bolt 2.6.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca1602020625348ee5ba03e246feeb9263ca10fdcda10e13bba36eb674dcdfba
-  data.tar.gz: bdde3554a2406f427f57d02f2e0063e592b7ceba235656c406e9f1ece3899c75
+  metadata.gz: 9354d4101556422d8d97c758b64a4e717a9b24488d11cfe48042ebe79e1a28fa
+  data.tar.gz: 3ca45b8616f2ff1aa53c67cccd150d06c7a2d8897a11b3ffdfda352d6d10ec0c
 SHA512:
-  metadata.gz: 13bcc53364488a1f37ebc19821c6429bcbcc055a543f9b581352b03c403793579290af88be0b92416506c3ddd9f23e775c7d9b9a6d2369aed3c38b0ef162da8f
-  data.tar.gz: ea09c6b92cc08d1cd893c136775070df2f6d79097663c58a96212bfdcf23984fe39fd5690d706f4802a61cd384bfe8139e446914506938605ba6d4771f272d63
+  metadata.gz: 8afb009f9b4d602b3255d86dac20551fae9389782abd2dbb3bb256eb3431a33ad7e8bfa8c87d3ffcb14d9c0aad551a5ddb2df5df80a01d8e41b4ebe49a4a2ff5
+  data.tar.gz: b3b471d539c81f37bfcfe1b2b7a3e4a84db0ada296e4300a56830d5a41ad91db96efb9583b84027f85a69d0588f7c0a2fb977d6da24aa1f08e16aea856fb6d03

data/bolt-modules/boltlib/lib/puppet/functions/run_plan.rb

@@ -117,7 +117,7 @@ Puppet::Functions.create_function(:run_plan, Puppet::Functions::InternalFunction
         # undef/nil
         result = catch(:return) do
           scope.with_global_scope do |global_scope|
-            closure.call_by_name_with_scope(global_scope, params, true)
+            executor.run_plan(global_scope, closure, params)
           end
           nil
         end&.value

data/bolt-modules/prompt/lib/puppet/functions/prompt.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'bolt/error'
+
+# Display a prompt and wait for a response.
+#
+# > **Note:** Not available in apply block
+Puppet::Functions.create_function(:prompt) do
+  # @param prompt The prompt to display.
+  # @param options A hash of additional options.
+  # @option options [Boolean] sensitive Disable echo back and mark the response as sensitive.
+  # @return The response to the prompt.
+  # @example Prompt the user if plan execution should continue
+  #   $response = prompt('Continue executing plan? [Y\N]')
+  # @example Prompt the user for sensitive information
+  #   $password = prompt('Enter your password', 'sensitive' => true)
+  dispatch :prompt do
+    param 'String', :prompt
+    optional_param 'Hash[String[1], Any]', :options
+    return_type 'Variant[String, Sensitive]'
+  end
+
+  def prompt(prompt, options = {})
+    unless Puppet[:tasks]
+      raise Puppet::ParseErrorWithIssue
+        .from_issue_and_stack(Bolt::PAL::Issues::PLAN_OPERATION_NOT_SUPPORTED_WHEN_COMPILING,
+                              action: 'prompt')
+    end
+
+    options = options.transform_keys(&:to_sym)
+
+    executor = Puppet.lookup(:bolt_executor)
+    executor.report_function_call(self.class.name)
+
+    response = executor.prompt(prompt, options)
+
+    if options[:sensitive]
+      Puppet::Pops::Types::PSensitiveType::Sensitive.new(response)
+    else
+      response
+    end
+  end
+end

data/lib/bolt/analytics.rb

@@ -63,7 +63,7 @@ module Bolt
               disabled: true
 
             Read more about what data Bolt collects and why here:
-              https://puppet.com/docs/bolt/latest/bolt_installing.html#concept-8242
+              https://puppet.com/docs/bolt/latest/bolt_installing.html#analytics-data-collection
             ANALYTICS
         end
 

data/lib/bolt/bolt_option_parser.rb

@@ -9,7 +9,7 @@ module Bolt
     OPTIONS = { inventory: %w[targets query rerun description],
                 authentication: %w[user password password-prompt private-key host-key-check ssl ssl-verify],
                 escalation: %w[run-as sudo-password sudo-password-prompt sudo-executable],
-                run_context: %w[concurrency inventoryfile save-rerun],
+                run_context: %w[concurrency inventoryfile save-rerun cleanup],
                 global_config_setters: %w[modulepath boltdir configfile],
                 transports: %w[transport connect-timeout tty],
                 display: %w[format color verbose trace],
@@ -695,6 +695,10 @@ module Bolt
              'Maximum number of simultaneous manifest block compiles (default: number of cores)') do |concurrency|
         @options[:'compile-concurrency'] = concurrency
       end
+      define('--[no-]cleanup',
+             'Whether to clean up temporary files created on targets') do |cleanup|
+        @options[:cleanup] = cleanup
+      end
       define('-m', '--modulepath MODULES',
              "List of directories containing modules, separated by '#{File::PATH_SEPARATOR}'",
              'Directories are case-sensitive') do |modulepath|

data/lib/bolt/catalog.rb

@@ -70,9 +70,38 @@ module Bolt
                           bolt_inventory: inv) do
             Puppet.lookup(:pal_current_node).trusted_data = target['trusted']
             pal.with_catalog_compiler do |compiler|
-              # This needs to happen inside the catalog compiler so loaders are initialized for loading
-              vars = Puppet::Pops::Serialization::FromDataConverter.convert(request['plan_vars'])
-              pal.send(:add_variables, compiler.send(:topscope), target['variables'].merge(vars))
+              # Deserializing needs to happen inside the catalog compiler so
+              # loaders are initialized for loading
+              plan_vars = Puppet::Pops::Serialization::FromDataConverter.convert(request['plan_vars'])
+
+              # Facts will be set by the catalog compiler, so we need to ensure
+              # that any plan or target variables with the same name are not
+              # passed into the apply block to avoid a redefinition error.
+              # Filter out plan and target vars separately and raise a Puppet
+              # warning if there are any collisions for either. Puppet warning
+              # is the only way to log a message that will make it back to Bolt
+              # to be printed.
+              pv_collisions, pv_filtered = plan_vars.partition do |k, _|
+                target['facts'].keys.include?(k)
+              end.map(&:to_h)
+              unless pv_collisions.empty?
+                print_pv = pv_collisions.keys.map { |k| "$#{k}" }.join(', ')
+                plural = pv_collisions.keys.length == 1 ? '' : 's'
+                Puppet.warning("Plan variable#{plural} #{print_pv} will be overridden by fact#{plural} " \
+                               "of the same name in the apply block")
+              end
+
+              tv_collisions, tv_filtered = target['variables'].partition do |k, _|
+                target['facts'].keys.include?(k)
+              end.map(&:to_h)
+              unless tv_collisions.empty?
+                print_tv = tv_collisions.keys.map { |k| "$#{k}" }.join(', ')
+                plural = tv_collisions.keys.length == 1 ? '' : 's'
+                Puppet.warning("Target variable#{plural} #{print_tv} " \
+                               "will be overridden by fact#{plural} of the same name in the apply block")
+              end
+
+              pal.send(:add_variables, compiler.send(:topscope), tv_filtered.merge(pv_filtered))
 
               # Configure language strictness in the CatalogCompiler. We want Bolt to be able
               # to compile most Puppet 4+ manifests, so we default to allowing deprecated functions.

data/lib/bolt/config/transport/docker.rb

@@ -8,6 +8,8 @@ module Bolt
     module Transport
       class Docker < Base
         OPTIONS = {
+          "cleanup"       => { type: TrueClass,
+                               desc: "Whether to clean up temporary files created on targets." },
           "host"          => { type: String,
                                desc: "Host name." },
           "interpreters"  => { type: Hash,
@@ -27,7 +29,9 @@ module Bolt
                                desc: "Whether to enable tty on exec commands." }
         }.freeze
 
-        DEFAULTS = {}.freeze
+        DEFAULTS = {
+          'cleanup' => true
+        }.freeze
 
         private def validate
           super

data/lib/bolt/config/transport/local.rb

@@ -8,6 +8,8 @@ module Bolt
     module Transport
       class Local < Base
         OPTIONS = {
+          "cleanup"         => { type: TrueClass,
+                                 desc: "Whether to clean up temporary files created on targets." },
           "interpreters"    => { type: Hash,
                                  desc: "A map of an extension name to the absolute path of an executable, "\
                                       "enabling you to override the shebang defined in a task executable. The "\
@@ -36,6 +38,8 @@ module Bolt
         }.freeze
 
         WINDOWS_OPTIONS = {
+          "cleanup"      => { type: TrueClass,
+                              desc: "Whether to clean up temporary files created on targets." },
           "interpreters" => { type: Hash,
                               desc: "A map of an extension name to the absolute path of an executable, "\
                                     "enabling you to override the shebang defined in a task executable. The "\
@@ -47,7 +51,9 @@ module Bolt
                               desc: "The directory to copy and execute temporary files." }
         }.freeze
 
-        DEFAULTS = {}.freeze
+        DEFAULTS = {
+          'cleanup' => true
+        }.freeze
 
         def self.options
           Bolt::Util.windows? ? WINDOWS_OPTIONS : OPTIONS

data/lib/bolt/config/transport/ssh.rb

@@ -7,7 +7,10 @@ module Bolt
   class Config
     module Transport
       class SSH < Base
+        LOGIN_SHELLS = %w[sh bash zsh dash ksh powershell].freeze
         OPTIONS = {
+          "cleanup"            => { type: TrueClass,
+                                    desc: "Whether to clean up temporary files created on targets." },
           "connect-timeout"    => { type: Integer,
                                     desc: "How long to wait when establishing connections." },
           "disconnect-timeout" => { type: Integer,
@@ -16,6 +19,12 @@ module Bolt
                                     desc: "Host name." },
           "host-key-check"     => { type: TrueClass,
                                     desc: "Whether to perform host key validation when connecting." },
+          "extensions"         => { type: Array,
+                                    desc: "List of file extensions that are accepted for scripts or tasks on Windows. "\
+                                         "Scripts with these file extensions rely on the target's file type "\
+                                         "association to run. For example, if Python is installed on the system, "\
+                                         "a `.py` script runs with `python.exe`. The extensions `.ps1`, `.rb`, and "\
+                                         "`.pp` are always allowed and run via hard-coded executables." },
           "interpreters"       => { type: Hash,
                                     desc: "A map of an extension name to the absolute path of an executable, "\
                                           "enabling you to override the shebang defined in a task executable. The "\
@@ -25,6 +34,10 @@ module Bolt
                                           "Bolt Ruby interpreter by default." },
           "load-config"        => { type: TrueClass,
                                     desc: "Whether to load system SSH configuration." },
+          "login-shell"        => { type: String,
+                                    desc: "Which login shell Bolt should expect on the target. "\
+                                          "Supported shells are #{LOGIN_SHELLS.join(', ')}. "\
+                                          "**This option is experimental.**" },
           "password"           => { type: String,
                                     desc: "Login password." },
           "port"               => { type: Integer,
@@ -67,10 +80,12 @@ module Bolt
         }.freeze
 
         DEFAULTS = {
+          "cleanup"            => true,
           "connect-timeout"    => 10,
           "tty"                => false,
           "load-config"        => true,
-          "disconnect-timeout" => 5
+          "disconnect-timeout" => 5,
+          "login-shell"        => 'bash'
         }.freeze
 
         private def validate
@@ -92,12 +107,26 @@ module Bolt
             @config['interpreters'] = normalize_interpreters(@config['interpreters'])
           end
 
+          if @config['login-shell'] && !LOGIN_SHELLS.include?(@config['login-shell'])
+            raise Bolt::ValidationError,
+                  "Unsupported login-shell #{@config['login-shell']}. Supported shells are #{LOGIN_SHELLS.join(', ')}"
+          end
+
           if (run_as_cmd = @config['run-as-command'])
             unless run_as_cmd.all? { |n| n.is_a?(String) }
               raise Bolt::ValidationError,
                     "run-as-command must be an Array of Strings, received #{run_as_cmd.class} #{run_as_cmd.inspect}"
             end
           end
+
+          if @config['login-shell'] == 'powershell'
+            %w[tty run-as].each do |key|
+              if @config[key]
+                raise Bolt::ValidationError,
+                      "#{key} is not supported when using PowerShell"
+              end
+            end
+          end
         end
       end
     end

data/lib/bolt/config/transport/winrm.rb

@@ -12,6 +12,8 @@ module Bolt
                                  desc: "Force basic authentication. This option is only available when using SSL." },
           "cacert"          => { type: String,
                                  desc: "The path to the CA certificate." },
+          "cleanup"         => { type: TrueClass,
+                                 desc: "Whether to clean up temporary files created on targets." },
           "connect-timeout" => { type: Integer,
                                  desc: "How long Bolt should wait when establishing connections." },
           "extensions"      => { type: Array,
@@ -53,6 +55,7 @@ module Bolt
 
         DEFAULTS = {
           "basic-auth-only" => false,
+          "cleanup"         => true,
           "connect-timeout" => 10,
           "ssl"             => true,
           "ssl-verify"      => true,

data/lib/bolt/executor.rb

@@ -291,6 +291,10 @@ module Bolt
       end
     end
 
+    def run_plan(scope, plan, params)
+      plan.call_by_name_with_scope(scope, params, true)
+    end
+
     class TimeoutError < RuntimeError; end
 
     def wait_until_available(targets,
@@ -326,6 +330,24 @@ module Bolt
       end
     end
 
+    def prompt(prompt, options)
+      unless STDIN.tty?
+        raise Bolt::Error.new('STDIN is not a tty, unable to prompt', 'bolt/no-tty-error')
+      end
+
+      STDERR.print("#{prompt}: ")
+
+      value = if options[:sensitive]
+                STDIN.noecho(&:gets).to_s.chomp
+              else
+                STDIN.gets.to_s.chomp
+              end
+
+      STDERR.puts if options[:sensitive]
+
+      value
+    end
+
     # Plan context doesn't make sense for most transports but it is tightly
     # coupled with the orchestrator transport since the transport behaves
     # differently when a plan is running. In order to limit how much this

data/lib/bolt/inventory/inventory.rb

@@ -50,6 +50,10 @@ module Bolt
         @group_lookup.keys
       end
 
+      def group_names_for(target_name)
+        group_data_for(target_name).fetch('groups', [])
+      end
+
       def target_names
         @groups.all_targets
       end

data/lib/bolt/plugin/env_var.rb

@@ -17,13 +17,14 @@ module Bolt
         unless opts['var']
           raise Bolt::ValidationError, "env_var plugin requires that the 'var' is specified"
         end
+        return if opts['optional'] || opts['default']
         unless ENV[opts['var']]
           raise Bolt::ValidationError, "env_var plugin requires that the var '#{opts['var']}' be set"
         end
       end
 
       def resolve_reference(opts)
-        ENV[opts['var']]
+        ENV[opts['var']] || opts['default']
       end
     end
   end

data/lib/bolt/plugin/prompt.rb

@@ -19,7 +19,7 @@ module Bolt
 
       def resolve_reference(opts)
         STDERR.print("#{opts['message']}: ")
-        value = STDIN.noecho(&:gets).chomp
+        value = STDIN.noecho(&:gets).to_s.chomp
         STDERR.puts
 
         value

data/lib/bolt/shell/bash.rb

@@ -34,7 +34,7 @@ module Bolt
 
       def upload(source, destination, options = {})
         running_as(options[:run_as]) do
-          with_tempdir do |dir|
+          with_tmpdir do |dir|
             basename = File.basename(destination)
             tmpfile = File.join(dir.to_s, basename)
             conn.copy_file(source, tmpfile)
@@ -55,7 +55,7 @@ module Bolt
         arguments = unwrap_sensitive_args(arguments)
 
         running_as(options[:run_as]) do
-          with_tempdir do |dir|
+          with_tmpdir do |dir|
             path = write_executable(dir.to_s, script)
             dir.chown(run_as)
             output = execute([path, *arguments], sudoable: true)
@@ -86,7 +86,7 @@ module Bolt
           # unpack any Sensitive data
           arguments = unwrap_sensitive_args(arguments)
 
-          with_tempdir do |dir|
+          with_tmpdir do |dir|
             if extra_files.empty?
               task_dir = dir
             else
@@ -234,7 +234,7 @@ module Bolt
         end
       end
 
-      def make_tempdir
+      def make_tmpdir
         tmpdir = @target.options.fetch('tmpdir', '/tmp')
         script_dir = @target.options.fetch('script-dir', SecureRandom.uuid)
         tmppath = File.join(tmpdir, script_dir)
@@ -242,7 +242,7 @@ module Bolt
 
         result = execute(command)
         if result.exit_code != 0
-          raise Bolt::Node::FileError.new("Could not make tempdir: #{result.stderr.string}", 'TEMPDIR_ERROR')
+          raise Bolt::Node::FileError.new("Could not make tmpdir: #{result.stderr.string}", 'TMPDIR_ERROR')
         end
         path = tmppath || result.stdout.string.chomp
         Bolt::Shell::Bash::Tmpdir.new(self, path)
@@ -256,13 +256,19 @@ module Bolt
         remote_path
       end
 
-      # A helper to create and delete a tempdir on the remote system. Yields the
+      # A helper to create and delete a tmpdir on the remote system. Yields the
       # directory name.
-      def with_tempdir
-        dir = make_tempdir
+      def with_tmpdir
+        dir = make_tmpdir
         yield dir
       ensure
-        dir&.delete
+        if dir
+          if target.options['cleanup']
+            dir.delete
+          else
+            @logger.warn("Skipping cleanup of tmpdir #{dir}")
+          end
+        end
       end
 
       # In the case where a task is run with elevated privilege and needs stdin

data/lib/bolt/shell/bash/tmpdir.rb

@@ -48,7 +48,7 @@ module Bolt
         def delete
           result = @shell.execute(['rm', '-rf', @path], sudoable: true, run_as: @owner)
           if result.exit_code != 0
-            @logger.warn("Failed to clean up tempdir '#{@path}': #{result.stderr.string}")
+            @logger.warn("Failed to clean up tmpdir '#{@path}': #{result.stderr.string}")
           end
           # For testing
           result.stderr.string

data/lib/bolt/shell/powershell.rb

@@ -6,7 +6,7 @@ module Bolt
   class Shell
     class Powershell < Shell
       DEFAULT_EXTENSIONS = Set.new(%w[.ps1 .rb .pp])
-      PS_ARGS = %w[-NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass -File].freeze
+      PS_ARGS = %w[-NoProfile -NonInteractive -NoLogo -ExecutionPolicy Bypass].freeze
 
       def initialize(target, conn)
         super
@@ -45,7 +45,7 @@ module Bolt
         when '.ps1'
           [
             'powershell.exe',
-            [*PS_ARGS, path]
+            [*PS_ARGS, '-File', path]
           ]
         when '.pp'
           [
@@ -119,11 +119,11 @@ module Bolt
         end
       end
 
-      def make_tempdir
+      def make_tmpdir
         find_parent = target.options['tmpdir'] ? "\"#{target.options['tmpdir']}\"" : '[System.IO.Path]::GetTempPath()'
-        result = execute(Snippets.make_tempdir(find_parent))
+        result = execute(Snippets.make_tmpdir(find_parent))
         if result.exit_code != 0
-          raise Bolt::Node::FileError.new("Could not make tempdir: #{result.stderr.string}", 'TEMPDIR_ERROR')
+          raise Bolt::Node::FileError.new("Could not make tmpdir: #{result.stderr.string}", 'TMPDIR_ERROR')
         end
         result.stdout.string.chomp
       end
@@ -132,11 +132,21 @@ module Bolt
         execute(Snippets.rmdir(dir))
       end
 
-      def with_tempdir
-        dir = make_tempdir
-        yield dir
+      def with_tmpdir
+        unless @tmpdir
+          # Only cleanup the directory afterward if we made it to begin with
+          owner = true
+          @tmpdir = make_tmpdir
+        end
+        yield @tmpdir
       ensure
-        rmdir(dir)
+        if owner && @tmpdir
+          if target.options['cleanup']
+            rmdir(@tmpdir)
+          else
+            @logger.warn("Skipping cleanup of tmpdir '#{@tmpdir}'")
+          end
+        end
       end
 
       def run_ps_task(task_path, arguments, input_method)
@@ -167,7 +177,7 @@ module Bolt
       def run_script(script, arguments, _options = {})
         # unpack any Sensitive data
         arguments = unwrap_sensitive_args(arguments)
-        with_tempdir do |dir|
+        with_tmpdir do |dir|
           script_path = write_executable(dir, script)
           command = if powershell_file?(script_path)
                       Snippets.run_script(arguments, script_path)
@@ -194,7 +204,7 @@ module Bolt
 
         # unpack any Sensitive data
         arguments = unwrap_sensitive_args(arguments)
-        with_tempdir do |dir|
+        with_tmpdir do |dir|
           if extra_files.empty?
             task_dir = dir
           else
@@ -243,6 +253,16 @@ module Bolt
       end
 
       def execute(command)
+        if conn.max_command_length && command.length > conn.max_command_length
+          return with_tmpdir do |dir|
+            command += "\r\nif (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
+            script_file = File.join(dir, "#{SecureRandom.uuid}_wrapper.ps1")
+            conn.copy_file(StringIO.new(command), script_file)
+            args = escape_arguments([script_file])
+            script_invocation = ['powershell.exe', *PS_ARGS, '-File', *args].join(' ')
+            execute(script_invocation)
+          end
+        end
         inp, out, err, t = conn.execute(command)
 
         result = Bolt::Node::Output.new

data/lib/bolt/shell/powershell/snippets.rb

@@ -20,7 +20,7 @@ module Bolt
             PS
           end
 
-          def make_tempdir(parent)
+          def make_tmpdir(parent)
             <<~PS
             $parent = #{parent}
             $name = [System.IO.Path]::GetRandomFileName()

data/lib/bolt/target.rb

@@ -99,7 +99,8 @@ module Bolt
         'vars' => vars,
         'features' => features,
         'facts' => facts,
-        'plugin_hooks' => plugin_hooks
+        'plugin_hooks' => plugin_hooks,
+        'groups' => @inventory.group_names_for(name)
       }
     end
 

data/lib/bolt/transport/docker.rb

@@ -19,7 +19,7 @@ module Bolt
 
       def upload(target, source, destination, _options = {})
         with_connection(target) do |conn|
-          conn.with_remote_tempdir do |dir|
+          conn.with_remote_tmpdir do |dir|
             basename = File.basename(destination)
             tmpfile = "#{dir}/#{basename}"
             if File.directory?(source)
@@ -57,7 +57,7 @@ module Bolt
         arguments = unwrap_sensitive_args(arguments)
 
         with_connection(target) do |conn|
-          conn.with_remote_tempdir do |dir|
+          conn.with_remote_tmpdir do |dir|
             remote_path = conn.write_remote_executable(dir, script)
             stdout, stderr, exitcode = conn.execute(remote_path, *arguments, {})
             Bolt::Result.for_command(target, stdout, stderr, exitcode, 'script', script)
@@ -77,7 +77,7 @@ module Bolt
         with_connection(target) do |conn|
           execute_options = {}
           execute_options[:interpreter] = select_interpreter(executable, target.options['interpreters'])
-          conn.with_remote_tempdir do |dir|
+          conn.with_remote_tmpdir do |dir|
             if extra_files.empty?
               task_dir = dir
             else

data/lib/bolt/transport/docker/connection.rb

@@ -103,25 +103,29 @@ module Bolt
           end
         end
 
-        def make_tempdir
+        def make_tmpdir
           tmpdir = @target.options.fetch('tmpdir', container_tmpdir)
           tmppath = "#{tmpdir}/#{SecureRandom.uuid}"
 
           stdout, stderr, exitcode = execute('mkdir', '-m', '700', tmppath, {})
           if exitcode != 0
-            raise Bolt::Node::FileError.new("Could not make tempdir: #{stderr}", 'TEMPDIR_ERROR')
+            raise Bolt::Node::FileError.new("Could not make tmpdir: #{stderr}", 'TMPDIR_ERROR')
           end
           tmppath || stdout.first
         end
 
-        def with_remote_tempdir
-          dir = make_tempdir
+        def with_remote_tmpdir
+          dir = make_tmpdir
           yield dir
         ensure
           if dir
-            _, stderr, exitcode = execute('rm', '-rf', dir, {})
-            if exitcode != 0
-              @logger.warn("Failed to clean up tempdir '#{dir}': #{stderr}")
+            if @target.options['cleanup']
+              _, stderr, exitcode = execute('rm', '-rf', dir, {})
+              if exitcode != 0
+                @logger.warn("Failed to clean up tmpdir '#{dir}': #{stderr}")
+              end
+            else
+              @logger.warn("Skipping cleanup of tmpdir '#{dir}'")
             end
           end
         end

data/lib/bolt/transport/local/connection.rb

@@ -32,7 +32,8 @@ module Bolt
           if source.is_a?(StringIO)
             Tempfile.create(File.basename(dest)) do |f|
               f.write(source.read)
-              FileUtils.mv(t, dest)
+              f.close
+              FileUtils.mv(f, dest)
             end
           else
             # Mimic the behavior of `cp --remove-destination`
@@ -46,12 +47,11 @@ module Bolt
 
         def execute(command)
           if Bolt::Util.windows?
-            command += "\r\nif (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
-            script_file = Tempfile.new(['wrapper', '.ps1'], target.options['tmpdir'])
-            File.write(script_file, command)
-            script_file.close
-
-            command = ['powershell.exe', *Bolt::Shell::Powershell::PS_ARGS, script_file.path]
+            # If it's already a powershell command then invoke it normally.
+            # Otherwise, wrap it in powershell.exe.
+            unless command.start_with?('powershell.exe')
+              command = ['powershell.exe', *Bolt::Shell::Powershell::PS_ARGS, '-Command', command]
+            end
           end
 
           Open3.popen3(*command)
@@ -62,6 +62,12 @@ module Bolt
         def reset_cwd?
           false
         end
+
+        def max_command_length
+          if Bolt::Util.windows?
+            32000
+          end
+        end
       end
     end
   end

data/lib/bolt/transport/orch.rb

@@ -197,7 +197,7 @@ module Bolt
           end
         rescue StandardError => e
           targets.map do |target|
-            Bolt::Result.from_exception(target, e, 'task')
+            Bolt::Result.from_exception(target, e, action: 'task')
           end
         end
       end

data/lib/bolt/transport/ssh/connection.rb

@@ -108,6 +108,7 @@ module Bolt
           end
 
           @session = Net::SSH.start(target.host, @user, options)
+          validate_ssh_version
           @logger.debug { "Opened session" }
         rescue Net::SSH::AuthenticationFailed => e
           raise Bolt::Node::ConnectError.new(
@@ -242,7 +243,11 @@ module Bolt
         end
 
         def shell
-          @shell ||= Bolt::Shell::Bash.new(target, self)
+          @shell ||= if target.options['login-shell'] == 'powershell'
+                       Bolt::Shell::Powershell.new(target, self)
+                     else
+                       Bolt::Shell::Bash.new(target, self)
+                     end
         end
 
         # This is used by the Bash shell to decide whether to `cd` before
@@ -250,6 +255,22 @@ module Bolt
         def reset_cwd?
           true
         end
+
+        def max_command_length
+          if target.options['login-shell'] == 'powershell'
+            32000
+          end
+        end
+
+        def validate_ssh_version
+          remote_version = @session.transport.server_version.version
+          return unless target.options['login-shell'] && remote_version
+
+          match = remote_version.match(/OpenSSH_for_Windows_(\d+\.\d+)/)
+          if match && match[1].to_f < 7.9
+            raise "Powershell over SSH requires OpenSSH server >= 7.9, target is running #{match[1]}"
+          end
+        end
       end
     end
   end

data/lib/bolt/transport/winrm/connection.rb

@@ -175,6 +175,10 @@ module Bolt
           @shell ||= Bolt::Shell::Powershell.new(target, self)
         end
 
+        def max_command_length
+          nil
+        end
+
         private
 
         def smb_client_login

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '2.6.0'
+  VERSION = '2.7.0'
 end

data/lib/bolt_spec/plans.rb

@@ -40,6 +40,23 @@ require 'bolt/pal'
 #  an otherwise empty bolt config and inventory. To create your own values for
 #  these override the modulepath, config, or inventory methods.
 #
+# Sub-plan Execution
+#
+#  When testing a plan, often times those plans call other plans in order to
+#  build complex workflows. To support this we offer running in two different
+#  modes:
+#    execute_any_plan (default) - This mode will execute any plan that is encountered
+#      without having to be stubbed/mocked. This default mode allows for plan control
+#      flow to behave as normal. If you choose to stub/mock out a sub-plan in this mode
+#      that will be honored and the sub-plan will not be executed. We will use the modifiers
+#      on the stub to check for the conditions specified (example: be_called_times(3))
+#
+#    execute_no_plan - This mode will not execute a plans that it encounters. Instead, when
+#      a plan is encountered it will throw an error unless the plan is mocked out. This
+#      mode is useful for ensuring that there are no plans called that you do not expect.
+#      This plan requires authors to mock out all sub-plans that may be invoked when running
+#      tests.
+#
 #  TODO:
 #  - Allow description based stub matching
 #  - Better testing of plan errors
@@ -47,15 +64,20 @@ require 'bolt/pal'
 #  - Allow stubbing with a block(at the double level? As a matched stub?)
 #  - package code so that it can be used for testing modules outside of this repo
 #  - set subject from describe and provide matchers similar to rspec puppets function tests
+#  - Allow specific plans to be executed when running in execute_no_plan mode.
 #
 #  MAYBE TODO?:
-#  - allow stubbing for subplans
 #  - validate call expectations at the end of the example instead of in run_plan
 #  - resultset matchers to help testing canary like plans?
 #  - inventory matchers to help testing plans that change inventory
 #
+# Flags:
+# - execute_any_plan: execute any plan that is encountered unless it is mocked (default)
+# - execute_no_plan: throw an error if a plan is encountered that is not stubbed
+#
 # Stubs:
 # - allow_command(cmd), expect_command(cmd): expect the exact command
+# - allow_plan(plan), expect_plan(plan): expect the named plan
 # - allow_script(script), expect_script(script): expect the script as <module>/path/to/file
 # - allow_task(task), expect_task(task): expect the named task
 # - allow_upload(file), expect_upload(file): expect the identified source file
@@ -69,22 +91,28 @@ require 'bolt/pal'
 #                       if expected, fail unless the action is called 'n' times
 # - not_be_called: fail if the action is called
 # - with_targets(targets): target or list of targets that you expect to be passed to the action
+#                          plan: does not support this modifier
 # - with_params(params): list of params and metaparams (or options) that you expect to be passed to the action.
 #                        Corresponds to the action's last argument.
 # - with_destination(dest): for upload_file, the expected destination path
 # - always_return(value): return a Bolt::ResultSet of Bolt::Result objects with the specified value Hash
+#                         plan: returns a Bolt::PlanResult with the specified value with a status of 'success'
 #                         command and script: only accept 'stdout' and 'stderr' keys
 #                         upload: does not support this modifier
 # - return_for_targets(targets_to_values): return a Bolt::ResultSet of Bolt::Result objects from the Hash mapping
 #                                          targets to their value Hashes
 #                                          command and script: only accept 'stdout' and 'stderr' keys
 #                                          upload: does not support this modifier
+#                                          plan: does not support this modifier
 # - return(&block): invoke the block to construct a Bolt::ResultSet. The blocks parameters differ based on action
 #                   command: `{ |targets:, command:, params:| ... }`
+#                   plan: `{ |plan:, params:| ... }`
 #                   script: `{ |targets:, script:, params:| ... }`
 #                   task: `{ |targets:, task:, params:| ... }`
 #                   upload: `{ |targets:, source:, destination:, params:| ... }`
 # - error_with(err): return a failing Bolt::ResultSet, with Bolt::Result objects with the identified err hash
+#                    plans will throw a Bolt::PlanFailure that will be returned as the value of
+#                    the Bolt::PlanResult object with a status of 'failure'.
 #
 # Example:
 #   describe "my_plan" do
@@ -128,12 +156,38 @@ require 'bolt/pal'
 #       end
 #       expect(run_plan('my_plan', { 'param1' => 10 })).to eq(10)
 #     end
-
+#
 #     it 'expects multiple messages to out::message' do
 #       expect_out_message.be_called_times(2).with_params(message)
 #       result = run_plan(plan_name, 'messages' => [message, message])
 #       expect(result).to be_ok
 #     end
+#
+#     it 'expects a sub-plan to be called' do
+#       expect_plan('module::sub_plan').with_params('targets' => ['foo']).be_called_times(1)
+#       result = run_plan('module::main_plan', 'targets' => ['foo'])
+#       expect(result).to be_ok
+#       expect(result.class).to eq(Bolt::PlanResult)
+#       expect(result.value).to eq('foo' => 'is_good')
+#       expect(result.status).to eq('success')
+#     end
+#
+#     it 'error when sub-plan is called' do
+#       execute_no_plan
+#       err = 'Unexpected call to 'run_plan(module::sub_plan, {\"targets\"=>[\"foo\"]})'
+#       expect { run_plan('module::main_plan', 'targets' => ['foo']) }
+#         .to raise_error(RuntimeError, err)
+#     end
+#
+#     it 'errors when plan calls fail_plan()' do
+#       result = run_plan('module::calls_fail_plan', {})
+#       expect(result).not_to be_ok
+#       expect(result.class).to eq(Bolt::PlanResult)
+#       expect(result.status).to eq('failure')
+#       expect(result.value.class).to eq(Bolt::PlanFailure)
+#       expect(result.value.msg).to eq('failure message passed to fail_plan()')
+#       expect(result.value.kind).to eq('bolt/plan-failure')
+#     end
 #   end
 #
 # See spec/bolt_spec/plan_spec.rb for more examples.
@@ -166,7 +220,9 @@ module BoltSpec
 
     def run_plan(name, params)
       pal = Bolt::PAL.new(config.modulepath, config.hiera_config, config.boltdir.resource_types)
-      result = pal.run_plan(name, params, executor, inventory, puppetdb_client)
+      result = executor.with_plan_allowed_exec(name, params) do
+        pal.run_plan(name, params, executor, inventory, puppetdb_client)
+      end
 
       if executor.error_message
         raise executor.error_message
@@ -175,7 +231,7 @@ module BoltSpec
       begin
         executor.assert_call_expectations
       rescue StandardError => e
-        raise "#{e.message}\nPlan result: #{result}"
+        raise "#{e.message}\nPlan result: #{result}\n#{e.backtrace.join("\n")}"
       end
 
       result
@@ -196,9 +252,23 @@ module BoltSpec
       nil
     end
 
-    # Plan execution does not flow through the executor mocking may make sense but
-    # will be a separate effort.
-    # def allow_plan(plan_name)
+    # Flag for the default behavior of executing sub-plans during testing
+    # By *default* we allow any sub-plan to be executed, no mocking required.
+    # Users can still mock out plans in this mode and the mocks will check for
+    # parameters and return values like normal. However, if a plan isn't explicitly
+    # mocked out, it will be executed.
+    def execute_any_plan
+      executor.execute_any_plan = true
+    end
+
+    # If you want to explicitly mock out all of the sub-plan calls, then
+    # call this prior to calling `run_plan()` along with setting up any
+    # mocks that you require.
+    # In this mode, any plan that is not explicitly mocked out will not be executed
+    # and an error will be thrown.
+    def execute_no_plan
+      executor.execute_any_plan = false
+    end
 
     # intended to be private below here
   end

data/lib/bolt_spec/plans/action_stubs.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'bolt/plan_result'
 require 'bolt/result'
 require 'bolt/util'
 
@@ -23,8 +24,8 @@ module BoltSpec
         @stubs.each { |s| s.assert_called(object) }
       end
 
-      def add_stub
-        stub = Plans.const_get(@action_stub).new
+      def add_stub(inventory = nil)
+        stub = Plans.const_get(@action_stub).new(false, inventory)
         @stubs.unshift stub
         stub
       end
@@ -33,7 +34,7 @@ module BoltSpec
     class ActionStub
       attr_reader :invocation
 
-      def initialize(expect = false)
+      def initialize(expect = false, inventory = nil)
         @calls = 0
         @expect = expect
         @expected_calls = nil
@@ -41,6 +42,7 @@ module BoltSpec
         @invocation = {}
         # return value
         @data = { default: {} }
+        @inventory = inventory
       end
 
       def assert_called(object)
@@ -55,7 +57,16 @@ module BoltSpec
           end
           message = "Expected #{object} to be called #{times} times"
           message += " with targets #{@invocation[:targets]}" if @invocation[:targets]
-          message += " with parameters #{parameters}" if parameters
+          if parameters
+            # Print the parameters hash by converting it to JSON and then re-parsing.
+            # This prevents issues in Bolt data types, such as Targets, from generating
+            # gigantic, unreadable, data when converted to string by interpolation.
+            # Targets exhibit this behavior because they have a reference to @inventory.
+            # When the target is converted into a string, it converts the full Inventory
+            # into a string recursively.
+            parameters_str = JSON.parse(parameters.to_json)
+            message += " with parameters #{parameters_str}"
+          end
           raise message
         end
       end
@@ -71,6 +82,14 @@ module BoltSpec
       # Used to create a valid Bolt::Result object from result data.
       def default_for(target)
         case @data[:default]
+        when Bolt::PlanFailure
+          # Bolt::PlanFailure needs to be declared before Bolt::Error because
+          # Bolt::PlanFailure is an instance of Bolt::Error, so it can match both
+          # in this case we need to treat Bolt::PlanFailure's in a different way
+          #
+          # raise Bolt::PlanFailure errors so that the PAL can catch them and wrap
+          # them into Bolt::PlanResult's for us.
+          raise @data[:default]
         when Bolt::Error
           Bolt::Result.from_exception(target, @data[:default])
         when Hash
@@ -87,6 +106,13 @@ module BoltSpec
         result_set
       end
 
+      def check_plan_result(plan_result, plan_clj)
+        unless plan_result.is_a?(Bolt::PlanResult)
+          raise "Return block for #{plan_clj.closure_name} did not return a Bolt::PlanResult"
+        end
+        plan_result
+      end
+
       # Below here are the intended 'public' methods of the stub
 
       # Restricts the stub to only match invocations with
@@ -127,7 +153,10 @@ module BoltSpec
       def return_for_targets(data)
         data.each_with_object(@data) do |(target, result), hsh|
           raise "Mocked results must be hashes: #{target}: #{result}" unless result.is_a? Hash
-          hsh[target] = result_for(Bolt::Target.new(target), Bolt::Util.walk_keys(result, &:to_sym))
+          # set the inventory from the BoltSpec::Plans, otherwise if we try to convert
+          # this target to a string, it will fail to string conversion because the
+          # inventory is nil
+          hsh[target] = result_for(Bolt::Target.new(target, @inventory), Bolt::Util.walk_keys(result, &:to_sym))
         end
         raise "Cannot set return values and return block." if @return_block
         @data_set = true
@@ -143,10 +172,10 @@ module BoltSpec
       end
 
       # Set a default error result for all targets.
-      def error_with(data)
+      def error_with(data, clazz = Bolt::Error)
         data = Bolt::Util.walk_keys(data, &:to_s)
         if data['msg'] && data['kind'] && (data.keys - %w[msg kind details issue_code]).empty?
-          @data[:default] = Bolt::Error.new(data['msg'], data['kind'], data['details'], data['issue_code'])
+          @data[:default] = clazz.new(data['msg'], data['kind'], data['details'], data['issue_code'])
         else
           STDERR.puts "In the future 'error_with()' may require msg and kind, and " \
                       "optionally accept only details and issue_code."
@@ -160,6 +189,7 @@ module BoltSpec
 end
 
 require_relative 'action_stubs/command_stub'
+require_relative 'action_stubs/plan_stub'
 require_relative 'action_stubs/script_stub'
 require_relative 'action_stubs/task_stub'
 require_relative 'action_stubs/upload_stub'

data/lib/bolt_spec/plans/action_stubs/plan_stub.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module BoltSpec
+  module Plans
+    class PlanStub < ActionStub
+      def matches(_scope, _plan, params)
+        targets = params.fetch('nodes', params.fetch('targets', nil))
+        if @invocation[:targets] && Set.new(@invocation[:targets]) != Set.new(targets)
+          return false
+        end
+
+        if @invocation[:params] && params != @invocation[:params]
+          return false
+        end
+
+        true
+      end
+
+      def call(_scope, plan, params)
+        @calls += 1
+        if @return_block
+          check_plan_result(@return_block.call(plan: plan, params: params), plan)
+        else
+          default_for(nil)
+        end
+      end
+
+      def parameters
+        @invocation[:params]
+      end
+
+      # Allow any data.
+      def result_for(_target, data)
+        Bolt::PlanResult.new(Bolt::Util.walk_keys(data, &:to_s), 'success')
+      end
+
+      # Public methods
+
+      # Restricts the stub to only match invocations with certain parameters.
+      # All parameters must match exactly.
+      def with_params(params)
+        @invocation[:params] = params
+        self
+      end
+
+      def return_for_targets(_data)
+        raise "return_for_targets is not implemented for plan spec tests (allow_plan, expect_plan, allow_any_plan, etc)"
+      end
+
+      def error_with(data, clazz = Bolt::PlanFailure)
+        super(data, clazz)
+      end
+    end
+  end
+end

data/lib/bolt_spec/plans/mock_executor.rb

@@ -3,6 +3,7 @@
 require 'bolt_spec/plans/action_stubs'
 require 'bolt_spec/plans/publish_stub'
 require 'bolt/error'
+require 'bolt/executor'
 require 'bolt/result_set'
 require 'bolt/result'
 require 'pathname'
@@ -10,14 +11,14 @@ require 'set'
 
 module BoltSpec
   module Plans
-    MOCKED_ACTIONS = %i[command script task upload].freeze
+    MOCKED_ACTIONS = %i[command plan script task upload].freeze
 
     class UnexpectedInvocation < ArgumentError; end
 
     # Nothing on the executor is 'public'
     class MockExecutor
       attr_reader :noop, :error_message
-      attr_accessor :run_as, :transport_features
+      attr_accessor :run_as, :transport_features, :execute_any_plan
 
       def initialize(modulepath)
         @noop = false
@@ -28,6 +29,13 @@ module BoltSpec
         MOCKED_ACTIONS.each { |action| instance_variable_set(:"@#{action}_doubles", {}) }
         @stub_out_message = nil
         @transport_features = ['puppet-agent']
+        @executor_real = Bolt::Executor.new
+        # by default, we want to execute any plan that we come across without error
+        # or mocking. users can toggle this behavior so that plans will either need to
+        # be mocked out, or an error will be thrown.
+        @execute_any_plan = true
+        # plans that are allowed to be executed by the @executor_real
+        @allowed_exec_plans = {}
       end
 
       def module_file_id(file)
@@ -96,6 +104,57 @@ module BoltSpec
         result
       end
 
+      def with_plan_allowed_exec(plan_name, params)
+        @allowed_exec_plans[plan_name] = params
+        result = yield
+        @allowed_exec_plans.delete(plan_name)
+        result
+      end
+
+      def run_plan(scope, plan_clj, params)
+        result = nil
+        plan_name = plan_clj.closure_name
+
+        # get the mock object either by plan name, or the default in case allow_any_plan
+        # was called, if both are nil / don't exist, then dub will be nil and we'll fall
+        # through to another conditional statement
+        doub = @plan_doubles[plan_name] || @plan_doubles[:default]
+
+        # High level:
+        #  - If we've explicitly allowed execution of the plan (normally the main plan
+        #    passed into BoltSpec::Plan::run_plan()), then execute it
+        #  - If we've explicitly "allowed/expected" the plan (mocked),
+        #    then run it through the mock object
+        #  - If we're allowing "any" plan to be executed,
+        #    then execute it
+        #  - Otherwise we have an error
+        if @allowed_exec_plans.key?(plan_name) && @allowed_exec_plans[plan_name] == params
+          # This plan's name + parameters were explicitly allowed to be executed.
+          # run it with the real executor.
+          # We require this functionality so that the BoltSpec::Plans.run_plan()
+          # function can kick off the initial plan. In reality, no other plans should
+          # be in this hash.
+          result = @executor_real.run_plan(scope, plan_clj, params)
+        elsif doub
+          result = doub.process(scope, plan_clj, params)
+          # the throw here is how Puppet exits out of a closure and returns a result
+          # it throws this special symbol with a result object that is captured by
+          # the run_plan Puppet function
+          throw :return, result
+        elsif @execute_any_plan
+          # if the plan wasn't allowed or mocked out, and we're allowing any plan to be
+          # executed, then execute the plan
+          result = @executor_real.run_plan(scope, plan_clj, params)
+        else
+          # convert to JSON and back so that we get the ruby representation with all keys and
+          # values converted to a string .to_s instead of their ruby object notation
+          params_str = JSON.parse(params.to_json)
+          @error_message = "Unexpected call to 'run_plan(#{plan_name}, #{params_str})'"
+          raise UnexpectedInvocation, @error_message
+        end
+        result
+      end
+
       def assert_call_expectations
         MOCKED_ACTIONS.each do |action|
           instance_variable_get(:"@#{action}_doubles").map do |object, doub|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bolt
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Puppet
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-04-20 00:00:00.000000000 Z
+date: 2020-04-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -324,6 +324,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: octokit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: puppetlabs_spec_helper
   requirement: !ruby/object:Gem::Requirement
@@ -414,6 +428,7 @@ files:
 - bolt-modules/file/lib/puppet/functions/file/readable.rb
 - bolt-modules/file/lib/puppet/functions/file/write.rb
 - bolt-modules/out/lib/puppet/functions/out/message.rb
+- bolt-modules/prompt/lib/puppet/functions/prompt.rb
 - bolt-modules/system/lib/puppet/functions/system/env.rb
 - exe/bolt
 - lib/bolt.rb
@@ -528,6 +543,7 @@ files:
 - lib/bolt_spec/plans.rb
 - lib/bolt_spec/plans/action_stubs.rb
 - lib/bolt_spec/plans/action_stubs/command_stub.rb
+- lib/bolt_spec/plans/action_stubs/plan_stub.rb
 - lib/bolt_spec/plans/action_stubs/script_stub.rb
 - lib/bolt_spec/plans/action_stubs/task_stub.rb
 - lib/bolt_spec/plans/action_stubs/upload_stub.rb