Private windows

REFERENCE.md

@@ -624,6 +624,7 @@ working with a remote https repository.
 The following parameters are available in the `puppet_agent::prepare::package` class:
 
 * [`source`](#-puppet_agent--prepare--package--source)
+* [`package_file_name`](#-puppet_agent--prepare--package--package_file_name)
 
 ##### <a name="-puppet_agent--prepare--package--source"></a>`source`
 
@@ -632,6 +633,16 @@ Data type: `Variant[String, Array]`
 The source file for the puppet-agent package. Can use any of the data types
 and protocols that the File resource's source attribute can.
 
+##### <a name="-puppet_agent--prepare--package--package_file_name"></a>`package_file_name`
+
+Data type: `Optional[String]`
+
+The destination file name for the puppet-agent package. If no destination
+is given, then the basename component of the source will be used as the
+destination filename.
+
+Default value: `undef`
+
 ### <a name="puppet_agent--prepare--puppet_config"></a>`puppet_agent::prepare::puppet_config`
 
 Private class called from puppet_agent::prepare class.
@@ -993,6 +1004,18 @@ Data type: `Optional[Integer]`
 
 The number of retries in case of network connectivity failures
 
+##### `username`
+
+Data type: `Optional[String]`
+
+The username to use when downloading from a source location requiring authentication
+
+##### `password`
+
+Data type: `Optional[String]`
+
+The password to use when downloading from a source location requiring authentication
+
 ### <a name="install_shell"></a>`install_shell`
 
 Install the Puppet agent package

manifests/osfamily/darwin.pp

@@ -20,12 +20,20 @@
     } else {
       $source = "puppet:///pe_packages/${pe_server_version}/${facts['platform_tag']}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${$productversion_major}.dmg"
     }
-  } else {
+  } elsif $puppet_agent::collection and $puppet_agent::collection =~ /core/ {
+    if $puppet_agent::prepare::package_version =~ /^\d+\.\d+\.\d+\.\d+\.g([a-f0-9]+)+$/ {
+      $source = "https://artifacts-puppetcore.puppet.com/v1/download?type=native&version=${puppet_agent::prepare::package_version}&os_name=osx&os_version=${productversion_major}&os_arch=${puppet_agent::arch}&dev=true"
+    } else {
+      $source = "https://artifacts-puppetcore.puppet.com/v1/download?type=native&version=${puppet_agent::prepare::package_version}&os_name=osx&os_version=${productversion_major}&os_arch=${puppet_agent::arch}"
+    }
+    $destination_name = "${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${productversion_major}.dmg"
+    } else {
     $source = "${puppet_agent::mac_source}/mac/${puppet_agent::collection}/${productversion_major}/${puppet_agent::arch}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-1.osx${$productversion_major}.dmg"
   }
 
   class { 'puppet_agent::prepare::package':
     source => $source,
+    destination_name => $destination_name,
   }
 
   contain puppet_agent::prepare::package

manifests/osfamily/windows.pp

@@ -2,6 +2,8 @@
 class puppet_agent::osfamily::windows {
   assert_private()
 
+  $destination_name = undef
+
   if $puppet_agent::absolute_source {
     $source = $puppet_agent::absolute_source
   } elsif $puppet_agent::source {
@@ -23,13 +25,17 @@
   } else {
     if $puppet_agent::collection == 'PC1' {
       $source = "${puppet_agent::windows_source}/windows/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
+    } elsif $puppet_agent::collection =~ /core/ {
+      $source = 'https://artifacts-puppetcore.puppet.com/v1/download'
+      $destination_name = "${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
     } else {
       $source = "${puppet_agent::windows_source}/windows/${puppet_agent::collection}/${puppet_agent::package_name}-${puppet_agent::prepare::package_version}-${puppet_agent::arch}.msi"
     }
   }
 
   class { 'puppet_agent::prepare::package':
-    source => $source,
+    source           => $source,
+    destination_name => $destination_name,
   }
 
   contain puppet_agent::prepare::package

manifests/prepare/package.pp

@@ -5,21 +5,31 @@
 # @param source
 #   The source file for the puppet-agent package. Can use any of the data types
 #   and protocols that the File resource's source attribute can.
+# @param destination_name
+#   The destination file name for the puppet-agent package. If no destination
+#   is given, then the basename component of the source will be used as the
+#   destination name.
 class puppet_agent::prepare::package (
   Variant[String, Array] $source,
+  Optional[String] $destination_name = undef
 ) {
   assert_private()
 
   file { $puppet_agent::params::local_packages_dir:
     ensure => directory,
   }
 
-  # In order for the 'basename' function to work correctly we need to change
-  # any \s to /s (even for windows UNC paths) so that it will correctly pull off
-  # the filename. Since this operation is only grabbing the base filename and not
-  # any part of the path this should be safe, since the source will simply remain
-  # what it was before and we can still pull off the filename.
-  $package_file_name = basename(regsubst($source, "\\\\", '/', 'G'))
+  if $destination_name {
+    $package_file_name = $destination_name
+  } else {
+    # In order for the 'basename' function to work correctly we need to change
+    # any \s to /s (even for windows UNC paths) so that it will correctly pull off
+    # the filename. Since this operation is only grabbing the base filename and not
+    # any part of the path this should be safe, since the source will simply remain
+    # what it was before and we can still pull off the filename.
+    $package_file_name = basename(regsubst($source, "\\\\", '/', 'G'))
+  }
+
   if $facts['os']['family'] =~ /windows/ {
     $local_package_file_path = windows_native_path("${puppet_agent::params::local_packages_dir}/${package_file_name}")
     $mode = undef
@@ -28,12 +38,79 @@
     $mode = '0644'
   }
 
-  file { $local_package_file_path:
-    ensure  => file,
-    owner   => $puppet_agent::params::user,
-    group   => $puppet_agent::params::group,
-    mode    => $mode,
-    source  => $source,
-    require => File[$puppet_agent::params::local_packages_dir],
+  # REMIND: redhat/suse with absolute_source
+  # REMIND: debian with absolute_source
+  # REMIND: solaris 10
+  # REMIND: solaris 11 with manage_repo
+  # REMIND: aix
+  # REMIND: darwin
+  # REMIND: suse 11 and PE
+  if $puppet_agent::collection and $puppet_agent::collection =~ /core/ and $facts['os']['family'] =~ /windows/ {
+    $download_username = getvar('puppet_agent::username', 'forge-key')
+    $download_password = unwrap(getvar('puppet_agent::password'))
+
+    $_download_puppet = windows_native_path("${facts['env_temp_variable']}/download_puppet.ps1")
+    file { $_download_puppet:
+      ensure  => file,
+      content => Sensitive(epp('puppet_agent/download_puppet.ps1.epp')),
+    }
+
+    exec { 'Download Puppet Agent':
+      command  => "${facts['os']['windows']['system32']}\\WindowsPowerShell\\v1.0\\powershell.exe \
+      -ExecutionPolicy Bypass \
+      -NoProfile \
+      -NoLogo \
+      -NonInteractive \
+      ${_download_puppet}",
+      creates  => $local_package_file_path,
+      provider => powershell,
+    }
+  } elsif $puppet_agent::collection and $puppet_agent::collection =~ /core/ and $facts['os']['family'] =~ /Darwin/ {
+    $download_username = getvar('puppet_agent::username', 'forge-key')
+    $download_password = unwrap(getvar('puppet_agent::password'))
+
+    $response_file = "${local_package_file_path}.response"
+    $netrc_file = "${facts['env_temp_variable']}/.netrc"
+    file { $netrc_file:
+      ensure  => file,
+      content => "machine artifacts-puppetcore.puppet.com\nlogin ${download_username}\npassword ${download_password}\n",
+      mode    => '0600',
+    }
+
+    $curl_command = "curl -1 -sL --netrc-file '${netrc_file}' -w '%{http_code}' -o '${local_package_file_path}' '${source}' > '${response_file}'"
+    exec { 'Download Puppet Agent for Darwin':
+      command => $curl_command,
+      creates => $local_package_file_path,
+      path    => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
+    }
+
+    exec { 'Remove .netrc file':
+      command => "rm -f '${netrc_file}'",
+      path    => ['/usr/bin', '/bin'],
+      onlyif  => "test -f '${netrc_file}'",
+      require => Exec['Download Puppet Agent for Darwin'],
+    }
+    #
+    # TODO: This is a temporary workaround to get the HTTP response code from the curl command.
+    #       For now just outputting the response is good enough.
+    #       We need to find a way to interspect this value and fail the catalog if the response
+    #       code is not 200, and then logging the output wont be as important.
+    #
+    exec { 'Read HTTP Response Code':
+      command => "cat '${response_file}'",
+      path    => ['/usr/bin', '/bin'],
+      onlyif  => "test -f '${response_file}'",
+      logoutput => true,
+      require => Exec['Download Puppet Agent for Darwin'],
+    }
+  } else {
+    file { $local_package_file_path:
+      ensure  => file,
+      owner   => $puppet_agent::params::user,
+      group   => $puppet_agent::params::group,
+      mode    => $mode,
+      source  => $source,
+      require => File[$puppet_agent::params::local_packages_dir],
+    }
   }
 }

tasks/install_powershell.json

@@ -42,6 +42,14 @@
       "description": "The number of retries in case of network connectivity failures",
       "type": "Optional[Integer]",
       "default": 5
+    },
+    "username": {
+      "description": "The username to use when downloading from a source location requiring authentication",
+      "type": "Optional[String]"
+    },
+    "password": {
+      "description": "The password to use when downloading from a source location requiring authentication",
+      "type": "Optional[String]"
     }
   },
   "supports_noop": true

tasks/install_powershell.ps1

@@ -7,11 +7,21 @@ Param(
   [String]$install_options = 'REINSTALLMODE="amus"',
   [Bool]$stop_service = $False,
   [Int]$retry = 5,
-  [Bool]$_noop = $False
+  [Bool]$_noop = $False,
+  [String]$username = 'forge-key',
+  [String]$password
 )
 # If an error is encountered, the script will stop instead of the default of "Continue"
 $ErrorActionPreference = "Stop"
 
+try {
+  $os_version = (Get-WmiObject Win32_OperatingSystem).Version
+}
+catch [System.Management.Automation.CommandNotFoundException] {
+  $os_version = (Get-CimInstance -ClassName win32_OperatingSystem).Version
+}
+$major_os_version = ($os_version -split '\.')[0]
+
 try {
   if ((Get-WmiObject Win32_OperatingSystem).OSArchitecture -match '^32') {
       $arch = "x86"
@@ -27,9 +37,19 @@ catch [System.Management.Automation.CommandNotFoundException] {
   }
 }
 
+$fips = 'false'
+try {
+  if ((Get-ItemPropertyValue -Path 'HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled) -ne 0) {
+    $fips = 'true'
+  }
+}
+catch {
+  Write-Output "Failed to lookup FIPS mode, assuming it is disabled"
+}
+
 function Test-PuppetInstalled {
   $rootPath = 'HKLM:\SOFTWARE\Puppet Labs\Puppet'
-  try { 
+  try {
     if (Get-ItemProperty -Path $rootPath) { RETURN $true }
   }
   catch {
@@ -98,12 +118,16 @@ if (Test-RunningServices) {
 # Change windows_source only if the collection is a nightly build, and the source was not explicitly specified.
 if (($collection -like '*nightly*') -And -Not ($PSBoundParameters.ContainsKey('windows_source'))) {
   $windows_source = 'https://nightlies.puppet.com/downloads'
+} elseif (($collection -like '*puppetcore*') -And -Not ($PSBoundParameters.ContainsKey('windows_source'))) {
+  $windows_source = 'https://artifacts-puppetcore.puppet.com/v1/download'
 }
 
 if ($absolute_source) {
     $msi_source = "$absolute_source"
 }
-else {
+elseif ($collection -like '*puppetcore*') {
+    $msi_source = "${windows_source}?version=${version}&os_name=windows&os_version=${major_os_version}&os_arch=${arch}&fips=${fips}"
+} else {
     $msi_source = "$windows_source/windows/${collection}/${msi_name}"
 }
 
@@ -125,22 +149,27 @@ function Set-Tls12 {
 }
 
 function DownloadPuppet {
-  Write-Output "Downloading the Puppet Agent installer on $env:COMPUTERNAME..."
+  Write-Output "Downloading the Puppet Agent installer on $env:COMPUTERNAME from ${msi_source}"
   Set-Tls12
 
   $webclient = New-Object system.net.webclient
-
+  if ($password) {
+    $credentials = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${username}:${password}"))
+    $webclient.Headers.Add("Authorization", "Basic ${credentials}")
+  }
   try {
     $webclient.DownloadFile($msi_source,$msi_dest)
   }
   catch [System.Net.WebException] {
+    Write-Host "Download exception: $($_.Exception.Message)"
     For ($attempt_number = 1; $attempt_number -le $retry; $attempt_number++) {
       try {
         Write-Output "Retrying... [$attempt_number/$retry]"
         $webclient.DownloadFile($msi_source,$msi_dest)
         break
       }
       catch [System.Net.WebException] {
+        Write-Host "Download exception: $($_.Exception.Message)"
         if($attempt_number -eq $retry) {
           # If we can't find the msi, then we may not be configured correctly
           if($_.Exception.Response.StatusCode -eq [system.net.httpstatuscode]::NotFound) {