different user
             dir.chown(run_as)
             result = execute(['mv', '-f', tmpfile, destination], sudoable: true)
@@ -50,6 +50,27 @@ module Bolt
         end
       end
 
+      def download(source, destination, options = {})
+        running_as(options[:run_as]) do
+          # Target OS may be either Unix or Windows. Without knowing the target OS before-hand
+          # we can't assume whether the path separator is '/' or '\'. Assume we're connecting
+          # to a target with Unix and then check if the path exists after downloading.
+          download = File.join(destination, Bolt::Util.unix_basename(source))
+
+          conn.download_file(source, destination, download)
+
+          # If the download path doesn't exist, then the file was likely downloaded from Windows
+          # using a source path with backslashes (e.g. 'C:\Users\Administrator\foo'). The file
+          # should be saved to the expected location, so update the download path assuming a
+          # Windows basename so the result shows the correct local path.
+          unless File.exist?(download)
+            download = File.join(destination, Bolt::Util.windows_basename(source))
+          end
+
+          Bolt::Result.for_download(target, source, destination, download)
+        end
+      end
+
       def run_script(script, arguments, options = {})
         # unpack any Sensitive data
         arguments = unwrap_sensitive_args(arguments)
@@ -58,7 +79,7 @@ module Bolt
           with_tmpdir do |dir|
             path = write_executable(dir.to_s, script)
             dir.chown(run_as)
-            output = execute([path, *arguments], sudoable: true)
+            output = execute([path, *arguments], environment: options[:env_vars], sudoable: true)
             Bolt::Result.for_command(target,
                                      output.stdout.string,
                                      output.stderr.string,
@@ -95,7 +116,7 @@ module Bolt
               task_dir = File.join(dir.to_s, task.tasks_dir)
               dir.mkdirs([task.tasks_dir] + extra_files.map { |file| File.dirname(file['name']) })
               extra_files.each do |file|
-                conn.copy_file(file['path'], File.join(dir.to_s, file['name']))
+                conn.upload_file(file['path'], File.join(dir.to_s, file['name']))
               end
             end
 
@@ -170,7 +191,7 @@ module Bolt
       def check_sudo(out, inp, stdin)
         buffer = out.readpartial(CHUNK_SIZE)
         # Split on newlines, including the newline
-        lines = buffer.split(/(?<=[\n])/)
+        lines = buffer.split(/(?<=\n)/)
         # handle_sudo will return the line if it is not a sudo prompt or error
         lines.map! { |line| handle_sudo(inp, line, stdin) }
         lines.join("")
@@ -257,7 +278,7 @@ module Bolt
       def write_executable(dir, file, filename = nil)
         filename ||= File.basename(file)
         remote_path = File.join(dir.to_s, filename)
-        conn.copy_file(file, remote_path)
+        conn.upload_file(file, remote_path)
         make_executable(remote_path)
         remote_path
       end
@@ -277,31 +298,8 @@ module Bolt
         end
       end
 
-      # In the case where a task is run with elevated privilege and needs stdin
-      # a random string is echoed to stderr indicating that the stdin is available
-      # for task input data because the sudo password has already either been
-      # provided on stdin or was not needed.
-      def prepend_sudo_success(sudo_id, command_str)
-        command_str = "cd; #{command_str}" if conn.reset_cwd?
-        "sh -c #{Shellwords.shellescape("echo #{sudo_id} 1>&2; #{command_str}")}"
-      end
-
-      def prepend_chdir(command_str)
-        "sh -c #{Shellwords.shellescape("cd; #{command_str}")}"
-      end
-
-      # A helper to build up a single string that contains all of the options for
-      # privilege escalation. A wrapper script is used to direct task input to stdin
-      # when a tty is allocated and thus we do not need to prepend_sudo_success when
-      # using the wrapper or when the task does not require stdin data.
-      def build_sudoable_command_str(command_str, sudo_str, sudo_id, options)
-        if options[:stdin] && !options[:wrapper]
-          "#{sudo_str} #{prepend_sudo_success(sudo_id, command_str)}"
-        elsif conn.reset_cwd?
-          "#{sudo_str} #{prepend_chdir(command_str)}"
-        else
-          "#{sudo_str} #{command_str}"
-        end
+      def sudo_success(sudo_id)
+        "echo #{sudo_id} 1>&2"
       end
 
       # Returns string with the interpreter conditionally prepended
@@ -322,27 +320,37 @@ module Bolt
         escalate = sudoable && run_as && conn.user != run_as
         use_sudo = escalate && @target.options['run-as-command'].nil?
 
-        command_str = inject_interpreter(options[:interpreter], command)
+        # Depending on the transport, whether we're using sudo and whether
+        # there are environment variables to set, we may need to stitch
+        # together multiple commands into a single sh invocation
+        commands = [inject_interpreter(options[:interpreter], command)]
 
         if options[:environment]
-          env_decls = options[:environment].map do |env, val|
+          env_decl = options[:environment].map do |env, val|
             "#{env}=#{Shellwords.shellescape(val)}"
-          end
-          command_str = "#{env_decls.join(' ')} #{command_str}"
+          end.join(' ')
         end
 
         if escalate
           sudo_str = if use_sudo
                        sudo_exec = target.options['sudo-executable'] || "sudo"
                        sudo_flags = [sudo_exec, "-S", "-H", "-u", run_as, "-p", sudo_prompt]
-                       sudo_flags += ["-E"] if options[:environment]
                        Shellwords.shelljoin(sudo_flags)
                      else
                        Shellwords.shelljoin(@target.options['run-as-command'] + [run_as])
                      end
-          command_str = build_sudoable_command_str(command_str, sudo_str, @sudo_id, options)
+          commands.unshift('cd') if conn.reset_cwd?
+          commands.unshift(sudo_success(@sudo_id)) if options[:stdin] && !options[:wrapper]
         end
 
+        command_str = if sudo_str || env_decl
+                        "sh -c #{Shellwords.shellescape(commands.join('; '))}"
+                      else
+                        commands.last
+                      end
+
+        command_str = [sudo_str, env_decl, command_str].compact.join(' ')
+
         @logger.debug { "Executing: #{command_str}" }
 
         in_buffer = if !use_sudo && options[:stdin]

data/lib/bolt/shell/powershell.rb

@@ -71,8 +71,10 @@ module Bolt
         end
       end
 
-      def set_env(arg, val)
-        "[Environment]::SetEnvironmentVariable('#{arg}', @'\n#{val}\n'@)"
+      def env_declarations(env_vars)
+        env_vars.map do |var, val|
+          "[Environment]::SetEnvironmentVariable('#{var}', @'\n#{val}\n'@)"
+        end
       end
 
       def quote_string(string)
@@ -83,7 +85,7 @@ module Bolt
         filename ||= File.basename(file)
         validate_extensions(File.extname(filename))
         destination = "#{dir}\\#{filename}"
-        conn.copy_file(file, destination)
+        conn.upload_file(file, destination)
         destination
       end
 
@@ -162,11 +164,19 @@ module Bolt
       end
 
       def upload(source, destination, _options = {})
-        conn.copy_file(source, destination)
+        conn.upload_file(source, destination)
         Bolt::Result.for_upload(target, source, destination)
       end
 
-      def run_command(command, _options = {})
+      def download(source, destination, _options = {})
+        download = File.join(destination, Bolt::Util.windows_basename(source))
+        conn.download_file(source, destination, download)
+        Bolt::Result.for_download(target, source, destination, download)
+      end
+
+      def run_command(command, options = {})
+        command = [*env_declarations(options[:env_vars]), command].join("\r\n") if options[:env_vars]
+
         output = execute(command)
         Bolt::Result.for_command(target,
                                  output.stdout.string,
@@ -175,7 +185,7 @@ module Bolt
                                  'command', command)
       end
 
-      def run_script(script, arguments, _options = {})
+      def run_script(script, arguments, options = {})
         # unpack any Sensitive data
         arguments = unwrap_sensitive_args(arguments)
         with_tmpdir do |dir|
@@ -187,6 +197,8 @@ module Bolt
                       args += escape_arguments(arguments)
                       execute_process(path, args)
                     end
+          command = [*env_declarations(options[:env_vars]), command].join("\r\n") if options[:env_vars]
+
           output = execute(command)
           Bolt::Result.for_command(target,
                                    output.stdout.string,
@@ -214,7 +226,7 @@ module Bolt
             task_dir = File.join(dir, task.tasks_dir)
             mkdirs([task_dir] + extra_files.map { |file| File.join(dir, File.dirname(file['name'])) })
             extra_files.each do |file|
-              conn.copy_file(file['path'], File.join(dir, file['name']))
+              conn.upload_file(file['path'], File.join(dir, file['name']))
             end
           end
 
@@ -237,9 +249,7 @@ module Bolt
                     end
 
           env_assignments = if Bolt::Task::ENVIRONMENT_METHODS.include?(input_method)
-                              envify_params(arguments).map do |(arg, val)|
-                                set_env(arg, val)
-                              end
+                              env_declarations(envify_params(arguments))
                             else
                               []
                             end
@@ -258,7 +268,7 @@ module Bolt
           return with_tmpdir do |dir|
             command += "\r\nif (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
             script_file = File.join(dir, "#{SecureRandom.uuid}_wrapper.ps1")
-            conn.copy_file(StringIO.new(command), script_file)
+            conn.upload_file(StringIO.new(command), script_file)
             args = escape_arguments([script_file])
             script_invocation = ['powershell.exe', *PS_ARGS, '-File', *args].join(' ')
             execute(script_invocation)