From 15ddc2e5afa8408010fb0e35cba19c0f92b74011 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Fri, 1 Nov 2024 17:09:28 +0100 Subject: [PATCH 1/4] Remove insecure pe_installer_source parameter --- REFERENCE.md | 24 ------------------------ plans/install.pp | 7 ------- plans/subplans/install.pp | 16 ++-------------- plans/upgrade.pp | 23 +++++------------------ 4 files changed, 7 insertions(+), 63 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 2951060f..53185298 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -2022,7 +2022,6 @@ The following parameters are available in the `peadm::install` plan: * [`compiler_pool_address`](#-peadm--install--compiler_pool_address) * [`internal_compiler_a_pool_address`](#-peadm--install--internal_compiler_a_pool_address) * [`internal_compiler_b_pool_address`](#-peadm--install--internal_compiler_b_pool_address) -* [`pe_installer_source`](#-peadm--install--pe_installer_source) * [`ldap_config`](#-peadm--install--ldap_config) * [`final_agent_state`](#-peadm--install--final_agent_state) * [`stagingdir`](#-peadm--install--stagingdir) @@ -2078,17 +2077,6 @@ architectures. Default value: `undef` -##### `pe_installer_source` - -Data type: `Optional[Stdlib::HTTPSUrl]` - -The URL to download the Puppet Enterprise installer media from. If not -specified, PEAdm will attempt to download PE installation media from its -standard public source. When specified, PEAdm will download directly from the -URL given. - -Default value: `undef` - ##### `ldap_config` Data type: `Optional[Peadm::Ldap_config]` 
@@ -2503,7 +2491,6 @@ The following parameters are available in the `peadm::upgrade` plan: * [`compiler_pool_address`](#-peadm--upgrade--compiler_pool_address) * [`internal_compiler_a_pool_address`](#-peadm--upgrade--internal_compiler_a_pool_address) * [`internal_compiler_b_pool_address`](#-peadm--upgrade--internal_compiler_b_pool_address) -* [`pe_installer_source`](#-peadm--upgrade--pe_installer_source) * [`final_agent_state`](#-peadm--upgrade--final_agent_state) * [`r10k_known_hosts`](#-peadm--upgrade--r10k_known_hosts) * [`stagingdir`](#-peadm--upgrade--stagingdir) @@ -2548,17 +2535,6 @@ architectures. Default value: `undef` -##### `pe_installer_source` - -Data type: `Optional[Stdlib::HTTPSUrl]` - -The URL to download the Puppet Enterprise installer media from. If not -specified, PEAdm will attempt to download PE installation media from its -standard public source. When specified, PEAdm will download directly from the -URL given. - -Default value: `undef` - ##### `final_agent_state` Data type: `Enum['running', 'stopped']` diff --git a/plans/install.pp b/plans/install.pp index fc30e4be..7360bd35 100644 --- a/plans/install.pp +++ b/plans/install.pp @@ -11,11 +11,6 @@ # A load balancer address directing traffic to any of the "B" pool # compilers. This is used for DR configuration in large and extra large # architectures. -# @param pe_installer_source -# The URL to download the Puppet Enterprise installer media from. If not -# specified, PEAdm will attempt to download PE installation media from its -# standard public source. When specified, PEAdm will download directly from the -# URL given. # @param ldap_config # If specified, configures PE RBAC DS with the supplied configuration hash. # The parameter should be set to a valid set of connection settings as 
@@ -47,7 +42,6 @@ # Common Configuration String $console_password, Peadm::Pe_version $version = '2021.7.9', - Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef, Optional[Array[String]] $dns_alt_names = undef, Optional[String] $compiler_pool_address = undef, Optional[String] $internal_compiler_a_pool_address = undef, @@ -94,7 +88,6 @@ # Common Configuration version => $version, - pe_installer_source => $pe_installer_source, console_password => $console_password, dns_alt_names => $dns_alt_names, pe_conf_data => $pe_conf_data, diff --git a/plans/subplans/install.pp b/plans/subplans/install.pp index 693c056c..9a210246 100644 --- a/plans/subplans/install.pp +++ b/plans/subplans/install.pp @@ -28,12 +28,6 @@ # Config data to plane into pe.conf when generated on all hosts, this can be # used for tuning data etc. # -# @param pe_installer_source -# The URL to download the Puppet Enterprise installer media from. If not -# specified, PEAdm will attempt to download PE installation media from its -# standard public source. When specified, PEAdm will download directly from the -# URL given. -# plan peadm::subplans::install ( # Standard Peadm::SingleTargetSpec $primary_host, @@ -50,7 +44,6 @@ # Common Configuration String $console_password, Peadm::Pe_version $version, - Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef, Array[String] $dns_alt_names = [], Hash $pe_conf_data = {}, @@ -237,13 +230,8 @@ ) } - if $pe_installer_source { - $pe_tarball_name = $pe_installer_source.split('/')[-1] - $pe_tarball_source = $pe_installer_source - } else { - $pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz" - $pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}" - } + $pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz" + $pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}" $upload_tarball_path = "${uploaddir}/${pe_tarball_name}" 
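Review bot: The replacement lines in the `@@ -237` hunk of plans/subplans/install.pp pin the tarball name and source to the official release bucket, but nothing in the hunk verifies the archive that ends up at `$upload_tarball_path`; the acceptance-plan commits later in this series pre-stage a file under the same predictable `${uploaddir}/${pe_tarball_name}` name before calling `peadm::install`, which suggests any pre-existing file at that path is used without re-download. If that is the case (the download step lies outside this hunk), a checksum or signature check against the official release is the missing control, since dropping `pe_installer_source` only narrows where PEAdm itself fetches from. The new lines also deserve a comment stating the intent, e.g. `# Installer media always comes from the official release bucket; a caller-supplied URL is no longer accepted.` The enclosing plan body starts and ends outside this hunk.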
diff --git a/plans/upgrade.pp b/plans/upgrade.pp index 15b240fe..cae952fd 100644 --- a/plans/upgrade.pp +++ b/plans/upgrade.pp @@ -11,11 +11,6 @@ # A load balancer address directing traffic to any of the "B" pool # compilers. This is used for DR configuration in large and extra large # architectures. -# @param pe_installer_source -# The URL to download the Puppet Enterprise installer media from. If not -# specified, PEAdm will attempt to download PE installation media from its -# standard public source. When specified, PEAdm will download directly from the -# URL given. # @param final_agent_state # Configures the state the puppet agent should be in on infrastructure nodes # after PE is upgraded successfully. @@ -46,7 +41,6 @@ # Common Configuration Optional[Peadm::Pe_version] $version = undef, - Optional[Stdlib::HTTPSUrl] $pe_installer_source = undef, Optional[String] $compiler_pool_address = undef, Optional[String] $internal_compiler_a_pool_address = undef, Optional[String] $internal_compiler_b_pool_address = undef, 
@@ -119,21 +113,14 @@ $platform = run_task('peadm::precheck', $primary_target).first['platform'] - if $pe_installer_source { - $pe_tarball_name = $pe_installer_source.split('/')[-1] - $pe_tarball_source = $pe_installer_source - $_version = $pe_tarball_name.split('-')[2] - } else { - $_version = $version - $pe_tarball_name = "puppet-enterprise-${_version}-${platform}.tar.gz" - $pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${_version}/${pe_tarball_name}" - } + $pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz" + $pe_tarball_source = "https://s3.amazonaws.com/pe-builds/released/${version}/${pe_tarball_name}" $upload_tarball_path = "${uploaddir}/${pe_tarball_name}" peadm::assert_supported_bolt_version() - peadm::assert_supported_pe_version($_version, $permit_unsafe_versions) + peadm::assert_supported_pe_version($version, $permit_unsafe_versions) # Gather certificate extension information from all systems $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| { @@ -386,7 +373,7 @@ # doesn't deal well with the PuppetDB database being on a separate node. # So, move it aside before running the upgrade. $pdbapps = '/opt/puppetlabs/server/apps/puppetdb/cli/apps' - $workaround_delete_reports = $arch['disaster-recovery'] and $_version =~ SemVerRange('>= 2019.8') + $workaround_delete_reports = $arch['disaster-recovery'] and $version =~ SemVerRange('>= 2019.8') if $workaround_delete_reports { # lint:ignore:strict_indent run_command(@("COMMAND"/$), $replica_target) @@ -438,7 +425,7 @@ ) } - peadm::check_version_and_known_hosts($current_pe_version, $_version, $r10k_known_hosts) + peadm::check_version_and_known_hosts($current_pe_version, $version, $r10k_known_hosts) return("Upgrade of Puppet Enterprise ${arch['architecture']} completed.") } From cea49f13b599d8d9af69c025bcc360a00402fb82 Mon Sep 17 00:00:00 2001 
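Review bot: `$version` can still be `undef` here — the parameter hunk above keeps `Optional[Peadm::Pe_version] $version = undef` — yet the new lines interpolate it into `$pe_tarball_name` (yielding `puppet-enterprise--<platform>.tar.gz` and a bogus S3 path), pass it to `peadm::assert_supported_pe_version`, and later hand it to the `SemVerRange('>= 2019.8')` match and to `peadm::check_version_and_known_hosts`. Before this change the tarball name derived from `pe_installer_source` was the fallback that made `version` optional; with that gone, either declare `Peadm::Pe_version $version` as required or fail early, e.g. `if $version =~ Undef { fail_plan('The version parameter is required') }`, unless a check outside the hunk already rejects an undef version. The same concern applies to the two later hunks of this file that switch `$_version` to `$version`. The enclosing plan body starts and ends outside this hunk.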
From: Tim Meusel Date: Mon, 4 Nov 2024 15:34:19 +0100 Subject: [PATCH 2/4] mark the download task as private --- tasks/download.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/download.json b/tasks/download.json index 34c5e46f..7cf03829 100644 --- a/tasks/download.json +++ b/tasks/download.json @@ -23,5 +23,6 @@ "implementations": [ {"name": "download.sh", "requirements": ["shell"], "input_method": "environment"}, {"name": "download.ps1", "requirements": ["powershell"], "input_method": "powershell"} - ] + ], + "private": true } From 828fa043c2861a0d22700958e9d0b23421cd1a33 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 4 Nov 2024 16:24:13 +0100 Subject: [PATCH 3/4] install_test_cluster: Download custom PE archive before calling peadm --- .../peadm_spec/plans/install_test_cluster.pp | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/spec/acceptance/peadm_spec/plans/install_test_cluster.pp b/spec/acceptance/peadm_spec/plans/install_test_cluster.pp index d7693e24..7967a1ab 100644 --- a/spec/acceptance/peadm_spec/plans/install_test_cluster.pp +++ b/spec/acceptance/peadm_spec/plans/install_test_cluster.pp @@ -39,12 +39,10 @@ download_mode => $download_mode, code_manager_auto_configure => $code_manager_auto_configure, version => $version, - pe_installer_source => $pe_installer_source, permit_unsafe_versions => $permit_unsafe_versions, } - $arch_params = - case $architecture { + $arch_params = case $architecture { 'standard': {{ primary_host => $t.filter |$n| { $n.vars['role'] == 'primary' }, } } 
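Review bot: `"private": true` only hides `peadm::download` from `bolt task show` listings; it does not restrict who can run the task, and the acceptance plans added later in this series still call it with a caller-supplied `source`. That is consistent with the goal of removing the public parameter rather than the task, but the commit subject reads as if the task were being locked down, so the task's `description` field (outside this hunk) should state plainly that it is an internal helper for the install and upgrade plans and not a supported entry point.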
@@ -76,8 +74,27 @@ default: { fail('Invalid architecture!') } } - $install_result = - run_plan('peadm::install', $arch_params + $common_params) + if $pe_installer_source { + $targets = $arch_params.values.flatten + $platform = run_task('peadm::precheck', $arch_params['primary_host']).first['platform'] + $pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz" + $upload_tarball_path = "/tmp/${pe_tarball_name}" + + if $download_mode == 'bolthost' { + run_plan('peadm::util::retrieve_and_upload', $targets, + source => $pe_installer_source, + local_path => "/tmp/${pe_tarball_name}", + upload_path => $upload_tarball_path, + ) + } else { + run_task('peadm::download', $targets, + source => $pe_installer_source, + path => $upload_tarball_path, + ) + } + } + + $install_result = run_plan('peadm::install', $arch_params + $common_params) return($install_result) } From 45abe8d5d53196f04f61981cf7045830cd1b5807 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 4 Nov 2024 16:47:06 +0100 Subject: [PATCH 4/4] upgrade_test_cluster: Download custom PE archive before calling peadm --- .../peadm_spec/plans/upgrade_test_cluster.pp | 24 ++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/spec/acceptance/peadm_spec/plans/upgrade_test_cluster.pp b/spec/acceptance/peadm_spec/plans/upgrade_test_cluster.pp index a501d782..293093b5 100644 --- a/spec/acceptance/peadm_spec/plans/upgrade_test_cluster.pp +++ b/spec/acceptance/peadm_spec/plans/upgrade_test_cluster.pp @@ -16,12 +16,10 @@ $common_params = { download_mode => $download_mode, version => $version, - pe_installer_source => $pe_installer_source, permit_unsafe_versions => $permit_unsafe_versions, } - $arch_params = - case $architecture { + $arch_params = case $architecture { 'standard': {{ primary_host => $t.filter |$n| { $n.vars['role'] == 'primary' }, } } 
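Review bot: The staged path hard-codes `/tmp` while the install subplan (first commit) builds the same path from its `$uploaddir` parameter; if those defaults ever diverge, the pre-staged archive is silently ignored and the official tarball is downloaded instead, so the acceptance plan should pass the upload directory explicitly in `$common_params` or derive `$upload_tarball_path` from the same value. Minor: the `bolthost` branch spells the path twice — `local_path => "/tmp/${pe_tarball_name}",` can simply be `local_path => $upload_tarball_path,`. The whole staging block is repeated verbatim in `upgrade_test_cluster.pp` in the next commit. The enclosing plan starts outside this hunk.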
@@ -53,6 +51,26 @@ default: { fail('Invalid architecture!') } } + if $pe_installer_source { + $targets = $arch_params.values.flatten + $platform = run_task('peadm::precheck', $arch_params['primary_host']).first['platform'] + $pe_tarball_name = "puppet-enterprise-${version}-${platform}.tar.gz" + $upload_tarball_path = "/tmp/${pe_tarball_name}" + + if $download_mode == 'bolthost' { + run_plan('peadm::util::retrieve_and_upload', $targets, + source => $pe_installer_source, + local_path => "/tmp/${pe_tarball_name}", + upload_path => $upload_tarball_path, + ) + } else { + run_task('peadm::download', $targets, + source => $pe_installer_source, + path => $upload_tarball_path, + ) + } + } + $params = $arch_params + $common_params run_plan('peadm::upgrade', $params) }
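Review bot: This staging block is byte-for-byte the one added to `install_test_cluster.pp` in the previous commit, and it encodes assumptions shared with the production subplan (the `/tmp` upload directory and the `puppet-enterprise-${version}-${platform}.tar.gz` naming scheme), so a single helper plan under `spec/acceptance/peadm_spec/plans/` taking the targets, primary host, version, download mode and source would keep the two test plans from drifting. Also, if the spec plan's `version` parameter is optional (its declaration is outside this hunk), `$pe_tarball_name` is computed without a version whenever only `pe_installer_source` is given and the staged file can never match what `peadm::upgrade` looks for; guard with `if $pe_installer_source and !$version { fail_plan('version is required when pe_installer_source is set') }`. The enclosing plan starts outside this hunk.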