bolt 2.6.0 → 2.11.0

data/lib/bolt/config/transport/winrm.rb

@@ -7,11 +7,15 @@ module Bolt
   class Config
     module Transport
       class WinRM < Base
+        # NOTE: All transport configuration options should have a corresponding schema definition
+        #       in schemas/bolt-transport-definitions.json
         OPTIONS = {
           "basic-auth-only" => { type: TrueClass,
                                  desc: "Force basic authentication. This option is only available when using SSL." },
           "cacert"          => { type: String,
                                  desc: "The path to the CA certificate." },
+          "cleanup"         => { type: TrueClass,
+                                 desc: "Whether to clean up temporary files created on targets." },
           "connect-timeout" => { type: Integer,
                                  desc: "How long Bolt should wait when establishing connections." },
           "extensions"      => { type: Array,
@@ -53,6 +57,7 @@ module Bolt
 
         DEFAULTS = {
           "basic-auth-only" => false,
+          "cleanup"         => true,
           "connect-timeout" => 10,
           "ssl"             => true,
           "ssl-verify"      => true,
@@ -68,7 +73,7 @@ module Bolt
             end
 
             if @config['cacert']
-              @config['cacert'] = File.expand_path(@config['cacert'], @boltdir)
+              @config['cacert'] = File.expand_path(@config['cacert'], @project)
               Bolt::Util.validate_file('cacert', @config['cacert'])
             end
           end

data/lib/bolt/executor.rb

@@ -278,6 +278,22 @@ module Bolt
       end
     end
 
+    def run_task_with(target_mapping, task, options = {})
+      targets = target_mapping.keys
+      description = options.fetch(:description, "task #{task.name}")
+
+      log_action(description, targets) do
+        options[:run_as] = run_as if run_as && !options.key?(:run_as)
+        target_mapping.each_value { |arguments| arguments['_task'] = task.name }
+
+        batch_execute(targets) do |transport, batch|
+          with_node_logging("Running task #{task.name}'", batch) do
+            transport.batch_task_with(batch, task, target_mapping, options, &method(:publish_event))
+          end
+        end
+      end
+    end
+
     def upload_file(targets, source, destination, options = {})
       description = options.fetch(:description, "file upload from #{source} to #{destination}")
       log_action(description, targets) do
@@ -291,6 +307,10 @@ module Bolt
       end
     end
 
+    def run_plan(scope, plan, params)
+      plan.call_by_name_with_scope(scope, params, true)
+    end
+
     class TimeoutError < RuntimeError; end
 
     def wait_until_available(targets,
@@ -326,6 +346,24 @@ module Bolt
       end
     end
 
+    def prompt(prompt, options)
+      unless STDIN.tty?
+        raise Bolt::Error.new('STDIN is not a tty, unable to prompt', 'bolt/no-tty-error')
+      end
+
+      STDERR.print("#{prompt}: ")
+
+      value = if options[:sensitive]
+                STDIN.noecho(&:gets).to_s.chomp
+              else
+                STDIN.gets.to_s.chomp
+              end
+
+      STDERR.puts if options[:sensitive]
+
+      value
+    end
+
     # Plan context doesn't make sense for most transports but it is tightly
     # coupled with the orchestrator transport since the transport behaves
     # differently when a plan is running. In order to limit how much this

data/lib/bolt/inventory.rb

@@ -15,6 +15,7 @@ module Bolt
 
     class ValidationError < Bolt::Error
       attr_accessor :path
+
       def initialize(message, offending_group)
         super(message, 'bolt.inventory/validation-error')
         @_message = message
@@ -83,7 +84,7 @@ module Bolt
 
     def self.empty
       config  = Bolt::Config.default
-      plugins = Bolt::Plugin.setup(config, nil, nil, Bolt::Analytics::NoopClient)
+      plugins = Bolt::Plugin.setup(config, nil)
 
       create_version({}, config.transport, config.transports, plugins)
     end

data/lib/bolt/inventory/group.rb

@@ -12,6 +12,7 @@ module Bolt
       # Regex used to validate group names and target aliases.
       NAME_REGEX = /\A[a-z0-9_][a-z0-9_-]*\Z/.freeze
 
+      # NOTE: All keys should have a corresponding schema property in schemas/bolt-inventory.schema.json
       DATA_KEYS = %w[config facts vars features plugin_hooks].freeze
       TARGET_KEYS = DATA_KEYS + %w[name alias uri]
       GROUP_KEYS = DATA_KEYS + %w[name groups targets]

data/lib/bolt/inventory/inventory.rb

@@ -7,6 +7,7 @@ module Bolt
   class Inventory
     class Inventory
       attr_reader :targets, :plugins, :config, :transport
+
       class WildcardError < Bolt::Error
         def initialize(target)
           super("Found 0 targets matching wildcard pattern #{target}", 'bolt.inventory/wildcard-error')
@@ -50,6 +51,10 @@ module Bolt
         @group_lookup.keys
       end
 
+      def group_names_for(target_name)
+        group_data_for(target_name).fetch('groups', [])
+      end
+
       def target_names
         @groups.all_targets
       end
@@ -314,6 +319,10 @@ module Bolt
       def target_config(target)
         @targets[target.name].config
       end
+
+      def resources(target)
+        @targets[target.name].resources
+      end
     end
   end
 end

data/lib/bolt/inventory/target.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
+require 'bolt/resource_instance'
+
 module Bolt
   class Inventory
     # This class represents the active state of a target within the inventory.
     class Target
-      attr_reader :name, :uri, :safe_name, :target_alias
+      attr_reader :name, :uri, :safe_name, :target_alias, :resources
 
       def initialize(target_data, inventory)
         unless target_data['name'] || target_data['uri']
@@ -36,12 +38,26 @@ module Bolt
         # When alias is specified in a plan, the key will be `target_alias`, when
         # alias is specified in inventory the key will be `alias`.
         @target_alias = target_data['target_alias'] || target_data['alias'] || []
+        @resources = {}
 
         @inventory = inventory
 
         validate
       end
 
+      # rubocop:disable Naming/AccessorMethodName
+      def set_resource(resource)
+        if (existing_resource = resources[resource.reference])
+          existing_resource.overwrite_state(resource.state)
+          existing_resource.overwrite_desired_state(resource.desired_state)
+          existing_resource.events = existing_resource.events + resource.events
+          existing_resource
+        else
+          @resources[resource.reference] = resource
+        end
+      end
+      # rubocop:enable Naming/AccessorMethodName
+
       def vars
         group_cache['vars'].merge(@vars)
       end

data/lib/bolt/node/output.rb

@@ -12,7 +12,7 @@ module Bolt
       def initialize
         @stdout = StringIO.new
         @stderr = StringIO.new
-        @exit_code = 'unkown'
+        @exit_code = 'unknown'
       end
     end
   end

data/lib/bolt/outputter/human.rb

@@ -107,13 +107,14 @@ module Bolt
 
           # Use special handling if the result looks like a command or script result
           if result.generic_value.keys == %w[stdout stderr exit_code]
-            unless result['stdout'].strip.empty?
+            safe_value = result.safe_value
+            unless safe_value['stdout'].strip.empty?
               @stream.puts(indent(2, "STDOUT:"))
-              @stream.puts(indent(4, result['stdout']))
+              @stream.puts(indent(4, safe_value['stdout']))
             end
-            unless result['stderr'].strip.empty?
+            unless safe_value['stderr'].strip.empty?
               @stream.puts(indent(2, "STDERR:"))
-              @stream.puts(indent(4, result['stderr']))
+              @stream.puts(indent(4, safe_value['stderr']))
             end
           elsif result.generic_value.any?
             @stream.puts(indent(2, ::JSON.pretty_generate(result.generic_value)))

data/lib/bolt/outputter/json.rb

@@ -28,7 +28,7 @@ module Bolt
 
       def print_result(result)
         @stream.puts ',' if @preceding_item
-        @stream.puts result.status_hash.to_json
+        @stream.puts result.to_json
         @preceding_item = true
       end
 

data/lib/bolt/pal.rb

@@ -40,7 +40,7 @@ module Bolt
     attr_reader :modulepath
 
     def initialize(modulepath, hiera_config, resource_types, max_compiles = Etc.nprocessors,
-                   trusted_external = nil, apply_settings = {})
+                   trusted_external = nil, apply_settings = {}, project = nil)
       # Nothing works without initialized this global state. Reinitializing
       # is safe and in practice only happens in tests
       self.class.load_puppet
@@ -52,6 +52,7 @@ module Bolt
       @apply_settings = apply_settings
       @max_compiles = max_compiles
       @resource_types = resource_types
+      @project = project
 
       @logger = Logging.logger[self]
       if modulepath && !modulepath.empty?
@@ -114,7 +115,7 @@ module Bolt
       compiler.evaluate_string('type PlanResult = Boltlib::PlanResult')
     end
 
-    # Register all resource types defined in $Boltdir/.resource_types as well as
+    # Register all resource types defined in $Project/.resource_types as well as
     # the built in types registered with the runtime_3_init method.
     def register_resource_types(loaders)
       static_loader = loaders.static_loader
@@ -136,19 +137,34 @@ module Bolt
       # TODO: If we always call this inside a bolt_executor we can remove this here
       setup
       r = Puppet::Pal.in_tmp_environment('bolt', modulepath: @modulepath, facts: {}) do |pal|
-        pal.with_script_compiler do |compiler|
-          alias_types(compiler)
-          register_resource_types(Puppet.lookup(:loaders)) if @resource_types
-          begin
-            Puppet.override(yaml_plan_instantiator: Bolt::PAL::YamlPlan::Loader) do
+        Puppet.override(bolt_project: @project,
+                        yaml_plan_instantiator: Bolt::PAL::YamlPlan::Loader) do
+          pal.with_script_compiler do |compiler|
+            alias_types(compiler)
+            register_resource_types(Puppet.lookup(:loaders)) if @resource_types
+            begin
               yield compiler
+            rescue Bolt::Error => e
+              e
+            rescue Puppet::DataBinding::LookupError => e
+              if e.issue_code == :HIERA_UNDEFINED_VARIABLE
+                message = "Interpolations are not supported in lookups outside of an apply block: #{e.message}"
+                PALError.new(message)
+              else
+                PALError.from_preformatted_error(e)
+              end
+            rescue Puppet::PreformattedError => e
+              if e.issue_code == :UNKNOWN_VARIABLE &&
+                 %w[facts trusted server_facts settings].include?(e.arguments[:name])
+                message = "Evaluation Error: Variable '#{e.arguments[:name]}' is not available in the current scope "\
+                  "unless explicitly defined. (file: #{e.file}, line: #{e.line}, column: #{e.pos})"
+                PALError.new(message)
+              else
+                PALError.from_preformatted_error(e)
+              end
+            rescue StandardError => e
+              PALError.from_preformatted_error(e)
             end
-          rescue Bolt::Error => e
-            e
-          rescue Puppet::PreformattedError => e
-            PALError.from_preformatted_error(e)
-          rescue StandardError => e
-            PALError.from_preformatted_error(e)
           end
         end
       end
@@ -215,6 +231,7 @@ module Bolt
         Puppet.initialize_settings(cli)
         Puppet::GettextConfig.create_default_text_domain
         Puppet[:trusted_external_command] = @trusted_external
+        Puppet.settings[:hiera_config] = @hiera_config
         self.class.configure_logging
         yield
       end
@@ -312,7 +329,8 @@ module Bolt
         raise Bolt::Error.unknown_plan(plan_name)
       end
 
-      mod = plan_sig.instance_variable_get(:@plan_func).loader.parent.path
+      # path may be a Pathname object, so make sure to stringify it
+      mod = plan_sig.instance_variable_get(:@plan_func).loader.parent.path.to_s
 
       # If it's a Puppet language plan, use strings to extract data. The only
       # way to tell is to check which filename exists in the module.

data/lib/bolt/pal/yaml_plan.rb

@@ -99,6 +99,7 @@ module Bolt
       # logic.
       class EvaluableString
         attr_reader :value
+
         def initialize(value)
           @value = value
         end

data/lib/bolt/plugin.rb

@@ -115,17 +115,13 @@ module Bolt
       end
 
       def boltdir
-        @config.boltdir.path
+        @config.project.path
       end
     end
 
-    def self.setup(config, pal, pdb_client, analytics)
+    def self.setup(config, pal, analytics = Bolt::Analytics::NoopClient.new)
       plugins = new(config, pal, analytics)
 
-      # PDB is special because it needs the PDB client. Since it has no config,
-      # we can just add it first.
-      plugins.add_plugin(Bolt::Plugin::Puppetdb.new(pdb_client))
-
       # Initialize any plugins referenced in plugin config. This will also indirectly
       # initialize any plugins they depend on.
       if plugins.reference?(config.plugins)
@@ -142,7 +138,7 @@ module Bolt
       plugins
     end
 
-    RUBY_PLUGINS = %w[task pkcs7 prompt env_var].freeze
+    RUBY_PLUGINS = %w[task prompt env_var puppetdb].freeze
     BUILTIN_PLUGINS = %w[task terraform pkcs7 prompt vault aws_inventory puppetdb azure_inventory
                          yaml env_var gcloud_inventory].freeze
     DEFAULT_PLUGIN_HOOKS = { 'puppet_library' => { 'plugin' => 'puppet_agent', 'stop_service' => true } }.freeze
@@ -161,6 +157,13 @@ module Bolt
       @unknown = Set.new
       @resolution_stack = []
       @unresolved_plugin_configs = config.plugins.dup
+      # The puppetdb plugin config comes from the puppetdb section, not from
+      # the plugins section
+      if @unresolved_plugin_configs.key?('puppetdb')
+        msg = "Configuration for the PuppetDB plugin must be in the 'puppetdb' config section, not 'plugins'"
+        raise Bolt::Error.new(msg, 'bolt/plugin-error')
+      end
+      @unresolved_plugin_configs['puppetdb'] = config.puppetdb if config.puppetdb
       @plugin_hooks = DEFAULT_PLUGIN_HOOKS.dup
     end
 
@@ -168,7 +171,6 @@ module Bolt
       @modules ||= Bolt::Module.discover(@pal.modulepath)
     end
 
-    # Generally this is private. Puppetdb is special though
     def add_plugin(plugin)
       @plugins[plugin.name] = plugin
     end
@@ -235,6 +237,10 @@ module Bolt
       end
     end
 
+    def puppetdb_client
+      by_name('puppetdb').puppetdb_client
+    end
+
     # Evaluate all _plugin references in a data structure. Leaves are
     # evaluated and then their parents are evaluated with references replaced
     # by their values. If the result of a reference contains more references,

data/lib/bolt/plugin/env_var.rb

@@ -17,13 +17,14 @@ module Bolt
         unless opts['var']
           raise Bolt::ValidationError, "env_var plugin requires that the 'var' is specified"
         end
+        return if opts['optional'] || opts['default']
         unless ENV[opts['var']]
           raise Bolt::ValidationError, "env_var plugin requires that the var '#{opts['var']}' be set"
         end
       end
 
       def resolve_reference(opts)
-        ENV[opts['var']]
+        ENV[opts['var']] || opts['default']
       end
     end
   end

data/lib/bolt/plugin/module.rb

@@ -30,6 +30,10 @@ module Bolt
         @module = mod
         @config = config
         @context = context
+
+        if @module.name == 'pkcs7'
+          @config = handle_deprecated_pkcs7_keys(@config)
+        end
       end
 
       # This method interacts with the module on disk so it's separate from initialize
@@ -155,7 +159,21 @@ module Bolt
         # handled previously. That may not always be the case so filter them
         # out now.
         meta, params = opts.partition { |key, _val| key.start_with?('_') }.map(&:to_h)
-        params = config.merge(params)
+
+        if task.module_name == 'pkcs7'
+          params = handle_deprecated_pkcs7_keys(params)
+        end
+
+        # Reject parameters from config that are not accepted by the task and
+        # merge in parameter defaults
+        params = if task.parameters
+                   task.parameter_defaults
+                       .merge(config.slice(*task.parameters.keys))
+                       .merge(params)
+                 else
+                   config.merge(params)
+                 end
+
         validate_params(task, params)
 
         meta['_boltdir'] = @context.boltdir.to_s
@@ -163,6 +181,23 @@ module Bolt
         [params, meta]
       end
 
+      # Raises a deprecation warning if the pkcs7 plugin is using deprecated keys and
+      # modifies the keys so they are the correct format
+      def handle_deprecated_pkcs7_keys(params)
+        if (params.key?('private-key') || params.key?('public-key')) && !@deprecation_warning_issued
+          @deprecation_warning_issued = true
+
+          message = "pkcs7 keys 'private-key' and 'public-key' have been deprecated and will be "\
+                    "removed in a future version of Bolt; use 'private_key' and 'public_key' instead."
+          Logging.logger[self].warn(message)
+        end
+
+        params['private_key'] = params.delete('private-key') if params.key?('private-key')
+        params['public_key'] = params.delete('public-key') if params.key?('public-key')
+
+        params
+      end
+
       def extract_task_parameter_schema
         # Get the intersection of expected types (using Set)
         type_set = @hook_map.each_with_object({}) do |(_hook, task), acc|
@@ -220,13 +255,11 @@ module Bolt
       end
 
       def validate_resolve_reference(opts)
-        # Merge config with params
-        merged = @config.merge(opts)
-        params = merged.reject { |k, _v| k.start_with?('_') }
+        task = @hook_map[:resolve_reference]['task']
+        params, _metaparams = process_params(task, opts)
 
-        sig = @hook_map[:resolve_reference]['task']
-        if sig
-          validate_params(sig, params)
+        if task
+          validate_params(task, params)
         end
 
         if @hook_map.include?(:validate_resolve_reference)