smart_proxy_openbolt 0.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 36046765b42f9044d323f7fc6747f45d86dcf55061f7b8dee448beb8e4cb57b5
-  data.tar.gz: 43e6b2f9232d950aa864fd2fe5a052892a080cac2cb4fc661a83ee934a511799
+  metadata.gz: b6a0f4f6e883f4a2077ea3afccd8f244a1dfd27aafa73c6ce69f29ee423f921b
+  data.tar.gz: f74f56b1108bc2d0570af5135c225194d046e40e5741541265eff68c4bc61359
 SHA512:
-  metadata.gz: 451020463a4abf1c06be9e392f86b40874696aebd7454bb6fde290926751b50711c1823fed0dc1e57223297ac3912f6afcbba3602e43ec940f2cca750ccbf0b2
-  data.tar.gz: a22e52ad09bfa367e5a73d83547cc8ffa27db3c79d600b034e691f45a0dba2062d96088589a7b60edbffd887dc53c96cb17576f7ef270330624068d9de2c7b93
+  metadata.gz: cfcc15bcfa344fa5a92b323ec6c9e9a11a0408ac49f111e1bf45e1eafdb228c5a557909d489cadde2594b54e8fd063de944dfff352bca9fca2950b4ac839477f
+  data.tar.gz: 427492ec2136bf63d811c50edd8fa24ab2642e0b54180b97bc02f4c396e9188fa8963d35d845bdc59f06bd0a591b7bdbf2e3317dd84d166ce2522b4a199e774d

data/README.md

@@ -1,22 +1,308 @@
 # Smart Proxy - OpenBolt
 
 [![License](https://img.shields.io/github/license/overlookinfra/smart_proxy_openbolt.svg)](https://github.com/overlookinfra/smart_proxy_openbolt/blob/master/LICENSE)
-[![Test](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/main.yml/badge.svg)](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/main.yml)
+[![Test](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/ci.yml/badge.svg)](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/ci.yml)
 [![Release](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/release.yml/badge.svg)](https://github.com/overlookinfra/smart_proxy_openbolt/actions/workflows/release.yml)
 [![RubyGem Version](https://img.shields.io/gem/v/smart_proxy_openbolt.svg)](https://rubygems.org/gems/smart_proxy_openbolt)
 [![RubyGem Downloads](https://img.shields.io/gem/dt/smart_proxy_openbolt.svg)](https://rubygems.org/gems/smart_proxy_openbolt)
 
-This plug-in adds support for OpenBolt to Foreman's Smart Proxy.
+This plugin adds [OpenBolt](https://github.com/OpenVoxProject/openbolt) support to [Foreman's Smart Proxy](https://github.com/theforeman/smart-proxy).
+It exposes an HTTP API that the [foreman_openbolt](https://github.com/overlookinfra/foreman_openbolt) plugin uses to run Tasks and Plans on remote targets via the OpenBolt CLI.
+
+## Introduction
+
+[OpenBolt](https://github.com/OpenVoxProject/openbolt) is the open source successor of [Bolt](https://github.com/puppetlabs/bolt) by [Perforce](https://www.perforce.com/).
+It runs Tasks and Plans against remote targets over SSH, WinRM, Choria, or other transports.
+
+This smart proxy plugin wraps the OpenBolt CLI and provides:
+
+* A REST API for listing available tasks, launching task runs, and retrieving results
+* Concurrent job execution via a configurable thread pool
+* Disk-based result storage so results survive proxy restarts
+* Transport option forwarding (SSH, WinRM, Choria) from the Foreman UI
+
+The Foreman UI talks to this plugin; it does not invoke OpenBolt directly. See the [foreman_openbolt README](https://github.com/overlookinfra/foreman_openbolt) for screenshots and the full user-facing workflow.
+
+## Installation
+
+See [How to Install a Plugin](https://theforeman.org/plugins/#2.Installation) for general Foreman plugin installation instructions.
+The [theforeman/foreman_proxy](https://github.com/theforeman/puppet-foreman_proxy/blob/master/manifests/plugin/openbolt.pp) Puppet module supports automated installation.
+
+You need `bolt` in your `$PATH` on the Smart Proxy host.
+OpenBolt packages are available at [yum.voxpupuli.org](https://yum.voxpupuli.org/) and [apt.voxpupuli.org](https://apt.voxpupuli.org/) in the openvox8 repo.
+You can also use the legacy Bolt packages from Perforce from the `puppet-tools` repo on [apt.puppet.com](https://apt.puppet.com/) or [yum.puppet.com](https://yum.puppet.com/).
+
+OpenBolt relies on Tasks and Plans distributed as Puppet modules.
+Deploy your code with [r10k](https://github.com/puppetlabs/r10k) or [g10k](https://github.com/xorpaul/g10k), as you do on your compilers.
+A handful of core Tasks and Plans are also included in the [OpenBolt packages](https://github.com/OpenVoxProject/openbolt/blob/main/Puppetfile).
+
+The integration is supported on Foreman 3.17 and all following versions, including development/nightly builds.
+
+## Things to be aware of
 
-# Things to be aware of
 * Any SSH keys to be used should be readable by the foreman-proxy user.
-* Results are currently stored on disk at /var/logs/foreman-proxy/openbolt by default (configurable in settings). Fetching old results is possible as long as the files stay on disk.
+* Results are stored on disk at `/var/log/foreman-proxy/openbolt` by default (configurable via `log_dir`). Fetching old results is possible as long as the files remain on disk.
+
+## Configuration
+
+The plugin is configured in `settings.d/openbolt.yml` on the Smart Proxy host. All settings have sensible defaults:
+
+```yaml
+---
+:enabled: https
+:environment_path: /etc/puppetlabs/code/environments/production
+:workers: 20
+:concurrency: 100
+:connect_timeout: 30
+:log_dir: /var/log/foreman-proxy/openbolt
+```
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `enabled` | `https` | Enable the plugin (`https`, `http`, or `false`) |
+| `environment_path` | `/etc/puppetlabs/code/environments/production` | Path to the Puppet environment containing Tasks and Plans |
+| `workers` | `20` | Number of threads in the job executor pool |
+| `concurrency` | `100` | Maximum number of concurrent target connections per job |
+| `connect_timeout` | `30` | Connection timeout in seconds for target connections |
+| `log_dir` | `/var/log/foreman-proxy/openbolt` | Directory for job result files (created automatically if missing) |
+
+After installing the plugin and restarting the smart proxy, refresh the
+proxy features in Foreman so it detects the OpenBolt capability:
+
+```bash
+foreman-rake openbolt:refresh_proxies
+```
+
+## Choria Transport
+
+**Requires OpenBolt 5.5 or later.** The Choria transport is not available
+in Puppet Bolt. SSH and WinRM transports work with any version.
+
+The Choria transport works out of the box on HTTPS-enabled proxies. The
+proxy ships a built-in MCollective client configuration and automatically
+derives SSL paths and the MCollective certname from the proxy's own
+OpenVox/Puppet certificates (configured via `ssl_certificate`,
+`ssl_private_key`, and `ssl_ca_file` in `settings.yml`).
+
+The `foreman-proxy` user must be in the `puppet` group to read the SSL
+files. This is the default when the proxy is set up with
+`foreman-installer` (the `puppet-foreman_proxy` module's
+`manage_puppet_group` parameter handles this).
+
+In common configurations where the Choria broker and Foreman are on the
+same host, OpenVox/Puppet certificates are being used for authentication,
+and Choria configuration is largely using default settings, the Choria
+transport mostly just works out of the box with default settings. The one
+setting you may need to evaluate is **Choria Brokers** (in the Foreman UI
+under Administer > Settings > OpenBolt). If `puppet` resolves to the
+broker host or SRV records are configured, it can be left blank. Otherwise,
+set it to your broker's address (e.g. `primary.example.com:4222`). Other
+Choria settings (SSL, a default config file we provide, certname) are
+derived automatically and can be ignored unless your Choria configuration
+requires customization.
+
+### Custom Choria configuration file
+
+The built-in default config is at
+`lib/smart_proxy_openbolt/config/choria-client.conf` in this gem. You
+can view it to see what settings are included. To use a custom
+MCollective client configuration file instead, set the "Choria Config
+File" setting under Administer > Settings > OpenBolt. When a custom
+config file is provided, the proxy does not inject SSL defaults (the
+config file is expected to handle SSL on its own). SSL settings from
+the Foreman UI still override the config file if set.
+
+If your custom config file includes its own SSL paths, you should also
+set **Choria MCollective Certname** to the CN of the certificate in your
+config file. Without it, the MCollective client defaults to
+`<user>.mcollective` (e.g. `foreman-proxy.mcollective`), which will fail
+authentication if the certificate's CN doesn't match that pattern.
+
+### How it works
+
+When the transport is Choria and no custom config file is provided:
+
+1. The proxy uses its built-in `choria-client.conf` (MCollective boilerplate)
+2. SSL cert, key, and CA default from the proxy's `settings.yml` SSL paths
+3. The MCollective certname is read from the certificate's CN
+4. All values are passed as OpenBolt CLI flags (`--choria-ssl-cert`,
+   `--choria-ssl-key`, `--choria-ssl-ca`, `--choria-mcollective-certname`,
+   `--choria-config-file`)
+
+For full Choria infrastructure setup (broker, managed nodes, Puppet modules),
+see the [Choria Testing](https://github.com/overlookinfra/foreman_openbolt/blob/main/docs/choria-testing.md) guide in the foreman_openbolt repo.
+
+## API
+
+The plugin mounts its API at `/openbolt` on the Smart Proxy. All endpoints are used by the Foreman plugin and are not intended for direct use, but can be useful for debugging.
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| `GET` | `/openbolt/tasks` | List available tasks from the configured environment |
+| `GET` | `/openbolt/tasks/reload` | Clear the task cache and reload from disk |
+| `GET` | `/openbolt/tasks/options` | Get available transport options (SSH, WinRM, Choria) |
+| `POST` | `/openbolt/launch/task` | Launch a task run against specified targets |
+| `GET` | `/openbolt/job/:id/status` | Get the status of a running or completed job |
+| `GET` | `/openbolt/job/:id/result` | Get the full result of a completed job |
+| `DELETE` | `/openbolt/job/:id/artifacts` | Delete stored result files for a job |
+
+## Authentication
+
+The OpenBolt API is HTTPS-only and requires SSL client certificate authentication.
+The smart proxy verifies that:
+
+1. The client presents a valid SSL certificate signed by the same CA configured
+   in `ssl_ca_file` in `/etc/foreman-proxy/settings.yml`.
+2. The certificate's CN appears in the `trusted_hosts` list in that same file.
+
+In a standard Foreman installation, the Foreman server's certificate is already
+trusted by the smart proxy, so no additional configuration is needed for
+Foreman-to-proxy communication.
+
+### Direct API access
+
+If you want to hit the smart proxy OpenBolt API directly from the Foreman host
+(for debugging, scripting, etc.), you can reuse Foreman's own client
+certificates since they are already trusted by the proxy:
+
+```bash
+curl -s \
+  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
+  --cert /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem \
+  --key /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
+  https://$(hostname -f):8443/openbolt/tasks
+```
+
+The Foreman server's CN should already be in `trusted_hosts` in the smart
+proxy's `/etc/foreman-proxy/settings.yml`. If not, add it:
+
+```yaml
+:trusted_hosts:
+  - foreman.example.com
+```
+
+## Development
+
+### Unit Tests
+
+```bash
+bundle exec rake test
+```
+
+### Acceptance Tests (SSH)
+
+Acceptance tests run against Docker containers with a proxy and SSH targets.
+
+```bash
+bundle exec rake acceptance:ssh:up    # Start containers
+bundle exec rake acceptance:ssh       # Run tests
+bundle exec rake acceptance:ssh:down  # Stop and clean up
+```
+
+### Building Packages
+
+Build RPM or DEB packages locally using containers. The [foreman-packaging](https://github.com/theforeman/foreman-packaging) repo is cloned automatically:
+
+```bash
+bundle exec rake build:rpm   # Build RPM
+bundle exec rake build:deb   # Build DEB
+```
+
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `FOREMAN_PACKAGING_REPO` | `https://github.com/theforeman/foreman-packaging.git` | Git URL for foreman-packaging |
+| `FOREMAN_VERSION` | `3.18` | Foreman version for package builds |
+
+## Contributing and support
+
+Fork and send a Pull Request. Thanks!
+If you have questions or need professional support, please join the `#sig-orchestrator` channel on the [Vox Pupuli Slack](https://voxpupuli.org/connect/).
+
+## Copyright
+
+Copyright (c) 2025 Overlook InfraTech
+
+Copyright (c) 2025 betadots GmbH
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+## How to Release
+
+### Release steps
+
+1. Go to [Actions > Prepare Release](../../actions/workflows/prepare_release.yml) and run the workflow with the version to release (e.g. `1.2.0`)
+2. The workflow bumps the version in `version.rb`, generates the changelog, and opens a PR with the `skip-changelog` label
+3. Review and merge the PR
+4. Go to [Actions > Release](../../actions/workflows/release.yml) and run the workflow with the same version
+5. The release workflow:
+   - Verifies the version in `version.rb` matches the input
+   - Creates and pushes a git tag
+   - Builds the gem
+   - Creates a GitHub Release with auto-generated notes and the gem attached
+   - Publishes the gem to GitHub Packages
+   - Publishes the gem to RubyGems.org (requires the `release` environment)
+   - Verifies the gem is available on RubyGems.org
+
+### RPM/DEB packaging
+
+After the gem is published to RubyGems, both RPM and DEB packages need to be updated in [theforeman/foreman-packaging](https://github.com/theforeman/foreman-packaging).
+
+A bot automatically creates PRs against the `rpm/develop` and `deb/develop` branches to pick up the new gem version. These PRs build packages for Foreman nightly.
+
+For stable Foreman releases (currently 3.17 and 3.18), cherry-pick the packaging commits from the develop branches into the corresponding stable branches. For each stable version you want to support:
+
+```bash
+cd foreman-packaging
+
+# RPM: cherry-pick from rpm/develop into a branch off the stable target
+git checkout rpm/3.18
+git checkout -b cherry-pick/rubygem-smart_proxy_openbolt-rpm-3.18
+git cherry-pick <commit-from-rpm/develop>
+# Push to your fork and open a PR targeting rpm/3.18
+
+# DEB: same approach for the deb side
+git checkout deb/3.18
+git checkout -b cherry-pick/rubygem-smart_proxy_openbolt-deb-3.18
+git cherry-pick <commit-from-deb/develop>
+# Push to your fork and open a PR targeting deb/3.18
+```
+
+PRs against stable branches should be labeled "Stable branch".
+
+**Alternative: manual version bump**
+
+If the cherry-pick doesn't apply cleanly, you can bump the version manually on the stable branch instead.
+
+*RPM:* Checkout the target branch and run `bump_rpm.sh`:
+```bash
+cd foreman-packaging
+git checkout rpm/3.18
+git checkout -b bump_rpm/rubygem-smart_proxy_openbolt
+./bump_rpm.sh packages/plugins/rubygem-smart_proxy_openbolt
+# Review changes, push to your fork, and open a PR targeting rpm/3.18
+```
 
-## how to release
+*DEB:* Checkout the target branch and update these files:
+- `debian/gem.list` -- new gem filename
+- `smart_proxy_openbolt.rb` -- new version
+- `debian/control` -- dependency versions (if changed)
+- `debian/changelog` -- add a new entry
 
-* bump version in `lib/smart_proxy_openbolt/version.rb`
-* run `CHANGELOG_GITHUB_TOKEN=github_pat... bundle exec rake changelog`
-* create a PR
-* get a review & merge
-* create and push a tag
-* github actions will publish the tag
+```bash
+git checkout deb/3.18
+git checkout -b bump_deb/ruby-smart-proxy-openbolt
+# Make the changes above, push to your fork, and open a PR targeting deb/3.18
+```

data/lib/smart_proxy_openbolt/api.rb

@@ -5,23 +5,23 @@ require 'smart_proxy_openbolt/main'
 require 'smart_proxy_openbolt/error'
 
 module Proxy::OpenBolt
-
   class Api < ::Sinatra::Base
     include ::Proxy::Log
-    helpers ::Proxy::Helpers
 
-    # Require authentication
-    # These require foreman-proxy to be able to read Puppet's certs/CA, which
-    # by default are owned by puppet:puppet. Need to have installation figure out
-    # the best way to open them to foreman-proxy if we want to use this, I think.
-    #authorize_with_trusted_hosts
-    #authorize_with_ssl_client
+    helpers ::Proxy::Helpers
+    authorize_with_trusted_hosts
+    authorize_with_ssl_client
 
     # Call reload_tasks at class load so the first call to /tasks
     # is potentially faster (if called after this finishes). Do it
     # async so we don't block. The reload_tasks function uses a mutex
     # so it will be safe to call /tasks before it completes.
-    Thread.new { Proxy::OpenBolt.tasks }
+    Thread.new do
+      Proxy::OpenBolt.tasks
+    rescue StandardError => e
+      Proxy::OpenBolt.logger.error("Task prefetch failed (#{e.class}): #{e.message}")
+      Proxy::OpenBolt.logger.debug(e.backtrace.join("\n")) if e.backtrace
+    end
 
     get '/tasks' do
       catch_errors { Proxy::OpenBolt.tasks.to_json }
@@ -32,12 +32,16 @@ module Proxy::OpenBolt
     end
 
     get '/tasks/options' do
-      catch_errors { Proxy::OpenBolt.openbolt_options.to_json}
+      catch_errors { Proxy::OpenBolt.openbolt_options.to_json }
     end
 
     post '/launch/task' do
       catch_errors do
-        data = JSON.parse(request.body.read)
+        begin
+          data = JSON.parse(request.body.read)
+        rescue JSON::ParserError => e
+          raise Error.new(message: "Invalid JSON in request body: #{e.message}")
+        end
         Proxy::OpenBolt.launch_task(data)
       end
     end
@@ -51,40 +55,15 @@ module Proxy::OpenBolt
     end
 
     delete '/job/:id/artifacts' do |id|
-      catch_errors do
-        # Validate the job ID format to prevent directory traversal
-        unless id =~ /\A[a-f0-9\-]+\z/i
-          raise Proxy::OpenBolt::Error.new(message: "Invalid job ID format")
-        end
-
-        file_path = File.join(Proxy::OpenBolt::Plugin.settings.log_dir, "#{id}.json")
-
-        if File.exist?(file_path)
-          real_path = File.realpath(file_path)
-          expected_dir = File.realpath(Proxy::OpenBolt::Plugin.settings.log_dir)
-          raise Proxy::OpenBolt::Error.new(message: "Invalid file path") unless real_path.start_with?(expected_dir)
-
-          File.delete(file_path)
-          logger.info("Deleted artifacts for job #{id}")
-          { status: 'deleted', job_id: id, path: file_path }.to_json
-        else
-          logger.warning("Artifacts not found for job #{id}")
-          { status: 'not_found', job_id: id }.to_json
-        end
-      end
+      catch_errors { Proxy::OpenBolt.delete_artifacts(id) }
     end
 
     private
 
-    def catch_errors(&block)
-      begin
-        yield
-      rescue Proxy::OpenBolt::Error => e
-        e.to_json
-      rescue Exception => e
-        raise e
-        #Proxy::OpenBolt::Error.new(message: "Unhandled exception", exception: e).to_json
-      end
+    def catch_errors
+      yield
+    rescue Error => e
+      e.to_json
     end
   end
 end

data/lib/smart_proxy_openbolt/config/choria-client.conf

@@ -0,0 +1,25 @@
+collectives = mcollective
+main_collective = mcollective
+connector = nats
+libdir = /opt/puppetlabs/mcollective/plugins
+logger_type = console
+loglevel = warn
+securityprovider = choria
+
+# This is the default Choria client configuration shipped with
+# smart_proxy_openbolt. SSL paths, the MCollective certname, and
+# Choria broker addresses are provided by the proxy via OpenBolt
+# CLI flags and do not need to be configured here.
+#
+# To use a custom configuration file instead, set the "Choria Config
+# File" option under Administer > Settings > OpenBolt. If your config
+# file includes SSL
+# paths, leave the Choria SSL settings in Foreman blank and they
+# will be read from the config file.
+#
+# Example SSL configuration for a custom config file:
+#
+# plugin.security.provider = file
+# plugin.security.file.certificate = /etc/puppetlabs/puppet/ssl/certs/<certname>.pem
+# plugin.security.file.key = /etc/puppetlabs/puppet/ssl/private_keys/<certname>.pem
+# plugin.security.file.ca = /etc/puppetlabs/puppet/ssl/certs/ca.pem

data/lib/smart_proxy_openbolt/error.rb

@@ -1,43 +1,33 @@
 module Proxy::OpenBolt
   class Error < StandardError
-    def initialize(**fields)
-      fields.each { |key, val| instance_variable_set("@#{key}", val) }
-      super(fields[:message])
-    end
-
-    def to_json
-      details = {}
-      instance_variables.each do |var|
-        name = var.to_s.delete("@").to_sym
-        val = instance_variable_get(var)
+    attr_reader :details
 
-        next if val.nil?
+    def initialize(message:, **details)
+      @details = details
+      super(message)
+    end
 
-        if name == :exception && val.is_a?(Exception)
-          details[:exception] = {
+    def to_json(*args)
+      result = { message: message }
+      details.each do |key, val|
+        if key == :exception && val.is_a?(Exception)
+          result[:exception] = {
             class:     val.class.to_s,
             message:   val.message,
-            backtrace: val.backtrace
+            backtrace: val.backtrace,
           }
         else
-          details[name] = val
+          result[key] = val unless val.nil?
         end
       end
-      { error: details }.to_json
+      { error: result }.to_json(*args)
     end
   end
 
   class CliError < Error
-    attr_accessor :exitcode, :stdout, :stderr, :command
-
-    def initialize(message:, exitcode:, stdout:, stderr:, command:)
-      super(
-        message:  message,
-        exitcode: exitcode,
-        stdout:   stdout,
-        stderr:   stderr,
-        command:  command,
-      )
-    end
+    def exitcode = details[:exitcode]
+    def stdout = details[:stdout]
+    def stderr = details[:stderr]
+    def command = details[:command]
   end
 end

data/lib/smart_proxy_openbolt/executor.rb

@@ -2,6 +2,7 @@ require 'concurrent'
 require 'securerandom'
 require 'singleton'
 require 'smart_proxy_openbolt/job'
+require 'smart_proxy_openbolt/lru_cache'
 require 'smart_proxy_openbolt/task_job'
 
 module Proxy::OpenBolt
@@ -9,17 +10,18 @@ module Proxy::OpenBolt
     include Singleton
 
     SHUTDOWN_TIMEOUT = 30
+    MAX_CACHED_JOBS = 1000
 
     def initialize
-      @pool = Concurrent::FixedThreadPool.new(Proxy::OpenBolt::Plugin.settings.workers.to_i)
-      @jobs = Concurrent::Map.new
+      @pool = Concurrent::FixedThreadPool.new(Plugin.settings.workers.to_i)
+      @jobs = LruCache.new(MAX_CACHED_JOBS)
     end
 
     def add_job(job)
       raise ArgumentError, "Only Job instances can be added" unless job.is_a?(Job)
       id = SecureRandom.uuid
       job.id = id
-      @jobs[id] = job
+      @jobs.put(id, job)
       @pool.post { job.process }
       id
     end
@@ -27,7 +29,7 @@ module Proxy::OpenBolt
     def status(id)
       job = get_job(id)
       return :invalid unless job
-      job&.status
+      job.status
     end
 
     def result(id)
@@ -36,6 +38,10 @@ module Proxy::OpenBolt
       job.result
     end
 
+    def remove_job(id)
+      @jobs.delete(id)
+    end
+
     # How many workers are currently busy
     def num_running
       @pool.length
@@ -56,36 +62,36 @@ module Proxy::OpenBolt
       @pool.running?
     end
 
-    # Stop accepting tasks and wait up to SHUTDOWN_TIMEOUT seconds
-    # for in-flight jobs to finish. If timeout = nil, wait forever.
-    def shutdown(timeout)
+    # Stop accepting tasks and wait for in-flight jobs to finish.
+    # If timeout is nil, wait forever.
+    def shutdown(timeout = SHUTDOWN_TIMEOUT)
       @pool.shutdown
-      @pool.wait_for_termination(SHUTDOWN_TIMEOUT)
+      @pool.wait_for_termination(timeout)
     end
 
     private
 
     def get_job(id)
-      return @jobs[id] if @jobs.keys.include?(id)
+      cached = @jobs.get(id)
+      return cached if cached
+
       # Look on disk for a past run that may have happened
-      job = nil
-      file = "#{Proxy::OpenBolt::Plugin.settings.log_dir}/#{id}.json"
-      if File.exist?(file)
-        begin
-          data = JSON.parse(File.read(file))
-          return nil if data['schema'].nil? || data['schema'] != 1
-          return nil if data['status'].nil?
-          # This is only for reading back status and result. Don't try
-          # to fill in the other arguments correctly, and don't assume
-          # they are there after execution.
-          job = Job.new(nil, nil, nil)
-          job.id = id
-          job.update_status(data['status'].to_sym)
-          @jobs[id] = job
-        rescue JSON::ParserError
-        end
+      file = Proxy::OpenBolt.result_file_path(id)
+      begin
+        data = JSON.parse(File.read(file))
+        return nil if data['schema'].nil? || data['schema'] != 1
+        return nil if data['status'].nil?
+        # This is only for reading back status and result. Don't try
+        # to fill in the other arguments correctly, and don't assume
+        # they are there after execution.
+        job = Job.new(nil, nil, nil)
+        job.id = id
+        job.update_status(data['status'].to_sym)
+        @jobs.put(id, job)
+        job
+      rescue Errno::ENOENT, JSON::ParserError
+        nil
       end
-      job
     end
   end
 end