chef 18.1.0-x64-mingw-ucrt → 18.2.7-x64-mingw-ucrt

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 448a7d27ab27f9a0c39566270e5d99dfa5717ba32bd893505fd3f1d9d50ad339
-  data.tar.gz: be60df259d416a70dc1c6447edab19ec1d4b9fb32f1429a4fc09c62c4cb8e022
+  metadata.gz: a313783b0386b4ed50ef119bf7b37e014adccab2341396d7d11c9bc0e5a6ce3d
+  data.tar.gz: 74be0fa290f08d00d77b0cdb68caf7dd84b929ce289fd2b80b11114a488f0597
 SHA512:
-  metadata.gz: 833f265e523ce7924016ee802f599548361c94ec5e837f85b1263a39935f5a8443953b06d9b753fe2cbc154d0d9a6f1d5fd363caaaf2a14ccab08f6d952344ee
-  data.tar.gz: 25c72dc0a3d5e6e4a6c414ecea9260a363b033a657d1626cdf1cdd6be683a8f51968655715b5b693e643bbf44b605c99d27d98d6cdf6a58d0d1481f43e687300
+  metadata.gz: ddafcb71010f1ef7bf289d450b2d2851016d9e3cae93fb04b9fcc17255fdba206ae105eaf585f56aebce0c9e1284a7fe07da198dae33796d714b47fb1a269ad9
+  data.tar.gz: cece71ceaef6808e4c9b966d906004e8ecc5bbfc3102f4bbcf619d28e9fd27acd22799fffe34ab4c19c7e4acd74e3823333a9870df9546881316431ad98f27ad

data/Gemfile

@@ -37,9 +37,6 @@ group(:omnibus_package, :pry) do
   gem "pry-stack_explorer"
 end
 
-# proxifier gem is busted on ruby 3.1 and seems abandoned so use git fork of gem
-gem "proxifier", git: "https://github.com/chef/ruby-proxifier", branch: "lcg/ruby-3"
-
 # Everything except AIX and Windows
 group(:ruby_shadow) do
   # if ruby-shadow does a release that supports ruby-3.0 this can be removed

data/chef-universal-mingw-ucrt.gemspec

@@ -15,9 +15,9 @@ gemspec.add_dependency "wmi-lite", "~> 1.0"
 gemspec.add_dependency "win32-taskscheduler", "~> 2.0"
 gemspec.add_dependency "iso8601", ">= 0.12.1", "< 0.14" # validate 0.14 when it comes out
 gemspec.add_dependency "win32-certstore", "~> 0.6.15" # 0.5+ required for specifying user vs. system store
-gemspec.add_dependency "chef-powershell", "~> 1.0.12" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
+gemspec.add_dependency "chef-powershell", "~> 18.0.0" # The guts of the powershell_exec code have been moved to its own gem, chef-powershell. It's part of the chef-powershell-shim repo.
 
 gemspec.extensions << "ext/win32-eventlog/Rakefile"
 gemspec.files += Dir.glob("{distro,ext}/**/*")
 
-gemspec
+gemspec

data/chef.gemspec

@@ -61,7 +61,7 @@ Gem::Specification.new do |s|
   s.add_dependency "unf_ext", ">= 0.0.8.2" # This is ruby31 compatible ucrt gem version
   s.add_dependency "corefoundation", "~> 0.3.4" # macos_userdefaults resource
 
-  s.add_dependency "proxifier", "~> 1.0"
+  s.add_dependency "proxifier2", "~> 1.1"
 
   s.add_dependency "aws-sdk-s3", "~> 1.91" # s3 recipe-url support
   s.add_dependency "aws-sdk-secretsmanager", "~> 1.46"

data/distro/powershell/chef/chef.psm1

@@ -0,0 +1,459 @@
+
+function Load-Win32Bindings {
+  Add-Type -TypeDefinition @"
+using System;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+
+namespace Chef
+{
+
+[StructLayout(LayoutKind.Sequential)]
+public struct PROCESS_INFORMATION
+{
+  public IntPtr hProcess;
+  public IntPtr hThread;
+  public uint dwProcessId;
+  public uint dwThreadId;
+}
+
+[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+public struct STARTUPINFO
+{
+  public uint cb;
+  public string lpReserved;
+  public string lpDesktop;
+  public string lpTitle;
+  public uint dwX;
+  public uint dwY;
+  public uint dwXSize;
+  public uint dwYSize;
+  public uint dwXCountChars;
+  public uint dwYCountChars;
+  public uint dwFillAttribute;
+  public STARTF dwFlags;
+  public ShowWindow wShowWindow;
+  public short cbReserved2;
+  public IntPtr lpReserved2;
+  public IntPtr hStdInput;
+  public IntPtr hStdOutput;
+  public IntPtr hStdError;
+}
+
+[StructLayout(LayoutKind.Sequential)]
+public struct SECURITY_ATTRIBUTES
+{
+  public int length;
+  public IntPtr lpSecurityDescriptor;
+  public bool bInheritHandle;
+}
+
+[Flags]
+public enum CreationFlags : int
+{
+  NONE = 0,
+  DEBUG_PROCESS = 0x00000001,
+  DEBUG_ONLY_THIS_PROCESS = 0x00000002,
+  CREATE_SUSPENDED = 0x00000004,
+  DETACHED_PROCESS = 0x00000008,
+  CREATE_NEW_CONSOLE = 0x00000010,
+  CREATE_NEW_PROCESS_GROUP = 0x00000200,
+  CREATE_UNICODE_ENVIRONMENT = 0x00000400,
+  CREATE_SEPARATE_WOW_VDM = 0x00000800,
+  CREATE_SHARED_WOW_VDM = 0x00001000,
+  CREATE_PROTECTED_PROCESS = 0x00040000,
+  EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
+  CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
+  CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
+  CREATE_DEFAULT_ERROR_MODE = 0x04000000,
+  CREATE_NO_WINDOW = 0x08000000,
+}
+
+[Flags]
+public enum STARTF : uint
+{
+  STARTF_USESHOWWINDOW = 0x00000001,
+  STARTF_USESIZE = 0x00000002,
+  STARTF_USEPOSITION = 0x00000004,
+  STARTF_USECOUNTCHARS = 0x00000008,
+  STARTF_USEFILLATTRIBUTE = 0x00000010,
+  STARTF_RUNFULLSCREEN = 0x00000020,  // ignored for non-x86 platforms
+  STARTF_FORCEONFEEDBACK = 0x00000040,
+  STARTF_FORCEOFFFEEDBACK = 0x00000080,
+  STARTF_USESTDHANDLES = 0x00000100,
+}
+
+public enum ShowWindow : short
+{
+    SW_HIDE = 0,
+    SW_SHOWNORMAL = 1,
+    SW_NORMAL = 1,
+    SW_SHOWMINIMIZED = 2,
+    SW_SHOWMAXIMIZED = 3,
+    SW_MAXIMIZE = 3,
+    SW_SHOWNOACTIVATE = 4,
+    SW_SHOW = 5,
+    SW_MINIMIZE = 6,
+    SW_SHOWMINNOACTIVE = 7,
+    SW_SHOWNA = 8,
+    SW_RESTORE = 9,
+    SW_SHOWDEFAULT = 10,
+    SW_FORCEMINIMIZE = 11,
+    SW_MAX = 11
+}
+
+public enum StandardHandle : int
+{
+  Input = -10,
+  Output = -11,
+  Error = -12
+}
+
+public enum HandleFlags : int
+{
+  HANDLE_FLAG_INHERIT = 0x00000001,
+  HANDLE_FLAG_PROTECT_FROM_CLOSE = 0x00000002
+}
+
+public static class Kernel32
+{
+  [DllImport("kernel32.dll", SetLastError=true)]
+  [return: MarshalAs(UnmanagedType.Bool)]
+  public static extern bool CreateProcess(
+    string lpApplicationName,
+    string lpCommandLine,
+    ref SECURITY_ATTRIBUTES lpProcessAttributes,
+    ref SECURITY_ATTRIBUTES lpThreadAttributes,
+    [MarshalAs(UnmanagedType.Bool)] bool bInheritHandles,
+    CreationFlags dwCreationFlags,
+    IntPtr lpEnvironment,
+    string lpCurrentDirectory,
+    ref STARTUPINFO lpStartupInfo,
+    out PROCESS_INFORMATION lpProcessInformation);
+
+  [DllImport("kernel32.dll", SetLastError=true)]
+  public static extern IntPtr GetStdHandle(
+    StandardHandle nStdHandle);
+    
+  [DllImport("kernel32.dll")]
+  public static extern bool SetHandleInformation(
+    IntPtr hObject, 
+    int dwMask, 
+    uint dwFlags);
+
+  [DllImport("kernel32", SetLastError=true)]
+  [return: MarshalAs(UnmanagedType.Bool)]
+  public static extern bool CloseHandle(
+    IntPtr hObject);
+
+  [DllImport("kernel32", SetLastError=true)]
+  [return: MarshalAs(UnmanagedType.Bool)]
+  public static extern bool GetExitCodeProcess(
+    IntPtr hProcess,
+    out int lpExitCode);
+    
+  [DllImport("kernel32.dll", SetLastError = true)]
+  public static extern bool CreatePipe(
+    out IntPtr phReadPipe, 
+    out IntPtr phWritePipe, 
+    IntPtr lpPipeAttributes, 
+    uint nSize);
+        
+  [DllImport("kernel32.dll", SetLastError = true)]
+  public static extern bool ReadFile(
+    IntPtr hFile, 
+    [Out] byte[] lpBuffer, 
+    uint nNumberOfBytesToRead, 
+    ref int lpNumberOfBytesRead, 
+    IntPtr lpOverlapped);
+
+  [DllImport("kernel32.dll", SetLastError = true)]
+  public static extern bool PeekNamedPipe(
+    IntPtr handle,
+    byte[] buffer, 
+    uint nBufferSize, 
+    ref uint bytesRead,
+    ref uint bytesAvail, 
+    ref uint BytesLeftThisMessage);
+
+  public const int STILL_ACTIVE = 259;
+}
+}
+"@
+}
+
+function Run-ExecutableAndWait($AppPath, $ArgumentString) {
+  # Use the Win32 API to create a new process and wait for it to terminate.
+  $null = Load-Win32Bindings
+
+  $si = New-Object Chef.STARTUPINFO
+  $pi = New-Object Chef.PROCESS_INFORMATION
+
+  $pSec = New-Object Chef.SECURITY_ATTRIBUTES
+  $pSec.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($pSec)
+  $pSec.bInheritHandle = $true
+  $tSec = New-Object Chef.SECURITY_ATTRIBUTES
+  $tSec.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($tSec)
+  $tSec.bInheritHandle = $true
+
+  # Create pipe for process stdout
+  $ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf($si))
+  [System.Runtime.InteropServices.Marshal]::StructureToPtr($pSec, $ptr, $true)
+  $hReadOut = [IntPtr]::Zero
+  $hWriteOut = [IntPtr]::Zero
+  $success = [Chef.Kernel32]::CreatePipe([ref] $hReadOut, [ref] $hWriteOut, $ptr, 0)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to create output pipe.  Error code $reason."
+  }
+  $success = [Chef.Kernel32]::SetHandleInformation($hReadOut, [Chef.HandleFlags]::HANDLE_FLAG_INHERIT, 0)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to set output pipe handle information.  Error code $reason."
+  }
+
+  $si.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($si)
+  $si.wShowWindow = [Chef.ShowWindow]::SW_SHOW
+  $si.dwFlags = [Chef.STARTF]::STARTF_USESTDHANDLES
+  $si.hStdOutput = $hWriteOut
+  $si.hStdError = $hWriteOut
+  $si.hStdInput = [Chef.Kernel32]::GetStdHandle([Chef.StandardHandle]::Input)
+  
+  $success = [Chef.Kernel32]::CreateProcess(
+      $AppPath, 
+      $ArgumentString, 
+      [ref] $pSec, 
+      [ref] $tSec, 
+      $true, 
+      [Chef.CreationFlags]::NONE, 
+      [IntPtr]::Zero, 
+      $pwd, 
+      [ref] $si, 
+      [ref] $pi
+  )
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to create process [$ArgumentString].  Error code $reason."
+  }
+
+  $buffer = New-Object byte[] 1024
+
+  # Initialize reference variables
+  $bytesRead = 0
+  $bytesAvailable = 0
+  $bytesLeftThisMsg = 0
+  $global:LASTEXITCODE = [Chef.Kernel32]::STILL_ACTIVE
+
+  $isActive = $true
+  while ($isActive) {
+    $success = [Chef.Kernel32]::GetExitCodeProcess($pi.hProcess, [ref] $global:LASTEXITCODE)
+    if (-Not $success) {
+      $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+      throw "Process exit code unavailable.  Error code $reason."
+    }
+
+    $success = [Chef.Kernel32]::PeekNamedPipe(
+        $hReadOut, 
+        $null, 
+        $buffer.Length, 
+        [ref] $bytesRead, 
+        [ref] $bytesAvailable, 
+        [ref] $bytesLeftThisMsg
+    )
+    if (-Not $success) {
+      $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+      throw "Output pipe unavailable for peeking.  Error code $reason."
+    }
+
+    if ($bytesRead -gt 0) {
+      while ([Chef.Kernel32]::ReadFile($hReadOut, $buffer, $buffer.Length, [ref] $bytesRead, 0)) {
+        $output = [Text.Encoding]::UTF8.GetString($buffer, 0, $bytesRead)
+        if ($output) {
+          $output
+        }
+        if ($bytesRead -lt $buffer.Length) {
+          # Partial buffer indicating the end of stream, break out of ReadFile loop
+          # ReadFile will block until:
+          #    The number of bytes requested is read.
+          #    A write operation completes on the write end of the pipe.
+          #    An asynchronous handle is being used and the read is occurring asynchronously.
+          #    An error occurs.
+          break
+        }
+      }
+    } else {
+      # For some reason, you can't read from the read-end of the read-pipe before the write end has started
+      # to write.  Otherwise the process just blocks forever and never returns from the read.  So we peek
+      # at the pipe until there is something.  But don't peek too eagerly.  This is stupid stupid stupid.
+      # There must be a way to do this without having to peek at a pipe first but I have not found it.
+      #
+      # Note to the future intrepid soul who wants to fix this:
+      # 0) This is related to unreasonable CPU usage by the wrapper PS script on a 1 VCPU VM (either Hyper-V
+      #    or VirtualBox) running a consumer Windows SKU (Windows 10 for example...).  Test it there.
+      # 1) Maybe this entire script is unnecessary and the bugs mentioned below have been fixed or don't need
+      #    to be supported.
+      # 2) The server and consumer windows schedulers have different defaults. I had a hard time reproducing
+      #    any issue on a win 2008 on win 2012 server default setup.  See the "foreground application scheduler
+      #    priority" setting to see if it's relevant.
+      # 3) This entire endeavor is silly anyway - why are we reimplementing process forking all over? Maybe try
+      #    to get the folks above to accept patches instead of extending this crazy script.
+      Start-Sleep -s 1
+      # Start-Sleep -m 100
+    }
+    
+    if ($global:LASTEXITCODE -ne [Chef.Kernel32]::STILL_ACTIVE) {
+      $isActive = $false
+    }
+  }
+
+  # Cleanup handles
+  $success = [Chef.Kernel32]::CloseHandle($pi.hProcess)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to release process handle.  Error code $reason."
+  }
+  $success = [Chef.Kernel32]::CloseHandle($pi.hThread)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to release thread handle.  Error code $reason."
+  }
+  $success = [Chef.Kernel32]::CloseHandle($hWriteOut)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to release output write handle.  Error code $reason."
+  }
+  $success = [Chef.Kernel32]::CloseHandle($hReadOut)
+  if (-Not $success) {
+    $reason = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
+    throw "Unable to release output read handle.  Error code $reason."
+  }
+  [System.Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
+}
+
+function Get-ScriptDirectory {
+  if (!$PSScriptRoot) {
+    $Invocation = (Get-Variable MyInvocation -Scope 1).Value
+    $PSScriptRoot = Split-Path $Invocation.MyCommand.Path
+  }
+  $PSScriptRoot
+}
+
+function Run-RubyCommand($command, $argList) {
+  # This method exists to take the given list of arguments and get it past ruby's command-line
+  # interpreter unscathed and untampered.  See https://github.com/ruby/ruby/blob/trunk/win32/win32.c#L1582
+  # for a list of transformations that ruby attempts to perform with your command-line arguments
+  # before passing it onto a script.  The most important task is to defeat the globbing
+  # and wild-card expansion that ruby performs.  Note that ruby does not use MSVCRT's argc/argv
+  # and deliberately reparses the raw command-line instead.
+  #
+  # To stop ruby from interpreting command-line arguments as globs, they need to be enclosed in '
+  # Ruby doesn't allow any escape characters inside '.  This unfortunately prevents us from sending
+  # any strings which themselves contain '.  Ruby does allow multi-fragment arguments though.
+  # "foo bar"'baz qux'123"foo" is interpreted as 1 argument because there are no un-escaped
+  # whitespace there.  The argument would be interpreted as the string "foo barbaz qux123foo".
+  # This lets us escape ' characters by exiting the ' quoted string, injecting a "'" fragment and
+  # then resuming the ' quoted string again.
+  #
+  # In the process of defeating ruby, one must also defeat the helpfulness of powershell.
+  # When arguments come into this method, the standard PS rules for interpreting cmdlet arguments
+  # apply.  When using & (call operator) and providing an array of arguments, powershell (verified
+  # on PS 4.0 on Windows Server 2012R2) will not evaluate them but (contrary to documentation),
+  # it will still marginally interpret them.  The behavior of PS 5.0 seems to be different but
+  # ignore that for now.  If any of the provided arguments has a space in it, powershell checks
+  # the first and last character to ensure that they are " characters (and that's all it checks).
+  # If they are not, it will blindly surround that argument with " characters.  It won't do this
+  # operation if no space is present, even if other special characters are present. If it notices
+  # leading and trailing " characters, it won't actually check to see if there are other "
+  # characters in the string.  Since PS 5.0 changes this behavior, we could consider using the --%
+  # "stop screwing up my arguments" operator, which is available since PS 3.0.  When encountered
+  # --% indicates that the rest of line is to be sent literally...  except if the parser encounters
+  # %FOO% cmd style environment variables.  Because reasons.  And there is no way to escape the
+  # % character in *any* waym shape or form.
+  # https://connect.microsoft.com/PowerShell/feedback/details/376207/executing-commands-which-require-quotes-and-variables-is-practically-impossible
+  #
+  # In case you think that you're either reading this incorrectly or that I'm full of shit, here
+  # are some examples.  These use EchoArgs.exe from the PowerShell Community Extensions package.
+  # I have not included the argument parsing output from EchoArgs.exe to prevent confusing you with
+  # more details about MSVCRT's parsing algorithm.
+  #
+  # $x = "foo '' bar `"baz`""
+  # & EchoArgs @($x, $x)
+  # Command line:
+  # "C:\Program Files (x86)\PowerShell Community Extensions\Pscx3\Pscx\Apps\EchoArgs.exe"  "foo '' bar "baz"" "foo '' bar "baz""
+  #
+  # $x = "abc'123'nospace`"lol`"!!!"
+  # & EchoArgs @($x, $x)
+  # Command line:
+  # "C:\Program Files (x86)\PowerShell Community Extensions\Pscx3\Pscx\Apps\EchoArgs.exe"  abc'123'nospace"lol"!!! abc'123'nospace"lol"!!!
+  #
+  # $x = "`"`"Look ma! Tonnes of spaces! 'foo' 'bar'`"`""
+  # & EchoArgs @($x, $x)
+  # Command line:
+  # "C:\Program Files (x86)\PowerShell Community Extensions\Pscx3\Pscx\Apps\EchoArgs.exe"  ""Look ma! Tonnes of spaces! 'foo' 'bar'"" ""Look ma! Tonnes of spaces! 'foo' 'bar'""
+  #
+  # Given all this, we can now device a strategy to work around all these immensely helpful, well
+  # documented and useful tools by looking at each incoming argument, escaping any ' characters
+  # with a '"'"' sequence, surrounding each argument with ' & joining them with a space separating
+  # them.
+  # There is another bug (https://bugs.ruby-lang.org/issues/11142) that causes ruby to mangle any
+  # "" two-character double quote sequence but since we always emit our strings inside ' except for
+  # ' characters, this should be ok.  Just remember that an argument '' should get translated to
+  # ''"'"''"'"'' on the command line.  If those intervening empty ''s are not present, the presence
+  # of "" will cause ruby to mangle that argument.
+  $transformedList = $argList | foreach { "'" + ( $_ -replace "'","'`"'`"'" ) + "'" }
+  $fortifiedArgString = $transformedList -join ' '
+
+  # Use the correct embedded ruby path.  We'll be deployed at a path that looks like
+  # [C:\opscode or some other prefix]\chef\modules\chef
+  $ruby = Join-Path (Get-ScriptDirectory)  "..\..\embedded\bin\ruby.exe"
+  $commandPath = Join-Path (Get-ScriptDirectory) "..\..\bin\$command"
+
+  Run-ExecutableAndWait $ruby """$ruby"" '$commandPath' $fortifiedArgString"
+}
+
+
+function chef-apply {
+  Run-RubyCommand 'chef-apply' $args
+}
+
+function chef-client {
+  Run-RubyCommand 'chef-client' $args
+}
+
+function chef-service-manager {
+  Run-RubyCommand 'chef-service-manager' $args
+}
+
+function chef-shell {
+  Run-RubyCommand 'chef-shell' $args
+}
+
+function chef-solo {
+  Run-RubyCommand 'chef-solo' $args
+}
+
+function chef-windows-service {
+  Run-RubyCommand 'chef-windows-service' $args
+}
+
+function knife {
+  Run-RubyCommand 'knife' $args
+}
+
+Export-ModuleMember -function chef-apply
+Export-ModuleMember -function chef-client
+Export-ModuleMember -function chef-service-manager
+Export-ModuleMember -function chef-shell
+Export-ModuleMember -function chef-solo
+Export-ModuleMember -function chef-windows-service
+Export-ModuleMember -function knife
+
+# To debug this module, uncomment the line below
+# Export-ModuleMember -function Run-RubyCommand
+
+# Then run the following to reload the module.  Use puts_argv as a helpful debug executable.
+# Remove-Module chef
+# Import-Module chef
+# "puts ARGV" | Out-File C:\opscode\chef\bin\puts_args -Encoding ASCII
+# Copy-Item C:\opscode\chef\bin\ohai.bat C:\opscode\chef\bin\puts_args.bat
+# Run-RubyCommand puts_args 'Here' "are" some '"very interesting"' 'arguments[to]' "`"try out`""

data/lib/chef/application/base.rb

@@ -386,8 +386,10 @@ class Chef::Application::Base < Chef::Application
     elsif uri.scheme == "s3"
       require "aws-sdk-s3" unless defined?(Aws::S3)
 
-      s3 = Aws::S3::Client.new
-      object = s3.get_object(bucket: uri.hostname, key: uri.path[1..-1])
+      bucket_name = uri.hostname
+      s3 = Aws::S3::Client.new(region: s3_bucket_location(bucket_name))
+
+      object = s3.get_object(bucket: bucket_name, key: uri.path[1..-1])
       File.open(path, "wb") do |f|
         f.write(object.body.read)
       end
@@ -403,6 +405,20 @@ class Chef::Application::Base < Chef::Application
     end
   end
 
+  def s3_bucket_location(bucket_name)
+    s3 = Aws::S3::Client.new(region: aws_api_region)
+
+    resp = s3.get_bucket_location(bucket: bucket_name)
+    resp.location_constraint
+  rescue Aws::S3::Errors::AccessDenied => _e
+    Chef::Log.warn("Missing s3:GetBucketLocation privilege, trying currently configured region #{aws_api_region}")
+    aws_api_region
+  end
+
+  def aws_api_region
+    ENV["AWS_REGION"] || Aws.shared_config.region || Aws::EC2Metadata.new.get("/latest/meta-data/placement/region")
+  end
+
   def interval_run_chef_client
     if Chef::Config[:daemonize]
       Chef::Daemon.daemonize(ChefUtils::Dist::Infra::PRODUCT)

data/lib/chef/client.rb

@@ -66,6 +66,15 @@ class Chef
   class Client
     CRYPT_EXPORTABLE = 0x00000001
 
+    # adding these
+    # certstore 65536 == 0x00010000 == CurrentUser
+    # certstore 131072 == 0x00020000 == LocalMachine
+    # Reference: https://github.com/chef/win32-certstore/blob/main/lib/win32/certstore/mixin/crypto.rb#L90
+    CERT_SYSTEM_STORE_LOCAL_MACHINE                     = 0x00020000
+    CERT_SYSTEM_STORE_CURRENT_USER                      = 0x00010000
+    CERT_SYSTEM_STORE_SERVICES                          = 0x00050000
+    CERT_SYSTEM_STORE_USERS                             = 0x00060000
+
     attr_reader :local_context
 
     extend Chef::Mixin::Deprecation
@@ -674,9 +683,15 @@ class Chef
 
     # In the brave new world of No Certs On Disk, we want to put the pem file into Keychain or the Certstore
     # But is it already there?
+    # We're solving the multi-user scenario where both a system/admin user can run on the box but also someone without
+    # admin rights can also run correctly locally.
     def check_certstore_for_key(cert_name)
       require "win32-certstore"
-      win32certstore = ::Win32::Certstore.open("MY")
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
       win32certstore.search("#{cert_name}")
     end
 
@@ -783,8 +798,6 @@ class Chef
       require "time" unless defined?(Time)
       autoload :URI, "uri"
 
-      # KeyMigration.instance.key_migrated = true
-
       node = Chef::Config[:node_name]
       d = Time.now
       if d.month == 10 || d.month == 11 || d.month == 12
@@ -818,9 +831,13 @@ class Chef
       require "win32-certstore"
       tempfile = Tempfile.new("#{Chef::Config[:node_name]}.pfx")
       File.open(tempfile, "wb") { |f| f.print new_pfx.to_der }
-
-      store = ::Win32::Certstore.open("MY")
-      store.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
+      # Need to determine where to store the key
+      if Chef::Config[:auth_key_registry_type] == "user"
+        win32certstore = ::Win32::Certstore.open("MY", store_location: CERT_SYSTEM_STORE_CURRENT_USER)
+      else
+        win32certstore = ::Win32::Certstore.open("MY")
+      end
+      win32certstore.add_pfx(tempfile, password, CRYPT_EXPORTABLE)
       tempfile.unlink
     end