Upgrade puppetcore* msi from artifacts-puppetcore.puppet.com

When using the puppetcore collection on Windows, if we detect the installed
version does not match, then upgrade the MSI. Due to a puppet bug, we cannot
pass credentials in the `source` parameter. And `curl.exe` is not present in
our puppet-agent packages. So use powershell to download.

Co-authored-by: Kevin <114269618+klab-systems@users.noreply.github.com>

Author: joshcooper

REFERENCE.md

@@ -624,6 +624,7 @@ working with a remote https repository.
 The following parameters are available in the `puppet_agent::prepare::package` class:
 
 * [`source`](#-puppet_agent--prepare--package--source)
+* [`package_file_name`](#-puppet_agent--prepare--package--package_file_name)
 
 ##### <a name="-puppet_agent--prepare--package--source"></a>`source`
 
@@ -632,6 +633,16 @@ Data type: `Variant[String, Array]`
 The source file for the puppet-agent package. Can use any of the data types
 and protocols that the File resource's source attribute can.
 
+##### <a name="-puppet_agent--prepare--package--package_file_name"></a>`package_file_name`
+
+Data type: `Optional[String]`
+
+The destination file name for the puppet-agent package. If no destination
+is given, then the basename component of the source will be used as the
+destination filename.
+
+Default value: `undef`
+
 ### <a name="puppet_agent--prepare--puppet_config"></a>`puppet_agent::prepare::puppet_config`
 
 Private class called from puppet_agent::prepare class.
@@ -993,6 +1004,18 @@ Data type: `Optional[Integer]`
 
 The number of retries in case of network connectivity failures
 
+##### `username`
+
+Data type: `Optional[String]`
+
+The username to use when downloading from a source location requiring authentication
+
+##### `password`
+
+Data type: `Optional[String]`
+
+The password to use when downloading from a source location requiring authentication
+
 ### <a name="install_shell"></a>`install_shell`
 
 Install the Puppet agent package

manifests/osfamily/windows.pp

@@ -23,13 +23,22 @@
   } else {
     if $puppet_agent::collection == 'PC1' {
       $source = "${puppet_agent::windows_source}/windows/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
+    } elsif $puppet_agent::collection =~ /core/ {
+      $source = 'https://artifacts-puppetcore.puppet.com/v1/download'
     } else {
       $source = "${puppet_agent::windows_source}/windows/${puppet_agent::collection}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
     }
   }
 
+  if $puppet_agent::collection and $puppet_agent::collection =~ /core/ {
+    $destination_name = "${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
+  } else {
+    $destination_name = undef
+  }
+
   class { 'puppet_agent::prepare::package':
-    source => $source,
+    source           => $source,
+    destination_name => $destination_name,
   }
 
   contain puppet_agent::prepare::package

manifests/prepare/package.pp

@@ -5,21 +5,31 @@
 # @param source
 #   The source file for the puppet-agent package. Can use any of the data types
 #   and protocols that the File resource's source attribute can.
+# @param destination_name
+#   The destination file name for the puppet-agent package. If no destination
+#   is given, then the basename component of the source will be used as the
+#   destination name.
 class puppet_agent::prepare::package (
   Variant[String, Array] $source,
+  Optional[String] $destination_name = undef
 ) {
   assert_private()
 
   file { $puppet_agent::params::local_packages_dir:
     ensure => directory,
   }
 
-  # In order for the 'basename' function to work correctly we need to change
-  # any \s to /s (even for windows UNC paths) so that it will correctly pull off
-  # the filename. Since this operation is only grabbing the base filename and not
-  # any part of the path this should be safe, since the source will simply remain
-  # what it was before and we can still pull off the filename.
-  $package_file_name = basename(regsubst($source, "\\\\", '/', 'G'))
+  if $destination_name {
+    $package_file_name = $destination_name
+  } else {
+    # In order for the 'basename' function to work correctly we need to change
+    # any \s to /s (even for windows UNC paths) so that it will correctly pull off
+    # the filename. Since this operation is only grabbing the base filename and not
+    # any part of the path this should be safe, since the source will simply remain
+    # what it was before and we can still pull off the filename.
+    $package_file_name = basename(regsubst($source, "\\\\", '/', 'G'))
+  }
+
   if $facts['os']['family'] =~ /windows/ {
     $local_package_file_path = windows_native_path("${puppet_agent::params::local_packages_dir}/${package_file_name}")
     $mode = undef
@@ -28,12 +38,37 @@
     $mode = '0644'
   }
 
-  file { $local_package_file_path:
-    ensure  => file,
-    owner   => $puppet_agent::params::user,
-    group   => $puppet_agent::params::group,
-    mode    => $mode,
-    source  => $source,
-    require => File[$puppet_agent::params::local_packages_dir],
+  if $puppet_agent::collection =~ /core/ and $facts['os']['family'] =~ /windows/ {
+    $download_username = getvar('puppet_agent::username', 'forge-key')
+    $download_password = unwrap(getvar('puppet_agent::password'))
+
+    $_download_puppet = windows_native_path("${facts['env_temp_variable']}/download_puppet.ps1")
+    file { $_download_puppet:
+      ensure  => file,
+      content => Sensitive(epp('puppet_agent/download_puppet.ps1.epp')),
+    }
+
+    exec { 'Download Puppet Agent':
+      command  => [
+        "${facts['os']['windows']['system32']}\\WindowsPowerShell\\v1.0\\powershell.exe",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-NoProfile",
+        "-NoLogo",
+        "-NonInteractive"
+        ${_download_puppet}"
+      ],
+      creates  => $local_package_file_path,
+      require  => File[$puppet_agent::params::local_packages_dir],
+    }
+  } else {
+    file { $local_package_file_path:
+      ensure  => file,
+      owner   => $puppet_agent::params::user,
+      group   => $puppet_agent::params::group,
+      mode    => $mode,
+      source  => $source,
+      require => File[$puppet_agent::params::local_packages_dir],
+    }
   }
 }

metadata.json

@@ -23,6 +23,10 @@
     {
       "name": "puppetlabs-facts",
       "version_requirement": ">= 0.5.0 < 2.0.0"
+    },
+    {
+      "name": "puppetlabs-powershell",
+      "version_requirement": ">= 6.0.2 < 7.0.0"
     }
   ],
   "operatingsystem_support": [

templates/download_puppet.ps1.epp

@@ -0,0 +1,19 @@
+$body = @{
+    "version" = "<%= $puppet_agent::prepare::package_version %>"
+    "os_name" = "<%= $facts['os']['family'] %>"
+    "os_version" = "<%= $facts['os']['release']['major'] %>"
+    "os_arch" = "<%= $facts['os']['architecture'] %>"
+    "fips" = "<%= $facts['fips_enabled'] %>"
+}
+$username = "<%= $puppet_agent::prepare::package::download_username %>"
+$password = ConvertTo-SecureString "<%= $puppet_agent::prepare::package::download_password %>" -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential($username, $password)
+try {
+    Invoke-WebRequest -Uri "<%= $puppet_agent::prepare::package::source %>" `
+      -Body $body `
+      -Credential $credential `
+      -OutFile "<%= $puppet_agent::prepare::package::local_package_file_path %>"
+} catch [System.Net.WebException] {
+    Write-Host "Network-related error: $($_.Exception.Message)"
+    exit 1
+}