chef 18.0.185-x64-mingw-ucrt → 18.1.29-x64-mingw-ucrt

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c1122c2620c6af08992ae09d67f314ac5b96734570a645e2f9cd8884f2dd377
-  data.tar.gz: 20bc9d8e1ee79d6eb62643889f4eb03bacdc9da1bac21d3f80df2da1687a887e
+  metadata.gz: 937611f440a583a253b01525212c4d6214da8f25aee63891ab928b9a3d53de67
+  data.tar.gz: 7d69aeb9e4df6f13d76b464c08178f9935bc9be01eed136539d5d123315f0fea
 SHA512:
-  metadata.gz: 3afda04ca448d98ff93d09766628ce5482a8cefda00b1f08c86b46f5049e8d332e89dae62ac32226bf141ab27aac4491214dd855f65c96dcfb9b7493e93c96f4
-  data.tar.gz: 1081a2c6449d32ff1f922aeacdb25e1cfecd71d1b47491f626e8db533d9c29a64a06f8833f30ba82f4c606397061dd1392e994241e836b2e84c38a3f15edb59c
+  metadata.gz: 2bc789e6367a7ba5277f905d460f7b5390854f62c98f0ba07270e6659e7e70bb92b2d4fc64c8d87e524a972da75657f64022d3f01305558e00f90348f8d6811a
+  data.tar.gz: dea177b817a903ef86d7b8bacef0aca894ca778c26615339a041186276da976eb23abede8c47c1a3b9ee459a392961ff75fbc8532475186a1d21d77a1a528fde

data/Gemfile

@@ -37,9 +37,6 @@ group(:omnibus_package, :pry) do
   gem "pry-stack_explorer"
 end
 
-# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
-gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
-
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed

data/chef.gemspec

@@ -49,7 +49,8 @@ Gem::Specification.new do |s|
   s.add_dependency "net-ftp" # remote_file resource
   s.add_dependency "erubis", "~> 2.7" # template resource / cookbook syntax check
   s.add_dependency "diff-lcs", ">= 1.2.4", "!= 1.4.0", "< 1.6.0" # 1.4 breaks output. Used in lib/chef/util/diff
-  s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
+  # s.add_dependency "ffi-libarchive", "~> 1.0", ">= 1.0.3" # archive_file resource
+  s.add_dependency "ffi-libarchive", "~> 1.1", ">= 1.1.3"
   s.add_dependency "chef-zero", ">= 14.0.11"
   s.add_dependency "chef-vault" # chef-vault resources and helpers
 
@@ -61,7 +62,7 @@ Gem::Specification.new do |s|
   s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
-  s.add_dependency "proxifier", "~> 1.0"
+  s.add_dependency "proxifier2", "~> 1.1"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"

data/lib/chef/application/base.rb

@@ -386,8 +386,10 @@ class Chef::Application::Base < Chef::Application
     elsif uri.scheme == "s3"
       require "aws-sdk-s3" unless defined?(Aws::S3)
 
-      s3 = Aws::S3::Client.new
-      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      bucket_name = uri.hostname
+      s3 = Aws::S3::Client.new(region: s3_bucket_location(bucket_name))
+
+      object = s3.get_object(bucket: bucket_name, key: uri.path[1..-1])
       File.open(path, "wb") do |f|
         f.write(object.body.read)
       end
@@ -403,6 +405,20 @@ class Chef::Application::Base < Chef::Application
     end
   end
 
+  def s3_bucket_location(bucket_name)
+    s3 = Aws::S3::Client.new(region: aws_api_region)
+
+    resp = s3.get_bucket_location(bucket: bucket_name)
+    resp.location_constraint
+  rescue Aws::S3::Errors::AccessDenied => _e
+    Chef::Log.warn("Missing s3:GetBucketLocation privilege, trying currently configured region #{aws_api_region}")
+    aws_api_region
+  end
+
+  def aws_api_region
+    ENV["AWS_REGION"] || Aws.shared_config.region || Aws::EC2Metadata.new.get("/latest/meta-data/placement/region")
+  end
+
   def interval_run_chef_client
     if Chef::Config[:daemonize]
       Chef::Daemon.daemonize(ChefUtils::Dist::Infra::PRODUCT)

data/lib/chef/chef_fs/file_system.rb

@@ -140,17 +140,18 @@ class Chef
       def self.copy_to(pattern, src_root, dest_root, recurse_depth, options, ui = nil, format_path = nil)
         found_result = false
         error = false
+        result = {}
         list_pairs(pattern, src_root, dest_root).parallel_each do |src, dest|
           found_result = true
           new_dest_parent = get_or_create_parent(dest, options, ui, format_path)
-          child_error = copy_entries(src, dest, new_dest_parent, recurse_depth, options, ui, format_path)
+          child_error, result = copy_entries(src, dest, new_dest_parent, recurse_depth, options, ui, format_path)
           error ||= child_error
         end
         if !found_result && pattern.exact_path
           ui.error "#{pattern}: No such file or directory on remote or local" if ui
           error = true
         end
-        error
+        [error, result]
       end
 
       # Yield entries for children that are in either +a_root+ or +b_root+, with
@@ -275,6 +276,7 @@ class Chef
           # case we shouldn't waste time trying PUT if we know the file doesn't
           # exist.
           # Will need to decide how that works with checksums, though.
+          result = { "total" => 0, "success_count" => 0, "failed" => [] }
           error = false
           begin
             dest_path = format_path.call(dest_entry) if ui
@@ -290,6 +292,8 @@ class Chef
                       dest_entry.delete(true)
                       ui.output "Deleted extra entry #{dest_path} (purge is on)" if ui
                     rescue Chef::ChefFS::FileSystem::NotFoundError
+                      failure = { "src_path" => src_path, "reason" => "Entry #{dest_path} does not exist" }
+                      result["failed"].append(failure)
                       ui.output "Entry #{dest_path} does not exist. Nothing to do. (purge is on)" if ui
                     end
                   end
@@ -323,7 +327,7 @@ class Chef
                   if recurse_depth != 0
                     src_entry.children.parallel_each do |src_child|
                       new_dest_child = new_dest_dir.child(src_child.name)
-                      child_error = copy_entries(src_child, new_dest_child, new_dest_dir, recurse_depth ? recurse_depth - 1 : recurse_depth, options, ui, format_path)
+                      child_error, result = copy_entries(src_child, new_dest_child, new_dest_dir, recurse_depth ? recurse_depth - 1 : recurse_depth, options, ui, format_path)
                       error ||= child_error
                     end
                   end
@@ -339,14 +343,15 @@ class Chef
 
             else
               # Both exist.
-
               # If the entry can do a copy directly, do that.
               if dest_entry.respond_to?(:copy_from)
                 if options[:force] || compare(src_entry, dest_entry)[0] == false
                   if options[:dry_run]
                     ui.output "Would update #{dest_path}" if ui
                   else
+                    result["total"] += 1
                     dest_entry.copy_from(src_entry, options)
+                    result["success_count"] += 1
                     ui.output "Updated #{dest_path}" if ui
                   end
                 end
@@ -359,7 +364,7 @@ class Chef
                   # If both are directories, recurse into their children
                   if recurse_depth != 0
                     child_pairs(src_entry, dest_entry).parallel_each do |src_child, dest_child|
-                      child_error = copy_entries(src_child, dest_child, dest_entry, recurse_depth ? recurse_depth - 1 : recurse_depth, options, ui, format_path)
+                      child_error, result = copy_entries(src_child, dest_child, dest_entry, recurse_depth ? recurse_depth - 1 : recurse_depth, options, ui, format_path)
                       error ||= child_error
                     end
                   end
@@ -373,7 +378,6 @@ class Chef
                   ui.error("File #{src_path} is a regular file while file #{dest_path} is a directory\n") if ui
                   return
                 else
-
                   # Both are files!  Copy them unless we're sure they are the same.'
                   if options[:diff] == false
                     should_copy = false
@@ -389,7 +393,9 @@ class Chef
                       ui.output "Would update #{dest_path}" if ui
                     else
                       src_value = src_entry.read if src_value.nil?
+                      result["total"] += 1
                       dest_entry.write(src_value)
+                      result["success_count"] += 1
                       ui.output "Updated #{dest_path}" if ui
                     end
                   end
@@ -397,17 +403,25 @@ class Chef
               end
             end
           rescue RubyFileError => e
+            failure = { "src_path" => src_path, "reason" => e.reason }
+            result["failed"].append(failure)
             ui.warn "#{format_path.call(e.entry)} #{e.reason}." if ui
           rescue DefaultEnvironmentCannotBeModifiedError => e
+            failure = { "src_path" => src_path, "reason" => e.reason }
+            result["failed"].append(failure)
             ui.warn "#{format_path.call(e.entry)} #{e.reason}." if ui
           rescue OperationFailedError => e
+            failure = { "src_path" => src_path, "reason" => e.reason }
+            result["failed"].append(failure)
             ui.error "#{format_path.call(e.entry)} failed to #{e.operation}: #{e.message}" if ui
             error = true
           rescue OperationNotAllowedError => e
+            failure = { "src_path" => src_path, "reason" => e.reason }
+            result["failed"].append(failure)
             ui.error "#{format_path.call(e.entry)} #{e.reason}." if ui
             error = true
           end
-          error
+          [error, result]
         end
 
         def get_or_create_parent(entry, options, ui, format_path)

data/lib/chef/client.rb

@@ -66,6 +66,15 @@ class Chef
   class Client
     CRYPT_EXPORTABLE = 0x00000001
 
+    # adding these
+    # certstore 65536 == 0x00010000 == CurrentUser
+    # certstore 131072 == 0x00020000 == LocalMachine
+    # Reference: https://github.com/chef/win32-certstore/blob/main/lib/win32/certstore/mixin/crypto.rb#L90
+    CERT_SYSTEM_STORE_LOCAL_MACHINE                     = 0x00020000
+    CERT_SYSTEM_STORE_CURRENT_USER                      = 0x00010000
+    CERT_SYSTEM_STORE_SERVICES                          = 0x00050000
+    CERT_SYSTEM_STORE_USERS                             = 0x00060000
+
     attr_reader :local_context
 
     extend Chef::Mixin::Deprecation
@@ -674,9 +683,15 @@ class Chef
 
     # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
     # But is it already there?
+    # We're solving the multi-user scenario where both a system/admin user can run on the box but also someone without
+    # admin rights can also run correctly locally.
     def check_certstore_for_key(cert_name)
       require "win32-certstore"
-      win32certstore = ::Win32::Certstore.open("MY")
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
       win32certstore.search("#{cert_name}")
     end
 
@@ -783,8 +798,6 @@ class Chef
       require "time" unless defined?(Time)
       autoload :URI, "uri"
 
-      # KeyMigration.instance.key_migrated = true
-
       node = Chef::Config[:node_name]
       d = Time.now
       if d.month == 10 || d.month == 11 || d.month == 12
@@ -818,9 +831,13 @@ class Chef
       require "win32-certstore"
       tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
       File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
-
-      store = ::Win32::Certstore.open("MY")
-      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      # Need to determine where to store the key
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
+      win32certstore.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
       tempfile.unlink
     end
 

data/lib/chef/http/authenticator.rb

@@ -102,12 +102,12 @@ class Chef
         self.class.get_cert_password
       end
 
-      def encrypt_pfx_pass
-        self.class.encrypt_pfx_pass
+      def encrypt_pfx_pass_with_vector
+        self.class.encrypt_pfx_pass_with_vector
       end
 
-      def decrypt_pfx_pass
-        self.class.decrypt_pfx_pass
+      def decrypt_pfx_pass_with_vector
+        self.class.decrypt_pfx_pass_with_vector
       end
 
       # Detects if a private key exists in a certificate repository like Keychain (macOS) or Certificate Store (Windows)
@@ -123,9 +123,18 @@ class Chef
         end
       end
 
+      def self.get_cert_user
+        Chef::Config[:auth_key_registry_type] == "user" ? store = "CurrentUser" : store = "LocalMachine"
+      end
+
+      def self.get_registry_user
+        Chef::Config[:auth_key_registry_type] == "user" ? store = "HKEY_CURRENT_USER" : store = "HKEY_LOCAL_MACHINE"
+      end
+
       def self.check_certstore_for_key(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
+          $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse -Force  | Where-Object { $_.Subject -Match "chef-#{client_name}" } -ErrorAction Stop
           if (($cert.HasPrivateKey -eq $true) -and ($cert.PrivateKey.Key.ExportPolicy -ne "NonExportable")) {
             return $true
           }
@@ -164,49 +173,86 @@ class Chef
       end
 
       def self.get_cert_password
+        store = get_registry_user
         @win32registry = Chef::Win32::Registry.new
-        path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        path = "#{store}\\Software\\Progress\\Authentication"
         # does the registry key even exist?
-        present = @win32registry.get_values(path)
-        if present.nil? || present.empty?
+        # password_blob should be an array of hashes
+        password_blob = @win32registry.get_values(path)
+        if password_blob.nil? || password_blob.empty?
           raise Chef::Exceptions::Win32RegKeyMissing
         end
 
-        present.each do |secret|
-          if secret[:name] == "PfxPass"
-            password = decrypt_pfx_pass(secret[:data])
-            return password
+        # Did someone have just the password stored in the registry?
+        raw_data = password_blob.map { |x| x[:data] }
+        vector = raw_data[2]
+        if !!vector
+          decrypted_password = decrypt_pfx_pass_with_vector(password_blob)
+        else
+          decrypted_password = decrypt_pfx_pass_with_password(password_blob)
+          if !!decrypted_password
+            migrate_pass_to_use_vector(decrypted_password)
+          else
+            Chef::Log.error("Failed to retrieve certificate password")
           end
         end
-
-        raise Chef::Exceptions::Win32RegKeyMissing
-
+        decrypted_password
       rescue Chef::Exceptions::Win32RegKeyMissing
         # if we don't have a password, log that and generate one
-        Chef::Log.warn "Authentication Hive and values not present in registry, creating them now"
-        new_path = "HKEY_LOCAL_MACHINE\\Software\\Progress\\Authentication"
+        store = get_registry_user
+        new_path = "#{store}\\Software\\Progress\\Authentication"
         unless @win32registry.key_exists?(new_path)
           @win32registry.create_key(new_path, true)
         end
-        require "securerandom" unless defined?(SecureRandom)
-        size = 14
-        password = SecureRandom.alphanumeric(size)
-        encrypted_pass = encrypt_pfx_pass(password)
-        values = { name: "PfxPass", type: :string, data: encrypted_pass }
-        @win32registry.set_value(new_path, values)
-        password
+        create_and_store_new_password
       end
 
-      def self.encrypt_pfx_pass(password)
+      def self.encrypt_pfx_pass_with_vector(password)
         powershell_code = <<~CODE
-          $encrypted_string = ConvertTo-SecureString "#{password}" -AsPlainText -Force
-          $secure_string = ConvertFrom-SecureString $encrypted_string
-          return $secure_string
+          $AES = [System.Security.Cryptography.Aes]::Create()
+          $key_temp = [System.Convert]::ToBase64String($AES.Key)
+          $iv_temp = [System.Convert]::ToBase64String($AES.IV)
+          $encryptor = $AES.CreateEncryptor()
+          [System.Byte[]]$Bytes =  [System.Text.Encoding]::Unicode.GetBytes("#{password}")
+          $EncryptedBytes = $encryptor.TransformFinalBlock($Bytes,0,$Bytes.Length)
+          $EncryptedBase64String = [System.Convert]::ToBase64String($EncryptedBytes)
+          # create array of encrypted pass, key, iv
+          $password_blob = @($EncryptedBase64String, $key_temp, $iv_temp)
+          return $password_blob
         CODE
         powershell_exec!(powershell_code).result
       end
 
-      def self.decrypt_pfx_pass(password)
+      def self.decrypt_pfx_pass_with_vector(password_blob)
+        raw_data = password_blob.map { |x| x[:data] }
+        password = raw_data[0]
+        key = raw_data[1]
+        vector = raw_data[2]
+
+        powershell_code = <<~CODE
+          $KeyBytes = [System.Convert]::FromBase64String("#{key}")
+          $IVBytes = [System.Convert]::FromBase64String("#{vector}")
+          $aes = [System.Security.Cryptography.Aes]::Create()
+          $aes.Key = $KeyBytes
+          $aes.IV = $IVBytes
+          $EncryptedBytes = [System.Convert]::FromBase64String("#{password}")
+          $Decryptor = $aes.CreateDecryptor()
+          $DecryptedBytes = $Decryptor.TransformFinalBlock($EncryptedBytes,0,$EncryptedBytes.Length)
+          $DecryptedString = [System.Text.Encoding]::Unicode.GetString($DecryptedBytes)
+          return $DecryptedString
+        CODE
+        results = powershell_exec!(powershell_code).result
+      end
+
+      def self.decrypt_pfx_pass_with_password(password_blob)
+        password = ""
+        password_blob.each do |secret|
+          if secret[:name] == "PfxPass"
+            password = secret[:data]
+          else
+            Chef::Log.error("Failed to retrieve a password for the private key")
+          end
+        end
         powershell_code = <<~CODE
           $secure_string = "#{password}" | ConvertTo-SecureString
           $string = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((($secure_string))))
@@ -215,14 +261,49 @@ class Chef
         powershell_exec!(powershell_code).result
       end
 
-      def self.retrieve_certificate_key(client_name)
-        require "openssl" unless defined?(OpenSSL)
+      def self.migrate_pass_to_use_vector(password)
+        store = get_cert_user
+        corrected_store = (store == "CurrentUser" ? "HKCU" : "HKLM")
+        powershell_code = <<~CODE
+          Remove-ItemProperty -Path "#{corrected_store}:\\Software\\Progress\\Authentication" -Name "PfXPass"
+        CODE
+        powershell_exec!(powershell_code)
+        create_and_store_new_password(password)
+      end
 
+      # This method name is a bit of a misnomer. We call it to legit create a new password using the vector format.
+      # But we also call it with a password that needs to be migrated to use the vector format too.
+      def self.create_and_store_new_password(password = nil)
+        @win32registry = Chef::Win32::Registry.new
+        store = get_registry_user
+        path = "#{store}\\Software\\Progress\\Authentication"
+        if password.nil?
+          require "securerandom" unless defined?(SecureRandom)
+          size = 14
+          password = SecureRandom.alphanumeric(size)
+        end
+        encrypted_blob = encrypt_pfx_pass_with_vector(password)
+        encrypted_password = encrypted_blob[0]
+        key = encrypted_blob[1]
+        vector = encrypted_blob[2]
+        values = [
+                  { name: "PfxPass", type: :string, data: encrypted_password },
+                  { name: "PfxKey", type: :string, data: key },
+                  { name: "PfxIV", type: :string, data: vector },
+                ]
+        values.each do |i|
+          @win32registry.set_value(path, i)
+        end
+        password
+      end
+
+      def self.retrieve_certificate_key(client_name)
         if ChefUtils.windows?
+          require "openssl" unless defined?(OpenSSL)
           password = get_cert_password
           return false unless password
 
-          if check_certstore_for_key(client_name)
+          if !!check_certstore_for_key(client_name)
             ps_blob = powershell_exec!(get_the_key_ps(client_name, password)).result
             file_path = ps_blob["PSPath"].split("::")[1]
             pkcs = OpenSSL::PKCS12.new(File.binread(file_path), password)
@@ -252,10 +333,11 @@ class Chef
       end
 
       def self.get_the_key_ps(client_name, password)
+        store = get_cert_user
         powershell_code = <<~CODE
             Try {
               $my_pwd = ConvertTo-SecureString -String "#{password}" -Force -AsPlainText;
-              $cert = Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
+              $cert = Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } -ErrorAction Stop;
               $tempfile = [System.IO.Path]::GetTempPath() + "export_pfx.pfx";
               Export-PfxCertificate -Cert $cert -Password $my_pwd -FilePath $tempfile;
             }
@@ -266,8 +348,9 @@ class Chef
       end
 
       def self.delete_old_key_ps(client_name)
+        store = get_cert_user
         powershell_code = <<~CODE
-          Get-ChildItem -path cert:\\LocalMachine\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
+          Get-ChildItem -path cert:\\#{store}\\My -Recurse | Where-Object { $_.Subject -match "chef-#{client_name}$" } | Remove-Item -ErrorAction Stop;
         CODE
       end
 

data/lib/chef/mixin/proxified_socket.rb

@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 
-require "proxifier"
+require "proxifier2"
 require "chef-config/mixin/fuzzy_hostname_matcher"
 
 class Chef

data/lib/chef/property.rb

@@ -307,7 +307,7 @@ class Chef
     #
     def required?(action = nil)
       if !action.nil? && options[:required].is_a?(Array)
-        options[:required].include?(action)
+        (options[:required] & Array(action)).any?
       else
         !!options[:required]
       end
@@ -426,7 +426,7 @@ class Chef
         end
       end
 
-      if value.nil? && required?
+      if value.nil? && required?(resource_action(resource))
         raise Chef::Exceptions::ValidationFailed, "#{name} is a required property"
       else
         value
@@ -455,7 +455,7 @@ class Chef
         Chef.deprecated(:property, options[:deprecated])
       end
 
-      if value.nil? && required?
+      if value.nil? && required?(resource_action(resource))
         raise Chef::Exceptions::ValidationFailed, "#{name} is a required property"
       else
         value
@@ -768,5 +768,10 @@ class Chef
       end
       visitor.call(value)
     end
+
+    # action from resource, if available
+    def resource_action(resource)
+      resource.action if resource.respond_to?(:action)
+    end
   end
 end

data/lib/chef/provider/launchd.rb

@@ -153,6 +153,7 @@ class Chef
           "program" => "Program",
           "program_arguments" => "ProgramArguments",
           "abandon_process_group" => "AbandonProcessGroup",
+          "associated_bundle_identifiers" => "AssociatedBundleIdentifiers",
           "debug" => "Debug",
           "disabled" => "Disabled",
           "enable_globbing" => "EnableGlobbing",

data/lib/chef/provider/package/yum/yum_helper.py

@@ -53,16 +53,14 @@ def install_only_packages(base, name):
     outpipe.flush()
 
 def query(base, command):
-    enabled_repos = base.repos.listEnabled()
-
     # Handle any repocontrols passed in with our options
 
     if 'repos' in command:
         for repo in command['repos']:
             if 'enable' in repo:
                 base.repos.enableRepo(repo['enable'])
-        if 'disable' in repo:
-            base.repos.disableRepo(repo['disable'])
+            if 'disable' in repo:
+                base.repos.disableRepo(repo['disable'])
 
     args = { 'name': command['provides'] }
     do_nevra = False
@@ -94,8 +92,8 @@ def query(base, command):
     #     then the result was searchNevra'd.  please be extremely careful if attempting to fix that
     #     since searchNevra does not support prco tuples.
     if bool(re.search('\\s+', command['provides'])):
-        # handles flags (<, >, =, etc) and versions, but no wildcareds
-        # raises error for any invalid input like: 'FOO BAR BAZ' 
+        # handles flags (<, >, =, etc) and versions, but no wildcards
+        # raises error for any invalid input like: 'FOO BAR BAZ'
         pkgs = obj.getProvides(*string_to_prco_tuple(command['provides']))
     elif do_nevra:
         # now if we're given version or arch properties explicitly, then we do a SearchNevra.
@@ -123,16 +121,6 @@ def query(base, command):
         outpipe.write("%(n)s %(e)s:%(v)s-%(r)s %(a)s\n" % { 'n': pkg.name, 'e': pkg.epoch, 'v': pkg.version, 'r': pkg.release, 'a': pkg.arch })
         outpipe.flush()
 
-    # Reset any repos we were passed in enablerepo/disablerepo to the original state in enabled_repos
-    if 'repos' in command:
-        for repo in command['repos']:
-            if 'enable' in repo:
-                if base.repos.getRepo(repo['enable']) not in enabled_repos:
-                    base.repos.disableRepo(repo['enable'])
-        if 'disable' in repo:
-            if base.repos.getRepo(repo['disable']) in enabled_repos:
-                base.repos.enableRepo(repo['disable'])
-
 # the design of this helper is that it should try to be 'brittle' and fail hard and exit in order
 # to keep process tables clean.  additional error handling should probably be added to the retry loop
 # on the ruby side.
@@ -178,7 +166,7 @@ try:
 
         try:
             command = json.loads(line)
-        except ValueError, e:
+        except ValueError as e:
             raise RuntimeError("bad json parse")
 
         if base is None:

data/lib/chef/provider/yum_repository.rb

@@ -44,7 +44,12 @@ class Chef
           mode new_resource.mode
           if new_resource.make_cache
             notifies :run, "execute[yum clean metadata #{new_resource.repositoryid}]", :immediately if new_resource.clean_metadata || new_resource.clean_headers
-            notifies :run, "execute[yum-makecache-#{new_resource.repositoryid}]", :immediately
+            # makecache fast only works on non-dnf systems.
+            if !which "dnf" && new_resource.makecache_fast
+              notifies :run, "execute[yum-makecache-fast-#{new_resource.repositoryid}]", :immediately
+            else
+              notifies :run, "execute[yum-makecache-#{new_resource.repositoryid}]", :immediately
+            end
             notifies :flush_cache, "package[package-cache-reload-#{new_resource.repositoryid}]", :immediately
           end
         end
@@ -63,6 +68,13 @@ class Chef
             only_if { new_resource.enabled }
           end
 
+          # download only the minimum required metadata
+          execute "yum-makecache-fast-#{new_resource.repositoryid}" do
+            command "yum -q -y makecache fast --disablerepo=* --enablerepo=#{new_resource.repositoryid}"
+            action :nothing
+            only_if { new_resource.enabled }
+          end
+
           package "package-cache-reload-#{new_resource.repositoryid}" do
             action :nothing
           end

data/lib/chef/resource/apt_repository.rb

@@ -187,6 +187,24 @@ class Chef
           end.compact
         end
 
+        # run the specified command and extract the public key ids
+        # accepts the command so it can be used to extract both the current keys
+        # and the new keys
+        # @param [Array<String>] cmd the command to run
+        #
+        # @return [Array] an array of key ids
+        def extract_public_keys_from_cmd(*cmd)
+          so = shell_out(*cmd)
+          # Sample output
+          # pub:-:4096:1:D94AA3F0EFE21092:1336774248:::-:::scSC::::::23::0:
+          so.stdout.split(/\n/).map do |t|
+            if t.match(/^pub:/)
+              f = t.split(":")
+              f.slice(0, 6).join(":")
+            end
+          end.compact
+        end
+
         # validate the key against the apt keystore to see if that version is expired
         # @param [String] key
         #
@@ -222,8 +240,8 @@ class Chef
         def no_new_keys?(file)
           # Now we are using the option --with-colons that works across old os versions
           # as well as the latest (16.10). This for both `apt-key` and `gpg` commands
-          installed_keys = extract_fingerprints_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
-          proposed_keys = extract_fingerprints_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
+          installed_keys = extract_public_keys_from_cmd(*LIST_APT_KEY_FINGERPRINTS)
+          proposed_keys = extract_public_keys_from_cmd("gpg", "--with-fingerprint", "--with-colons", file)
           (installed_keys & proposed_keys).sort == proposed_keys.sort
         end