bolt 1.30.1 → 1.31.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5c70a9312d9fa6f384b140fec6cbc3c173906e9b428e0d3b19faaab91cf6590
-  data.tar.gz: 10fe1a0b13b4bd489cd41a9b3971d6e5a8f797fced7ddd1faeaf33c09c9f3e28
+  metadata.gz: e2159fe8eb6cf9a69b3ff093bf61d45f00ac4dbdfab37c412165da8c642c0909
+  data.tar.gz: 34e56147d83f6894dbc6baa73ad571213d1964c86af61bfff9c4b8a75a248923
 SHA512:
-  metadata.gz: 26f36949b058636604697ba4804e1aeb3068c94dd49890c19f336bb9afabe3256f5383661e876881d51b95c667d6c9f4f6bf149566d9d06e54c21456a6de1301
-  data.tar.gz: cc48faf53683fac36548175e42466a80330580942b48f3bdfd2fae060e1e91eef67b289c1e751e58bde2be3ab459bd52a5a2460e3c108468b77fc82ff4c37800
+  metadata.gz: 05b79d3c523be35edb9230222301ab4328fe3907a3ab1199d4f6dd3e2037b30182dbfb08436079e728f92d9beabf8890911acfdca99551755cc5dd45062dccf0
+  data.tar.gz: 3fd5a1a1a54b338ca99550f3f83720a50eba7a61195fff12fedffc336fd84533f23d836d1d6efca083cbba27b60f223f6c2cb2536a71515acb8569aa223beaf2

data/bolt-modules/boltlib/lib/puppet/functions/run_plan.rb

@@ -70,9 +70,7 @@ Puppet::Functions.create_function(:run_plan, Puppet::Functions::InternalFunction
 
     # TODO: Why would we not have a private_environment_loader?
     unless loader && (func = loader.load(:plan, plan_name))
-      raise Puppet::ParseErrorWithIssue.from_issue_and_stack(
-        Puppet::Pops::Issues.issue(:UNKNOWN_PLAN) { Bolt::Error.unknown_plan(plan_name) }
-      )
+      raise Bolt::Error.unknown_plan(plan_name)
     end
 
     if (run_as = named_args['_run_as'])

data/bolt-modules/boltlib/lib/puppet/functions/run_task.rb

@@ -77,7 +77,7 @@ Puppet::Functions.create_function(:run_task) do
       # TODO: use the compiler injection once PUP-8237 lands
       task_signature = Puppet::Pal::ScriptCompiler.new(closure_scope.compiler).task_signature(task_name)
       if task_signature.nil?
-        raise with_stack(:UNKNOWN_TASK, Bolt::Error.unknown_task(task_name))
+        raise Bolt::Error.unknown_task(task_name)
       end
 
       task_signature.runnable_with?(use_args) do |mismatch_message|

data/lib/bolt/bolt_option_parser.rb

@@ -62,7 +62,7 @@ module Bolt
         { flags: ACTION_OPTS + %w[tmpdir],
           banner: SCRIPT_HELP }
       when 'secret'
-        { flags: OPTIONS[:global] + OPTIONS[:global_config_setters],
+        { flags: OPTIONS[:global] + OPTIONS[:global_config_setters] + %w[plugin],
           banner: SECRET_HELP }
       when 'task'
         case action
@@ -261,6 +261,7 @@ module Bolt
     HELP
 
     SECRET_HELP = <<~SECRET_HELP
+      Usage: bolt secret <action> <value>
       Manage secrets for inventory and hiera data.
 
       Available actions are:
@@ -446,6 +447,10 @@ module Bolt
       define('--debug', 'Display debug logging') do |_|
         @options[:debug] = true
       end
+
+      define('--plugin PLUGIN', 'Select the plugin to use') do |plug|
+        @options[:plugin] = plug
+      end
     end
 
     def remove_excluded_opts(option_list)

data/lib/bolt/cli.rb

@@ -244,7 +244,7 @@ module Bolt
     end
 
     def plugins
-      @plugins ||= Bolt::Plugin.setup(config, puppetdb_client, analytics)
+      @plugins ||= Bolt::Plugin.setup(config, pal, puppetdb_client, analytics)
     end
 
     def query_puppetdb_nodes(query)

data/lib/bolt/error.rb

@@ -33,11 +33,15 @@ module Bolt
     end
 
     def self.unknown_task(task)
-      "Could not find a task named \"#{task}\". For a list of available tasks, run \"bolt task show\""
+      new("Could not find a task named \"#{task}\". For a list of available tasks, run \"bolt task show\"",
+          'bolt/unknown-task')
     end
 
     def self.unknown_plan(plan)
-      "Could not find a plan named \"#{plan}\". For a list of available plans, run \"bolt plan show\""
+      new(
+        "Could not find a plan named \"#{plan}\". For a list of available plans, run \"bolt plan show\"",
+        'bolt/unknown-plan'
+      )
     end
   end
 

data/lib/bolt/inventory/group2.rb

@@ -102,13 +102,13 @@ module Bolt
           if value.is_a?(Hash) && value.include?('_plugin')
             plugin_name = value['_plugin']
             begin
-              hook = @plugins.get_hook(plugin_name, :inventory_config)
+              hook = @plugins.get_hook(plugin_name, :resolve_reference)
             rescue Bolt::Plugin::PluginError => e
               raise ValidationError.new(e.message, @name)
             end
 
             begin
-              validate_proc = @plugins.get_hook(plugin_name, :validate_inventory_config)
+              validate_proc = @plugins.get_hook(plugin_name, :validate_resolve_reference)
             rescue Bolt::Plugin::PluginError
               validate_proc = proc { |*args| }
             end
@@ -119,7 +119,7 @@ module Bolt
               begin
                 hook.call(value)
               rescue StandardError => e
-                loc = "inventory_config in #{@name}"
+                loc = "resolve_reference in #{@name}"
                 raise Bolt::Plugin::PluginError::ExecutionError.new(e.message, plugin_name, loc)
               end
             end
@@ -213,7 +213,7 @@ module Bolt
 
       def lookup_targets(lookup)
         begin
-          hook = @plugins.get_hook(lookup['_plugin'], :inventory_targets)
+          hook = @plugins.get_hook(lookup['_plugin'], :resolve_reference)
         rescue Bolt::Plugin::PluginError => e
           raise ValidationError.new(e.message, @name)
         end
@@ -221,7 +221,7 @@ module Bolt
         begin
           targets = hook.call(lookup)
         rescue StandardError => e
-          loc = "inventory_targets in #{@name}"
+          loc = "resolve_reference in #{@name}"
           raise Bolt::Plugin::PluginError::ExecutionError.new(e.message, lookup['_plugin'], loc)
         end
 

data/lib/bolt/module.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+# Is this Bolt::Pobs::Module?
+module Bolt
+  class Module
+    MODULE_NAME_REGEX = /\A[a-z][a-z0-9_]*\z/.freeze
+
+    def self.discover(modulepath)
+      modulepath.each_with_object({}) do |path, mods|
+        next unless File.exist?(path) && File.directory?(path)
+        Dir.children(path)
+           .map { |dir| File.join(path, dir) }
+           .select { |dir| File.directory?(dir) }
+           .each do |dir|
+          module_name = File.basename(dir)
+          if module_name =~ MODULE_NAME_REGEX
+            # Puppet will load some objects from shadowed modules but this won't
+            mods[module_name] ||= Bolt::Module.new(module_name, dir)
+          end
+        end
+      end
+    end
+
+    attr_reader :name, :path
+
+    def initialize(name, path)
+      @name = name
+      @path = path
+    end
+
+    def plugin_data_file
+      File.join(path, 'bolt_plugin.json')
+    end
+
+    def plugin?
+      File.exist?(plugin_data_file)
+    end
+  end
+end

data/lib/bolt/pal.rb

@@ -41,12 +41,9 @@ module Bolt
 
     def initialize(modulepath, hiera_config, max_compiles = Etc.nprocessors)
       # Nothing works without initialized this global state. Reinitializing
-      # is safe and in practice only happen in tests
+      # is safe and in practice only happens in tests
       self.class.load_puppet
 
-      # This makes sure we don't accidentally create puppet dirs
-      with_puppet_settings { |_| nil }
-
       @original_modulepath = modulepath
       @modulepath = [BOLTLIB_PATH, *modulepath, MODULES_PATH]
       @hiera_config = hiera_config
@@ -56,6 +53,8 @@ module Bolt
       if modulepath && !modulepath.empty?
         @logger.info("Loading modules from #{@modulepath.join(File::PATH_SEPARATOR)}")
       end
+
+      @loaded = false
     end
 
     # Puppet logging is global so this is class method to avoid confusion
@@ -91,6 +90,17 @@ module Bolt
       Bolt::ResultSet.include_iterable
     end
 
+    def setup
+      unless @loaded
+        # This is slow so don't do it until we have to
+        Bolt::PAL.load_puppet
+
+        # Make sure we don't create the puppet directories
+        with_puppet_settings { |_| nil }
+        @loaded = true
+      end
+    end
+
     # Create a top-level alias for TargetSpec and PlanResult so that users don't have to
     # namespace it with Boltlib, which is just an implementation detail. This
     # allows them to feel like a built-in type in bolt, rather than
@@ -104,6 +114,8 @@ module Bolt
     # exceptions thrown by the block and re-raises them ensuring they are
     # Bolt::Errors since the script compiler block will squash all exceptions.
     def in_bolt_compiler
+      # TODO: If we always call this inside a bolt_executor we can remove this here
+      setup
       r = Puppet::Pal.in_tmp_environment('bolt', modulepath: @modulepath, facts: {}) do |pal|
         pal.with_script_compiler do |compiler|
           alias_types(compiler)
@@ -129,6 +141,7 @@ module Bolt
     end
 
     def with_bolt_executor(executor, inventory, pdb_client = nil, applicator = nil, &block)
+      setup
       opts = {
         bolt_executor: executor,
         bolt_inventory: inventory,
@@ -188,6 +201,7 @@ module Bolt
     # Parses a snippet of Puppet manifest code and returns the AST represented
     # in JSON.
     def parse_manifest(code, filename)
+      setup
       Puppet::Pops::Parser::EvaluatingParser.new.parse_string(code, filename)
     rescue Puppet::Error => e
       raise Bolt::PAL::PALError, "Failed to parse manifest: #{e}"
@@ -250,7 +264,7 @@ module Bolt
       task = task_signature(task_name)
 
       if task.nil?
-        raise Bolt::Error.new(Bolt::Error.unknown_task(task_name), 'bolt/unknown-task')
+        raise Bolt::Error.unknown_task(task_name)
       end
 
       task.task_hash.reject { |k, _| k == 'parameters' }
@@ -296,7 +310,7 @@ module Bolt
       end
 
       if plan_info.nil?
-        raise Bolt::Error.new(Bolt::Error.unknown_plan(plan_name), 'bolt/unknown-plan')
+        raise Bolt::Error.unknown_plan(plan_name)
       end
       plan_info
     end

data/lib/bolt/plugin.rb

@@ -1,20 +1,26 @@
 # frozen_string_literal: true
 
+require 'bolt/inventory'
+require 'bolt/executor'
+require 'bolt/module'
+require 'bolt/pal'
 require 'bolt/plugin/puppetdb'
-require 'bolt/plugin/terraform'
-require 'bolt/plugin/pkcs7'
-require 'bolt/plugin/prompt'
-require 'bolt/plugin/task'
-require 'bolt/plugin/aws'
-require 'bolt/plugin/vault'
-require 'bolt/plugin/install_agent'
 
 module Bolt
   class Plugin
+    KNOWN_HOOKS = %i[
+      puppet_library
+      resolve_reference
+      secret_encrypt
+      secret_decrypt
+      secret_createkeys
+      validate_resolve_reference
+    ].freeze
+
     class PluginError < Bolt::Error
       class ExecutionError < PluginError
         def initialize(msg, plugin_name, location)
-          mess = "Error executing plugin: #{plugin_name} from #{location}: #{msg}"
+          mess = "Error executing plugin #{plugin_name} from #{location}: #{msg}"
           super(mess, 'bolt/plugin-error')
         end
       end
@@ -32,40 +38,180 @@ module Bolt
       end
     end
 
-    def self.setup(config, pdb_client, analytics)
-      plugins = new(config, analytics)
+    class PluginContext
+      def initialize(config, pal)
+        @pal = pal
+        @config = config
+      end
+
+      def serial_executor
+        @serial_executor ||= Bolt::Executor.new(1)
+      end
+      private :serial_executor
+
+      def empty_inventory
+        @empty_inventory ||= Bolt::Inventory.new({}, @config)
+      end
+      private :empty_inventory
+
+      def with_a_compiler
+        # If we're already inside a pal compiler block use that compiler
+        # This may blow up if you try to load a task in catalog pal. Should we
+        # guard against that?
+        compiler = nil
+        if defined?(Puppet)
+          begin
+            compiler = Puppet.lookup(:pal_compiler)
+          rescue Puppet::Context::UndefinedBindingError; end # rubocop:disable Lint/HandleExceptions
+        end
+
+        if compiler
+          yield compiler
+        else
+          @pal.in_bolt_compiler do |temp_compiler|
+            yield temp_compiler
+          end
+        end
+      end
+      private :with_a_compiler
+
+      def get_validated_task(task_name, params = nil)
+        with_a_compiler do |compiler|
+          tasksig = compiler.task_signature(task_name)
+
+          raise Bolt::Error.unknown_task(task_name) unless tasksig
+
+          Bolt::Task::Run.validate_params(tasksig, params) if params
+          Bolt::Task.new(tasksig.task_hash)
+        end
+      end
+
+      def validate_params(task_name, params)
+        with_a_compiler do |compiler|
+          tasksig = compiler.task_signature(task_name)
+
+          raise Bolt::Error.new("#{task_name} could not be found", 'bolt/plugin-error') unless tasksig
+
+          Bolt::Task::Run.validate_params(tasksig, params)
+        end
+        nil
+      end
+
+      # By passing `_` keys in params the caller can send metaparams directly to the task
+      # _catch_errors must be passed as an executor option not a param
+      def run_local_task(task, params, options)
+        # Make sure we're in a compiler to use the sensitive type
+        with_a_compiler do |_comp|
+          params = Bolt::Task::Run.wrap_sensitive(task, params)
+          Bolt::Task::Run.run_task(
+            task,
+            empty_inventory.get_targets('localhost'),
+            params,
+            options,
+            serial_executor
+          )
+        end
+      end
+
+      def boltdir
+        @config.boltdir.path
+      end
+    end
+
+    def self.setup(config, pal, pdb_client, analytics)
+      plugins = new(config, pal, analytics)
+      # PDB is special do we want to expose the default client to the context?
       plugins.add_plugin(Bolt::Plugin::Puppetdb.new(pdb_client))
-      plugins.add_plugin(Bolt::Plugin::Terraform.new)
-      plugins.add_plugin(Bolt::Plugin::Prompt.new)
-      plugins.add_plugin(Bolt::Plugin::Pkcs7.new(config.boltdir.path, config.plugins['pkcs7'] || {}))
-      plugins.add_plugin(Bolt::Plugin::Task.new(config))
-      plugins.add_plugin(Bolt::Plugin::Aws::EC2.new(config.plugins['aws'] || {}))
-      plugins.add_plugin(Bolt::Plugin::Vault.new(config.plugins['vault'] || {}))
-      plugins.add_plugin(Bolt::Plugin::InstallAgent.new)
+
+      plugins.add_ruby_plugin('Bolt::Plugin::AwsInventory')
+      plugins.add_ruby_plugin('Bolt::Plugin::InstallAgent')
+      plugins.add_ruby_plugin('Bolt::Plugin::Task')
+      plugins.add_ruby_plugin('Bolt::Plugin::Terraform')
+      plugins.add_ruby_plugin('Bolt::Plugin::Pkcs7')
+      plugins.add_ruby_plugin('Bolt::Plugin::Prompt')
+      plugins.add_ruby_plugin('Bolt::Plugin::Vault')
+
       plugins
     end
 
-    def initialize(config, analytics)
+    BUILTIN_PLUGINS = %w[task terraform pkcs7 prompt vault aws_inventory puppetdb].freeze
+
+    attr_reader :pal, :plugin_context
+
+    def initialize(config, pal, analytics)
       @config = config
       @analytics = analytics
+      @plugin_context = PluginContext.new(config, pal)
       @plugins = {}
+      @unknown = Set.new
+    end
+
+    def modules
+      @modules ||= Bolt::Module.discover(@config.modulepath)
     end
 
+    # Generally this is private. Puppetdb is special though
     def add_plugin(plugin)
       @plugins[plugin.name] = plugin
     end
 
+    def add_ruby_plugin(cls_name)
+      snake_name = Bolt::Util.class_name_to_file_name(cls_name)
+      require snake_name
+      cls = Kernel.const_get(cls_name)
+      plugin_name = snake_name.split('/').last
+      opts = {
+        context: @plugin_context,
+        config: config_for_plugin(plugin_name)
+      }
+
+      plugin = cls.new(**opts)
+      add_plugin(plugin)
+    end
+
+    def add_module_plugin(plugin_name)
+      opts = {
+        context: @plugin_context,
+        config: config_for_plugin(plugin_name)
+      }
+
+      plugin = Bolt::Plugin::Module.load(plugin_name, modules, opts)
+      add_plugin(plugin)
+    end
+
+    def add_from_config
+      @config.plugins.keys.each do |plugin_name|
+        by_name(plugin_name)
+      end
+    end
+
+    def config_for_plugin(plugin_name)
+      @config.plugins[plugin_name] || {}
+    end
+
     def get_hook(plugin_name, hook)
       plugin = by_name(plugin_name)
       raise PluginError::Unknown, plugin_name unless plugin
-      raise PluginError::UnsupportedHook.new(plugin_name, hook) unless plugin.respond_to?(hook)
-      @analytics.report_bundled_content("Plugin #{hook}", plugin_name)
+      raise PluginError::UnsupportedHook.new(plugin_name, hook) unless plugin.hooks.include?(hook)
+      @analytics.report_bundled_content("Plugin #{hook}", plugin_name) if BUILTIN_PLUGINS.include?(plugin_name)
 
       plugin.method(hook)
     end
 
+    # Calling by_name or get_hook will load any module based plugin automatically
     def by_name(plugin_name)
-      @plugins[plugin_name]
+      return @plugins[plugin_name] if @plugins.include?(plugin_name)
+      begin
+        unless @unknown.include?(plugin_name)
+          add_module_plugin(plugin_name)
+        end
+      rescue PluginError::Unknown
+        @unknown << plugin_name
+        nil
+      end
     end
   end
 end
+
+# references PluginError
+require 'bolt/plugin/module'