chef-zero 4.2.3 → 4.3.0

data/Rakefile

@@ -1,31 +1,31 @@
-require 'bundler'
-require 'bundler/gem_tasks'
-
-require 'chef_zero/version'
-
-task :default => :pedant
-
-desc "run specs"
-task :spec do
-  system('rspec spec/*_spec.rb')
-end
-
-desc "run pedant"
-task :pedant do
-  require File.expand_path('spec/run_pedant')
-end
-
-desc "run oc pedant"
-task :oc_pedant do
-  require File.expand_path('spec/run_oc_pedant')
-end
-
-task :chef_spec do
-  gem_path = Bundler.environment.specs['chef'].first.full_gem_path
-  system("cd #{gem_path} && rspec spec/integration")
-end
-
-task :berkshelf_spec do
-  gem_path = Bundler.environment.specs['berkshelf'].first.full_gem_path
-  system("cd #{gem_path} && thor spec:ci")
-end
+require 'bundler'
+require 'bundler/gem_tasks'
+
+require 'chef_zero/version'
+
+task :default => :pedant
+
+desc "run specs"
+task :spec do
+  system('rspec spec/*_spec.rb')
+end
+
+desc "run oc pedant"
+task :pedant do
+  require File.expand_path('spec/run_oc_pedant')
+end
+
+desc "run oc pedant"
+task :oc_pedant do
+  require File.expand_path('spec/run_oc_pedant')
+end
+
+task :chef_spec do
+  gem_path = Bundler.environment.specs['chef'].first.full_gem_path
+  system("cd #{gem_path} && rspec spec/integration")
+end
+
+task :berkshelf_spec do
+  gem_path = Bundler.environment.specs['berkshelf'].first.full_gem_path
+  system("cd #{gem_path} && thor spec:ci")
+end

data/bin/chef-zero

@@ -1,100 +1,100 @@
-#!/usr/bin/env ruby
-
-# Trap interrupts to quit cleanly.
-Signal.trap('INT') { exit 1 }
-
-require 'rubygems'
-$:.unshift(File.expand_path(File.join(File.dirname(__FILE__), "..", "lib")))
-
-require 'chef_zero/log'
-require 'chef_zero/version'
-require 'chef_zero/server'
-require 'chef_zero/data_store/raw_file_store'
-require 'optparse'
-
-def parse_port(port)
-  array = []
-  port.split(',').each do |part|
-    a,b = part.split('-',2)
-    if b
-      array = array.concat(a.to_i.upto(b.to_i).to_a)
-    else
-      array = array.concat([a.to_i])
-    end
-  end
-  array
-end
-
-options = {}
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: chef-zero [ARGS]"
-
-  opts.on("-H", "--host HOST", "Host to bind to (default: 127.0.0.1)") do |value|
-    options[:host] = value
-  end
-
-  opts.on("-p", "--port PORT", "Port to listen on (e.g. 8889, or 8500-8600 or 8885,8888)") do |value|
-    options[:port] ||= []
-    options[:port] += parse_port(value)
-  end
-
-  opts.on("--[no-]generate-keys", "Whether to generate actual keys or fake it (faster).  Default: false.") do |value|
-    options[:generate_real_keys] = value
-  end
-
-  opts.on("-d", "--daemon", "Run as a daemon process") do |value|
-    options[:daemon] = value
-  end
-
-  opts.on("-l", "--log-level LEVEL", "Set the output log level") do |value|
-    options[:log_level] = value
-  end
-
-  opts.on("--log-file FILE", "Log to a file") do |value|
-    options[:log_file] = value
-  end
-
-  opts.on("--multi-org", "Whether to run in multi-org mode") do |value|
-    options[:single_org] = nil
-  end
-
-  opts.on("--file-store PATH", "Persist data to files at the given path") do |value|
-    options[:data_store] = ChefZero::DataStore::RawFileStore.new(value)
-  end
-
-  opts.on("--[no-]ssl", "Use SSL with self-signed certificate(Auto generate before every run).  Default: false.") do |value|
-    options[:ssl] = value
-  end
-
-  opts.on_tail("-h", "--help", "Show this message") do
-    puts opts
-    exit
-  end
-
-  opts.on_tail("--version", "Show version") do
-    puts ChefZero::VERSION
-    exit
-  end
-end.parse!
-
-if options[:data_store]
-  options[:data_store] = ChefZero::DataStore::DefaultFacade.new(options[:data_store], options[:single_org], false)
-end
-
-if options[:log_file]
-  ChefZero::Log.init(options[:log_file])
-end
-
-server = ChefZero::Server.new(options)
-
-if options[:daemon]
-  if Process.respond_to?(:daemon)
-    Process.daemon(true)
-    server.start(true)
-  else
-    abort 'Process.daemon requires Ruby >= 1.9'
-  end
-else
-  server.start(true)
-end
+#!/usr/bin/env ruby
+
+# Trap interrupts to quit cleanly.
+Signal.trap('INT') { exit 1 }
+
+require 'rubygems'
+$:.unshift(File.expand_path(File.join(File.dirname(__FILE__), "..", "lib")))
+
+require 'chef_zero/log'
+require 'chef_zero/version'
+require 'chef_zero/server'
+require 'chef_zero/data_store/raw_file_store'
+require 'optparse'
+
+def parse_port(port)
+  array = []
+  port.split(',').each do |part|
+    a,b = part.split('-',2)
+    if b
+      array = array.concat(a.to_i.upto(b.to_i).to_a)
+    else
+      array = array.concat([a.to_i])
+    end
+  end
+  array
+end
+
+options = {}
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: chef-zero [ARGS]"
+
+  opts.on("-H", "--host HOST", "Host to bind to (default: 127.0.0.1)") do |value|
+    options[:host] = value
+  end
+
+  opts.on("-p", "--port PORT", "Port to listen on (e.g. 8889, or 8500-8600 or 8885,8888)") do |value|
+    options[:port] ||= []
+    options[:port] += parse_port(value)
+  end
+
+  opts.on("--[no-]generate-keys", "Whether to generate actual keys or fake it (faster).  Default: false.") do |value|
+    options[:generate_real_keys] = value
+  end
+
+  opts.on("-d", "--daemon", "Run as a daemon process") do |value|
+    options[:daemon] = value
+  end
+
+  opts.on("-l", "--log-level LEVEL", "Set the output log level") do |value|
+    options[:log_level] = value
+  end
+
+  opts.on("--log-file FILE", "Log to a file") do |value|
+    options[:log_file] = value
+  end
+
+  opts.on("--multi-org", "Whether to run in multi-org mode") do |value|
+    options[:single_org] = nil
+  end
+
+  opts.on("--file-store PATH", "Persist data to files at the given path") do |value|
+    options[:data_store] = ChefZero::DataStore::RawFileStore.new(value)
+  end
+
+  opts.on("--[no-]ssl", "Use SSL with self-signed certificate(Auto generate before every run).  Default: false.") do |value|
+    options[:ssl] = value
+  end
+
+  opts.on_tail("-h", "--help", "Show this message") do
+    puts opts
+    exit
+  end
+
+  opts.on_tail("--version", "Show version") do
+    puts ChefZero::VERSION
+    exit
+  end
+end.parse!
+
+if options[:data_store]
+  options[:data_store] = ChefZero::DataStore::DefaultFacade.new(options[:data_store], options[:single_org], false)
+end
+
+if options[:log_file]
+  ChefZero::Log.init(options[:log_file])
+end
+
+server = ChefZero::Server.new(options)
+
+if options[:daemon]
+  if Process.respond_to?(:daemon)
+    Process.daemon(true)
+    server.start(true)
+  else
+    abort 'Process.daemon requires Ruby >= 1.9'
+  end
+else
+  server.start(true)
+end

data/lib/chef_zero.rb

@@ -1,7 +1,10 @@
-module ChefZero
-  require 'chef_zero/log'
-
-  CERTIFICATE = "-----BEGIN CERTIFICATE-----\nMIIDMzCCApygAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx\nEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAUBgNVBAoM\nDU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZpY2UxMjAw\nBgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2NvZGUuY29t\nMB4XDTEyMTEyMTAwMzQyMVoXDTIyMTExOTAwMzQyMVowgZsxEDAOBgNVBAcTB1Nl\nYXR0bGUxEzARBgNVBAgTCldhc2hpbmd0b24xCzAJBgNVBAYTAlVTMRwwGgYDVQQL\nExNDZXJ0aWZpY2F0ZSBTZXJ2aWNlMRYwFAYDVQQKEw1PcHNjb2RlLCBJbmMuMS8w\nLQYDVQQDFCZVUkk6aHR0cDovL29wc2NvZGUuY29tL0dVSURTL3VzZXJfZ3VpZDCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLDmPbR71bS2esZlZh/HfC6\n0azXFjl2677wq2ovk9xrUb0Ui4ZLC66TqQ9C/RBzOjXU4TRf3hgPTqvlCgHusl0d\nIcLCrsSl6kPEhJpYWWfRoroIAwf82A9yLQekhqXZEXu5EKkwoUMqyF6m0ZCasaE1\ny8niQxdLAsk3ady/CGQlFqHTPKFfU5UASR2LRtYC1MCIvJHDFRKAp9kPJbQo9P37\nZ8IU7cDudkZFgNLmDixlWsh7C0ghX8fgAlj1P6FgsFufygam973k79GhIP54dELB\nc0S6E8ekkRSOXU9jX/IoiXuFglBvFihAdhvED58bMXzj2AwXUyeAlxItnvs+NVUC\nAwEAATANBgkqhkiG9w0BAQUFAAOBgQBkFZRbMoywK3hb0/X7MXmPYa7nlfnd5UXq\nr2n32ettzZNmEPaI2d1j+//nL5qqhOlrWPS88eKEPnBOX/jZpUWOuAAddnrvFzgw\nrp/C2H7oMT+29F+5ezeViLKbzoFYb4yECHBoi66IFXNae13yj7taMboBeUmE664G\nTB/MZpRr8g==\n-----END CERTIFICATE-----\n"
-  PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0sOY9tHvVtLZ6xmVmH8d\n8LrRrNcWOXbrvvCrai+T3GtRvRSLhksLrpOpD0L9EHM6NdThNF/eGA9Oq+UKAe6y\nXR0hwsKuxKXqQ8SEmlhZZ9GiuggDB/zYD3ItB6SGpdkRe7kQqTChQyrIXqbRkJqx\noTXLyeJDF0sCyTdp3L8IZCUWodM8oV9TlQBJHYtG1gLUwIi8kcMVEoCn2Q8ltCj0\n/ftnwhTtwO52RkWA0uYOLGVayHsLSCFfx+ACWPU/oWCwW5/KBqb3veTv0aEg/nh0\nQsFzRLoTx6SRFI5dT2Nf8iiJe4WCUG8WKEB2G8QPnxsxfOPYDBdTJ4CXEi2e+z41\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
-  PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0sOY9tHvVtLZ6xmVmH8d8LrRrNcWOXbrvvCrai+T3GtRvRSL\nhksLrpOpD0L9EHM6NdThNF/eGA9Oq+UKAe6yXR0hwsKuxKXqQ8SEmlhZZ9GiuggD\nB/zYD3ItB6SGpdkRe7kQqTChQyrIXqbRkJqxoTXLyeJDF0sCyTdp3L8IZCUWodM8\noV9TlQBJHYtG1gLUwIi8kcMVEoCn2Q8ltCj0/ftnwhTtwO52RkWA0uYOLGVayHsL\nSCFfx+ACWPU/oWCwW5/KBqb3veTv0aEg/nh0QsFzRLoTx6SRFI5dT2Nf8iiJe4WC\nUG8WKEB2G8QPnxsxfOPYDBdTJ4CXEi2e+z41VQIDAQABAoIBAALhqbW2KQ+G0nPk\nZacwFbi01SkHx8YBWjfCEpXhEKRy0ytCnKW5YO+CFU2gHNWcva7+uhV9OgwaKXkw\nKHLeUJH1VADVqI4Htqw2g5mYm6BPvWnNsjzpuAp+BR+VoEGkNhj67r9hatMAQr0I\nitTvSH5rvd2EumYXIHKfz1K1SegUk1u1EL1RcMzRmZe4gDb6eNBs9Sg4im4ybTG6\npPIytA8vBQVWhjuAR2Tm+wZHiy0Az6Vu7c2mS07FSX6FO4E8SxWf8idaK9ijMGSq\nFvIS04mrY6XCPUPUC4qm1qNnhDPpOr7CpI2OO98SqGanStS5NFlSFXeXPpM280/u\nfZUA0AECgYEA+x7QUnffDrt7LK2cX6wbvn4mRnFxet7bJjrfWIHf+Rm0URikaNma\nh0/wNKpKBwIH+eHK/LslgzcplrqPytGGHLOG97Gyo5tGAzyLHUWBmsNkRksY2sPL\nuHq6pYWJNkqhnWGnIbmqCr0EWih82x/y4qxbJYpYqXMrit0wVf7yAgkCgYEA1twI\ngFaXqesetTPoEHSQSgC8S4D5/NkdriUXCYb06REcvo9IpFMuiOkVUYNN5d3MDNTP\nIdBicfmvfNELvBtXDomEUD8ls1UuoTIXRNGZ0VsZXu7OErXCK0JKNNyqRmOwcvYL\nJRqLfnlei5Ndo1lu286yL74c5rdTLs/nI2p4e+0CgYB079ZmcLeILrmfBoFI8+Y/\ngJLmPrFvXBOE6+lRV7kqUFPtZ6I3yQzyccETZTDvrnx0WjaiFavUPH27WMjY01S2\nTMtO0Iq1MPsbSrglO1as8MvjB9ldFcvp7gy4Q0Sv6XT0yqJ/S+vo8Df0m+H4UBpU\nf5o6EwBSd/UQxwtZIE0lsQKBgQCswfjX8Eg8KL/lJNpIOOE3j4XXE9ptksmJl2sB\njxDnQYoiMqVO808saHVquC/vTrpd6tKtNpehWwjeTFuqITWLi8jmmQ+gNTKsC9Gn\n1Pxf2Gb67PqnEpwQGln+TRtgQ5HBrdHiQIi+5am+gnw89pDrjjO5rZwhanAo6KPJ\n1zcPNQKBgQDxFu8v4frDmRNCVaZS4f1B6wTrcMrnibIDlnzrK9GG6Hz1U7dDv8s8\nNf4UmeMzDXjlPWZVOvS5+9HKJPdPj7/onv8B2m18+lcgTTDJBkza7R1mjL1Cje/Z\nKcVGsryKN6cjE7yCDasnA7R2rVBV/7NWeJV77bmzT5O//rW4yIfUIg==\n-----END RSA PRIVATE KEY-----\n"
-end
+module ChefZero
+  require 'chef_zero/log'
+
+  MIN_API_VERSION = 0
+  MAX_API_VERSION = 1
+
+  CERTIFICATE = "-----BEGIN CERTIFICATE-----\nMIIDMzCCApygAwIBAgIBATANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx\nEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFjAUBgNVBAoM\nDU9wc2NvZGUsIEluYy4xHDAaBgNVBAsME0NlcnRpZmljYXRlIFNlcnZpY2UxMjAw\nBgNVBAMMKW9wc2NvZGUuY29tL2VtYWlsQWRkcmVzcz1hdXRoQG9wc2NvZGUuY29t\nMB4XDTEyMTEyMTAwMzQyMVoXDTIyMTExOTAwMzQyMVowgZsxEDAOBgNVBAcTB1Nl\nYXR0bGUxEzARBgNVBAgTCldhc2hpbmd0b24xCzAJBgNVBAYTAlVTMRwwGgYDVQQL\nExNDZXJ0aWZpY2F0ZSBTZXJ2aWNlMRYwFAYDVQQKEw1PcHNjb2RlLCBJbmMuMS8w\nLQYDVQQDFCZVUkk6aHR0cDovL29wc2NvZGUuY29tL0dVSURTL3VzZXJfZ3VpZDCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANLDmPbR71bS2esZlZh/HfC6\n0azXFjl2677wq2ovk9xrUb0Ui4ZLC66TqQ9C/RBzOjXU4TRf3hgPTqvlCgHusl0d\nIcLCrsSl6kPEhJpYWWfRoroIAwf82A9yLQekhqXZEXu5EKkwoUMqyF6m0ZCasaE1\ny8niQxdLAsk3ady/CGQlFqHTPKFfU5UASR2LRtYC1MCIvJHDFRKAp9kPJbQo9P37\nZ8IU7cDudkZFgNLmDixlWsh7C0ghX8fgAlj1P6FgsFufygam973k79GhIP54dELB\nc0S6E8ekkRSOXU9jX/IoiXuFglBvFihAdhvED58bMXzj2AwXUyeAlxItnvs+NVUC\nAwEAATANBgkqhkiG9w0BAQUFAAOBgQBkFZRbMoywK3hb0/X7MXmPYa7nlfnd5UXq\nr2n32ettzZNmEPaI2d1j+//nL5qqhOlrWPS88eKEPnBOX/jZpUWOuAAddnrvFzgw\nrp/C2H7oMT+29F+5ezeViLKbzoFYb4yECHBoi66IFXNae13yj7taMboBeUmE664G\nTB/MZpRr8g==\n-----END CERTIFICATE-----\n"
+  PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0sOY9tHvVtLZ6xmVmH8d\n8LrRrNcWOXbrvvCrai+T3GtRvRSLhksLrpOpD0L9EHM6NdThNF/eGA9Oq+UKAe6y\nXR0hwsKuxKXqQ8SEmlhZZ9GiuggDB/zYD3ItB6SGpdkRe7kQqTChQyrIXqbRkJqx\noTXLyeJDF0sCyTdp3L8IZCUWodM8oV9TlQBJHYtG1gLUwIi8kcMVEoCn2Q8ltCj0\n/ftnwhTtwO52RkWA0uYOLGVayHsLSCFfx+ACWPU/oWCwW5/KBqb3veTv0aEg/nh0\nQsFzRLoTx6SRFI5dT2Nf8iiJe4WCUG8WKEB2G8QPnxsxfOPYDBdTJ4CXEi2e+z41\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
+  PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA0sOY9tHvVtLZ6xmVmH8d8LrRrNcWOXbrvvCrai+T3GtRvRSL\nhksLrpOpD0L9EHM6NdThNF/eGA9Oq+UKAe6yXR0hwsKuxKXqQ8SEmlhZZ9GiuggD\nB/zYD3ItB6SGpdkRe7kQqTChQyrIXqbRkJqxoTXLyeJDF0sCyTdp3L8IZCUWodM8\noV9TlQBJHYtG1gLUwIi8kcMVEoCn2Q8ltCj0/ftnwhTtwO52RkWA0uYOLGVayHsL\nSCFfx+ACWPU/oWCwW5/KBqb3veTv0aEg/nh0QsFzRLoTx6SRFI5dT2Nf8iiJe4WC\nUG8WKEB2G8QPnxsxfOPYDBdTJ4CXEi2e+z41VQIDAQABAoIBAALhqbW2KQ+G0nPk\nZacwFbi01SkHx8YBWjfCEpXhEKRy0ytCnKW5YO+CFU2gHNWcva7+uhV9OgwaKXkw\nKHLeUJH1VADVqI4Htqw2g5mYm6BPvWnNsjzpuAp+BR+VoEGkNhj67r9hatMAQr0I\nitTvSH5rvd2EumYXIHKfz1K1SegUk1u1EL1RcMzRmZe4gDb6eNBs9Sg4im4ybTG6\npPIytA8vBQVWhjuAR2Tm+wZHiy0Az6Vu7c2mS07FSX6FO4E8SxWf8idaK9ijMGSq\nFvIS04mrY6XCPUPUC4qm1qNnhDPpOr7CpI2OO98SqGanStS5NFlSFXeXPpM280/u\nfZUA0AECgYEA+x7QUnffDrt7LK2cX6wbvn4mRnFxet7bJjrfWIHf+Rm0URikaNma\nh0/wNKpKBwIH+eHK/LslgzcplrqPytGGHLOG97Gyo5tGAzyLHUWBmsNkRksY2sPL\nuHq6pYWJNkqhnWGnIbmqCr0EWih82x/y4qxbJYpYqXMrit0wVf7yAgkCgYEA1twI\ngFaXqesetTPoEHSQSgC8S4D5/NkdriUXCYb06REcvo9IpFMuiOkVUYNN5d3MDNTP\nIdBicfmvfNELvBtXDomEUD8ls1UuoTIXRNGZ0VsZXu7OErXCK0JKNNyqRmOwcvYL\nJRqLfnlei5Ndo1lu286yL74c5rdTLs/nI2p4e+0CgYB079ZmcLeILrmfBoFI8+Y/\ngJLmPrFvXBOE6+lRV7kqUFPtZ6I3yQzyccETZTDvrnx0WjaiFavUPH27WMjY01S2\nTMtO0Iq1MPsbSrglO1as8MvjB9ldFcvp7gy4Q0Sv6XT0yqJ/S+vo8Df0m+H4UBpU\nf5o6EwBSd/UQxwtZIE0lsQKBgQCswfjX8Eg8KL/lJNpIOOE3j4XXE9ptksmJl2sB\njxDnQYoiMqVO808saHVquC/vTrpd6tKtNpehWwjeTFuqITWLi8jmmQ+gNTKsC9Gn\n1Pxf2Gb67PqnEpwQGln+TRtgQ5HBrdHiQIi+5am+gnw89pDrjjO5rZwhanAo6KPJ\n1zcPNQKBgQDxFu8v4frDmRNCVaZS4f1B6wTrcMrnibIDlnzrK9GG6Hz1U7dDv8s8\nNf4UmeMzDXjlPWZVOvS5+9HKJPdPj7/onv8B2m18+lcgTTDJBkza7R1mjL1Cje/Z\nKcVGsryKN6cjE7yCDasnA7R2rVBV/7NWeJV77bmzT5O//rW4yIfUIg==\n-----END RSA PRIVATE KEY-----\n"
+end

data/lib/chef_zero/chef_data/acl_path.rb

@@ -1,139 +1,139 @@
-module ChefZero
-  module ChefData
-    # Manages translations between REST and ACL data paths
-    # and parent paths.
-    #
-    # Suggestions
-    # - make /organizations/ORG/_acl and deprecate organization/_acl and organizations/_acl
-    # - add endpoints for /containers/(users|organizations|containers)(/_acl)
-    # - add PUT for */_acl
-    # - add endpoints for /organizations/ORG/data/containers and /organizations/ORG/cookbooks/containers
-    # - sane, fully documented ACL model
-    # - sane inheritance / override model: if actors or groups are explicitly
-    #   specified on X, they are not inherited from X's parent
-    # - stop adding pivotal to acls (he already has access to what he needs)
-    module AclPath
-      ORG_DATA_TYPES = %w(clients cookbooks containers data environments groups nodes roles sandboxes)
-      TOP_DATA_TYPES = %w(containers organizations users)
-
-      # ACL data paths for a partition are:
-      # /          -> /acls/root
-      # /TYPE      -> /acls/containers/TYPE
-      # /TYPE/NAME -> /acls/TYPE/NAME
-      #
-      # The root partition "/" has its own acls, so it looks like this:
-      #
-      # / -> /acls/root
-      # /users -> /acls/containers/users
-      # /organizations -> /acls/containers/organizations
-      # /users/schlansky -> /acls/users/schlansky
-      #
-      # Each organization is its own partition, so it looks like this:
-      #
-      # /organizations/blah           -> /organizations/blah/acls/root
-      # /organizations/blah/roles     -> /organizations/blah/acls/containers/roles
-      # /organizations/blah/roles/web -> /organizations/blah/acls/roles/web
-      # /organizations/ORG is its own partition.  ACLs for anything under it follow
-
-      # This method takes a Chef REST path and returns the chef-zero path
-      # used to look up the ACL.  If an object does not have an ACL directly,
-      # it will return nil.  Paths like /organizations/ORG/data/bag/item will
-      # return nil, because it is the parent path (data/bag) that has an ACL.
-      def self.get_acl_data_path(path)
-        # Things under organizations have their own acls hierarchy
-        if path[0] == 'organizations' && path.size >= 2
-          under_org = partition_acl_data_path(path[2..-1], ORG_DATA_TYPES)
-          if under_org
-            path[0..1] + under_org
-          end
-        else
-          partition_acl_data_path(path, TOP_DATA_TYPES)
-        end
-      end
-
-      #
-      # Reverse transform from acl_data_path to path.
-      # /acls/root -> /
-      # /acls/** -> /**
-      # /organizations/ORG/acls/root -> /organizations/ORG
-      # /organizations/ORG/acls/** -> /organizations/ORG/**
-      #
-      # This means that /acls/containers/nodes maps to
-      # /containers/nodes, not /nodes.
-      #
-      def self.get_object_path(acl_data_path)
-        if acl_data_path[0] == 'acls'
-          if acl_data_path[1] == 'root'
-            []
-          else
-            acl_data_path[1..-1]
-          end
-        elsif acl_data_path[0] == 'organizations' && acl_data_path[2] == 'acls'
-          if acl_data_path[3] == 'root'
-            acl_data_path[0..1]
-          else
-            acl_data_path[0..1] + acl_data_path[3..-1]
-          end
-        end
-      end
-
-      # Method *assumes* acl_data_path is valid.
-      # /organizations/BLAH's parent is /organizations
-      #
-      # An example traversal up the whole tree:
-      # /organizations/foo/acls/nodes/mario ->
-      # /organizations/foo/acls/containers/nodes ->
-      # /organizations/foo/acls/containers/containers ->
-      # /organizations/foo/acls/root ->
-      # /acls/containers/organizations ->
-      # /acls/containers/containers ->
-      # /acls/root ->
-      # nil
-      def self.parent_acl_data_path(acl_data_path)
-        if acl_data_path[0] == 'organizations'
-          under_org = partition_parent_acl_data_path(acl_data_path[2..-1])
-          if under_org
-            acl_data_path[0..1] + under_org
-          else
-            # ACL data path is /organizations/X/acls/root; therefore parent is "/organizations"
-            [ 'acls', 'containers', 'organizations' ]
-          end
-        else
-          partition_parent_acl_data_path(acl_data_path)
-        end
-      end
-
-      private
-
-      # /acls/root -> nil
-      # /acls/containers/containers -> /acls/root
-      # /acls/TYPE/X -> /acls/containers/TYPE
-      #
-      # Method *assumes* acl_data_path is valid.
-      # Returns nil if the path is /acls/root
-      def self.partition_parent_acl_data_path(acl_data_path)
-        if acl_data_path.size == 3
-          if acl_data_path == %w(acls containers containers)
-            [ 'acls', 'root' ]
-          else
-            [ 'acls', 'containers', acl_data_path[1]]
-          end
-        else
-          nil
-        end
-      end
-
-      def self.partition_acl_data_path(path, data_types)
-        if path.size == 0
-          [ 'acls', 'root']
-        elsif data_types.include?(path[0])
-          if path.size == 0
-            [ 'acls', 'containers', path[0] ]
-          elsif path.size == 2
-            [ 'acls', path[0], path[1] ]
-          end
-        end
-      end
-    end
-  end
-end
+module ChefZero
+  module ChefData
+    # Manages translations between REST and ACL data paths
+    # and parent paths.
+    #
+    # Suggestions
+    # - make /organizations/ORG/_acl and deprecate organization/_acl and organizations/_acl
+    # - add endpoints for /containers/(users|organizations|containers)(/_acl)
+    # - add PUT for */_acl
+    # - add endpoints for /organizations/ORG/data/containers and /organizations/ORG/cookbooks/containers
+    # - sane, fully documented ACL model
+    # - sane inheritance / override model: if actors or groups are explicitly
+    #   specified on X, they are not inherited from X's parent
+    # - stop adding pivotal to acls (he already has access to what he needs)
+    module AclPath
+      ORG_DATA_TYPES = %w(clients cookbooks containers data environments groups nodes roles sandboxes)
+      TOP_DATA_TYPES = %w(containers organizations users)
+
+      # ACL data paths for a partition are:
+      # /          -> /acls/root
+      # /TYPE      -> /acls/containers/TYPE
+      # /TYPE/NAME -> /acls/TYPE/NAME
+      #
+      # The root partition "/" has its own acls, so it looks like this:
+      #
+      # / -> /acls/root
+      # /users -> /acls/containers/users
+      # /organizations -> /acls/containers/organizations
+      # /users/schlansky -> /acls/users/schlansky
+      #
+      # Each organization is its own partition, so it looks like this:
+      #
+      # /organizations/blah           -> /organizations/blah/acls/root
+      # /organizations/blah/roles     -> /organizations/blah/acls/containers/roles
+      # /organizations/blah/roles/web -> /organizations/blah/acls/roles/web
+      # /organizations/ORG is its own partition.  ACLs for anything under it follow
+
+      # This method takes a Chef REST path and returns the chef-zero path
+      # used to look up the ACL.  If an object does not have an ACL directly,
+      # it will return nil.  Paths like /organizations/ORG/data/bag/item will
+      # return nil, because it is the parent path (data/bag) that has an ACL.
+      def self.get_acl_data_path(path)
+        # Things under organizations have their own acls hierarchy
+        if path[0] == 'organizations' && path.size >= 2
+          under_org = partition_acl_data_path(path[2..-1], ORG_DATA_TYPES)
+          if under_org
+            path[0..1] + under_org
+          end
+        else
+          partition_acl_data_path(path, TOP_DATA_TYPES)
+        end
+      end
+
+      #
+      # Reverse transform from acl_data_path to path.
+      # /acls/root -> /
+      # /acls/** -> /**
+      # /organizations/ORG/acls/root -> /organizations/ORG
+      # /organizations/ORG/acls/** -> /organizations/ORG/**
+      #
+      # This means that /acls/containers/nodes maps to
+      # /containers/nodes, not /nodes.
+      #
+      def self.get_object_path(acl_data_path)
+        if acl_data_path[0] == 'acls'
+          if acl_data_path[1] == 'root'
+            []
+          else
+            acl_data_path[1..-1]
+          end
+        elsif acl_data_path[0] == 'organizations' && acl_data_path[2] == 'acls'
+          if acl_data_path[3] == 'root'
+            acl_data_path[0..1]
+          else
+            acl_data_path[0..1] + acl_data_path[3..-1]
+          end
+        end
+      end
+
+      # Method *assumes* acl_data_path is valid.
+      # /organizations/BLAH's parent is /organizations
+      #
+      # An example traversal up the whole tree:
+      # /organizations/foo/acls/nodes/mario ->
+      # /organizations/foo/acls/containers/nodes ->
+      # /organizations/foo/acls/containers/containers ->
+      # /organizations/foo/acls/root ->
+      # /acls/containers/organizations ->
+      # /acls/containers/containers ->
+      # /acls/root ->
+      # nil
+      def self.parent_acl_data_path(acl_data_path)
+        if acl_data_path[0] == 'organizations'
+          under_org = partition_parent_acl_data_path(acl_data_path[2..-1])
+          if under_org
+            acl_data_path[0..1] + under_org
+          else
+            # ACL data path is /organizations/X/acls/root; therefore parent is "/organizations"
+            [ 'acls', 'containers', 'organizations' ]
+          end
+        else
+          partition_parent_acl_data_path(acl_data_path)
+        end
+      end
+
+      private
+
+      # /acls/root -> nil
+      # /acls/containers/containers -> /acls/root
+      # /acls/TYPE/X -> /acls/containers/TYPE
+      #
+      # Method *assumes* acl_data_path is valid.
+      # Returns nil if the path is /acls/root
+      def self.partition_parent_acl_data_path(acl_data_path)
+        if acl_data_path.size == 3
+          if acl_data_path == %w(acls containers containers)
+            [ 'acls', 'root' ]
+          else
+            [ 'acls', 'containers', acl_data_path[1]]
+          end
+        else
+          nil
+        end
+      end
+
+      def self.partition_acl_data_path(path, data_types)
+        if path.size == 0
+          [ 'acls', 'root']
+        elsif data_types.include?(path[0])
+          if path.size == 0
+            [ 'acls', 'containers', path[0] ]
+          elsif path.size == 2
+            [ 'acls', path[0], path[1] ]
+          end
+        end
+      end
+    end
+  end
+end