openbolt 5.0.0.rc1

data/lib/bolt_server/acl.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rails/auth/rack'
+
+module BoltServer
+  class ACL < Rails::Auth::ErrorPage::Middleware
+    class X509Matcher
+      def initialize(options)
+        @options = options.freeze
+      end
+
+      def match(env)
+        certificate = Rails::Auth::X509::Certificate.new(env['puma.peercert'])
+        # This can be extended fairly easily to search OpenSSL::X509::Certificate#extensions for subjectAltNames.
+        @options.all? { |name, value| certificate[name] == value }
+      end
+    end
+
+    def initialize(app, allowlist)
+      acls = []
+      allowlist.each do |entry|
+        acls << {
+          'resources' => [
+            {
+              'method' => 'ALL',
+              'path' => '/.*'
+            }
+          ],
+          'allow_x509_subject' => {
+            'cn' => entry
+          }
+        }
+      end
+      acl = Rails::Auth::ACL.new(acls, matchers: { allow_x509_subject: X509Matcher })
+      mid = Rails::Auth::ACL::Middleware.new(app, acl: acl)
+      super(mid, page_body: 'Access denied')
+    end
+  end
+end

data/lib/bolt_server/base_config.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require 'hocon'
+require 'bolt/error'
+
+module BoltServer
+  class BaseConfig
+    def config_keys
+      %w[host port ssl-cert ssl-key ssl-ca-cert
+         ssl-cipher-suites loglevel logfile allowlist
+         environments-codedir
+         environmentpath basemodulepath]
+    end
+
+    def env_keys
+      %w[ssl-cert ssl-key ssl-ca-cert loglevel]
+    end
+
+    def defaults
+      { 'host' => '127.0.0.1',
+        'loglevel' => 'warn',
+        'ssl-cipher-suites' => %w[ECDHE-ECDSA-AES256-GCM-SHA384
+                                  ECDHE-RSA-AES256-GCM-SHA384
+                                  ECDHE-ECDSA-CHACHA20-POLY1305
+                                  ECDHE-RSA-CHACHA20-POLY1305
+                                  ECDHE-ECDSA-AES128-GCM-SHA256
+                                  ECDHE-RSA-AES128-GCM-SHA256
+                                  ECDHE-ECDSA-AES256-SHA384
+                                  ECDHE-RSA-AES256-SHA384
+                                  ECDHE-ECDSA-AES128-SHA256
+                                  ECDHE-RSA-AES128-SHA256] }
+    end
+
+    def ssl_keys
+      %w[ssl-cert ssl-key ssl-ca-cert]
+    end
+
+    def required_keys
+      ssl_keys
+    end
+
+    def service_name
+      raise "Method service_name must be defined in the service class"
+    end
+
+    def initialize(config = nil)
+      @data = defaults
+      @data = @data.merge(config.select { |key, _| config_keys.include?(key) }) if config
+      @config_path = nil
+    end
+
+    def load_file_config(path)
+      @config_path = path
+      begin
+        # This lets us get the actual config values without needing to
+        # know the service name
+        parsed_hocon = Hocon.load(path)[service_name]
+      rescue Hocon::ConfigError => e
+        raise "Hocon data in '#{path}' failed to load.\n Error: '#{e.message}'"
+      rescue Errno::EACCES
+        raise "Your user doesn't have permission to read #{path}"
+      end
+
+      raise "Could not find service config at #{path}" if parsed_hocon.nil?
+
+      parsed_hocon = parsed_hocon.select { |key, _| config_keys.include?(key) }
+
+      @data = @data.merge(parsed_hocon)
+    end
+
+    def load_env_config
+      raise "load_env_config should be defined in the service class"
+    end
+
+    def natural?(num)
+      num.is_a?(Integer) && num.positive?
+    end
+
+    def validate
+      required_keys.each do |k|
+        # Handled nested config
+        if k.is_a?(Array)
+          next unless @data.dig(*k).nil?
+        else
+          next unless @data[k].nil?
+        end
+        raise Bolt::ValidationError, "You must configure #{k} in #{@config_path}"
+      end
+
+      unless natural?(@data['port'])
+        raise Bolt::ValidationError, "Configured 'port' must be a valid integer greater than 0"
+      end
+      ssl_keys.each do |sk|
+        unless File.file?(@data[sk]) && File.readable?(@data[sk])
+          raise Bolt::ValidationError, "Configured #{sk} must be a valid filepath"
+        end
+      end
+
+      unless @data['ssl-cipher-suites'].is_a?(Array)
+        raise Bolt::ValidationError, "Configured 'ssl-cipher-suites' must be an array of cipher suite names"
+      end
+
+      unless @data['allowlist'].nil? || @data['allowlist'].is_a?(Array)
+        raise Bolt::ValidationError, "Configured 'allowlist' must be an array of names"
+      end
+    end
+
+    def [](key)
+      @data[key]
+    end
+  end
+end

data/lib/bolt_server/config.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'hocon'
+require 'bolt_server/base_config'
+require 'bolt/error'
+
+module BoltServer
+  class Config < BoltServer::BaseConfig
+    def config_keys
+      super + %w[concurrency cache-dir file-server-conn-timeout
+                 file-server-uri environments-codedir
+                 environmentpath basemodulepath builtin-content-dir]
+    end
+
+    def env_keys
+      super + %w[concurrency file-server-conn-timeout file-server-uri]
+    end
+
+    def int_keys
+      %w[concurrency file-server-conn-timeout]
+    end
+
+    def defaults
+      super.merge(
+        'port' => 62658,
+        'concurrency' => 100,
+        'cache-dir' => "/opt/puppetlabs/server/data/bolt-server/cache",
+        'file-server-conn-timeout' => 120
+      )
+    end
+
+    def required_keys
+      super + %w[file-server-uri]
+    end
+
+    def service_name
+      'bolt-server'
+    end
+
+    def load_env_config
+      env_keys.each do |key|
+        transformed_key = "BOLT_#{key.tr('-', '_').upcase}"
+        next unless ENV.key?(transformed_key)
+        @data[key] = if int_keys.include?(key)
+                       ENV[transformed_key].to_i
+                     else
+                       ENV[transformed_key]
+                     end
+      end
+    end
+
+    def validate
+      super
+
+      unless natural?(@data['concurrency'])
+        raise Bolt::ValidationError, "Configured 'concurrency' must be a positive integer"
+      end
+
+      unless natural?(@data['file-server-conn-timeout'])
+        raise Bolt::ValidationError, "Configured 'file-server-conn-timeout' must be a positive integer"
+      end
+    end
+  end
+end

data/lib/bolt_server/file_cache.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require 'concurrent/atomic/read_write_lock'
+require 'concurrent/executor/single_thread_executor'
+require 'concurrent/promise'
+require 'concurrent/timer_task'
+require 'digest'
+require 'fileutils'
+require 'net/http'
+require 'logging'
+require 'timeout'
+
+require 'bolt/error'
+
+module BoltServer
+  class FileCache
+    class Error < Bolt::Error
+      def initialize(msg)
+        super(msg, 'bolt-server/file-cache-error')
+      end
+    end
+
+    PURGE_TIMEOUT = 60 * 60
+    PURGE_INTERVAL = 24 * PURGE_TIMEOUT
+    PURGE_TTL = 7 * PURGE_INTERVAL
+
+    def initialize(config,
+                   executor: Concurrent::SingleThreadExecutor.new,
+                   purge_interval: PURGE_INTERVAL,
+                   purge_timeout: PURGE_TIMEOUT,
+                   purge_ttl: PURGE_TTL,
+                   cache_dir_mutex: Concurrent::ReadWriteLock.new,
+                   do_purge: true)
+      @executor = executor
+      @cache_dir = config['cache-dir']
+      @config = config
+      @logger = Bolt::Logger.logger(self)
+      @cache_dir_mutex = cache_dir_mutex
+
+      if do_purge
+        @purge = Concurrent::TimerTask.new(execution_interval: purge_interval,
+                                           run_now: true) { expire(purge_ttl, purge_timeout) }
+        @purge.execute
+      end
+    end
+
+    def tmppath
+      File.join(@cache_dir, 'tmp')
+    end
+
+    def setup
+      FileUtils.mkdir_p(@cache_dir)
+      FileUtils.mkdir_p(tmppath)
+      self
+    end
+
+    def ssl_cert
+      @ssl_cert ||= File.read(@config['ssl-cert'])
+    end
+
+    def ssl_key
+      @ssl_key ||= File.read(@config['ssl-key'])
+    end
+
+    def client
+      # rubocop:disable Naming/VariableNumber
+      @client ||= begin
+        uri = URI(@config['file-server-uri'])
+        https = Net::HTTP.new(uri.host, uri.port)
+        https.use_ssl = true
+        https.ssl_version = :TLSv1_2
+        https.ca_file = @config['ssl-ca-cert']
+        https.cert = OpenSSL::X509::Certificate.new(ssl_cert)
+        https.key = OpenSSL::PKey::RSA.new(ssl_key)
+        https.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        https.open_timeout = @config['file-server-conn-timeout']
+        https
+      end
+      # rubocop:enable Naming/VariableNumber
+    end
+
+    def request_file(path, params, file)
+      uri = "#{@config['file-server-uri'].chomp('/')}#{path}"
+      uri = URI(uri)
+      uri.query = URI.encode_www_form(params)
+
+      req = Net::HTTP::Get.new(uri)
+
+      begin
+        client.request(req) do |resp|
+          if resp.code != "200"
+            msg = "Failed to download file: #{resp.body}"
+            @logger.warn resp.body
+            raise Error, msg
+          end
+          resp.read_body do |chunk|
+            file.write(chunk)
+          end
+        end
+      rescue StandardError => e
+        if e.is_a?(Bolt::Error)
+          raise e
+        else
+          @logger.warn e
+          raise Error, "Failed to download file: #{e.message}"
+        end
+      end
+    ensure
+      file.close
+    end
+
+    def check_file(file_path, sha)
+      File.exist?(file_path) && Digest::SHA256.file(file_path) == sha
+    end
+
+    def serial_execute(&block)
+      promise = Concurrent::Promise.new(executor: @executor, &block).execute.wait
+      raise promise.reason if promise.rejected?
+      promise.value
+    end
+
+    # Create a cache dir if necessary and update it's last write time. Returns the dir.
+    # Acquires @cache_dir_mutex to ensure we don't try to purge the directory at the same time.
+    # Uses the directory mtime because it's simpler to ensure the directory exists and update
+    # mtime in a single place than with a file in a directory that may not exist.
+    def create_cache_dir(sha)
+      file_dir = File.join(@cache_dir, sha)
+      @cache_dir_mutex.with_read_lock do
+        # mkdir_p doesn't error if the file exists
+        FileUtils.mkdir_p(file_dir, mode: 0o750)
+        FileUtils.touch(file_dir)
+      end
+      file_dir
+    end
+
+    def download_file(file_path, sha, uri)
+      if check_file(file_path, sha)
+        @logger.debug("File was downloaded while queued: #{file_path}")
+        return file_path
+      end
+
+      @logger.debug("Downloading file: #{file_path}")
+
+      tmpfile = Tempfile.new(sha, tmppath)
+      request_file(uri['path'], uri['params'], tmpfile)
+
+      if Digest::SHA256.file(tmpfile.path) == sha
+        # mv doesn't error if the file exists
+        FileUtils.mv(tmpfile.path, file_path)
+        @logger.debug("Downloaded file: #{file_path}")
+        file_path
+      else
+        msg = "Downloaded file did not match checksum for: #{file_path}"
+        @logger.warn msg
+        raise Error, msg
+      end
+    end
+
+    # If the file doesn't exist or is invalid redownload it
+    # This downloads, validates and moves into place
+    def update_file(file_data)
+      sha = file_data['sha256']
+      file_dir = create_cache_dir(file_data['sha256'])
+      file_path = File.join(file_dir, File.basename(file_data['filename']))
+      if check_file(file_path, sha)
+        @logger.debug("Using prexisting file: #{file_path}")
+        return file_path
+      end
+
+      @logger.debug("Queueing download for: #{file_path}")
+      serial_execute { download_file(file_path, sha, file_data['uri']) }
+    end
+
+    def expire(purge_ttl, purge_timeout)
+      expired_time = Time.now - purge_ttl
+      Timeout.timeout(purge_timeout) do
+        @cache_dir_mutex.with_write_lock do
+          Dir.glob(File.join(@cache_dir, '*')).select { |f| File.directory?(f) }.each do |dir|
+            if (mtime = File.mtime(dir)) < expired_time && dir != tmppath
+              @logger.debug("Removing #{dir}, last used at #{mtime}")
+              FileUtils.remove_dir(dir)
+            end
+          end
+        end
+      end
+    end
+
+    def get_cached_project_file(versioned_project, file_name)
+      file_dir = create_cache_dir(versioned_project)
+      file_path = File.join(file_dir, file_name)
+      serial_execute { File.read(file_path) if File.exist?(file_path) }
+    end
+
+    def cache_project_file(versioned_project, file_name, data)
+      file_dir = create_cache_dir(versioned_project)
+      file_path = File.join(file_dir, file_name)
+      serial_execute { File.open(file_path, 'w') { |f| f.write(data) } }
+    end
+  end
+end

data/lib/bolt_server/request_error.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'bolt/error'
+
+module BoltServer
+  class RequestError < Bolt::Error
+    def initialize(msg, details = {})
+      super(msg, 'bolt-server/request-error', details)
+    end
+  end
+end

data/lib/bolt_server/schemas/action-check_node_connections.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "check_node_connections request",
+  "description": "POST <transport>/check_node_connections request schema",
+  "type": "object",
+  "properties": {
+    "targets": {
+      "type": "array",
+      "items": { "$ref": "partial:target-any" }
+    }
+  },
+  "required": ["targets"],
+  "additionalProperties": false
+}

data/lib/bolt_server/schemas/action-run_command.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "run_command request",
+  "description": "POST <transport>/run_command request schema",
+  "type": "object",
+  "properties": {
+    "command": { "type": "string" },
+    "target": { "$ref": "partial:target-any" }
+  },
+  "required": ["command", "target"],
+  "additionalProperties": false
+}

data/lib/bolt_server/schemas/action-run_script.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "run_script request",
+  "description": "POST <transport>/run_script request schema",
+  "type": "object",
+  "properties": {
+    "script": {
+      "type": "object",
+      "properties": {
+        "filename": {
+          "type": "string"
+        },
+        "uri": {
+          "type": "object",
+          "properties": {
+            "path": {
+              "type": "string"
+            },
+            "params": {
+              "type": "object"
+            }
+          },
+          "required": [
+            "path",
+            "params"
+          ]
+        },
+        "sha256": {
+          "type": "string"
+        }
+      },
+      "required": [
+        "filename",
+        "uri",
+        "sha256"
+      ]
+    },
+    "arguments": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "target": { "$ref": "partial:target-any" }
+  },
+  "required": ["script", "target"]
+}

data/lib/bolt_server/schemas/action-run_task.json

@@ -0,0 +1,20 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "run_task request",
+  "description": "POST <transport>/run_task request schema",
+  "type": "object",
+  "properties": {
+    "task": { "$ref": "partial:task" },
+    "parameters": {
+      "type": "object",
+      "description": "JSON formatted parameters to be provided to task"
+    },
+    "target": { "$ref": "partial:target-any" },
+    "timeout": {
+      "type": "integer",
+      "description": "Number of seconds to wait before abandoning the task execution on the tartet."
+    }
+  },
+  "required": ["target", "task"],
+  "additionalProperties": false
+}

data/lib/bolt_server/schemas/action-upload_file.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",
+  "title": "upload_file request",
+  "description": "POST <transport>/upload_file request schema",
+  "type": "object",
+  "properties": {
+    "files": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "relative_path": {
+            "type": "string"
+          },
+          "uri": {
+            "type": "object",
+            "properties": {
+              "path": {
+                "type": "string"
+              },
+              "params": {
+                "type": "object"
+              }
+            },
+            "required": ["path", "params"]
+          },
+          "sha256": {
+            "type": "string"
+          },
+          "kind": {
+            "type": "string"
+          }
+        },
+        "required": ["relative_path", "uri", "sha256", "kind"]
+      }
+    },
+    "job_id": {
+      "type": "integer"
+    },
+    "destination": {
+      "type": "string"
+    },
+    "target": { "$ref": "partial:target-any" }
+  },
+  "required": ["files", "job_id", "destination", "target"],
+  "additionalProperties": false
+}

data/lib/bolt_server/schemas/partials/target-any.json

@@ -0,0 +1,10 @@
+{
+  "id": "partial:target-any",
+  "$schema": "http://json-schema.org/draft-04/schema",
+  "title": "Target information about where to run a bolt action, either over SSH or WinRM",
+  "type": "object",
+  "anyOf": [
+    { "$ref": "partial:target-ssh" },
+    { "$ref": "partial:target-winrm" }
+  ]
+}

data/lib/bolt_server/schemas/partials/target-ssh.json

@@ -0,0 +1,88 @@
+{
+  "id": "partial:target-ssh",
+  "$schema": "http://json-schema.org/draft-04/schema",
+  "title": "Target information about where to run a bolt action over SSH",
+  "type": "object",
+  "properties": {
+    "hostname": {
+      "type": "string",
+      "description": "Target identifier"
+    },
+    "user": {
+      "type": "string",
+      "description": "Login user"
+    },
+    "password": {
+      "type": "string",
+      "description": "Password for SSH transport authentication"
+    },
+    "private-key-content": {
+      "type": "string",
+      "description": "Contents of private key for SSH"
+    },
+    "port": {
+      "type": "integer",
+      "description": "Connection port"
+    },
+    "connect-timeout": {
+      "type": "integer",
+      "description": "How long Bolt should wait when establishing connections"
+    },
+    "disconnect-timeout": {
+      "type": "integer",
+      "description": "How long Bolt should wait before forcing a disconnect"
+    },
+    "run-as-command": {
+      "type": "array",
+      "description": "Command elevate permissions",
+      "items": {
+        "type": "string"
+      }
+    },
+    "run-as": {
+      "type": "string",
+      "description": "A different user to run commands as after login"
+    },
+    "tmpdir": {
+      "type": "string",
+      "description": "The directory to upload and execute temporary files on the target"
+    },
+    "tty": {
+      "type": "boolean",
+      "description": "Should bolt use pseudo tty to meet sudoer restrictions"
+    },
+    "host-key-check": {
+      "type": "boolean",
+      "description": "Whether to perform host key validation when connecting over SSH"
+    },
+    "sudo-password": {
+      "type": "string",
+      "description": "Password to use when changing users via run-as"
+    },
+    "interpreters": {
+      "type": "object",
+      "description": "Map of file extensions to remote executable"
+    },
+    "plugin_hooks": {
+      "type": "object",
+      "description": "Configuration for plugins to use"
+    }
+  },
+  "oneOf": [
+    {
+      "required": [
+        "password"
+      ]
+    },
+    {
+      "required": [
+        "private-key-content"
+      ]
+    }
+  ],
+  "required": [
+    "hostname",
+    "user"
+  ],
+  "additionalProperties": false
+}