openbolt 5.0.0.rc1

data/libexec/custom_facts.rb

@@ -0,0 +1,63 @@
+#! /opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'puppet'
+require 'puppet/module_tool/tar'
+require 'tempfile'
+
+args = JSON.parse($stdin.read)
+
+Dir.mktmpdir do |puppet_root|
+  # Create temporary directories for all core Puppet settings so we don't clobber
+  # existing state or read from puppet.conf. Also create a temporary modulepath.
+  moduledir = File.join(puppet_root, 'modules')
+  Dir.mkdir(moduledir)
+  cli = Puppet::Settings::REQUIRED_APP_SETTINGS.flat_map do |setting|
+    ["--#{setting}", File.join(puppet_root, setting.to_s.chomp('dir'))]
+  end
+  cli << '--modulepath' << moduledir
+  Puppet.initialize_settings(cli)
+
+  Tempfile.open('plugins.tar.gz') do |plugins|
+    File.binwrite(plugins, Base64.decode64(args['plugins']))
+    user = Etc.getpwuid.nil? ? Etc.getlogin : Etc.getpwuid.name
+    Puppet::ModuleTool::Tar.instance.unpack(plugins, moduledir, user)
+  end
+
+  env = Puppet.lookup(:environments).get('production')
+  env.each_plugin_directory do |dir|
+    $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
+  end
+
+  if (conn_info = args['_target'])
+    unless (type = conn_info['remote-transport'])
+      puts "Cannot collect facts for a remote target without knowing the remote-transport type."
+      exit 1
+    end
+
+    begin
+      require 'puppet/resource_api/transport'
+    rescue LoadError
+      msg = "Could not load 'puppet/resource_api/transport', puppet-resource_api "\
+            "gem version 1.8.0 or greater is required on the proxy target"
+      puts msg
+      exit 1
+    end
+
+    # Transport.connect will modify this hash!
+    transport_conn_info = conn_info.transform_keys(&:to_sym)
+    transport = Puppet::ResourceApi::Transport.connect(type, transport_conn_info)
+    Puppet::ResourceApi::Transport.inject_device(type, transport)
+
+    Puppet[:facts_terminus] = :network_device
+    Puppet[:certname] = conn_info['name']
+  end
+
+  facts = Puppet::Node::Facts.indirection.find(SecureRandom.uuid, environment: env)
+
+  facts.name = facts.values['clientcert']
+  puts(facts.values.to_json)
+end
+
+exit 0

data/libexec/query_resources.rb

@@ -0,0 +1,75 @@
+#! /opt/puppetlabs/puppet/bin/ruby
+# frozen_string_literal: true
+
+require 'json'
+require 'puppet'
+require 'puppet/module_tool/tar'
+require 'tempfile'
+
+args = JSON.parse($stdin.read)
+
+RESOURCE_INSTANCE = /^([^\[]+)\[([^\]]+)\]$/.freeze
+
+def instance(type_name, resource_name)
+  resource = Puppet::Resource.indirection.find("#{type_name}/#{resource_name}")
+  stringify_resource(resource)
+end
+
+Dir.mktmpdir do |puppet_root|
+  # Create temporary directories for all core Puppet settings so we don't clobber
+  # existing state or read from puppet.conf. Also create a temporary modulepath.
+  moduledir = File.join(puppet_root, 'modules')
+  Dir.mkdir(moduledir)
+  cli = Puppet::Settings::REQUIRED_APP_SETTINGS.flat_map do |setting|
+    ["--#{setting}", File.join(puppet_root, setting.to_s.chomp('dir'))]
+  end
+  cli << '--modulepath' << moduledir
+  Puppet.initialize_settings(cli)
+
+  Tempfile.open('plugins.tar.gz') do |plugins|
+    File.binwrite(plugins, Base64.decode64(args['plugins']))
+    user = Etc.getpwuid.nil? ? Etc.getlogin : Etc.getpwuid.name
+    Puppet::ModuleTool::Tar.instance.unpack(plugins, moduledir, user)
+  end
+
+  env = Puppet.lookup(:environments).get('production')
+  env.each_plugin_directory do |dir|
+    $LOAD_PATH << dir unless $LOAD_PATH.include?(dir)
+  end
+
+  if (conn_info = args['_target'])
+    unless (type = conn_info['remote-transport'])
+      puts "Cannot discover resources for a remote target without knowing it's the remote-transport type."
+      exit 1
+    end
+
+    begin
+      require 'puppet/resource_api/transport'
+    rescue LoadError
+      msg = "Could not load 'puppet/resource_api/transport', puppet-resource_api "\
+            "gem version 1.8.0 or greater is required on the proxy target"
+      puts msg
+      exit 1
+    end
+
+    # Transport.connect will modify this hash!
+    transport_conn_info = conn_info.transform_keys(&:to_sym)
+
+    transport = Puppet::ResourceApi::Transport.connect(type, transport_conn_info)
+    Puppet::ResourceApi::Transport.inject_device(type, transport)
+
+    Puppet[:facts_terminus] = :network_device
+    Puppet[:certname] = conn_info['name']
+  end
+
+  resources = args['resources'].flat_map do |resource_desc|
+    if (match = RESOURCE_INSTANCE.match(resource_desc))
+      Puppet::Resource.indirection.find("#{match[1]}/#{match[2]}", environment: env)
+    else
+      Puppet::Resource.indirection.search(resource_desc, environment: env)
+    end
+  end
+  puts({ 'resources' => resources }.to_json)
+end
+
+exit 0

data/modules/aggregate/lib/puppet/functions/aggregate/count.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# Aggregates the key/value pairs in the results of a ResultSet into a hash
+# mapping the keys to a hash of each distinct value and how many targets returned
+# that value for the key.
+Puppet::Functions.create_function(:'aggregate::count') do
+  dispatch :aggregate_count do
+    param 'ResultSet', :resultset
+  end
+
+  def aggregate_count(resultset)
+    resultset.each_with_object({}) do |result, agg|
+      result.value.each do |key, val|
+        agg[key] ||= {}
+        agg[key][val.to_s] ||= 0
+        agg[key][val.to_s] += 1
+      end
+      agg
+    end
+  end
+end

data/modules/aggregate/lib/puppet/functions/aggregate/nodes.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# Aggregates the key/value pairs in the results of a ResultSet into a hash
+# mapping the keys to a hash of each distinct value and the list of nodes
+# returning that value for the key.
+Puppet::Functions.create_function(:'aggregate::nodes') do
+  dispatch :aggregate_nodes do
+    param 'ResultSet', :resultset
+  end
+
+  def aggregate_nodes(resultset)
+    resultset.each_with_object({}) do |result, agg|
+      result.value.each do |key, val|
+        agg[key] ||= {}
+        agg[key][val.to_s] ||= []
+        agg[key][val.to_s] << result.target.name
+      end
+      agg
+    end
+  end
+end
+

data/modules/aggregate/lib/puppet/functions/aggregate/targets.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# Aggregates the key/value pairs in the results of a ResultSet into a hash
+# mapping the keys to a hash of each distinct value and the list of targets
+# returning that value for the key.
+Puppet::Functions.create_function(:'aggregate::targets') do
+  dispatch :aggregate_targets do
+    param 'ResultSet', :resultset
+  end
+
+  def aggregate_targets(resultset)
+    resultset.each_with_object({}) do |result, agg|
+      result.value.each do |key, val|
+        agg[key] ||= {}
+        agg[key][val.to_s] ||= []
+        agg[key][val.to_s] << result.target.name
+      end
+      agg
+    end
+  end
+end

data/modules/aggregate/plans/count.pp

@@ -0,0 +1,56 @@
+# @summary
+#   Run a task, command, or script on targets and aggregate the results as
+#   a count of targets for each value of a key.
+#
+# This plan accepts an action and a list of targets. The action can be the name
+# of a task, a script, or a command to run. It will run the action on the
+# targets and aggregate the key/value pairs in each Result into a hash, mapping
+# the keys to a hash of each distinct value and how many targets returned that
+# value for the key.
+#
+# @param command
+#   The command to run. Mutually exclusive with script and task.
+# @param script
+#   The path to the script to run. Mutually exclusive with command and task.
+# @param task
+#   The name of the task to run. Mutually exclusive with command and script.
+# @param targets
+#   The list of targets to run the action on.
+# @param params
+#   A hash of parameters and options to pass to the `run_*` function
+#   associated with the action (e.g. run_task).
+plan aggregate::count(
+  Optional[String[0]] $task = undef,
+  Optional[String[0]] $command = undef,
+  Optional[String[0]] $script = undef,
+  TargetSpec $targets,
+  Hash[String, Data] $params = {}
+) {
+
+  # Validation
+  $type_count = [$task, $command, $script].reduce(0) |$acc, $v| {
+    if ($v) {
+      $acc + 1
+    } else {
+      $acc
+    }
+  }
+
+  if ($type_count == 0) {
+    fail_plan("Must specify a command, script, or task to run", 'aggregate/invalid-params')
+  }
+
+  if ($type_count > 1) {
+    fail_plan("Must specify only one command, script, or task to run", 'aggregate/invalid-params')
+  }
+
+  $res = if ($task) {
+    run_task($task, $targets, $params)
+  } elsif ($command) {
+    run_command($command, $targets, $params)
+  } elsif ($script) {
+    run_script($script, $targets, $params)
+  }
+
+  return aggregate::count($res)
+}

data/modules/aggregate/plans/targets.pp

@@ -0,0 +1,56 @@
+# @summary
+#   Run a task, command, or script on targets and aggregate the results as
+#   the list of targets for each value of a key in the results.
+#
+# This plan accepts an action and a list of targets. The action can be the name
+# of a task, a script, or a command to run. It will run the action on the
+# targets and aggregate the key/value pairs in each Result into a hash, mapping
+# the keys to a hash of each distinct value and a list of targets returning that
+# value.
+#
+# @param command
+#   The command to run. Mutually exclusive with script and task.
+# @param script
+#   The path to the script to run. Mutually exclusive with command and task.
+# @param task
+#   The name of the task to run. Mutually exclusive with command and script.
+# @param targets
+#   The list of targets to run the action on.
+# @param params
+#   A hash of parameters and options to pass to the `run_*` function
+#   associated with the action (e.g. run_task).
+plan aggregate::targets(
+  Optional[String[0]] $task = undef,
+  Optional[String[0]] $command = undef,
+  Optional[String[0]] $script = undef,
+  TargetSpec $targets,
+  Hash[String, Data] $params = {}
+) {
+
+  # Validation
+  $type_count = [$task, $command, $script].reduce(0) |$acc, $v| {
+    if ($v) {
+      $acc + 1
+    } else {
+      $acc
+    }
+  }
+
+  if ($type_count == 0) {
+    fail_plan("Must specify a command, script, or task to run", 'aggregate/invalid-params')
+  }
+
+  if ($type_count > 1) {
+    fail_plan("Must specify only one command, script, or task to run", 'aggregate/invalid-params')
+  }
+
+  $res = if ($task) {
+    run_task($task, $targets, $params)
+  } elsif ($command) {
+    run_command($command, $targets, $params)
+  } elsif ($script) {
+    run_script($script, $targets, $params)
+  }
+
+  return aggregate::targets($res)
+}

data/modules/canary/lib/puppet/functions/canary/merge.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+# Merges two ResultSets into a new ResultSet
+Puppet::Functions.create_function(:'canary::merge') do
+  dispatch :merge_results do
+    param 'ResultSet', :merger
+    param 'ResultSet', :mergee
+  end
+
+  def merge_results(merger, mergee)
+    Bolt::ResultSet.new(merger.results + mergee.results)
+  end
+end

data/modules/canary/lib/puppet/functions/canary/random_split.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# Splits an array into two groups, where the 1st group is a randomly selected
+# sample of the input (of the specified size) and the 2nd group is the remainder.
+#
+# This function takes 2 parameters:
+# * The array to split (Array)
+# * The number of items to sample from the array (Integer)
+#
+# Returns an array of [<sample>, <remainder>].
+Puppet::Functions.create_function(:'canary::random_split') do
+  dispatch :rand do
+    param 'Array', :arr
+    param 'Integer', :size
+  end
+
+  def rand(arr, size)
+    canaries = arr.sample(size)
+    rest = arr.reject { |r| canaries.include?(r) }
+    [canaries, rest]
+  end
+end

data/modules/canary/lib/puppet/functions/canary/skip.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+# Returns a ResultSet with canary/skipped-target errors for each Target provided.
+#
+# This function takes a single parameter:
+# * List of targets (Array[Variant[Target,String]])
+#
+# Returns a ResultSet.
+Puppet::Functions.create_function(:'canary::skip') do
+  dispatch :skip_result do
+    param 'Array[Variant[Target,String]]', :targets
+  end
+
+  def skip_result(targets)
+    results = targets.map do |target|
+      target = Bolt::Target.new(target) unless target.is_a? Bolt::Target
+      Bolt::Result.new(target, value: { '_error' => {
+                         'msg' => "Skipped #{target.name} because of a previous failure",
+                         'kind' => 'canary/skipped-target',
+                         'details' => {}
+                       } })
+    end
+    Bolt::ResultSet.new(results)
+  end
+end

data/modules/canary/plans/init.pp

@@ -0,0 +1,100 @@
+# @summary
+#   Run a task, command or script on canary targets before running it on all targets.
+#
+# This plan accepts a action and a $targets parameter. The action can be the name
+# of a task, a script or a command to run. It will run the action on a canary
+# group of targets and only continue to the rest of the targets if it succeeds on
+# all canaries. This returns a ResultSet object with a Result for every target.
+# Any skipped targets will have a 'canary/skipped-target' error kind.
+#
+# @param task
+#  The name of the task to run. Mutually exclusive with command and script.
+# @param command
+#   The command to run. Mutually exclusive with task and script.
+# @param script
+#   The script to run. Mutually exclusive with task and command.
+# @param targets
+#   The target to run on.
+# @param params
+#   The parameters to use for the task.
+# @param canary_size
+#   How many targets to use in the canary group.
+#
+# @return ResultSet a merged resultset from running the action on all targets
+#
+# @example Run a command
+#   run_plan(canary, command => 'whoami', targets => $mytargets)
+#
+plan canary(
+  Optional[String[0]] $task = undef,
+  Optional[String[0]] $command = undef,
+  Optional[String[0]] $script = undef,
+  TargetSpec $targets,
+  Hash[String, Data] $params = {},
+  Integer $canary_size = 1
+) {
+
+  # Validation
+  $type_count = [$task, $command, $script].reduce(0) |$acc, $v| {
+    if ($v) {
+      $acc + 1
+    } else {
+      $acc
+    }
+  }
+
+  if ($type_count == 0) {
+    fail_plan("Must specify a command, script, or task to run", 'canary/invalid-params')
+  }
+
+  if ($type_count > 1) {
+    fail_plan("Must specify only one command, script, or task to run", 'canary/invalid-params')
+  }
+
+  [$canaries, $rest] = canary::random_split(get_targets($targets), $canary_size)
+  $catch_params = $params + { '_catch_errors' => true }
+
+  if ($task) {
+    $action = 'run_task'
+    $object = $task
+    $canr = run_task($task, $canaries, $catch_params)
+    if ($canr.ok) {
+      $restr = run_task($task, $rest, $catch_params)
+    }
+  } elsif ($command) {
+    $action = 'run_command'
+    $object = $command
+    $canr = run_command($command, $canaries, $catch_params)
+    if ($canr.ok) {
+      $restr = run_command($command, $rest, $catch_params)
+    }
+  } elsif ($script) {
+    $action = 'run_script'
+    $object = $script
+    $canr = run_script($script, $canaries, $catch_params)
+    if ($canr.ok) {
+      $restr = run_script($script, $rest, $catch_params)
+    }
+  }
+
+  unless ($canr.ok) {
+    $restr = canary::skip($rest)
+  }
+
+  $merged_result = canary::merge($canr, $restr)
+
+  unless ($merged_result.ok) {
+    if ($canr.ok) {
+      $message = "Plan failed for ${merged_result.error_set.count} targets."
+    }
+    else {
+      $message = "${canr.error_set.count} canary target failures. ${restr.count} targets skipped."
+    }
+    $details = {'action' => $action,
+                'object' => $object,
+                'result_set' => $merged_result}
+    fail_plan($message, 'bolt/run-failure', $details)
+  }
+
+  return $merged_result
+}

data/modules/puppet_connect/plans/test_input_data.pp

@@ -0,0 +1,94 @@
+# @summary
+#   Tests that the provided Puppet Connect input data is complete, meaning that all consuming inventory targets are connectable.
+#   You should run this plan with the following command:
+#       PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data
+#   where /path/to/input_data.yaml is the path to the input_data.yaml file containing the key-value input for the
+#   puppet_connect_data plugin. If the plan fails on some targets, then you can use Bolt's --rerun option to rerun the plan on
+#   just the failed targets:
+#       PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data --rerun failure
+#   Note that this plan should only be used as part of the copy-pastable "test input data" workflow specified in the Puppet
+#   Connect docs.
+#
+# @param targets
+#   The set of targets to test. Usually this should be 'all', the default.
+#
+# @return ResultSet the result of invoking the 'is connectable?' query on all
+# the targets. Note that this query currently consists of running the 'echo'
+# command.
+#
+plan puppet_connect::test_input_data(TargetSpec $targets = 'all') {
+  $targs = get_targets($targets)
+  $unique_plugins = $targs.group_by |$t| {$t.plugin_hooks['puppet_library']}
+  if ($unique_plugins.keys.length > 1) {
+    out::message('Multiple puppet_library plugin hooks detected')
+    $unique_plugins.each |$plug, $target_list| {
+      $target_message = if ($target_list.length > 10) {
+                          "${target_list.length} targets"
+                        } else {
+                          $target_list.join(', ')
+                        }
+      out::message("Plugin hook ${plug} configured for ${target_message}")
+    }
+    fail_plan("The puppet_library plugin config must be the same across all targets")
+  }
+  $targs.each |$target| {
+    case $target.transport {
+      'ssh': {
+        $private_key_config = dig($target.config, 'ssh', 'private-key')
+        if $private_key_config =~ String {
+          $msg = @("END")
+            The SSH private key of the ${$target} target points to a filepath on disk,
+            which is not allowed in Puppet Connect. Instead, the private key contents must
+            be specified and this should be done via the PuppetConnectData plugin. Below is
+            an example of a Puppet Connect-compatible specification of the private-key. First,
+            we start with the inventory file:
+              ...
+              private-key:
+                _plugin: puppet_connect_data
+                key: ssh_private_key
+              ...
+
+            Next is the corresponding entry in the input data file:
+              ...
+              ssh_private_key:
+                key-data:
+                  <private_key_contents>
+              ...
+            | END
+
+          out::message($msg)
+          fail_plan("The SSH private key of the ${$target} target points to a filepath on disk")
+        }
+
+        # Disable SSH autoloading to prevent false positive results
+        # (input data is wrong but target is still connectable due
+        # to autoloaded config)
+        set_config($target, ['ssh', 'load-config'], false)
+        # Maintain configuration parity with Puppet Connect to improve
+        # the reliability of our test
+        set_config($target, ['ssh', 'host-key-check'], false)
+      }
+      'winrm': {
+        # Maintain configuration parity with Puppet Connect
+        set_config($target, ['winrm', 'ssl'], false)
+        set_config($target, ['winrm', 'ssl-verify'], false)
+      }
+      default: {
+        fail_plan("Inventory contains target ${target} with unsupported transport, must be ssh or winrm")
+      }
+    }
+
+    # Bolt defaults to using the "module" based form of the puppet_agent plugin. Connect defaults
+    # to using the "task" based form as *only* the task based form in supported in Connect. This check
+    # ensures that if the default is not being used, only task based plugins are allowed.
+    $plugin = $target.plugin_hooks["puppet_library"]
+    $user_configured_plugin = $plugin != { "plugin"=> "puppet_agent", "stop_service"=> true }
+    if ($user_configured_plugin and $plugin["plugin"] != "task"){
+      fail_plan("Only task plugins are acceptable for puppet_library hook")
+    }
+  }
+  # The SSH/WinRM transports will report an 'unknown host' error for targets where
+  # 'host' is unknown so run_command's implementation will take care of raising that
+  # error for us.
+  return run_command('echo Connected', $targs)
+}

data/modules/puppetdb_fact/plans/init.pp

@@ -0,0 +1,20 @@
+# @summary
+#   Collect facts for the specified targets from PuppetDB and store them
+#   on the Targets.
+#
+# This plan accepts a list of targets to collect facts for from the configured
+# PuppetDB connection. After collecting facts, they are stored on each target's
+# Target object. The updated facts can then be accessed using `$target.facts`.
+#
+# @param targets
+#   The targets to collect facts for.
+plan puppetdb_fact(TargetSpec $targets) {
+  $targs = get_targets($targets)
+  $certnames = $targs.map |$target| { $target.host }
+  $pdb_facts = puppetdb_fact($certnames)
+  $targs.each |$target| {
+    add_facts($target, $pdb_facts[$target.host])
+  }
+
+  return $pdb_facts
+}