bolt 3.23.1 → 3.26.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67f08b10db67ef79aadf22a542f6564aa502743f53619f41c40aff4761e2e0c0
-  data.tar.gz: 81d8b927c1349299ba568358a2f155d624fb28f7b65ae5985bcfc8b6fe24eb6b
+  metadata.gz: '0591d13a9aa93f3c96585985ffdf1619c29f3f13130cbde98e1b24a1a357b84b'
+  data.tar.gz: 3fe46914478ad07fab90348eb0464a5e45f5c10fa5f921baf3fa089f8d17cad3
 SHA512:
-  metadata.gz: a3e66f8d5adc727228b09e212de34c7de796c556a0d91153e1599cbf619b30b98c9358ea3683c2e00650375ecac8745fdf7a79977a42d6761967ce98c5c2ac71
-  data.tar.gz: a6dedd218bc2db8e5365906366a1cbeef5e99b02f606c80677081eccc71172fa7f15f3798630847239228feafc861278938044e98b2107429c8e34cea7143f9c
+  metadata.gz: a12e686a2ce4a3a15f22e2d45f8210eb6211c910e49e59377e37165554ae5f776c4827dfdb93984d8acdd6295cb7c31f49a090a4239ecc2150bff27f2aeb2bbc
+  data.tar.gz: 5f6ccddd83c3026b1a34be7ab439d800f82cb997f179ab9967ead53c87b5141f2419dce5ae0a29ad17fc4257b294856e39aa61916fca4cbb907919520ad8fbf3

data/Puppetfile

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
-forge "http://forge.puppetlabs.com"
+forge 'https://forge.puppetlabs.com'
 
 moduledir File.join(File.dirname(__FILE__), 'modules')
 
 # Core modules used by 'apply'
 mod 'puppetlabs-service', '2.2.0'
-mod 'puppetlabs-puppet_agent', '4.11.0'
+mod 'puppetlabs-puppet_agent', '4.12.1'
 mod 'puppetlabs-facts', '1.4.0'
 
 # Core types and providers for Puppet 6
@@ -23,13 +23,16 @@ mod 'puppetlabs-zone_core', '1.0.3'
 
 # Useful additional modules
 mod 'puppetlabs-package', '2.2.0'
-mod 'puppetlabs-powershell_task_helper', '0.1.0'
 mod 'puppetlabs-puppet_conf', '1.3.0'
-mod 'puppetlabs-python_task_helper', '0.5.0'
-mod 'puppetlabs-reboot', '4.1.0'
+mod 'puppetlabs-reboot', '4.2.0'
+mod 'puppetlabs-stdlib', '8.4.0'
+
+# Task helpers
+mod 'puppetlabs-powershell_task_helper', '0.1.0'
 mod 'puppetlabs-ruby_task_helper', '0.6.1'
 mod 'puppetlabs-ruby_plugin_helper', '0.2.0'
-mod 'puppetlabs-stdlib', '8.2.0'
+mod 'puppetlabs-python_task_helper', '0.5.0'
+mod 'puppetlabs-bash_task_helper', '2.0.0'
 
 # Plugin modules
 mod 'puppetlabs-aws_inventory', '0.7.0'

data/bolt-modules/boltlib/lib/puppet/datatypes/applyresult.rb

@@ -12,11 +12,20 @@
 #   keys](applying_manifest_blocks.md#result-keys).
 # @param target
 #   The target the result is from.
+# @param error
+#   An Error object constructed from the `_error` field of the result's value.
+# @param catalog
+#   The Puppet catalog used to configure the target. The catalog describes the
+#   desired state of the target. The catalog is masked with the `Sensitive` data
+#   type to protect any sensitive information in the catalog from being printed
+#   to the console or logs. Using this function automatically unwraps the
+#   catalog. For more information about catalogs and the catalog compilation
+#   process, see [Catalog
+#   compilation](https://puppet.com/docs/puppet/latest/subsystem_catalog_compilation.html).
+
 #
 # @!method action
 #   The action performed. `ApplyResult.action` always returns the string `apply`.
-# @!method error
-#   Returns an Error object constructed from the `_error` field of the result's value.
 # @!method message
 #   The `_output` field of the result's value.
 # @!method ok
@@ -30,10 +39,11 @@ Puppet::DataTypes.create_type('ApplyResult') do
   interface <<-PUPPET
     attributes => {
       'report' => Hash[String[1], Data],
-      'target' => Target
+      'target' => Target,
+      'error' => Optional[Error],
+      'catalog' => Optional[Hash]
     },
     functions => {
-      error => Callable[[], Optional[Error]],
       ok => Callable[[], Boolean],
       message => Callable[[], Optional[String]],
       action => Callable[[], String],

data/lib/bolt/application.rb

@@ -49,7 +49,7 @@ module Bolt
                         code
                       end
 
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       Puppet[:tasks] = false
       ast = pal.parse_manifest(manifest_code, manifest)
@@ -90,7 +90,7 @@ module Bolt
     # @return [Bolt::ResultSet]
     #
     def run_command(command, targets, env_vars: nil)
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         executor.run_command(targets, command, env_vars: env_vars)
@@ -106,7 +106,7 @@ module Bolt
     #
     def download_file(source, destination, targets)
       destination = File.expand_path(destination, Dir.pwd)
-      targets     = inventory.get_targets(targets)
+      targets     = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         executor.download_file(targets, source, destination)
@@ -122,7 +122,7 @@ module Bolt
     #
     def upload_file(source, destination, targets)
       source  = find_file(source)
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       Bolt::Util.validate_file('source file', source, true)
 
@@ -225,7 +225,7 @@ module Bolt
 
       with_benchmark do
         pal.lookup(key,
-                   inventory.get_targets(targets),
+                   inventory.get_targets(targets, ext_glob: true),
                    inventory,
                    executor,
                    plan_vars: vars)
@@ -351,6 +351,7 @@ module Bolt
     # @return [Bolt::PlanResult]
     #
     def run_plan(plan, targets, params: {})
+      plan_params = pal.get_plan_info(plan)['parameters']
       if targets && targets.any?
         if params['nodes'] || params['targets']
           key = params.include?('nodes') ? 'nodes' : 'targets'
@@ -360,7 +361,6 @@ module Bolt
                 "in the JSON data passed in the --params option"
         end
 
-        plan_params  = pal.get_plan_info(plan)['parameters']
         target_param = plan_params.dig('targets', 'type') =~ /TargetSpec/
         node_param   = plan_params.include?('nodes')
 
@@ -375,13 +375,17 @@ module Bolt
         end
       end
 
-      plan_context = { plan_name: plan, params: params }
+      sensitive_params = params.keys.select { |param| plan_params.dig(param, 'sensitive') }
+
+      plan_context = { plan_name: plan, params: params, sensitive: sensitive_params }
 
       executor.start_plan(plan_context)
       result = pal.run_plan(plan, params, executor, inventory, plugins.puppetdb_client)
       executor.finish_plan(result)
 
       result
+    rescue Bolt::Error => e
+      Bolt::PlanResult.new(e, 'failure')
     end
 
     # Show plan information.
@@ -620,7 +624,10 @@ module Bolt
       Bolt::Util.validate_file('script', script)
 
       with_benchmark do
-        executor.run_script(inventory.get_targets(targets), script, arguments, env_vars: env_vars)
+        executor.run_script(inventory.get_targets(targets, ext_glob: true),
+                            script,
+                            arguments,
+                            env_vars: env_vars)
       end
     end
 
@@ -676,7 +683,7 @@ module Bolt
     # @return [Bolt::ResultSet]
     #
     def run_task(task, targets, params: {})
-      targets = inventory.get_targets(targets)
+      targets = inventory.get_targets(targets, ext_glob: true)
 
       with_benchmark do
         pal.run_task(task, targets, params, executor, inventory)
@@ -775,7 +782,7 @@ module Bolt
       # Retrieve the known group and target names. This needs to be done before
       # updating targets, as that will add adhoc targets to the inventory.
       known_names = inventory.target_names
-      targets     = inventory.get_targets(targets)
+      targets     = inventory.get_targets(targets, ext_glob: true)
 
       inventory_targets, adhoc_targets = targets.partition do |target|
         known_names.include?(target.name)

data/lib/bolt/applicator.rb

@@ -280,7 +280,6 @@ module Bolt
                   result
                 end
               else
-
                 arguments = {
                   'catalog' => Puppet::Pops::Types::PSensitiveType::Sensitive.new(catalog),
                   'plugins' => Puppet::Pops::Types::PSensitiveType::Sensitive.new(plugins),
@@ -291,7 +290,7 @@ module Bolt
 
                 callback = proc do |event|
                   if event[:type] == :node_result
-                    event = event.merge(result: ApplyResult.from_task_result(event[:result]))
+                    event = event.merge(result: ApplyResult.from_task_result(event[:result], catalog))
                   end
                   @executor.publish_event(event)
                 end
@@ -299,7 +298,7 @@ module Bolt
                 options[:run_as] = @executor.run_as if @executor.run_as && !options.key?(:run_as)
 
                 results = transport.batch_task(batch, catalog_apply_task, arguments, options, &callback)
-                Array(results).map { |result| ApplyResult.from_task_result(result) }
+                Array(results).map { |result| ApplyResult.from_task_result(result, catalog) }
               end
             end
           end

data/lib/bolt/apply_result.rb

@@ -65,23 +65,30 @@ module Bolt
       end
     end
 
-    def self.from_task_result(result)
+    def self.from_task_result(result, catalog = nil)
       if (puppet_missing = puppet_missing_error(result))
         new(result.target,
             error: puppet_missing,
-            report: result.value.reject { |k| k == '_error' })
+            report: result.value.reject { |k| k == '_error' },
+            catalog: catalog)
       elsif !result.ok?
-        new(result.target, error: result.error_hash)
+        new(result.target,
+            error: result.error_hash,
+            catalog: catalog)
       elsif (invalid_report = invalid_report_error(result))
         new(result.target,
             error: invalid_report,
-            report: result.value.reject { |k| %w[_error _output].include?(k) })
+            report: result.value.reject { |k| %w[_error _output].include?(k) },
+            catalog: catalog)
       elsif (resource_error = resource_error(result))
         new(result.target,
             error: resource_error,
-            report: result.value.reject { |k| k == '_error' })
+            report: result.value.reject { |k| k == '_error' },
+            catalog: catalog)
       else
-        new(result.target, report: result.value)
+        new(result.target,
+            report: result.value,
+            catalog: catalog)
       end
     end
 
@@ -89,16 +96,21 @@ module Bolt
     def _pcore_init_hash
       { 'target' => @target,
         'error' => value['_error'],
-        'report' => value['report'] }
+        'report' => value['report'],
+        'catalog' => catalog }
     end
 
-    def initialize(target, error: nil, report: nil)
+    def initialize(target, error: nil, report: nil, catalog: nil)
       @target = target
       @value = {}
       @action = 'apply'
       @value['report'] = report if report
       @value['_error'] = error if error
       @value['_output'] = metrics_message if metrics_message
+
+      if catalog
+        @value['_sensitive'] = Puppet::Pops::Types::PSensitiveType::Sensitive.new({ 'catalog' => catalog })
+      end
     end
 
     def event_metrics
@@ -131,6 +143,10 @@ module Bolt
       @value['report']
     end
 
+    def catalog
+      sensitive.unwrap['catalog'] if sensitive
+    end
+
     def generic_value
       {}
     end

data/lib/bolt/config/transport/lxd.rb

@@ -9,6 +9,7 @@ module Bolt
       class LXD < Base
         OPTIONS = %w[
           cleanup
+          interpreters
           remote
           tmpdir
         ].concat(RUN_AS_OPTIONS).sort.freeze
@@ -17,6 +18,14 @@ module Bolt
           'cleanup' => true,
           'remote'  => 'local'
         }.freeze
+
+        private def validate
+          super
+
+          if @config['interpreters']
+            @config['interpreters'] = normalize_interpreters(@config['interpreters'])
+          end
+        end
       end
     end
   end

data/lib/bolt/inventory/group.rb

@@ -10,8 +10,10 @@ module Bolt
     class Group
       attr_accessor :name, :groups
 
-      # Regex used to validate group names and target aliases.
-      NAME_REGEX = /\A[a-z0-9_][a-z0-9_-]*\Z/.freeze
+      # Illegal characters that are not permitted in group names or aliases.
+      # These characters are delimiters for target and group names and allowing
+      # them would cause unexpected behavior.
+      ILLEGAL_CHARS = /[\s,]/.freeze
 
       # NOTE: All keys should have a corresponding schema property in schemas/bolt-inventory.schema.json
       DATA_KEYS = %w[config facts vars features plugin_hooks].freeze
@@ -41,7 +43,10 @@ module Bolt
         @name = @plugins.resolve_references(input['name'])
 
         raise ValidationError.new("Group name must be a String, not #{@name.inspect}", nil) unless @name.is_a?(String)
-        raise ValidationError.new("Invalid group name #{@name}", @name) unless @name =~ NAME_REGEX
+
+        if (illegal_char = @name.match(ILLEGAL_CHARS))
+          raise ValidationError.new("Illegal character '#{illegal_char}' in group name '#{@name}'", @name)
+        end
 
         validate_group_input(input)
 
@@ -167,7 +172,9 @@ module Bolt
 
       def insert_alia(target_name, aliases)
         aliases.each do |alia|
-          raise ValidationError.new("Invalid alias #{alia}", @name) unless alia =~ NAME_REGEX
+          if (illegal_char = alia.match(ILLEGAL_CHARS))
+            raise ValidationError.new("Illegal character '#{illegal_char}' in alias '#{alia}'", @name)
+          end
 
           if (found = @aliases[alia])
             raise ValidationError.new(alias_conflict(alia, found, target_name), @name)

data/lib/bolt/inventory/inventory.rb

@@ -8,6 +8,12 @@ module Bolt
     class Inventory
       attr_reader :plugins, :source, :targets, :transport
 
+      # Getting targets from the inventory using '--targets' supports extended glob pattern
+      # matching. In this case, use the extended regex so Bolt only uses commas outside
+      # brackets and braces as delimiters.
+      EXTENDED_TARGET_REGEX = /[[:space:],]+(?=[^\]}]*(?:[\[{]|$))/.freeze
+      TARGET_REGEX          = /[[:space:],]+/.freeze
+
       class WildcardError < Bolt::Error
         def initialize(target)
           super("Found 0 targets matching wildcard pattern #{target}", 'bolt.inventory/wildcard-error')
@@ -85,8 +91,8 @@ module Bolt
       # alias for analytics
       alias node_names target_names
 
-      def get_targets(targets)
-        target_array = expand_targets(targets)
+      def get_targets(targets, ext_glob: false)
+        target_array = expand_targets(targets, ext_glob: ext_glob)
         if target_array.is_a? Array
           target_array.flatten.uniq(&:name)
         else
@@ -107,41 +113,63 @@ module Bolt
         groups.group_collect(target_name)
       end
 
+      # Does a target match the glob-style wildcard?
+      # Ignore case; use extended globs ({a,b}) when running from the CLI.
+      def match_wildcard?(wildcard, target_name, ext_glob: false)
+        if ext_glob
+          File.fnmatch(wildcard, target_name, File::FNM_CASEFOLD | File::FNM_EXTGLOB)
+        else
+          regexp = Regexp.new("^#{Regexp.escape(wildcard).gsub('\*', '.*?')}$", Regexp::IGNORECASE)
+          target_name =~ regexp
+        end
+      end
+
       # If target is a group name, expand it to the members of that group.
-      # Else match against targets in inventory by name or alias.
+      # Else match against groups and targets in inventory by name or alias.
       # If a wildcard string, error if no matches are found.
       # Else fall back to [target] if no matches are found.
-      def resolve_name(target)
+      def resolve_name(target, ext_glob: false)
         if (group = group_lookup[target])
-          group.all_targets
+          group.all_targets.to_a
         else
-          # Try to wildcard match targets in inventory
-          # Ignore case because hostnames are generally case-insensitive
-          regexp = Regexp.new("^#{Regexp.escape(target).gsub('\*', '.*?')}$", Regexp::IGNORECASE)
+          targets = []
+
+          # Find groups that match the glob
+          group_lookup.each do |name, grp|
+            next unless match_wildcard?(target, name, ext_glob: ext_glob)
+            targets += grp.all_targets.to_a
+          end
+
+          # Find target names that match the glob
+          targets += groups.all_targets.select { |targ| match_wildcard?(target, targ, ext_glob: ext_glob) }
 
-          targets = groups.all_targets.select { |targ| targ =~ regexp }
-          targets += groups.target_aliases.select { |target_alias, _target| target_alias =~ regexp }.values
+          # Find target aliases that match the glob
+          targets += groups.target_aliases
+                           .select { |tgt_alias, _| match_wildcard?(target, tgt_alias, ext_glob: ext_glob) }
+                           .values
 
           if targets.empty?
             raise(WildcardError, target) if target.include?('*')
             [target]
           else
-            targets
+            targets.uniq
           end
         end
       end
       private :resolve_name
 
-      def expand_targets(targets)
+      def expand_targets(targets, ext_glob: false)
         case targets
         when Bolt::Target
           targets
         when Array
-          targets.map { |tish| expand_targets(tish) }
+          targets.map { |tish| expand_targets(tish, ext_glob: ext_glob) }
         when String
           # Expand a comma-separated list
-          targets.split(/[[:space:],]+/).reject(&:empty?).map do |name|
-            ts = resolve_name(name)
+          # Regex magic below is required to workaround `{foo,bar}` glob syntax
+          regex = ext_glob ? EXTENDED_TARGET_REGEX : TARGET_REGEX
+          targets.split(regex).reject(&:empty?).map do |name|
+            ts = resolve_name(name, ext_glob: ext_glob)
             ts.map do |t|
               # If the target doesn't exist, evaluate it from the inventory.
               # Then return a Bolt::Target.

data/lib/bolt/inventory/target.rb

@@ -8,6 +8,11 @@ module Bolt
     class Target
       attr_reader :name, :uri, :safe_name, :target_alias, :resources
 
+      # Illegal characters that are not permitted in target names.
+      # These characters are delimiters for target and group names and allowing
+      # them would cause unexpected behavior.
+      ILLEGAL_CHARS = /[\s,]/.freeze
+
       def initialize(target_data, inventory)
         unless target_data['name'] || target_data['uri']
           raise Bolt::Inventory::ValidationError.new("Target must have either a name or uri", nil)
@@ -150,6 +155,10 @@ module Bolt
           raise Bolt::Inventory::ValidationError.new("Target name must be ASCII characters: #{@name}", nil)
         end
 
+        if (illegal_char = @name.match(ILLEGAL_CHARS))
+          raise ValidationError.new("Illegal character '#{illegal_char}' in target name '#{@name}'", nil)
+        end
+
         unless transport.nil? || Bolt::TRANSPORTS.include?(transport.to_sym)
           raise Bolt::UnknownTransportError.new(transport, uri)
         end

data/lib/bolt/module_installer/resolver.rb

@@ -49,7 +49,7 @@ module Bolt
             spec_searcher_configuration: spec_searcher_config(config)
           )
         rescue StandardError => e
-          raise Bolt::Error.new(e.message, 'bolt/module-resolver-error')
+          raise Bolt::Error.new("Unable to resolve modules: #{e.message}", 'bolt/module-resolver-error')
         end
 
         # Create the Puppetfile object.