(PA-7586) Upgrade puppetcore* dmg from artifacts-puppetcore.puppet.com

When using the puppetcore collection on macOS, if we detect the version does not
match, then upgrade the DMG. Due to a puppet bug, we cannot pass credentials in
the `source` parameter, so curl using 'netrc' to pass credentials securely.

Note facter's `os.release.major` returns the Darwin kernel version (23), but our
packages are named after the OS version (14), so use `os.macosx.version.major`.

```
class { 'puppet_agent':
  package_version => '8.13.1',
  collection      => 'puppetcore8',
  username        => 'forge-key',
  password        => Sensitive(...)
}
include 'puppet_agent'
```

Author: joshcooper

manifests/osfamily/darwin.pp

@@ -20,12 +20,21 @@
     } else {
       $source = "puppet:///pe_packages/${pe_server_version}/${facts['platform_tag']}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${$productversion_major}.dmg"
     }
+  } elsif $puppet_agent::collection =~ /core/ {
+    $source = 'https://artifacts-puppetcore.puppet.com/v1/download'
   } else {
     $source = "${puppet_agent::mac_source}/mac/${puppet_agent::collection}/${productversion_major}/${puppet_agent::arch}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${$productversion_major}.dmg"
   }
 
+  $destination_name = if $puppet_agent::collection =~ /core/ {
+    "${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${$productversion_major}.dmg"
+  } else {
+    undef
+  }
+
   class { 'puppet_agent::prepare::package':
-    source => $source,
+    source           => $source,
+    destination_name => $destination_name,
   }
 
   contain puppet_agent::prepare::package

manifests/prepare/package.pp

@@ -56,6 +56,29 @@
       creates => $local_package_file_path,
       require => File[$puppet_agent::params::local_packages_dir],
     }
+  } elsif $puppet_agent::collection =~ /core/ and $facts['os']['family'] =~ /Darwin/ {
+    $download_username = getvar('puppet_agent::username', 'forge-key')
+    $download_password = unwrap(getvar('puppet_agent::password'))
+    $osname = 'osx'
+    $osversion = $facts['os']['macosx']['version']['major']
+    $osarch = $facts['os']['architecture']
+    $fips = 'false'
+    $dev = count(split($puppet_agent::prepare::package_version, '\.')) > 3
+
+    $_download_puppet = "${puppet_agent::params::local_packages_dir}/download_puppet.sh"
+    file { $_download_puppet:
+      ensure  => file,
+      owner   => $puppet_agent::params::user,
+      group   => $puppet_agent::params::group,
+      mode    => '0700',
+      content => Sensitive(epp('puppet_agent/download_puppet.sh.epp')),
+    }
+
+    exec { 'Download Puppet Agent':
+      command => [$_download_puppet],
+      creates => $local_package_file_path,
+      require => File[$puppet_agent::params::local_packages_dir],
+    }
   } else {
     file { $local_package_file_path:
       ensure  => file,

templates/download_puppet.sh.epp

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -x
+netrc=$(mktemp)
+trap 'rm -f "$netrc"' EXIT
+chmod 0600 "$netrc"
+cat <<EOF > "$netrc"
+machine artifacts-puppetcore.puppet.com
+login <%= $puppet_agent::prepare::package::download_username %>
+password <%= $puppet_agent::prepare::package::download_password %>
+EOF
+/opt/puppetlabs/puppet/bin/curl \
+ --get \
+ --fail \
+ --location \
+ --netrc-file "$netrc" \
+ --retry 3 \
+ --data-urlencode "version=<%= $puppet_agent::prepare::package_version %>" \
+ --data-urlencode "dev=<%= $puppet_agent::prepare::package::dev %>" \
+ --data-urlencode "os_name=<%= $puppet_agent::prepare::package::osname %>" \
+ --data-urlencode "os_version=<%= $puppet_agent::prepare::package::osversion %>" \
+ --data-urlencode "os_arch=<%= $puppet_agent::prepare::package::osarch %>" \
+ --data-urlencode "fips=<%= $puppet_agent::prepare::package::fips %>" \
+ --output "<%= $puppet_agent::prepare::package::local_package_file_path %>" \
+ "<%= $puppet_agent::prepare::package::source %>"
+