bolt 3.0.1 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16ea129b96b72ea751f0b59599b8783c7c2ad45ebc46004058384693d71795f1
-  data.tar.gz: 9f227b4c8a2fbe06410090adb6590ddce9e8f4ae29a2fa10f0e2e464fa166c0a
+  metadata.gz: fb26f585ef72c98683208ddbed3f04cfeb20a035a252604bf73927354ccae4ba
+  data.tar.gz: ad2f911f3e960a4c8ae42586c68466f8526d454d8b227391ac8032614176baa7
 SHA512:
-  metadata.gz: 8c6c1b341c1b8d83ec37184a2a9875e0665e4b5a1ed2a6b0c58266b38a541cafffb89df39da659a6ee6157a4140db852d43fa104b3ed7d99400011ec624139a7
-  data.tar.gz: 7f9a485096374549f2d5f29ff00954c810016c751f54d551c9367212ccf889eced3b71a13e262ebd6916ad2568139298b87081412ef96d091aeddeffbb924684
+  metadata.gz: aa283cf489870b48c9b44098c6f4cd0b805ac963c86369481dae603997a3dd150025273ca9168a6c93538ee60acbcfca16fa524951a6e6dcc59a61212d682da9
+  data.tar.gz: cd7b62972011560ac21404e0589169f0ab690faaa7f17b8138bc09ad30637ac66fb1823f21714ea30c7526c637c7fec89e3d4fe237ad1ca753a6c1c7f46cc56c

data/Puppetfile

@@ -23,6 +23,7 @@ mod 'puppetlabs-zone_core', '1.0.3'
 
 # Useful additional modules
 mod 'puppetlabs-package', '1.4.0'
+mod 'puppetlabs-powershell_task_helper', '0.1.0'
 mod 'puppetlabs-puppet_conf', '0.8.0'
 mod 'puppetlabs-python_task_helper', '0.5.0'
 mod 'puppetlabs-reboot', '3.2.0'
@@ -45,3 +46,4 @@ mod 'puppetlabs-yaml', '0.2.0'
 mod 'canary', local: true
 mod 'aggregate', local: true
 mod 'puppetdb_fact', local: true
+mod 'puppet_connect', local: true

data/lib/bolt/cli.rb

@@ -899,7 +899,8 @@ module Bolt
     # Gem installs include the aggregate, canary, and puppetdb_fact modules, while
     # package installs include modules listed in the Bolt repo Puppetfile
     def incomplete_install?
-      (Dir.children(Bolt::Config::Modulepath::MODULES_PATH) - %w[aggregate canary puppetdb_fact secure_env_vars]).empty?
+      builtin_module_list = %w[aggregate canary puppetdb_fact secure_env_vars puppet_connect]
+      (Dir.children(Bolt::Config::Modulepath::MODULES_PATH) - builtin_module_list).empty?
     end
 
     # Mimicks the output from Outputter::Human#fatal_error. This should be used to print

data/lib/bolt/pal.rb

@@ -215,6 +215,7 @@ module Bolt
     def with_bolt_executor(executor, inventory, pdb_client = nil, applicator = nil, &block)
       setup
       opts = {
+        bolt_project: @project,
         bolt_executor: executor,
         bolt_inventory: inventory,
         bolt_pdb_client: pdb_client,

data/lib/bolt/result.rb

@@ -203,12 +203,17 @@ module Bolt
     end
 
     def to_data
+      serialized_value = safe_value
+      if serialized_value.key?('_sensitive') &&
+         serialized_value['_sensitive'].is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
+        serialized_value['_sensitive'] = serialized_value['_sensitive'].to_s
+      end
       {
         "target" => @target.name,
         "action" => action,
         "object" => object,
         "status" => status,
-        "value" => safe_value
+        "value" => serialized_value
       }
     end
 

data/lib/bolt/shell/bash.rb

@@ -331,10 +331,15 @@ module Bolt
         # together multiple commands into a single sh invocation
         commands = [inject_interpreter(options[:interpreter], command)]
 
+        # Let the transport handle adding environment variables if it's custom.
         if options[:environment]
-          env_decl = options[:environment].map do |env, val|
-            "#{env}=#{Shellwords.shellescape(val)}"
-          end.join(' ')
+          if defined? conn.add_env_vars
+            conn.add_env_vars(options[:environment])
+          else
+            env_decl = options[:environment].map do |env, val|
+              "#{env}=#{Shellwords.shellescape(val)}"
+            end.join(' ')
+          end
         end
 
         if escalate

data/lib/bolt/shell/powershell.rb

@@ -274,7 +274,12 @@ module Bolt
                               []
                             end
 
-          output = execute([Snippets.shell_init, *env_assignments, command].join("\n"))
+          output = execute([
+            Snippets.shell_init,
+            Snippets.append_ps_module_path(dir),
+            *env_assignments,
+            command
+          ].join("\n"))
 
           Bolt::Result.for_task(target, output.stdout.string,
                                 output.stderr.string,

data/lib/bolt/shell/powershell/snippets.rb

@@ -55,18 +55,45 @@ module Bolt
             }
             #{build_arg_list}
 
+            switch -regex ( Get-ExecutionPolicy )
+            {
+              '^AllSigned'
+              {
+                if ((Get-AuthenticodeSignature -File "#{script_path}").Status -ne 'Valid') {
+                  $Host.UI.WriteErrorLine("Error: Target host Powershell ExecutionPolicy is set to ${_} and script '#{script_path}' does not contain a valid signature.")
+                  exit 1;
+                }
+              }
+              '^Restricted'
+              {
+                $Host.UI.WriteErrorLine("Error: Target host Powershell ExecutionPolicy is set to ${_} which denies running any scripts on the target.")
+                exit 1;
+              }
+            }
+
+            if([string]::IsNullOrEmpty($invokeArgs.ScriptBlock)){
+              $Host.UI.WriteErrorLine("Error: Failed to obtain scriptblock from '#{script_path}'. Running scripts might be disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170");
+              exit 1;
+            }
+
             try
             {
               Invoke-Command @invokeArgs
             }
             catch
             {
-              Write-Error $_.Exception
-              exit 1
+              $Host.UI.WriteErrorLine("[$($_.FullyQualifiedErrorId)] Exception $($_.InvocationInfo.PositionMessage).`n$($_.Exception.Message)");
+              exit 1;
             }
             PS
           end
 
+          def append_ps_module_path(directory)
+            <<~PS
+            $env:PSModulePath += ";#{directory}"
+            PS
+          end
+
           def ps_task(path, arguments)
             <<~PS
             $private:tempArgs = Get-ContentAsJson (
@@ -138,7 +165,7 @@ module Bolt
               [Parameter(Mandatory = $true)] $Text,
               [Parameter(Mandatory = $false)] [Text.Encoding] $Encoding = [Text.Encoding]::UTF8
             )
-          
+
             $Text | ConvertFrom-Json | ConvertFrom-PSCustomObject
             }
             PS

data/lib/bolt/transport/base.rb

@@ -74,15 +74,6 @@ module Bolt
         interpreters[Pathname(executable).extname] if interpreters
       end
 
-      # Transform a parameter map to an environment variable map, with parameter names prefixed
-      # with 'PT_' and values transformed to JSON unless they're strings.
-      def envify_params(params)
-        params.each_with_object({}) do |(k, v), h|
-          v = v.to_json unless v.is_a?(String)
-          h["PT_#{k}"] = v
-        end
-      end
-
       # Raises an error if more than one target was given in the batch.
       #
       # The default implementations of batch_* strictly assume the transport is

data/lib/bolt/transport/docker.rb

@@ -6,7 +6,7 @@ require 'bolt/transport/base'
 
 module Bolt
   module Transport
-    class Docker < Base
+    class Docker < Simple
       def provided_features
         ['shell']
       end
@@ -16,130 +16,6 @@ module Bolt
         conn.connect
         yield conn
       end
-
-      def upload(target, source, destination, _options = {})
-        with_connection(target) do |conn|
-          conn.with_remote_tmpdir do |dir|
-            basename = File.basename(source)
-            tmpfile = "#{dir}/#{basename}"
-            if File.directory?(source)
-              conn.write_remote_directory(source, tmpfile)
-            else
-              conn.write_remote_file(source, tmpfile)
-            end
-
-            _, stderr, exitcode = conn.execute('mv', tmpfile, destination, {})
-            if exitcode != 0
-              message = "Could not move temporary file '#{tmpfile}' to #{destination}: #{stderr}"
-              raise Bolt::Node::FileError.new(message, 'MV_ERROR')
-            end
-          end
-          Bolt::Result.for_upload(target, source, destination)
-        end
-      end
-
-      def download(target, source, destination, _options = {})
-        with_connection(target) do |conn|
-          download = File.join(destination, Bolt::Util.unix_basename(source))
-          conn.download_remote_content(source, destination)
-          Bolt::Result.for_download(target, source, destination, download)
-        end
-      end
-
-      def run_command(target, command, options = {}, position = [])
-        execute_options = {}
-        execute_options[:tty] = target.options['tty']
-        execute_options[:environment] = options[:env_vars]
-
-        if target.options['shell-command'] && !target.options['shell-command'].empty?
-          # escape any double quotes in command
-          command = command.gsub('"', '\"')
-          command = "#{target.options['shell-command']} \" #{command}\""
-        end
-        with_connection(target) do |conn|
-          stdout, stderr, exitcode = conn.execute(*Shellwords.split(command), execute_options)
-          Bolt::Result.for_command(target,
-                                   stdout,
-                                   stderr,
-                                   exitcode,
-                                   'command',
-                                   command,
-                                   position)
-        end
-      end
-
-      def run_script(target, script, arguments, options = {}, position = [])
-        # unpack any Sensitive data
-        arguments = unwrap_sensitive_args(arguments)
-        execute_options = {}
-        execute_options[:environment] = options[:env_vars]
-
-        with_connection(target) do |conn|
-          conn.with_remote_tmpdir do |dir|
-            remote_path = conn.write_remote_executable(dir, script)
-            stdout, stderr, exitcode = conn.execute(remote_path, *arguments, execute_options)
-            Bolt::Result.for_command(target,
-                                     stdout,
-                                     stderr,
-                                     exitcode,
-                                     'script',
-                                     script,
-                                     position)
-          end
-        end
-      end
-
-      def run_task(target, task, arguments, _options = {}, position = [])
-        implementation = task.select_implementation(target, provided_features)
-        executable = implementation['path']
-        input_method = implementation['input_method']
-        extra_files = implementation['files']
-        input_method ||= 'both'
-
-        # unpack any Sensitive data
-        arguments = unwrap_sensitive_args(arguments)
-        with_connection(target) do |conn|
-          execute_options = {}
-          execute_options[:interpreter] = select_interpreter(executable, target.options['interpreters'])
-          conn.with_remote_tmpdir do |dir|
-            if extra_files.empty?
-              task_dir = dir
-            else
-              # TODO: optimize upload of directories
-              arguments['_installdir'] = dir
-              task_dir = File.join(dir, task.tasks_dir)
-              conn.mkdirs([task_dir] + extra_files.map { |file| File.join(dir, File.dirname(file['name'])) })
-              extra_files.each do |file|
-                conn.write_remote_file(file['path'], File.join(dir, file['name']))
-              end
-            end
-
-            remote_task_path = conn.write_remote_executable(task_dir, executable)
-
-            if Bolt::Task::STDIN_METHODS.include?(input_method)
-              execute_options[:stdin] = StringIO.new(JSON.dump(arguments))
-            end
-
-            if Bolt::Task::ENVIRONMENT_METHODS.include?(input_method)
-              execute_options[:environment] = envify_params(arguments)
-            end
-
-            stdout, stderr, exitcode = conn.execute(remote_task_path, execute_options)
-            Bolt::Result.for_task(target,
-                                  stdout,
-                                  stderr,
-                                  exitcode,
-                                  task.name,
-                                  position)
-          end
-        end
-      end
-
-      def connected?(target)
-        with_connection(target) { true }
-      rescue Bolt::Node::ConnectError
-        false
-      end
     end
   end
 end

data/lib/bolt/transport/docker/connection.rb

@@ -5,227 +5,152 @@ require 'bolt/node/errors'
 
 module Bolt
   module Transport
-    class Docker < Base
+    class Docker < Simple
       class Connection
+        attr_reader :user, :target
+
         def initialize(target)
           raise Bolt::ValidationError, "Target #{target.safe_name} does not have a host" unless target.host
           @target = target
+          @user = ENV['USER'] || Etc.getlogin
           @logger = Bolt::Logger.logger(target.safe_name)
-          @docker_host = @target.options['service-url']
-          @logger.trace("Initializing docker connection to #{@target.safe_name}")
+          @container_info = {}
+          @docker_host = target.options['service-url']
+          @logger.trace("Initializing docker connection to #{target.safe_name}")
+        end
+
+        def shell
+          @shell ||= if Bolt::Util.windows?
+                       Bolt::Shell::Powershell.new(target, self)
+                     else
+                       Bolt::Shell::Bash.new(target, self)
+                     end
+        end
+
+        # The full ID of the target container
+        #
+        # @return [String] The full ID of the target container
+        def container_id
+          @container_info["Id"]
         end
 
         def connect
           # We don't actually have a connection, but we do need to
           # check that the container exists and is running.
-          output = execute_local_docker_json_command('ps')
-          index = output.find_index { |item| item["ID"] == @target.host || item["Names"] == @target.host }
-          raise "Could not find a container with name or ID matching '#{@target.host}'" if index.nil?
+          output = execute_local_json_command('ps')
+          index = output.find_index { |item| item["ID"] == target.host || item["Names"] == target.host }
+          raise "Could not find a container with name or ID matching '#{target.host}'" if index.nil?
           # Now find the indepth container information
-          output = execute_local_docker_json_command('inspect', [output[index]["ID"]])
+          output = execute_local_json_command('inspect', [output[index]["ID"]])
           # Store the container information for later
           @container_info = output[0]
           @logger.trace { "Opened session" }
           true
         rescue StandardError => e
           raise Bolt::Node::ConnectError.new(
-            "Failed to connect to #{@target.safe_name}: #{e.message}",
+            "Failed to connect to #{target.safe_name}: #{e.message}",
             'CONNECT_ERROR'
           )
         end
 
-        # Executes a command inside the target container
-        #
-        # @param command [Array] The command to run, expressed as an array of strings
-        # @param options [Hash] command specific options
-        # @option opts [String] :interpreter statements that are prefixed to the command e.g `/bin/bash` or `cmd.exe /c`
-        # @option opts [Hash] :environment A hash of environment variables that will be injected into the command
-        # @option opts [IO] :stdin An IO object that will be used to redirect STDIN for the docker command
-        def execute(*command, options)
-          command.unshift(options[:interpreter]) if options[:interpreter]
-          # Build the `--env` parameters
-          envs = []
-          if options[:environment]
-            options[:environment].each { |env, val| envs.concat(['--env', "#{env}=#{val}"]) }
+        def add_env_vars(env_vars)
+          @env_vars = env_vars.each_with_object([]) do |env_var, acc|
+            acc << "--env"
+            acc << "#{env_var[0]}=#{env_var[1]}"
           end
+        end
 
-          command_options = []
-          # Need to be interactive if redirecting STDIN
-          command_options << '--interactive' unless options[:stdin].nil?
-          command_options << '--tty' if options[:tty]
-          command_options.concat(envs) unless envs.empty?
-          command_options << container_id
-          command_options.concat(command)
-
-          @logger.trace { "Executing: exec #{command_options}" }
+        # Executes a command inside the target container. This is called from the shell class.
+        #
+        # @param command [string] The command to run
+        def execute(command)
+          args = []
+          # CODEREVIEW: Is it always safe to pass --interactive?
+          args += %w[--interactive]
+          args += %w[--tty] if target.options['tty']
+          args += %W[--env DOCKER_HOST=#{@docker_host}] if @docker_host
+          args += @env_vars if @env_vars
+
+          if target.options['shell-command'] && !target.options['shell-command'].empty?
+            # escape any double quotes in command
+            command = command.gsub('"', '\"')
+            command = "#{target.options['shell-command']} \"#{command}\""
+          end
 
-          stdout_str, stderr_str, status = execute_local_docker_command('exec', command_options, options[:stdin])
+          docker_command = %w[docker exec] + args + [container_id] + Shellwords.split(command)
+          @logger.trace { "Executing: #{docker_command.join(' ')}" }
 
-          # The actual result is the exitstatus not the process object
-          status = status.nil? ? -32768 : status.exitstatus
-          if status == 0
-            @logger.trace { "Command returned successfully" }
-          else
-            @logger.trace { "Command failed with exit code #{status}" }
-          end
-          stdout_str.force_encoding(Encoding::UTF_8)
-          stderr_str.force_encoding(Encoding::UTF_8)
-          # Normalise line endings
-          stdout_str.gsub!("\r\n", "\n")
-          stderr_str.gsub!("\r\n", "\n")
-          [stdout_str, stderr_str, status]
+          Open3.popen3(*docker_command)
         rescue StandardError
           @logger.trace { "Command aborted" }
           raise
         end
 
-        def write_remote_file(source, destination)
-          @logger.trace { "Uploading #{source} to #{destination}" }
-          _, stdout_str, status = execute_local_docker_command('cp', [source, "#{container_id}:#{destination}"])
-          unless status.exitstatus.zero?
-            raise "Error writing file to container #{@container_id}: #{stdout_str}"
-          end
-        rescue StandardError => e
-          raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
-        end
-
-        def write_remote_directory(source, destination)
+        def upload_file(source, destination)
           @logger.trace { "Uploading #{source} to #{destination}" }
-          _, stdout_str, status = execute_local_docker_command('cp', [source, "#{container_id}:#{destination}"])
+          _stdout, stderr, status = execute_local_command('cp', [source, "#{container_id}:#{destination}"])
           unless status.exitstatus.zero?
-            raise "Error writing directory to container #{@container_id}: #{stdout_str}"
+            raise "Error writing to container #{container_id}: #{stderr}"
           end
         rescue StandardError => e
           raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
         end
 
-        def download_remote_content(source, destination)
+        def download_file(source, destination, _download)
           @logger.trace { "Downloading #{source} to #{destination}" }
           # Create the destination directory, otherwise copying a source directory with Docker will
           # copy the *contents* of the directory.
           # https://docs.docker.com/engine/reference/commandline/cp/
           FileUtils.mkdir_p(destination)
-          _, stdout_str, status = execute_local_docker_command('cp', ["#{container_id}:#{source}", destination])
+          _stdout, stderr, status = execute_local_command('cp', ["#{container_id}:#{source}", destination])
           unless status.exitstatus.zero?
-            raise "Error downloading content from container #{@container_id}: #{stdout_str}"
+            raise "Error downloading content from container #{container_id}: #{stderr}"
           end
         rescue StandardError => e
           raise Bolt::Node::FileError.new(e.message, 'WRITE_ERROR')
         end
 
-        def mkdirs(dirs)
-          _, stderr, exitcode = execute('mkdir', '-p', *dirs, {})
-          if exitcode != 0
-            message = "Could not create directories: #{stderr}"
-            raise Bolt::Node::FileError.new(message, 'MKDIR_ERROR')
-          end
-        end
-
-        def make_tmpdir
-          tmpdir = @target.options.fetch('tmpdir', container_tmpdir)
-          tmppath = "#{tmpdir}/#{SecureRandom.uuid}"
-
-          stdout, stderr, exitcode = execute('mkdir', '-m', '700', tmppath, {})
-          if exitcode != 0
-            raise Bolt::Node::FileError.new("Could not make tmpdir: #{stderr}", 'TMPDIR_ERROR')
-          end
-          tmppath || stdout.first
-        end
-
-        def with_remote_tmpdir
-          dir = make_tmpdir
-          yield dir
-        ensure
-          if dir
-            if @target.options['cleanup']
-              _, stderr, exitcode = execute('rm', '-rf', dir, {})
-              if exitcode != 0
-                Bolt::Logger.warn("fail_cleanup", "Failed to clean up tmpdir '#{dir}': #{stderr}")
-              end
-            else
-              Bolt::Logger.warn("skip_cleanup", "Skipping cleanup of tmpdir '#{dir}'")
-            end
-          end
-        end
+        # Executes a Docker CLI command. This is useful for running commands as
+        # part of this class without having to go through the `execute`
+        # function and manage pipes.
+        #
+        # @param subcommand [String] The docker subcommand to run
+        #   e.g. 'inspect' for `docker inspect`
+        # @param arguments [Array] Arguments to pass to the docker command
+        #   e.g. 'src' and 'dest' for `docker cp <src> <dest>
+        # @return [String, String, Process::Status] The output of the command: STDOUT, STDERR, Process Status
+        private def execute_local_command(subcommand, arguments = [])
+          # Set the DOCKER_HOST if we are using a non-default service-url
+          env_hash = @docker_host.nil? ? {} : { 'DOCKER_HOST' => @docker_host }
+          docker_command = [subcommand].concat(arguments)
 
-        def write_remote_executable(dir, file, filename = nil)
-          filename ||= File.basename(file)
-          remote_path = File.join(dir.to_s, filename)
-          write_remote_file(file, remote_path)
-          make_executable(remote_path)
-          remote_path
+          Open3.capture3(env_hash, 'docker', *docker_command, { binmode: true })
         end
 
-        def make_executable(path)
-          _, stderr, exitcode = execute('chmod', 'u+x', path, {})
-          if exitcode != 0
-            message = "Could not make file '#{path}' executable: #{stderr}"
-            raise Bolt::Node::FileError.new(message, 'CHMOD_ERROR')
-          end
+        # Executes a Docker CLI command and parses the output in JSON format
+        #
+        # @param subcommand [String] The docker subcommand to run
+        #   e.g. 'inspect' for `docker inspect`
+        # @param arguments [Array] Arguments to pass to the docker command
+        #   e.g. 'src' and 'dest' for `docker cp <src> <dest>
+        # @return [Object] Ruby object representation of the JSON string
+        private def execute_local_json_command(subcommand, arguments = [])
+          command_options = ['--format', '{{json .}}'].concat(arguments)
+          stdout, _stderr, _status = execute_local_command(subcommand, command_options)
+          extract_json(stdout)
         end
 
-        private
-
         # Converts the JSON encoded STDOUT string from the docker cli into ruby objects
         #
         # @param stdout_string [String] The string to convert
         # @return [Object] Ruby object representation of the JSON string
-        def extract_json(stdout_string)
+        private def extract_json(stdout)
           # The output from the docker format command is a JSON string per line.
           # We can't do a direct convert but this helper method will convert it into
           # an array of Objects
-          stdout_string.split("\n")
-                       .reject { |str| str.strip.empty? }
-                       .map { |str| JSON.parse(str) }
-        end
-
-        # rubocop:disable Layout/LineLength
-        # Executes a Docker CLI command
-        #
-        # @param subcommand [String] The docker subcommand to run e.g. 'inspect' for `docker inspect`
-        # @param command_options [Array] Additional command options e.g. ['--size'] for `docker inspect --size`
-        # @param redir_stdin [IO] IO object which will be use to as STDIN in the docker command. Default is nil, which does not perform redirection
-        # @return [String, String, Process::Status] The output of the command:  STDOUT, STDERR, Process Status
-        # rubocop:enable Layout/LineLength
-        def execute_local_docker_command(subcommand, command_options = [], redir_stdin = nil)
-          env_hash = {}
-          # Set the DOCKER_HOST if we are using a non-default service-url
-          env_hash['DOCKER_HOST'] = @docker_host unless @docker_host.nil?
-
-          command_options = [] if command_options.nil?
-          docker_command = [subcommand].concat(command_options)
-
-          # Always use binary mode for any text data
-          capture_options = { binmode: true }
-          capture_options[:stdin_data] = redir_stdin unless redir_stdin.nil?
-          stdout_str, stderr_str, status = Open3.capture3(env_hash, 'docker', *docker_command, capture_options)
-          [stdout_str, stderr_str, status]
-        end
-
-        # Executes a Docker CLI command and parses the output in JSON format
-        #
-        # @param subcommand [String] The docker subcommand to run e.g. 'inspect' for `docker inspect`
-        # @param command_options [Array] Additional command options e.g. ['--size'] for `docker inspect --size`
-        # @return [Object] Ruby object representation of the JSON string
-        def execute_local_docker_json_command(subcommand, command_options = [])
-          command_options = [] if command_options.nil?
-          command_options = ['--format', '{{json .}}'].concat(command_options)
-          stdout_str, _stderr_str, _status = execute_local_docker_command(subcommand, command_options)
-          extract_json(stdout_str)
-        end
-
-        # The full ID of the target container
-        #
-        # @return [String] The full ID of the target container
-        def container_id
-          @container_info["Id"]
-        end
-
-        # The temp path inside the target container
-        #
-        # @return [String] The absolute path to the temp directory
-        def container_tmpdir
-          '/tmp'
+          stdout.split("\n")
+                .reject { |str| str.strip.empty? }
+                .map { |str| JSON.parse(str) }
         end
       end
     end

data/lib/bolt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bolt
-  VERSION = '3.0.1'
+  VERSION = '3.1.0'
 end

data/lib/bolt_server/transport_app.rb

@@ -133,7 +133,14 @@ module BoltServer
       task_data = body['task']
       task = Bolt::Task::PuppetServer.new(task_data['name'], task_data['metadata'], task_data['files'], @file_cache)
       parameters = body['parameters'] || {}
-      [@executor.run_task(target, task, parameters), nil]
+      task_result = @executor.run_task(target, task, parameters)
+      task_result.each do |result|
+        value = result.value
+        next unless value.is_a?(Hash)
+        next unless value.key?('_sensitive')
+        value['_sensitive'] = value['_sensitive'].unwrap
+      end
+      [task_result, nil]
     end
 
     def run_command(target, body)
@@ -275,15 +282,19 @@ module BoltServer
       Bolt::Config.from_project(project, { log: { 'bolt-debug.log' => 'disable' } })
     end
 
+    def pal_from_project_bolt_config(bolt_config)
+      modulepath_object = Bolt::Config::Modulepath.new(
+        bolt_config.modulepath,
+        boltlib_path: [PE_BOLTLIB_PATH, Bolt::Config::Modulepath::BOLTLIB_PATH],
+        builtin_content_path: @config['builtin-content-dir']
+      )
+      Bolt::PAL.new(modulepath_object, nil, nil, nil, nil, nil, bolt_config.project)
+    end
+
     def in_bolt_project(versioned_project)
       @pal_mutex.synchronize do
         bolt_config = config_from_project(versioned_project)
-        modulepath_object = Bolt::Config::Modulepath.new(
-          bolt_config.modulepath,
-          boltlib_path: [PE_BOLTLIB_PATH, Bolt::Config::Modulepath::BOLTLIB_PATH],
-          builtin_content_path: @config['builtin-content-dir']
-        )
-        pal = Bolt::PAL.new(modulepath_object, nil, nil, nil, nil, nil, bolt_config.project)
+        pal = pal_from_project_bolt_config(bolt_config)
         context = {
           pal: pal,
           config: bolt_config
@@ -351,8 +362,8 @@ module BoltServer
       }
     end
 
-    def allowed_helper(metadata, allowlist)
-      allowed = allowlist.nil? || allowlist.include?(metadata['name'])
+    def allowed_helper(pal, metadata, allowlist)
+      allowed = !pal.filter_content([metadata['name']], allowlist).empty?
       metadata.merge({ 'allowed' => allowed })
     end
 
@@ -366,21 +377,27 @@ module BoltServer
       plans.map { |plan_name| { 'name' => plan_name } }
     end
 
-    def file_metadatas(pal, module_name, file)
-      pal.in_bolt_compiler do
-        mod = Puppet.lookup(:current_environment).module(module_name)
-        raise ArgumentError, "`module_name`: #{module_name} does not exist" unless mod
-        abs_file_path = mod.file(file)
-        raise ArgumentError, "`file`: #{file} does not exist inside the module's 'files' directory" unless abs_file_path
-        fileset = Puppet::FileServing::Fileset.new(abs_file_path, 'recurse' => 'yes')
-        Puppet::FileServing::Fileset.merge(fileset).collect do |relative_file_path, base_path|
-          metadata = Puppet::FileServing::Metadata.new(base_path, relative_path: relative_file_path)
-          metadata.checksum_type = 'sha256'
-          metadata.links = 'follow'
-          metadata.collect
-          metadata.to_data_hash
+    def file_metadatas(versioned_project, module_name, file)
+      abs_file_path = @pal_mutex.synchronize do
+        bolt_config = config_from_project(versioned_project)
+        pal = pal_from_project_bolt_config(bolt_config)
+        pal.in_bolt_compiler do
+          mod = Puppet.lookup(:current_environment).module(module_name)
+          raise ArgumentError, "`module_name`: #{module_name} does not exist" unless mod
+          mod.file(file)
         end
       end
+
+      raise ArgumentError, "`file`: #{file} does not exist inside the module's 'files' directory" unless abs_file_path
+
+      fileset = Puppet::FileServing::Fileset.new(abs_file_path, 'recurse' => 'yes')
+      Puppet::FileServing::Fileset.merge(fileset).collect do |relative_file_path, base_path|
+        metadata = Puppet::FileServing::Metadata.new(base_path, relative_path: relative_file_path)
+        metadata.checksum_type = 'sha256'
+        metadata.links = 'follow'
+        metadata.collect
+        metadata.to_data_hash
+      end
     end
 
     get '/' do
@@ -520,7 +537,7 @@ module BoltServer
       return MISSING_VERSIONED_PROJECT_RESPONSE if params['versioned_project'].nil?
       in_bolt_project(params['versioned_project']) do |context|
         plan_info = pe_plan_info(context[:pal], params[:module_name], params[:plan_name])
-        plan_info = allowed_helper(plan_info, context[:config].project.plans)
+        plan_info = allowed_helper(context[:pal], plan_info, context[:config].project.plans)
         [200, plan_info.to_json]
       end
     rescue Bolt::Error => e
@@ -550,7 +567,7 @@ module BoltServer
           'versioned_project' => params['versioned_project']
         }
         task_info = pe_task_info(context[:pal], params[:module_name], params[:task_name], ps_parameters)
-        task_info = allowed_helper(task_info, context[:config].project.tasks)
+        task_info = allowed_helper(context[:pal], task_info, context[:config].project.tasks)
         [200, task_info.to_json]
       end
     rescue Bolt::Error => e
@@ -590,7 +607,7 @@ module BoltServer
         plans_response = plan_list(context[:pal])
 
         # Dig in context for the allowlist of plans from project object
-        plans_response.map! { |metadata| allowed_helper(metadata, context[:config].project.plans) }
+        plans_response.map! { |metadata| allowed_helper(context[:pal], metadata, context[:config].project.plans) }
 
         # We structure this array of plans to be an array of hashes so that it matches the structure
         # returned by the puppetserver API that serves data like this. Structuring the output this way
@@ -626,7 +643,7 @@ module BoltServer
         tasks_response = task_list(context[:pal])
 
         # Dig in context for the allowlist of tasks from project object
-        tasks_response.map! { |metadata| allowed_helper(metadata, context[:config].project.tasks) }
+        tasks_response.map! { |metadata| allowed_helper(context[:pal], metadata, context[:config].project.tasks) }
 
         # We structure this array of tasks to be an array of hashes so that it matches the structure
         # returned by the puppetserver API that serves data like this. Structuring the output this way
@@ -642,12 +659,11 @@ module BoltServer
     #
     # @param versioned_project [String] the versioned_project to fetch the file metadatas from
     get '/project_file_metadatas/:module_name/*' do
-      return MISSING_VERSIONED_PROJECT_RESPONSE if params['versioned_project'].nil?
-      in_bolt_project(params['versioned_project']) do |context|
-        file = params[:splat].first
-        metadatas = file_metadatas(context[:pal], params[:module_name], file)
-        [200, metadatas.to_json]
-      end
+      versioned_project = params['versioned_project']
+      return MISSING_VERSIONED_PROJECT_RESPONSE if versioned_project.nil?
+      file = params[:splat].first
+      metadatas = file_metadatas(versioned_project, params[:module_name], file)
+      [200, metadatas.to_json]
     rescue Bolt::Error => e
       [400, e.to_json]
     rescue ArgumentError => e

data/lib/bolt_spec/bolt_context.rb

@@ -130,11 +130,16 @@ module BoltSpec
       @executor ||= BoltSpec::Plans::MockExecutor.new(modulepath)
     end
 
-    # Override in your tests
+    # Overrides inventory for tests.
     def inventory_data
       {}
     end
 
+    # Overrides configuration for tests.
+    def config_data
+      {}
+    end
+
     def inventory
       @inventory ||= Bolt::Inventory.create_version(inventory_data, config.transport, config.transports, plugins)
     end
@@ -142,7 +147,7 @@ module BoltSpec
     # Override in your tests
     def config
       @config ||= begin
-        conf = Bolt::Config.default
+        conf = Bolt::Config.new(Bolt::Project.default_project, config_data)
         conf.modulepath = [modulepath].flatten
         conf
       end
@@ -161,7 +166,7 @@ module BoltSpec
     BoltSpec::Plans::MOCKED_ACTIONS.each do |action|
       # Allowed action stubs can be called up to be_called_times number of times
       define_method :"allow_#{action}" do |object|
-        executor.send(:"stub_#{action}", object).add_stub
+        executor.send(:"stub_#{action}", object).add_stub(inventory)
       end
 
       # Expected action stubs must be called exactly the expected number of times
@@ -172,7 +177,7 @@ module BoltSpec
 
       # This stub will catch any action call if there are no stubs specifically for that task
       define_method :"allow_any_#{action}" do
-        executor.send(:"stub_#{action}", :default).add_stub
+        executor.send(:"stub_#{action}", :default).add_stub(inventory)
       end
     end
 

data/lib/bolt_spec/plans.rb

@@ -5,119 +5,11 @@ require 'bolt_spec/plans/mock_executor'
 require 'bolt/pal'
 
 # These helpers are intended to be used for plan unit testing without calling
-# out to target nodes. It uses the BoltContext helper to set up a mock executor
+# out to targets. It uses the BoltContext helper to set up a mock executor
 # which allows calls to run_* functions to be stubbed for testing. The context
 # helper also loads Bolt datatypes and plan functions to be used by the code
 # being tested.
 #
-# Stub matching
-#
-# Stubs match invocations of run_* functions by default matching any call but
-# with_targets and with_params helpers can further restrict the stub to match
-# more exact invocations. It's possible a call to run_* could match multiple
-# stubs. In this case the mock executor will first check for stubs specifically
-# matching the task being run after which it will use the last stub that
-# matched
-#
-#
-# allow vs expect
-#
-# Stubs have two general modes bases on whether the test is making assertions
-# on whether function was called. Allow stubs allow the run_* invocation  to
-# be called any number of times while expect stubs will fail if no run_*
-# invocation matches them. The be_called_times(n) stub method can be used to
-# ensure an allow stub is not called more than n times or that an expect stub
-# is called exactly n times.
-#
-# Configuration
-#
-#  To configure Puppet and Bolt at the beginning of tests, add the following
-#  line to your spec_helper.rb:
-#
-#  BoltSpec::Plans.init
-#
-#  By default the plan helpers use the modulepath set up for rspec-puppet and
-#  an otherwise empty bolt config and inventory. To create your own values for
-#  these override the modulepath, config, or inventory methods.
-#
-# Sub-plan Execution
-#
-#  When testing a plan, often times those plans call other plans in order to
-#  build complex workflows. To support this we offer running in two different
-#  modes:
-#    execute_any_plan (default) - This mode will execute any plan that is encountered
-#      without having to be stubbed/mocked. This default mode allows for plan control
-#      flow to behave as normal. If you choose to stub/mock out a sub-plan in this mode
-#      that will be honored and the sub-plan will not be executed. We will use the modifiers
-#      on the stub to check for the conditions specified (example: be_called_times(3))
-#
-#    execute_no_plan - This mode will not execute a plans that it encounters. Instead, when
-#      a plan is encountered it will throw an error unless the plan is mocked out. This
-#      mode is useful for ensuring that there are no plans called that you do not expect.
-#      This plan requires authors to mock out all sub-plans that may be invoked when running
-#      tests.
-#
-#  TODO:
-#  - Allow description based stub matching
-#  - Better testing of plan errors
-#  - Better error collection around call counts. Show what stubs exists and more than a single failure
-#  - Allow stubbing with a block(at the double level? As a matched stub?)
-#  - package code so that it can be used for testing modules outside of this repo
-#  - set subject from describe and provide matchers similar to rspec puppets function tests
-#  - Allow specific plans to be executed when running in execute_no_plan mode.
-#
-#  MAYBE TODO?:
-#  - validate call expectations at the end of the example instead of in run_plan
-#  - resultset matchers to help testing canary like plans?
-#  - inventory matchers to help testing plans that change inventory
-#
-# Flags:
-# - execute_any_plan: execute any plan that is encountered unless it is mocked (default)
-# - execute_no_plan: throw an error if a plan is encountered that is not stubbed
-#
-# Stubs:
-# - allow_command(cmd), expect_command(cmd): expect the exact command
-# - allow_plan(plan), expect_plan(plan): expect the named plan
-# - allow_script(script), expect_script(script): expect the script as <module>/path/to/file
-# - allow_task(task), expect_task(task): expect the named task
-# - allow_download(file), expect_download(file): expect the identified source file
-# - allow_upload(file), expect_upload(file): expect the identified source file
-# - allow_apply_prep: allows `apply_prep` to be invoked in the plan but does not allow modifiers
-# - allow_apply: allows `apply` to be invoked in the plan but does not allow modifiers
-# - allow_out_message, expect_out_message: expect a message to be passed to out::message (only modifiers are
-#   be_called_times(n), with_params(params), and not_be_called)
-#
-# Stub modifiers:
-# - be_called_times(n): if allowed, fail if the action is called more than 'n' times
-#                       if expected, fail unless the action is called 'n' times
-# - not_be_called: fail if the action is called
-# - with_targets(targets): target or list of targets that you expect to be passed to the action
-#                          plan: does not support this modifier
-# - with_params(params): list of params and metaparams (or options) that you expect to be passed to the action.
-#                        Corresponds to the action's last argument.
-# - with_destination(dest): for upload_file and download_file, the expected destination path
-# - always_return(value): return a Bolt::ResultSet of Bolt::Result objects with the specified value Hash
-#                         plan: returns a Bolt::PlanResult with the specified value with a status of 'success'
-#                         command and script: only accept 'stdout' and 'stderr' keys
-#                         upload: does not support this modifier
-#                         download: does not support this modifier
-# - return_for_targets(targets_to_values): return a Bolt::ResultSet of Bolt::Result objects from the Hash mapping
-#                                          targets to their value Hashes
-#                                          command and script: only accept 'stdout' and 'stderr' keys
-#                                          upload: does not support this modifier
-#                                          download: does not support this modifier
-#                                          plan: does not support this modifier
-# - return(&block): invoke the block to construct a Bolt::ResultSet. The blocks parameters differ based on action
-#                   command: `{ |targets:, command:, params:| ... }`
-#                   plan: `{ |plan:, params:| ... }`
-#                   script: `{ |targets:, script:, params:| ... }`
-#                   task: `{ |targets:, task:, params:| ... }`
-#                   upload: `{ |targets:, source:, destination:, params:| ... }`
-#                   download: `{ |targets:, source:, destination:, params:| ... }`
-# - error_with(err): return a failing Bolt::ResultSet, with Bolt::Result objects with the identified err hash
-#                    plans will throw a Bolt::PlanFailure that will be returned as the value of
-#                    the Bolt::PlanResult object with a status of 'failure'.
-#
 # Example:
 #   describe "my_plan" do
 #     it 'should return' do

data/modules/puppet_connect/plans/test_input_data.pp

@@ -14,14 +14,50 @@
 plan puppet_connect::test_input_data(TargetSpec $targets = 'all') {
   $targs = get_targets($targets)
   $targs.each |$target| {
-    if $target.transport != 'ssh' and $target.transport != 'winrm' {
-      fail_plan("Inventory contains target ${target} with unsupported transport, must be ssh or winrm")
-    }
-    if $target.transport == 'ssh' {
-      # Disable SSH autoloading to prevent false positive results
-      # (input data is wrong but target is still connectable due
-      # to autoloaded config)
-      set_config($target, ['ssh', 'load-config'], false)
+    case $target.transport {
+      'ssh': {
+        $private_key_config = dig($target.config, 'ssh', 'private-key')
+        if $private_key_config =~ String {
+          $msg = @("END")
+            The SSH private key of the ${$target} target points to a filepath on disk,
+            which is not allowed in Puppet Connect. Instead, the private key contents must
+            be specified and this should be done via the PuppetConnectData plugin. Below is
+            an example of a Puppet Connect-compatible specification of the private-key. First,
+            we start with the inventory file:
+              ...
+              private-key:
+                _plugin: puppet_connect_data
+                key: ssh_private_key
+              ...
+
+            Next is the corresponding entry in the input data file:
+              ...
+              ssh_private_key:
+                key-data:
+                  <private_key_contents>
+              ...
+            | END
+
+          out::message($msg)
+          fail_plan("The SSH private key of the ${$target} target points to a filepath on disk")
+        }
+
+        # Disable SSH autoloading to prevent false positive results
+        # (input data is wrong but target is still connectable due
+        # to autoloaded config)
+        set_config($target, ['ssh', 'load-config'], false)
+        # Maintain configuration parity with Puppet Connect to improve
+        # the reliability of our test
+        set_config($target, ['ssh', 'host-key-check'], false)
+      }
+      'winrm': {
+        # Maintain configuration parity with Puppet Connect
+        set_config($target, ['winrm', 'ssl'], false)
+        set_config($target, ['winrm', 'ssl-verify'], false)
+      }
+      default: {
+        fail_plan("Inventory contains target ${target} with unsupported transport, must be ssh or winrm")
+      }
     }
   }
   # The SSH/WinRM transports will report an 'unknown host' error for targets where

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bolt
 version: !ruby/object:Gem::Version
-  version: 3.0.1
+  version: 3.1.0
 platform: ruby
 authors:
 - Puppet
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-16 00:00:00.000000000 Z
+date: 2021-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable