bolt 2.7.0 → 2.8.0

data/lib/bolt/config/transport/base.rb

@@ -9,12 +9,12 @@ module Bolt
       class Base
         attr_reader :input
 
-        def initialize(data = {}, boltdir = nil)
+        def initialize(data = {}, project = nil)
           assert_hash_or_config(data)
           @input    = data
           @resolved = !Bolt::Util.references?(input)
           @config   = resolved? ? Bolt::Util.deep_merge(defaults, filter(input)) : defaults
-          @boltdir  = boltdir
+          @project  = project
 
           validate if resolved?
         end
@@ -62,7 +62,7 @@ module Bolt
             Bolt::Util.deep_merge(acc, layer_data)
           end
 
-          self.class.new(merged, @boltdir)
+          self.class.new(merged, @project)
         end
 
         # Resolve any references in the input data, then remerge it with the defaults

data/lib/bolt/config/transport/orch.rb

@@ -32,12 +32,12 @@ module Bolt
           super
 
           if @config['cacert']
-            @config['cacert'] = File.expand_path(@config['cacert'], @boltdir)
+            @config['cacert'] = File.expand_path(@config['cacert'], @project)
             Bolt::Util.validate_file('cacert', @config['cacert'])
           end
 
           if @config['token-file']
-            @config['token-file'] = File.expand_path(@config['token-file'], @boltdir)
+            @config['token-file'] = File.expand_path(@config['token-file'], @project)
             Bolt::Util.validate_file('token-file', @config['token-file'])
           end
         end

data/lib/bolt/config/transport/ssh.rb

@@ -99,7 +99,7 @@ module Bolt
             end
 
             if key_opt.instance_of?(String)
-              @config['private-key'] = File.expand_path(key_opt, @boltdir)
+              @config['private-key'] = File.expand_path(key_opt, @project)
             end
           end
 

data/lib/bolt/config/transport/winrm.rb

@@ -71,7 +71,7 @@ module Bolt
             end
 
             if @config['cacert']
-              @config['cacert'] = File.expand_path(@config['cacert'], @boltdir)
+              @config['cacert'] = File.expand_path(@config['cacert'], @project)
               Bolt::Util.validate_file('cacert', @config['cacert'])
             end
           end

data/lib/bolt/executor.rb

@@ -278,6 +278,22 @@ module Bolt
       end
     end
 
+    def run_task_with(target_mapping, task, options = {})
+      targets = target_mapping.keys
+      description = options.fetch(:description, "task #{task.name}")
+
+      log_action(description, targets) do
+        options[:run_as] = run_as if run_as && !options.key?(:run_as)
+        target_mapping.each_value { |arguments| arguments['_task'] = task.name }
+
+        batch_execute(targets) do |transport, batch|
+          with_node_logging("Running task #{task.name}'", batch) do
+            transport.batch_task_with(batch, task, target_mapping, options, &method(:publish_event))
+          end
+        end
+      end
+    end
+
     def upload_file(targets, source, destination, options = {})
       description = options.fetch(:description, "file upload from #{source} to #{destination}")
       log_action(description, targets) do

data/lib/bolt/pal.rb

@@ -40,7 +40,7 @@ module Bolt
     attr_reader :modulepath
 
     def initialize(modulepath, hiera_config, resource_types, max_compiles = Etc.nprocessors,
-                   trusted_external = nil, apply_settings = {})
+                   trusted_external = nil, apply_settings = {}, project = nil)
       # Nothing works without initialized this global state. Reinitializing
       # is safe and in practice only happens in tests
       self.class.load_puppet
@@ -52,6 +52,7 @@ module Bolt
       @apply_settings = apply_settings
       @max_compiles = max_compiles
       @resource_types = resource_types
+      @project = project
 
       @logger = Logging.logger[self]
       if modulepath && !modulepath.empty?
@@ -114,7 +115,7 @@ module Bolt
       compiler.evaluate_string('type PlanResult = Boltlib::PlanResult')
     end
 
-    # Register all resource types defined in $Boltdir/.resource_types as well as
+    # Register all resource types defined in $Project/.resource_types as well as
     # the built in types registered with the runtime_3_init method.
     def register_resource_types(loaders)
       static_loader = loaders.static_loader
@@ -136,19 +137,34 @@ module Bolt
       # TODO: If we always call this inside a bolt_executor we can remove this here
       setup
       r = Puppet::Pal.in_tmp_environment('bolt', modulepath: @modulepath, facts: {}) do |pal|
-        pal.with_script_compiler do |compiler|
-          alias_types(compiler)
-          register_resource_types(Puppet.lookup(:loaders)) if @resource_types
-          begin
-            Puppet.override(yaml_plan_instantiator: Bolt::PAL::YamlPlan::Loader) do
+        Puppet.override(bolt_project: @project,
+                        yaml_plan_instantiator: Bolt::PAL::YamlPlan::Loader) do
+          pal.with_script_compiler do |compiler|
+            alias_types(compiler)
+            register_resource_types(Puppet.lookup(:loaders)) if @resource_types
+            begin
               yield compiler
+            rescue Bolt::Error => e
+              e
+            rescue Puppet::DataBinding::LookupError => e
+              if e.issue_code == :HIERA_UNDEFINED_VARIABLE
+                message = "Interpolations are not supported in lookups outside of an apply block: #{e.message}"
+                PALError.new(message)
+              else
+                PALError.from_preformatted_error(e)
+              end
+            rescue Puppet::PreformattedError => e
+              if e.issue_code == :UNKNOWN_VARIABLE &&
+                 %w[facts trusted server_facts settings].include?(e.arguments[:name])
+                message = "Evaluation Error: Variable '#{e.arguments[:name]}' is not available in the current scope "\
+                  "unless explicitly defined. (file: #{e.file}, line: #{e.line}, column: #{e.pos})"
+                PALError.new(message)
+              else
+                PALError.from_preformatted_error(e)
+              end
+            rescue StandardError => e
+              PALError.from_preformatted_error(e)
             end
-          rescue Bolt::Error => e
-            e
-          rescue Puppet::PreformattedError => e
-            PALError.from_preformatted_error(e)
-          rescue StandardError => e
-            PALError.from_preformatted_error(e)
           end
         end
       end
@@ -215,6 +231,7 @@ module Bolt
         Puppet.initialize_settings(cli)
         Puppet::GettextConfig.create_default_text_domain
         Puppet[:trusted_external_command] = @trusted_external
+        Puppet.settings[:hiera_config] = @hiera_config
         self.class.configure_logging
         yield
       end

data/lib/bolt/plugin.rb

@@ -115,7 +115,7 @@ module Bolt
       end
 
       def boltdir
-        @config.boltdir.path
+        @config.project.path
       end
     end
 
@@ -142,7 +142,7 @@ module Bolt
       plugins
     end
 
-    RUBY_PLUGINS = %w[task pkcs7 prompt env_var].freeze
+    RUBY_PLUGINS = %w[task prompt env_var].freeze
     BUILTIN_PLUGINS = %w[task terraform pkcs7 prompt vault aws_inventory puppetdb azure_inventory
                          yaml env_var gcloud_inventory].freeze
     DEFAULT_PLUGIN_HOOKS = { 'puppet_library' => { 'plugin' => 'puppet_agent', 'stop_service' => true } }.freeze

data/lib/bolt/plugin/module.rb

@@ -30,6 +30,10 @@ module Bolt
         @module = mod
         @config = config
         @context = context
+
+        if @module.name == 'pkcs7'
+          @config = handle_deprecated_pkcs7_keys(@config)
+        end
       end
 
       # This method interacts with the module on disk so it's separate from initialize
@@ -155,7 +159,21 @@ module Bolt
         # handled previously. That may not always be the case so filter them
         # out now.
         meta, params = opts.partition { |key, _val| key.start_with?('_') }.map(&:to_h)
-        params = config.merge(params)
+
+        if task.module_name == 'pkcs7'
+          params = handle_deprecated_pkcs7_keys(params)
+        end
+
+        # Reject parameters from config that are not accepted by the task and
+        # merge in parameter defaults
+        params = if task.parameters
+                   task.parameter_defaults
+                       .merge(config.slice(*task.parameters.keys))
+                       .merge(params)
+                 else
+                   config.merge(params)
+                 end
+
         validate_params(task, params)
 
         meta['_boltdir'] = @context.boltdir.to_s
@@ -163,6 +181,23 @@ module Bolt
         [params, meta]
       end
 
+      # Raises a deprecation warning if the pkcs7 plugin is using deprecated keys and
+      # modifies the keys so they are the correct format
+      def handle_deprecated_pkcs7_keys(params)
+        if (params.key?('private-key') || params.key?('public-key')) && !@deprecation_warning_issued
+          @deprecation_warning_issued = true
+
+          message = "pkcs7 keys 'private-key' and 'public-key' have been deprecated and will be "\
+                    "removed in a future version of Bolt; use 'private_key' and 'public_key' instead."
+          Logging.logger[self].warn(message)
+        end
+
+        params['private_key'] = params.delete('private-key') if params.key?('private-key')
+        params['public_key'] = params.delete('public-key') if params.key?('public-key')
+
+        params
+      end
+
       def extract_task_parameter_schema
         # Get the intersection of expected types (using Set)
         type_set = @hook_map.each_with_object({}) do |(_hook, task), acc|
@@ -220,13 +255,11 @@ module Bolt
       end
 
       def validate_resolve_reference(opts)
-        # Merge config with params
-        merged = @config.merge(opts)
-        params = merged.reject { |k, _v| k.start_with?('_') }
+        task = @hook_map[:resolve_reference]['task']
+        params, _metaparams = process_params(task, opts)
 
-        sig = @hook_map[:resolve_reference]['task']
-        if sig
-          validate_params(sig, params)
+        if task
+          validate_params(task, params)
         end
 
         if @hook_map.include?(:validate_resolve_reference)

data/lib/bolt/project.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'bolt/pal'
+
+module Bolt
+  class Project
+    BOLTDIR_NAME = 'Boltdir'
+    PROJECT_SETTINGS = {
+      "name"  => "The name of the project",
+      "plans" => "An array of plan names to whitelist. Whitelisted plans are included in `bolt plan show` output",
+      "tasks" => "An array of task names to whitelist. Whitelisted plans are included in `bolt task show` output"
+    }.freeze
+
+    attr_reader :path, :config_file, :inventory_file, :modulepath, :hiera_config,
+                :puppetfile, :rerunfile, :type, :resource_types
+
+    def self.default_project
+      Project.new(File.join('~', '.puppetlabs', 'bolt'), 'user')
+    end
+
+    # Search recursively up the directory hierarchy for the Project. Look for a
+    # directory called Boltdir or a file called bolt.yaml (for a control repo
+    # type Project). Otherwise, repeat the check on each directory up the
+    # hierarchy, falling back to the default if we reach the root.
+    def self.find_boltdir(dir)
+      dir = Pathname.new(dir)
+      if (dir + BOLTDIR_NAME).directory?
+        new(dir + BOLTDIR_NAME, 'embedded')
+      elsif (dir + 'bolt.yaml').file?
+        new(dir, 'local')
+      elsif dir.root?
+        default_project
+      else
+        find_boltdir(dir.parent)
+      end
+    end
+
+    def initialize(path, type = 'option')
+      @path = Pathname.new(path).expand_path
+      @config_file = @path + 'bolt.yaml'
+      @inventory_file = @path + 'inventory.yaml'
+      @modulepath = [(@path + 'modules').to_s, (@path + 'site-modules').to_s, (@path + 'site').to_s]
+      @hiera_config = @path + 'hiera.yaml'
+      @puppetfile = @path + 'Puppetfile'
+      @rerunfile = @path + '.rerun.json'
+      @resource_types = @path + '.resource_types'
+      @type = type
+
+      @project_file = @path + 'project.yaml'
+      @data = Bolt::Util.read_optional_yaml_hash(File.expand_path(@project_file), 'project') || {}
+      validate if load_as_module?
+    end
+
+    def to_s
+      @path.to_s
+    end
+
+    # This API is used to prepend the project as a module to Puppet's internal
+    # module_references list. CHANGE AT YOUR OWN RISK
+    def to_h
+      { path: @path, name: name }
+    end
+
+    def eql?(other)
+      path == other.path
+    end
+    alias == eql?
+
+    def load_as_module?
+      @project_file.file?
+    end
+
+    def name
+      # If the project is in mymod/Boltdir/project.yaml, use mymod as the project name
+      dirname = @path.basename.to_s == 'Boltdir' ? @path.parent.basename.to_s : @path.basename.to_s
+      pname = @data['name'] || dirname
+      pname.include?('-') ? pname.split('-', 2)[1] : pname
+    end
+
+    def tasks
+      @data['tasks']
+    end
+
+    def plans
+      @data['plans']
+    end
+
+    def project_directory_name?(name)
+      # it must match an installed project name according to forge validator
+      name =~ /^[a-z][a-z0-9_]*$/
+    end
+
+    def project_namespaced_name?(name)
+      # it must match the full project name according to forge validator
+      name =~ /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
+    end
+
+    def validate
+      n = @data['name']
+      if n && !project_directory_name?(n) && !project_namespaced_name?(n)
+        raise Bolt::ValidationError, <<~ERROR_STRING
+        Invalid project name '#{n}' in project.yaml; project names must match either:
+        An installed project name (ex. projectname) matching the expression /^[a-z][a-z0-9_]*$/ -or-
+        A namespaced project name (ex. author-projectname) matching the expression /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
+        ERROR_STRING
+      elsif !project_directory_name?(name) && !project_namespaced_name?(name)
+        raise Bolt::ValidationError, <<~ERROR_STRING
+        Invalid project name '#{name}'; project names must match either:
+        A project name (ex. projectname) matching the expression /^[a-z][a-z0-9_]*$/ -or-
+        A namespaced project name (ex. author-projectname) matching the expression /^[a-zA-Z0-9]+[-][a-z][a-z0-9_]*$/
+
+        Configure project name in <project_dir>/project.yaml
+        ERROR_STRING
+      # If the project name is the same as one of the built-in modules raise a warning
+      elsif Dir.children(Bolt::PAL::BOLTLIB_PATH).include?(name)
+        raise Bolt::ValidationError, "The project '#{name}' will not be loaded. The project name conflicts "\
+          "with a built-in Bolt module of the same name."
+      end
+
+      %w[tasks plans].each do |conf|
+        unless @data.fetch(conf, []).is_a?(Array)
+          raise Bolt::ValidationError, "'#{conf}' in project.yaml must be an array"
+        end
+      end
+    end
+  end
+end

data/lib/bolt/puppetdb/config.rb

@@ -22,7 +22,7 @@ module Bolt
         File.expand_path(File.join(Dir::COMMON_APPDATA, 'PuppetLabs/client-tools/puppetdb.conf'))
       end
 
-      def self.load_config(filename, options, boltdir_path = nil)
+      def self.load_config(filename, options, project_path = nil)
         config = {}
         global_path = Bolt::Util.windows? ? default_windows_config : DEFAULT_CONFIG[:global]
         if filename
@@ -46,12 +46,12 @@ module Bolt
         end
 
         config = config.fetch('puppetdb', {})
-        new(config.merge(options), boltdir_path)
+        new(config.merge(options), project_path)
       end
 
-      def initialize(settings, boltdir_path = nil)
+      def initialize(settings, project_path = nil)
         @settings = settings
-        @boltdir_path = boltdir_path
+        @project_path = project_path
         expand_paths
       end
 
@@ -71,8 +71,8 @@ module Bolt
       def expand_paths
         %w[cacert cert key token].each do |file|
           next unless @settings[file]
-          @settings[file] = if @boltdir_path
-                              File.expand_path(@settings[file], @boltdir_path)
+          @settings[file] = if @project_path
+                              File.expand_path(@settings[file], @project_path)
                             else
                               File.expand_path(@settings[file])
                             end

data/lib/bolt/secret.rb

@@ -1,17 +1,33 @@
 # frozen_string_literal: true
 
+require 'bolt/plugin'
+
 module Bolt
   class Secret
+    KNOWN_KEYS = {
+      'createkeys' => %w[keysize private_key public_key],
+      'encrypt'    => %w[public_key],
+      'decrypt'    => %w[private_key public_key]
+    }.freeze
+
     def self.execute(plugins, outputter, options)
-      plugin = options[:plugin] || 'pkcs7'
+      name   = options[:plugin] || 'pkcs7'
+      plugin = plugins.by_name(name)
+
+      unless plugin
+        raise Bolt::Plugin::PluginError::Unknown, name
+      end
+
       case options[:action]
       when 'createkeys'
-        plugins.get_hook(plugin, :secret_createkeys).call
+        opts = { 'force' => options[:force] }.compact
+        result = plugins.get_hook(name, :secret_createkeys).call(opts)
+        outputter.print_message(result)
       when 'encrypt'
-        encrypted = plugins.get_hook(plugin, :secret_encrypt).call('plaintext_value' => options[:object])
+        encrypted = plugins.get_hook(name, :secret_encrypt).call('plaintext_value' => options[:object])
         outputter.print_message(encrypted)
       when 'decrypt'
-        decrypted = plugins.get_hook(plugin, :secret_decrypt).call('encrypted_value' => options[:object])
+        decrypted = plugins.get_hook(name, :secret_decrypt).call('encrypted_value' => options[:object])
         outputter.print_message(decrypted)
       end