RubyGems - cheffish - Versions diffs - 1.3.1 → 1.4.0 - Mend

cheffish 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

checksums.yaml +4 -4
data/LICENSE +201 -201
data/README.md +120 -117
data/Rakefile +23 -23
data/lib/chef/provider/chef_acl.rb +439 -434
data/lib/chef/provider/chef_client.rb +53 -48
data/lib/chef/provider/chef_container.rb +55 -50
data/lib/chef/provider/chef_data_bag.rb +55 -50
data/lib/chef/provider/chef_data_bag_item.rb +278 -273
data/lib/chef/provider/chef_environment.rb +83 -78
data/lib/chef/provider/chef_group.rb +83 -78
data/lib/chef/provider/chef_mirror.rb +169 -164
data/lib/chef/provider/chef_node.rb +87 -82
data/lib/chef/provider/chef_organization.rb +155 -150
data/lib/chef/provider/chef_resolved_cookbooks.rb +46 -41
data/lib/chef/provider/chef_role.rb +84 -79
data/lib/chef/provider/chef_user.rb +59 -54
data/lib/chef/provider/private_key.rb +225 -220
data/lib/chef/provider/public_key.rb +88 -82
data/lib/chef/resource/chef_acl.rb +69 -65
data/lib/chef/resource/chef_client.rb +48 -44
data/lib/chef/resource/chef_container.rb +22 -18
data/lib/chef/resource/chef_data_bag.rb +22 -18
data/lib/chef/resource/chef_data_bag_item.rb +121 -114
data/lib/chef/resource/chef_environment.rb +77 -71
data/lib/chef/resource/chef_group.rb +53 -49
data/lib/chef/resource/chef_mirror.rb +52 -48
data/lib/chef/resource/chef_node.rb +22 -18
data/lib/chef/resource/chef_organization.rb +69 -64
data/lib/chef/resource/chef_resolved_cookbooks.rb +35 -31
data/lib/chef/resource/chef_role.rb +110 -104
data/lib/chef/resource/chef_user.rb +56 -52
data/lib/chef/resource/private_key.rb +48 -44
data/lib/chef/resource/public_key.rb +25 -21
data/lib/cheffish.rb +235 -233
data/lib/cheffish/actor_provider_base.rb +131 -131
data/lib/cheffish/basic_chef_client.rb +184 -184
data/lib/cheffish/chef_provider_base.rb +246 -246
data/lib/cheffish/chef_run.rb +162 -155
data/lib/cheffish/chef_run_data.rb +19 -19
data/lib/cheffish/chef_run_listener.rb +30 -30
data/lib/cheffish/key_formatter.rb +113 -113
data/lib/cheffish/merged_config.rb +94 -94
data/lib/cheffish/recipe_dsl.rb +157 -157
data/lib/cheffish/rspec.rb +8 -8
data/lib/cheffish/rspec/chef_run_support.rb +83 -83
data/lib/cheffish/rspec/matchers.rb +4 -4
data/lib/cheffish/rspec/matchers/be_idempotent.rb +16 -16
data/lib/cheffish/rspec/matchers/emit_no_warnings_or_errors.rb +15 -15
data/lib/cheffish/rspec/matchers/have_updated.rb +37 -37
data/lib/cheffish/rspec/matchers/partially_match.rb +63 -63
data/lib/cheffish/rspec/recipe_run_wrapper.rb +59 -47
data/lib/cheffish/rspec/repository_support.rb +108 -108
data/lib/cheffish/server_api.rb +52 -52
data/lib/cheffish/version.rb +3 -3
data/lib/cheffish/with_pattern.rb +21 -21
data/spec/functional/fingerprint_spec.rb +64 -64
data/spec/functional/merged_config_spec.rb +19 -19
data/spec/functional/server_api_spec.rb +13 -13
data/spec/integration/chef_acl_spec.rb +879 -879
data/spec/integration/chef_client_spec.rb +105 -105
data/spec/integration/chef_container_spec.rb +33 -33
data/spec/integration/chef_group_spec.rb +309 -309
data/spec/integration/chef_mirror_spec.rb +491 -491
data/spec/integration/chef_node_spec.rb +786 -786
data/spec/integration/chef_organization_spec.rb +226 -226
data/spec/integration/chef_role_spec.rb +78 -0
data/spec/integration/chef_user_spec.rb +85 -85
data/spec/integration/private_key_spec.rb +399 -399
data/spec/integration/recipe_dsl_spec.rb +28 -28
data/spec/integration/rspec/converge_spec.rb +183 -183
data/spec/support/key_support.rb +29 -29
data/spec/support/spec_support.rb +15 -15
data/spec/unit/get_private_key_spec.rb +131 -131
data/spec/unit/recipe_run_wrapper_spec.rb +37 -0
metadata +8 -5

data/spec/functional/fingerprint_spec.rb CHANGED

@@ -1,64 +1,64 @@
-require 'cheffish/key_formatter'
-require 'support/key_support'
-describe 'Cheffish fingerprint key formatter' do
-  # Sample key: 0x9a6fa4c43b328c3d04c1fbc0498539218b6728e41cd35f6d27d491ef705f0b2083dc1ac977da19f54ba82b044773f20667e9627c543abb3b41b6eb9e4318ca3c68f487bbd0f1c9eea9a3101b7d1d180983c5440ac4183e78e9e256fa687d8aac63b21617a4b02b35bf5e307a3b76961a16cd8493e923536b34cc2b2da8d45220d57ef2243b081b555b84f1da0ade0e896c2aa96911b41430b59eaf75dbffb7eaa7c5b3a686f2d47a24e3b7f1acb0844f84a2fedc63660ae366b800cd9448093d6b1d96503ebb7807b48257e16c3d8a7c9a8cc5dd63116aa673bd9e09754de09358486e743e34c6a3642eeb64b2208efc96df39151572557a75638bd059c21a55 = 0xd6e92677d4e1d2aa6d14f87b5f49ee6916c6b92411536254fae4a21e82eebb0a40600247c701c1c938b21ca9f25b7b330c35fded57b4de3a951e83329a80bdbf2ba138fe2f190bffce43967b5fa93b179367bcd15cb1db7f9e3ab62caca95dc9489b62bc0a10b53841b932455a43409f96eed90dc80abc8cce5593ead8f0a26d * 0xb7f68cd427045788d5e315375f71d3a416784ec2597776a60ed77c821294d9bd66e96658bdcb43072cee0c849d297bd9f94991738f1a0df313ceb51b093a9372f12a61987f40e7a03d773911deb270916a574962ae8ff4f2d8bfcedee1c885e9c3e54212471636a6330b05b78c3a7ddf96b013be389a08ab7971db2f68fb2689
-  sample_private_key = <<EOF
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAmm+kxDsyjD0EwfvASYU5IYtnKOQc019tJ9SR73BfCyCD3BrJd9oZ9UuoKwRH
-c/IGZ+lifFQ6uztBtuueQxjKPGj0h7vQ8cnuqaMQG30dGAmDxUQKxBg+eOniVvpofYqsY7IWF6Sw
-KzW/XjB6O3aWGhbNhJPpI1NrNMwrLajUUiDVfvIkOwgbVVuE8doK3g6JbCqpaRG0FDC1nq912/+3
-6qfFs6aG8tR6JOO38aywhE+Eov7cY2YK42a4AM2USAk9ax2WUD67eAe0glfhbD2KfJqMxd1jEWqm
-c72eCXVN4JNYSG50PjTGo2Qu62SyII78lt85FRVyVXp1Y4vQWcIaVQIDAQABAoIBABY+JC37FLGs
-DCZgOvab0HmrWUVDbX9oDBGjhQ1GUvoISdWGqiOv7vMsXWEssZnabt/CdmPPwdG7nCBbWSTyyhXf
-S/DMtTBN1CjsimJbJ7iRjj/4J9DMaRsDHI1IbYo/UcreGF55YsImcJSBSOmNj9rcE+eXYgmrdxJY
-oZNm8IWPaZ1/8KdPHSq6/HfTzRxXhcGOMGnf3lGfzkzIbV9Ee88Lv9sSV3bYrOsWMNabOe2TeTpC
-UTfFkC++0RkFjEDINSCnoCi+ybzHLUDnurANCwnRWLTVEAeffwNVmiDfgimuqFtzCInW5/5bOTPz
-rBmcC6QAFbyk2WKAlY8Zd4SBYqECgYEA1ukmd9Th0qptFPh7X0nuaRbGuSQRU2JU+uSiHoLuuwpA
-YAJHxwHByTiyHKnyW3szDDX97Ve03jqVHoMymoC9vyuhOP4vGQv/zkOWe1+pOxeTZ7zRXLHbf546
-tiysqV3JSJtivAoQtThBuTJFWkNAn5bu2Q3ICryMzlWT6tjwom0CgYEAt/aM1CcEV4jV4xU3X3HT
-pBZ4TsJZd3amDtd8ghKU2b1m6WZYvctDByzuDISdKXvZ+UmRc48aDfMTzrUbCTqTcvEqYZh/QOeg
-PXc5Ed6ycJFqV0liro/08ti/zt7hyIXpw+VCEkcWNqYzCwW3jDp935awE744mgireXHbL2j7JokC
-gYAOHErRTWHyYgw9dz8qd4E21y7/EvYsQmWP/5kBZdlk4HxvkVbDI0NlAdr39NSb2w/z+kuM3Nhc
-Sv5lfXnCGTfcKHIyesX+4AHQujFUMmi7H4YnJoecjXT7ARmbwn0ntae0o7cs34BPVb1C+qEBFy9U
-CyXtjHEY+15HYekPX2UVVQKBgBT8Nwxsdv5VSbDh1rM4lN//ADJb0UDjdAX1ZuqfnANKq9asKitc
-aIUFBxK+ff8hdbgOQF1iUaKNvBC0cCUZXYCbKi5/6uRIh+r7ErOLJ+fXbr4OTQeEvHiHaTn8Ct2J
-CSWjnWngWhRZ2TDEsi947Kr40ZUu+d34ZzcvWcWKwDuhAoGBAJzCRoGOu6YGy+rBPxaIg0vB+Grx
-rxs0NeNqGdrzmyAPN35OHXYclPwfp+DbtbJHgGMRc/9VFPqW9PeTKjIByeEsXyrcdreR35AR/fwR
-AUcSSKTvw+PobCpXhdkiw4TgJhFNuZnoC63FOjNqA5mu1ICZYBb4ZVlgUAgSmDQxSIgK
------END RSA PRIVATE KEY-----
-EOF
-  sample_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCab6TEOzKMPQTB+8BJhTkhi2co5BzTX20n1JHvcF8LIIPcGsl32hn1S6grBEdz8gZn6WJ8VDq7O0G2655DGMo8aPSHu9Dxye6poxAbfR0YCYPFRArEGD546eJW+mh9iqxjshYXpLArNb9eMHo7dpYaFs2Ek+kjU2s0zCstqNRSINV+8iQ7CBtVW4Tx2greDolsKqlpEbQUMLWer3Xb/7fqp8Wzpoby1Hok47fxrLCET4Si/txjZgrjZrgAzZRICT1rHZZQPrt4B7SCV+FsPYp8mozF3WMRaqZzvZ4JdU3gk1hIbnQ+NMajZC7rZLIgjvyW3zkVFXJVenVji9BZwhpV"
-  def key_to_format(key, format)
-    keyobj, f = Cheffish::KeyFormatter.decode(key)
-    Cheffish::KeyFormatter.encode(keyobj, {:format => format})
-  end
-  context 'when computing key fingperprints' do
-    it 'computes the PKCS#8 SHA1 private key fingerprint correctly', :pending => (RUBY_VERSION.to_f >= 2.0) do
-      expect(key_to_format(sample_private_key, :pkcs8sha1fingerprint)).to eq(
-        '88:7e:3a:bd:26:9f:b5:c5:d8:ae:52:f9:df:0b:64:a4:5c:17:0a:87')
-    end
-    it 'computes the PKCS#1 MD5 public key fingerprint correctly' do
-      expect(key_to_format(sample_public_key, :pkcs1md5fingerprint)).to eq(
-        '1f:e8:da:c1:16:c3:72:7d:90:e2:b7:64:c4:b4:55:20')
-    end
-    it 'computes the RFC4716 MD5 public key fingerprint correctly' do
-      expect(key_to_format(sample_public_key, :rfc4716md5fingerprint)).to eq(
-        'b0:13:4f:da:cf:8c:dc:a7:4a:1f:d2:3a:51:92:cf:6b')
-    end
-    it 'defaults to the PKCS#1 MD5 public key fingerprint' do
-      expect(key_to_format(sample_public_key, :fingerprint)).to eq(
-        key_to_format(sample_public_key, :pkcs1md5fingerprint))
-    end
-  end
-end
+require 'cheffish/key_formatter'
+require 'support/key_support'
+describe 'Cheffish fingerprint key formatter' do
+  # Sample key: 0x9a6fa4c43b328c3d04c1fbc0498539218b6728e41cd35f6d27d491ef705f0b2083dc1ac977da19f54ba82b044773f20667e9627c543abb3b41b6eb9e4318ca3c68f487bbd0f1c9eea9a3101b7d1d180983c5440ac4183e78e9e256fa687d8aac63b21617a4b02b35bf5e307a3b76961a16cd8493e923536b34cc2b2da8d45220d57ef2243b081b555b84f1da0ade0e896c2aa96911b41430b59eaf75dbffb7eaa7c5b3a686f2d47a24e3b7f1acb0844f84a2fedc63660ae366b800cd9448093d6b1d96503ebb7807b48257e16c3d8a7c9a8cc5dd63116aa673bd9e09754de09358486e743e34c6a3642eeb64b2208efc96df39151572557a75638bd059c21a55 = 0xd6e92677d4e1d2aa6d14f87b5f49ee6916c6b92411536254fae4a21e82eebb0a40600247c701c1c938b21ca9f25b7b330c35fded57b4de3a951e83329a80bdbf2ba138fe2f190bffce43967b5fa93b179367bcd15cb1db7f9e3ab62caca95dc9489b62bc0a10b53841b932455a43409f96eed90dc80abc8cce5593ead8f0a26d * 0xb7f68cd427045788d5e315375f71d3a416784ec2597776a60ed77c821294d9bd66e96658bdcb43072cee0c849d297bd9f94991738f1a0df313ceb51b093a9372f12a61987f40e7a03d773911deb270916a574962ae8ff4f2d8bfcedee1c885e9c3e54212471636a6330b05b78c3a7ddf96b013be389a08ab7971db2f68fb2689
+  sample_private_key = <<EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAmm+kxDsyjD0EwfvASYU5IYtnKOQc019tJ9SR73BfCyCD3BrJd9oZ9UuoKwRH
+c/IGZ+lifFQ6uztBtuueQxjKPGj0h7vQ8cnuqaMQG30dGAmDxUQKxBg+eOniVvpofYqsY7IWF6Sw
+KzW/XjB6O3aWGhbNhJPpI1NrNMwrLajUUiDVfvIkOwgbVVuE8doK3g6JbCqpaRG0FDC1nq912/+3
+6qfFs6aG8tR6JOO38aywhE+Eov7cY2YK42a4AM2USAk9ax2WUD67eAe0glfhbD2KfJqMxd1jEWqm
+c72eCXVN4JNYSG50PjTGo2Qu62SyII78lt85FRVyVXp1Y4vQWcIaVQIDAQABAoIBABY+JC37FLGs
+DCZgOvab0HmrWUVDbX9oDBGjhQ1GUvoISdWGqiOv7vMsXWEssZnabt/CdmPPwdG7nCBbWSTyyhXf
+S/DMtTBN1CjsimJbJ7iRjj/4J9DMaRsDHI1IbYo/UcreGF55YsImcJSBSOmNj9rcE+eXYgmrdxJY
+oZNm8IWPaZ1/8KdPHSq6/HfTzRxXhcGOMGnf3lGfzkzIbV9Ee88Lv9sSV3bYrOsWMNabOe2TeTpC
+UTfFkC++0RkFjEDINSCnoCi+ybzHLUDnurANCwnRWLTVEAeffwNVmiDfgimuqFtzCInW5/5bOTPz
+rBmcC6QAFbyk2WKAlY8Zd4SBYqECgYEA1ukmd9Th0qptFPh7X0nuaRbGuSQRU2JU+uSiHoLuuwpA
+YAJHxwHByTiyHKnyW3szDDX97Ve03jqVHoMymoC9vyuhOP4vGQv/zkOWe1+pOxeTZ7zRXLHbf546
+tiysqV3JSJtivAoQtThBuTJFWkNAn5bu2Q3ICryMzlWT6tjwom0CgYEAt/aM1CcEV4jV4xU3X3HT
+pBZ4TsJZd3amDtd8ghKU2b1m6WZYvctDByzuDISdKXvZ+UmRc48aDfMTzrUbCTqTcvEqYZh/QOeg
+PXc5Ed6ycJFqV0liro/08ti/zt7hyIXpw+VCEkcWNqYzCwW3jDp935awE744mgireXHbL2j7JokC
+gYAOHErRTWHyYgw9dz8qd4E21y7/EvYsQmWP/5kBZdlk4HxvkVbDI0NlAdr39NSb2w/z+kuM3Nhc
+Sv5lfXnCGTfcKHIyesX+4AHQujFUMmi7H4YnJoecjXT7ARmbwn0ntae0o7cs34BPVb1C+qEBFy9U
+CyXtjHEY+15HYekPX2UVVQKBgBT8Nwxsdv5VSbDh1rM4lN//ADJb0UDjdAX1ZuqfnANKq9asKitc
+aIUFBxK+ff8hdbgOQF1iUaKNvBC0cCUZXYCbKi5/6uRIh+r7ErOLJ+fXbr4OTQeEvHiHaTn8Ct2J
+CSWjnWngWhRZ2TDEsi947Kr40ZUu+d34ZzcvWcWKwDuhAoGBAJzCRoGOu6YGy+rBPxaIg0vB+Grx
+rxs0NeNqGdrzmyAPN35OHXYclPwfp+DbtbJHgGMRc/9VFPqW9PeTKjIByeEsXyrcdreR35AR/fwR
+AUcSSKTvw+PobCpXhdkiw4TgJhFNuZnoC63FOjNqA5mu1ICZYBb4ZVlgUAgSmDQxSIgK
+-----END RSA PRIVATE KEY-----
+EOF
+  sample_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCab6TEOzKMPQTB+8BJhTkhi2co5BzTX20n1JHvcF8LIIPcGsl32hn1S6grBEdz8gZn6WJ8VDq7O0G2655DGMo8aPSHu9Dxye6poxAbfR0YCYPFRArEGD546eJW+mh9iqxjshYXpLArNb9eMHo7dpYaFs2Ek+kjU2s0zCstqNRSINV+8iQ7CBtVW4Tx2greDolsKqlpEbQUMLWer3Xb/7fqp8Wzpoby1Hok47fxrLCET4Si/txjZgrjZrgAzZRICT1rHZZQPrt4B7SCV+FsPYp8mozF3WMRaqZzvZ4JdU3gk1hIbnQ+NMajZC7rZLIgjvyW3zkVFXJVenVji9BZwhpV"
+  def key_to_format(key, format)
+    keyobj, f = Cheffish::KeyFormatter.decode(key)
+    Cheffish::KeyFormatter.encode(keyobj, {:format => format})
+  end
+  context 'when computing key fingperprints' do
+    it 'computes the PKCS#8 SHA1 private key fingerprint correctly', :pending => (RUBY_VERSION.to_f >= 2.0) do
+      expect(key_to_format(sample_private_key, :pkcs8sha1fingerprint)).to eq(
+        '88:7e:3a:bd:26:9f:b5:c5:d8:ae:52:f9:df:0b:64:a4:5c:17:0a:87')
+    end
+    it 'computes the PKCS#1 MD5 public key fingerprint correctly' do
+      expect(key_to_format(sample_public_key, :pkcs1md5fingerprint)).to eq(
+        '1f:e8:da:c1:16:c3:72:7d:90:e2:b7:64:c4:b4:55:20')
+    end
+    it 'computes the RFC4716 MD5 public key fingerprint correctly' do
+      expect(key_to_format(sample_public_key, :rfc4716md5fingerprint)).to eq(
+        'b0:13:4f:da:cf:8c:dc:a7:4a:1f:d2:3a:51:92:cf:6b')
+    end
+    it 'defaults to the PKCS#1 MD5 public key fingerprint' do
+      expect(key_to_format(sample_public_key, :fingerprint)).to eq(
+        key_to_format(sample_public_key, :pkcs1md5fingerprint))
+    end
+  end
+end

data/spec/functional/merged_config_spec.rb CHANGED

@@ -1,20 +1,20 @@
-require 'cheffish/merged_config'
-describe "merged_config" do
-  let(:config) do
-  	Cheffish::MergedConfig.new({:test=>'val'})
-  end
-  it "returns value in config" do
-    expect(config.test).to eq('val')
-  end
-  it "raises a NoMethodError if calling an unknown method with arguments" do
-    expect{config.merge({:some => 'hash'})}.to raise_error(NoMethodError)
-  end
-  it "has an informative string representation" do
-  	expect("#{config}").to eq("{:test=>\"val\"}")
-  end
+require 'cheffish/merged_config'
+describe "merged_config" do
+  let(:config) do
+  	Cheffish::MergedConfig.new({:test=>'val'})
+  end
+  it "returns value in config" do
+    expect(config.test).to eq('val')
+  end
+  it "raises a NoMethodError if calling an unknown method with arguments" do
+    expect{config.merge({:some => 'hash'})}.to raise_error(NoMethodError)
+  end
+  it "has an informative string representation" do
+  	expect("#{config}").to eq("{:test=>\"val\"}")
+  end
 end

data/spec/functional/server_api_spec.rb CHANGED

@@ -1,13 +1,13 @@
-require 'cheffish'
-describe "api version" do
-  let(:server_api) do
-  	Cheffish.chef_server_api({:chef_server_url => "my.chef.server"})
-  end
-  it "is pinned to 0" do
-    expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", {api_version: "0"})
-    server_api
-  end
-end
+require 'cheffish'
+describe "api version" do
+  let(:server_api) do
+  	Cheffish.chef_server_api({:chef_server_url => "my.chef.server"})
+  end
+  it "is pinned to 0" do
+    expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", {api_version: "0"})
+    server_api
+  end
+end

data/spec/integration/chef_acl_spec.rb CHANGED

@@ -1,879 +1,879 @@
-require 'support/spec_support'
-require 'cheffish/rspec/chef_run_support'
-require 'chef/resource/chef_acl'
-require 'chef/provider/chef_acl'
-require 'chef_zero/version'
-require 'uri'
-if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new('3.1')
-  describe Chef::Resource::ChefAcl do
-    extend Cheffish::RSpec::ChefRunSupport
-    #        let(:chef_config) { super().merge(log_level: :debug, stdout: STDOUT, stderr: STDERR, log_location: STDOUT) }
-    context "Rights attributes" do
-      when_the_chef_server 'has a node named x', :osc_compat => false do
-        node 'x', {}
-        it 'Converging chef_acl "nodes/x" changes nothing' do
-          expect_recipe {
-            chef_acl 'nodes/x'
-          }.to be_up_to_date
-          expect(get('nodes/x/_acl')).to partially_match({})
-        end
-        it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
-          expect_converge {
-            chef_acl 'nodes/x' do
-              complete true
-            end
-          }.to raise_error(RuntimeError)
-        end
-        it 'Removing all :grant rights from a node raises an error' do
-          expect_converge {
-            chef_acl 'nodes/x' do
-              remove_rights :grant, users: %w(pivotal), groups:  %w(admins users clients)
-            end
-          }.to raise_error(RuntimeError)
-        end
-        context 'and a user "blarghle"' do
-          user 'blarghle', {}
-          it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :read, users: %w(blarghle)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-          end
-          it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :grant, users: %w(blarghle)
-                complete true
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to eq(
-              "create"=>{"actors"=>[], "groups"=>[]},
-              "read"  =>{"actors"=>[], "groups"=>[]},
-              "update"=>{"actors"=>[], "groups"=>[]},
-              "delete"=>{"actors"=>[], "groups"=>[]},
-              "grant" =>{"actors"=>["blarghle"], "groups"=>[]}
-            )
-          end
-        end
-        it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
-          expect_recipe {
-            chef_acl 'nodes/x' do
-              rights :all, users: %w(blarghle)
-              complete true
-            end
-          }.to be_updated
-          expect(get('nodes/x/_acl')).to eq(
-            "create"=>{"actors"=>["blarghle"], "groups"=>[]},
-            "read"  =>{"actors"=>["blarghle"], "groups"=>[]},
-            "update"=>{"actors"=>["blarghle"], "groups"=>[]},
-            "delete"=>{"actors"=>["blarghle"], "groups"=>[]},
-            "grant" =>{"actors"=>["blarghle"], "groups"=>[]}
-          )
-        end
-        context 'and a client "blarghle"' do
-          user 'blarghle', {}
-          it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :read, clients: %w(blarghle)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-          end
-        end
-        context 'and a group "blarghle"' do
-          group 'blarghle', {}
-          it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :read, groups: %w(blarghle)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match('read' => { 'groups' => %w(blarghle) })
-          end
-        end
-        context 'and multiple users and groups' do
-          user 'u1', {}
-          user 'u2', {}
-          user 'u3', {}
-          client 'c1', {}
-          client 'c2', {}
-          client 'c3', {}
-          group 'g1', {}
-          group 'g2', {}
-          group 'g3', {}
-          it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :create, users:  [ 'u1', 'u2', 'u3' ], clients:  [ 'c1', 'c2', 'c3' ], groups:  [ 'g1', 'g2', 'g3' ]
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match(
-              'create' => { 'groups' => %w(g1 g2 g3), 'actors' => %w(u1 u2 u3 c1 c2 c3) }
-            )
-          end
-          it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :create, users:  %w(u1), clients: %w(c1), groups: %w(g1)
-                rights :create, users:  %w(u2 u3), clients:  %w(c2 c3), groups: %w(g2)
-                rights :read, users: %w(u1)
-                rights :read, groups: %w(g1)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match(
-              'create' => { 'groups' => %w(g1 g2), 'actors' => %w(u1 u2 u3 c1 c2 c3) },
-              'read' => { 'groups' => %w(g1), 'actors' => %w(u1) }
-            )
-          end
-          it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights [ :create, :read, :update, :delete, :grant ], users:  %w(u1 u2), clients: %w(c1), groups: %w(g1)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match(
-              'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-            )
-          end
-          it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
-            expect_recipe {
-              chef_acl 'nodes/x' do
-                rights :all, users:  %w(u1 u2), clients: %w(c1), groups: %w(g1)
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match(
-              'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-              'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
-            )
-          end
-        end
-        it 'Converging chef_acl "nodes/y" throws a 404' do
-          expect_converge {
-            chef_acl 'nodes/y'
-          }.to raise_error(Net::HTTPServerException)
-        end
-      end
-      when_the_chef_server 'has a node named x with user blarghle in its acl', :osc_compat => false do
-        user 'blarghle', {}
-        node 'x', {} do
-          acl 'read' => { 'actors' => %w(blarghle) }
-        end
-        it 'Converging chef_acl "nodes/x" with that user changes nothing' do
-          expect_recipe {
-            chef_acl 'nodes/x' do
-              rights :read, users: %w(blarghle)
-            end
-          }.to be_up_to_date
-          expect(get('nodes/x/_acl')).to partially_match({})
-        end
-      end
-      when_the_chef_server 'has a node named x with users foo and bar in all its acls', :osc_compat => false do
-        user 'foo', {}
-        user 'bar', {}
-        node 'x', {} do
-          acl 'create' => { 'actors' => %w(foo bar) },
-              'read' => { 'actors' => %w(foo bar) },
-              'update' => { 'actors' => %w(foo bar) },
-              'delete' => { 'actors' => %w(foo bar) },
-              'grant' => { 'actors' => %w(foo bar) }
-        end
-        it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
-          expect_recipe {
-            chef_acl 'nodes/x' do
-              remove_rights :all, users: %w(foo)
-            end
-          }.to be_updated
-          expect(get('nodes/x/_acl')).to partially_match(
-                           'create' => { 'actors' => exclude('foo') },
-                           'read'   => { 'actors' => exclude('foo') },
-                           'update' => { 'actors' => exclude('foo') },
-                           'delete' => { 'actors' => exclude('foo') },
-                           'grant'  => { 'actors' => exclude('foo') },
-          )
-        end
-      end
-      ::RSpec::Matchers.define_negated_matcher :exclude, :include
-      context 'recursive' do
-        when_the_chef_server 'has a nodes container with user blarghle in its acl', :osc_compat => false do
-          user 'blarghle', {}
-          acl_for 'containers/nodes', 'read' => { 'actors' => %w(blarghle) }
-          node 'x', {} do
-            acl 'read' => { 'actors' => [] }
-          end
-          it 'Converging chef_acl "nodes" makes no changes' do
-            expect {
-              expect_recipe {
-                chef_acl 'nodes' do
-                  rights :read, users: %w(blarghle)
-                end
-                }.to be_up_to_date
-              }.to not_change { get('containers/nodes/_acl') }.
-               and not_change { get('nodes/x/_acl') }
-          end
-          RSpec::Matchers.define_negated_matcher :not_change, :change
-          it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
-            expect {
-              expect_recipe {
-                chef_acl 'nodes' do
-                  rights :read, users: %w(blarghle)
-                  recursive :on_change
-                end
-                }.to be_up_to_date
-              }.to not_change { get('containers/nodes/_acl') }.
-               and not_change { get('nodes/x/_acl') }
-          end
-          it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
-            expect_recipe {
-              chef_acl 'nodes' do
-                rights :read, users: %w(blarghle)
-                recursive true
-              end
-            }.to be_updated
-            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-          end
-          it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
-            expect_recipe {
-              chef_acl '' do
-                rights :read, users: %w(blarghle)
-                recursive false
-              end
-            }.to be_updated
-            expect(get('containers/nodes/_acl')).to partially_match({})
-            expect(get('nodes/x/_acl')).to partially_match({})
-          end
-          it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
-            expect_recipe {
-              chef_acl '' do
-                rights :read, users: %w(blarghle)
-                recursive :on_change
-              end
-            }.to be_updated
-            expect(get('containers/nodes/_acl')).to partially_match({})
-            expect(get('nodes/x/_acl')).to partially_match({})
-          end
-          it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
-            expect_recipe {
-              chef_acl '' do
-                rights :read, users: %w(blarghle)
-                recursive true
-              end
-            }.to be_updated
-            expect(get('/organizations/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-          end
-        end
-      end
-    end
-    context 'ACLs on each type of thing' do
-      when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
-        organization 'foo' do
-          user 'u', {}
-          client 'x', {}
-          container 'x', {}
-          cookbook 'x', '1.0.0', {}
-          data_bag 'x', { 'y' => {} }
-          environment 'x', {}
-          group 'x', {}
-          node 'x', {}
-          role 'x', {}
-          sandbox 'x', {}
-          user 'x', {}
-        end
-        organization 'bar' do
-          user 'u', {}
-          node 'x', {}
-        end
-        context 'and the chef server URL points at /organizations/foo' do
-          before :each do
-            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
-          end
-          context 'relative paths' do
-            it "chef_acl 'nodes/x' changes the acls" do
-              expect_recipe {
-                chef_acl "nodes/x" do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it "chef_acl '*/*' changes the acls" do
-              expect_recipe {
-                chef_acl "*/*" do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
-                                 'read' => { 'actors' => %w(u) })
-              end
-            end
-          end
-          context 'absolute paths' do
-            %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-              it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
-                expect_recipe {
-                  chef_acl "/organizations/foo/#{type}/x" do
-                    rights :read, users: %w(u)
-                  end
-                }.to be_updated
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-              end
-            end
-            %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-              it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
-                expect_recipe {
-                  chef_acl "/organizations/foo/#{type}/x" do
-                    rights :read, users: %w(u)
-                  end
-                }.to be_updated
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-              end
-            end
-            %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-              it "chef_acl '/*/*/#{type}/*' changes the acl" do
-                expect_recipe {
-                  chef_acl "/*/*/#{type}/*" do
-                    rights :read, users: %w(u)
-                  end
-                }.to be_updated
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-              end
-            end
-            it "chef_acl '/*/*/*/x' changes the acls" do
-              expect_recipe {
-                chef_acl "/*/*/*/x" do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
-                                 'read' => { 'actors' => %w(u) })
-              end
-            end
-            it "chef_acl '/*/*/*/*' changes the acls" do
-              expect_recipe {
-                chef_acl "/*/*/*/*" do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
-                                 'read' => { 'actors' => %w(u) })
-              end
-            end
-            it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
-              expect_recipe {
-                chef_acl '/organizations/foo/data_bags/x' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/organizations/foo/data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/*/*/data_bags/*" changes the acl' do
-              expect_recipe {
-                chef_acl '/*/*/data_bags/*' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/organizations/foo/data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
-              expect_converge {
-                chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
-                  rights :read, users: %w(u)
-                end
-              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
-            end
-            it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
-              pending
-              expect_converge {
-                chef_acl "/organizations/foo/cookbooks/*/*" do
-                  rights :read, users: %w(u)
-                end
-              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
-            end
-            it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
-              expect_converge {
-                chef_acl '/organizations/foo/data/x/y' do
-                  rights :read, users: %w(u)
-                end
-              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
-            end
-            it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
-              pending
-              expect_converge {
-                chef_acl '/organizations/foo/data/*/*' do
-                  rights :read, users: %w(u)
-                end
-              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
-            end
-            it 'chef_acl "/organizations/foo" changes the acl' do
-              expect_recipe {
-                chef_acl '/organizations/foo' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-              expect(get('/organizations/foo/nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/organizations/*" changes the acl' do
-              expect_recipe {
-                chef_acl '/organizations/*' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-              expect(get('/organizations/foo/nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/users/x" changes the acl' do
-              expect_recipe {
-                chef_acl '/users/x' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/users/*" changes the acl' do
-              expect_recipe {
-                chef_acl '/users/*' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/*/x" changes the acl' do
-              expect_recipe {
-                chef_acl '/*/x' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-            it 'chef_acl "/*/*" changes the acl' do
-              expect_recipe {
-                chef_acl '/*/*' do
-                  rights :read, users: %w(u)
-                end
-              }.to be_updated
-              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-            end
-          end
-        end
-        context 'and the chef server URL points at /organizations/bar' do
-          before :each do
-            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/organizations/bar').to_s
-          end
-          it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
-            expect_recipe {
-              chef_acl "/organizations/foo/nodes/*" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("/organizations/foo/nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        context 'and the chef server URL points at /' do
-          before :each do
-            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/').to_s
-          end
-          it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
-            expect_recipe {
-              chef_acl "/organizations/foo/nodes/*" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("/organizations/foo/nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-      end
-      when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
-        user 'u', {}
-        client 'x', {}
-        container 'x', {}
-        cookbook 'x', '1.0.0', {}
-        data_bag 'x', { 'y' => {} }
-        environment 'x', {}
-        group 'x', {}
-        node 'x', {}
-        role 'x', {}
-        sandbox 'x', {}
-        user 'x', {}
-        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-          it "chef_acl #{type}/x' changes the acl" do
-            expect_recipe {
-              chef_acl "#{type}/x" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-          it "chef_acl '#{type}/*' changes the acl" do
-            expect_recipe {
-              chef_acl "#{type}/*" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        it "chef_acl '*/x' changes the acls" do
-          expect_recipe {
-            chef_acl "*/x" do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-            expect(get("#{type}/x/_acl")).to partially_match(
-                             'read' => { 'actors' => %w(u) })
-          end
-        end
-        it "chef_acl '*/*' changes the acls" do
-          expect_recipe {
-            chef_acl "*/*" do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-            expect(get("#{type}/x/_acl")).to partially_match(
-                             'read' => { 'actors' => %w(u) })
-          end
-        end
-        it "chef_acl 'groups/*' changes the acl" do
-          expect_recipe {
-            chef_acl "groups/*" do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          %w(admins billing-admins clients users x).each do |n|
-            expect(get("groups/#{n}/_acl")).to partially_match(
-                             'read' => { 'actors' => %w(u) })
-          end
-        end
-        it 'chef_acl "data_bags/x" changes the acl' do
-          expect_recipe {
-            chef_acl 'data_bags/x' do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get('data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-        end
-        it 'chef_acl "data_bags/*" changes the acl' do
-          expect_recipe {
-            chef_acl 'data_bags/*' do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get('data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-        end
-        it 'chef_acl "" changes the organization acl' do
-          expect_recipe {
-            chef_acl '' do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get('/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-          expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-        end
-      end
-    end
-    context 'ACLs on each container type' do
-      when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
-        organization 'foo' do
-          user 'u', {}
-          client 'x', {}
-          container 'x', {}
-          cookbook 'x', '1.0.0', {}
-          data_bag 'x', { 'y' => {} }
-          environment 'x', {}
-          group 'x', {}
-          node 'x', {}
-          role 'x', {}
-          sandbox 'x', {}
-          user 'x', {}
-        end
-        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-          it "chef_acl '/organizations/foo/#{type}' changes the acl" do
-            expect_recipe {
-              chef_acl "/organizations/foo/#{type}" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        %w(clients containers cookbooks data environments groups nodes roles).each do |type|
-          it "chef_acl '/*/*/#{type}' changes the acl" do
-            expect_recipe {
-              chef_acl "/*/*/#{type}" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        it "chef_acl '/*/*/*' changes the acls" do
-          expect_recipe {
-            chef_acl "/*/*/*" do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
-                             'read' => { 'actors' => %w(u) })
-          end
-        end
-        it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
-          expect_recipe {
-            chef_acl '/organizations/foo/data_bags' do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get('/organizations/foo/containers/data/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-        end
-        it 'chef_acl "/*/*/data_bags" changes the acl' do
-          expect_recipe {
-            chef_acl '/*/*/data_bags' do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get('/organizations/foo/containers/data/_acl')).to partially_match('read' => { 'actors' => %w(u) })
-        end
-      end
-      when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
-        user 'u', {}
-        client 'x', {}
-        container 'x', {}
-        cookbook 'x', '1.0.0', {}
-        data_bag 'x', { 'y' => {} }
-        environment 'x', {}
-        group 'x', {}
-        node 'x', {}
-        role 'x', {}
-        sandbox 'x', {}
-        user 'x', {}
-        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-          it "chef_acl #{type}' changes the acl" do
-            expect_recipe {
-              chef_acl "#{type}" do
-                rights :read, users: %w(u)
-              end
-            }.to be_updated
-            expect(get("containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
-          end
-        end
-        it "chef_acl '*' changes the acls" do
-          expect_recipe {
-            chef_acl "*" do
-              rights :read, users: %w(u)
-            end
-          }.to be_updated
-          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
-            expect(get("containers/#{type}/_acl")).to partially_match(
-                             'read' => { 'actors' => %w(u) })
-          end
-        end
-      end
-    end
-    context 'remove_rights' do
-      when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
-        user 'u', {}
-        user 'u2', {}
-        client 'c', {}
-        client 'c2', {}
-        group 'g', {}
-        group 'g2', {}
-        node 'x', {} do
-          acl 'create' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
-              'read'   => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
-              'update' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] }
-        end
-        it 'chef_acl with remove_rights "u" removes the user\'s rights' do
-          expect_recipe {
-            chef_acl "nodes/x" do
-              remove_rights :read, users: %w(u)
-            end
-          }.to be_updated
-          expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => exclude('u') })
-        end
-        it 'chef_acl with remove_rights "c" removes the client\'s rights' do
-          expect_recipe {
-            chef_acl "nodes/x" do
-              remove_rights :read, clients: %w(c)
-            end
-          }.to be_updated
-          expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => exclude('c') })
-        end
-        it 'chef_acl with remove_rights "g" removes the group\'s rights' do
-          expect_recipe {
-            chef_acl "nodes/x" do
-              remove_rights :read, groups: %w(g)
-            end
-          }.to be_updated
-          expect(get("nodes/x/_acl")).to partially_match(
-            'read' => { 'groups' => exclude('g') }
-          )
-        end
-        it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
-          expect_recipe {
-            chef_acl "nodes/x" do
-              remove_rights [ :create, :read ], users: %w(u), clients: %w(c), groups: %w(g)
-            end
-          }.to be_updated
-          expect(get("nodes/x/_acl")).to partially_match(
-            'create' => { 'actors' => exclude('u').and(exclude('c')), 'groups' => exclude('g') },
-            'read'   => { 'actors' => exclude('u').and(exclude('c')), 'groups' => exclude('g') }
-          )
-        end
-        it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
-          expect {
-            expect_recipe {
-              chef_acl "nodes/x" do
-                remove_rights :read, users: %w(u2), clients: %w(c2), groups: %w(g2)
-              end
-            }.to be_up_to_date
-          }.not_to change { get("nodes/x/_acl") }
-        end
-      end
-    end
-    when_the_chef_server 'has a node named data_bags', :osc_compat => false do
-      user 'blarghle', {}
-      node 'data_bags', {}
-      it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
-        expect_recipe {
-          chef_acl 'nodes/data_bags' do
-            rights :read, users: %w(blarghle)
-          end
-        }.to be_updated
-        expect(get('nodes/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-      end
-    end
-    when_the_chef_server 'has a node named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
-      user 'blarghle', {}
-      organization 'foo' do
-        node 'data_bags', {}
-      end
-      it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
-        expect_recipe {
-          chef_acl '/organizations/foo/nodes/data_bags' do
-            rights :read, users: %w(blarghle)
-          end
-        }.to be_updated
-        expect(get('/organizations/foo/nodes/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-      end
-    end
-    when_the_chef_server 'has a user named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
-      user 'data_bags', {}
-      user 'blarghle', {}
-      it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
-        expect_recipe {
-          chef_acl '/users/data_bags' do
-            rights :read, users: %w(blarghle)
-          end
-        }.to be_updated
-        expect(get('/users/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
-      end
-    end
-  end
-end
+require 'support/spec_support'
+require 'cheffish/rspec/chef_run_support'
+require 'chef/resource/chef_acl'
+require 'chef/provider/chef_acl'
+require 'chef_zero/version'
+require 'uri'
+if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new('3.1')
+  describe Chef::Resource::ChefAcl do
+    extend Cheffish::RSpec::ChefRunSupport
+    #        let(:chef_config) { super().merge(log_level: :debug, stdout: STDOUT, stderr: STDERR, log_location: STDOUT) }
+    context "Rights attributes" do
+      when_the_chef_server 'has a node named x', :osc_compat => false do
+        node 'x', {}
+        it 'Converging chef_acl "nodes/x" changes nothing' do
+          expect_recipe {
+            chef_acl 'nodes/x'
+          }.to be_up_to_date
+          expect(get('nodes/x/_acl')).to partially_match({})
+        end
+        it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
+          expect_converge {
+            chef_acl 'nodes/x' do
+              complete true
+            end
+          }.to raise_error(RuntimeError)
+        end
+        it 'Removing all :grant rights from a node raises an error' do
+          expect_converge {
+            chef_acl 'nodes/x' do
+              remove_rights :grant, users: %w(pivotal), groups:  %w(admins users clients)
+            end
+          }.to raise_error(RuntimeError)
+        end
+        context 'and a user "blarghle"' do
+          user 'blarghle', {}
+          it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :read, users: %w(blarghle)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+          end
+          it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :grant, users: %w(blarghle)
+                complete true
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to eq(
+              "create"=>{"actors"=>[], "groups"=>[]},
+              "read"  =>{"actors"=>[], "groups"=>[]},
+              "update"=>{"actors"=>[], "groups"=>[]},
+              "delete"=>{"actors"=>[], "groups"=>[]},
+              "grant" =>{"actors"=>["blarghle"], "groups"=>[]}
+            )
+          end
+        end
+        it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
+          expect_recipe {
+            chef_acl 'nodes/x' do
+              rights :all, users: %w(blarghle)
+              complete true
+            end
+          }.to be_updated
+          expect(get('nodes/x/_acl')).to eq(
+            "create"=>{"actors"=>["blarghle"], "groups"=>[]},
+            "read"  =>{"actors"=>["blarghle"], "groups"=>[]},
+            "update"=>{"actors"=>["blarghle"], "groups"=>[]},
+            "delete"=>{"actors"=>["blarghle"], "groups"=>[]},
+            "grant" =>{"actors"=>["blarghle"], "groups"=>[]}
+          )
+        end
+        context 'and a client "blarghle"' do
+          user 'blarghle', {}
+          it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :read, clients: %w(blarghle)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+          end
+        end
+        context 'and a group "blarghle"' do
+          group 'blarghle', {}
+          it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :read, groups: %w(blarghle)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match('read' => { 'groups' => %w(blarghle) })
+          end
+        end
+        context 'and multiple users and groups' do
+          user 'u1', {}
+          user 'u2', {}
+          user 'u3', {}
+          client 'c1', {}
+          client 'c2', {}
+          client 'c3', {}
+          group 'g1', {}
+          group 'g2', {}
+          group 'g3', {}
+          it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :create, users:  [ 'u1', 'u2', 'u3' ], clients:  [ 'c1', 'c2', 'c3' ], groups:  [ 'g1', 'g2', 'g3' ]
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match(
+              'create' => { 'groups' => %w(g1 g2 g3), 'actors' => %w(u1 u2 u3 c1 c2 c3) }
+            )
+          end
+          it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :create, users:  %w(u1), clients: %w(c1), groups: %w(g1)
+                rights :create, users:  %w(u2 u3), clients:  %w(c2 c3), groups: %w(g2)
+                rights :read, users: %w(u1)
+                rights :read, groups: %w(g1)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match(
+              'create' => { 'groups' => %w(g1 g2), 'actors' => %w(u1 u2 u3 c1 c2 c3) },
+              'read' => { 'groups' => %w(g1), 'actors' => %w(u1) }
+            )
+          end
+          it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights [ :create, :read, :update, :delete, :grant ], users:  %w(u1 u2), clients: %w(c1), groups: %w(g1)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match(
+              'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+            )
+          end
+          it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
+            expect_recipe {
+              chef_acl 'nodes/x' do
+                rights :all, users:  %w(u1 u2), clients: %w(c1), groups: %w(g1)
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match(
+              'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+              'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+            )
+          end
+        end
+        it 'Converging chef_acl "nodes/y" throws a 404' do
+          expect_converge {
+            chef_acl 'nodes/y'
+          }.to raise_error(Net::HTTPServerException)
+        end
+      end
+      when_the_chef_server 'has a node named x with user blarghle in its acl', :osc_compat => false do
+        user 'blarghle', {}
+        node 'x', {} do
+          acl 'read' => { 'actors' => %w(blarghle) }
+        end
+        it 'Converging chef_acl "nodes/x" with that user changes nothing' do
+          expect_recipe {
+            chef_acl 'nodes/x' do
+              rights :read, users: %w(blarghle)
+            end
+          }.to be_up_to_date
+          expect(get('nodes/x/_acl')).to partially_match({})
+        end
+      end
+      when_the_chef_server 'has a node named x with users foo and bar in all its acls', :osc_compat => false do
+        user 'foo', {}
+        user 'bar', {}
+        node 'x', {} do
+          acl 'create' => { 'actors' => %w(foo bar) },
+              'read' => { 'actors' => %w(foo bar) },
+              'update' => { 'actors' => %w(foo bar) },
+              'delete' => { 'actors' => %w(foo bar) },
+              'grant' => { 'actors' => %w(foo bar) }
+        end
+        it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
+          expect_recipe {
+            chef_acl 'nodes/x' do
+              remove_rights :all, users: %w(foo)
+            end
+          }.to be_updated
+          expect(get('nodes/x/_acl')).to partially_match(
+                           'create' => { 'actors' => exclude('foo') },
+                           'read'   => { 'actors' => exclude('foo') },
+                           'update' => { 'actors' => exclude('foo') },
+                           'delete' => { 'actors' => exclude('foo') },
+                           'grant'  => { 'actors' => exclude('foo') },
+          )
+        end
+      end
+      ::RSpec::Matchers.define_negated_matcher :exclude, :include
+      context 'recursive' do
+        when_the_chef_server 'has a nodes container with user blarghle in its acl', :osc_compat => false do
+          user 'blarghle', {}
+          acl_for 'containers/nodes', 'read' => { 'actors' => %w(blarghle) }
+          node 'x', {} do
+            acl 'read' => { 'actors' => [] }
+          end
+          it 'Converging chef_acl "nodes" makes no changes' do
+            expect {
+              expect_recipe {
+                chef_acl 'nodes' do
+                  rights :read, users: %w(blarghle)
+                end
+                }.to be_up_to_date
+              }.to not_change { get('containers/nodes/_acl') }.
+               and not_change { get('nodes/x/_acl') }
+          end
+          RSpec::Matchers.define_negated_matcher :not_change, :change
+          it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
+            expect {
+              expect_recipe {
+                chef_acl 'nodes' do
+                  rights :read, users: %w(blarghle)
+                  recursive :on_change
+                end
+                }.to be_up_to_date
+              }.to not_change { get('containers/nodes/_acl') }.
+               and not_change { get('nodes/x/_acl') }
+          end
+          it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
+            expect_recipe {
+              chef_acl 'nodes' do
+                rights :read, users: %w(blarghle)
+                recursive true
+              end
+            }.to be_updated
+            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+          end
+          it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
+            expect_recipe {
+              chef_acl '' do
+                rights :read, users: %w(blarghle)
+                recursive false
+              end
+            }.to be_updated
+            expect(get('containers/nodes/_acl')).to partially_match({})
+            expect(get('nodes/x/_acl')).to partially_match({})
+          end
+          it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
+            expect_recipe {
+              chef_acl '' do
+                rights :read, users: %w(blarghle)
+                recursive :on_change
+              end
+            }.to be_updated
+            expect(get('containers/nodes/_acl')).to partially_match({})
+            expect(get('nodes/x/_acl')).to partially_match({})
+          end
+          it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
+            expect_recipe {
+              chef_acl '' do
+                rights :read, users: %w(blarghle)
+                recursive true
+              end
+            }.to be_updated
+            expect(get('/organizations/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+            expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+          end
+        end
+      end
+    end
+    context 'ACLs on each type of thing' do
+      when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
+        organization 'foo' do
+          user 'u', {}
+          client 'x', {}
+          container 'x', {}
+          cookbook 'x', '1.0.0', {}
+          data_bag 'x', { 'y' => {} }
+          environment 'x', {}
+          group 'x', {}
+          node 'x', {}
+          role 'x', {}
+          sandbox 'x', {}
+          user 'x', {}
+        end
+        organization 'bar' do
+          user 'u', {}
+          node 'x', {}
+        end
+        context 'and the chef server URL points at /organizations/foo' do
+          before :each do
+            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
+          end
+          context 'relative paths' do
+            it "chef_acl 'nodes/x' changes the acls" do
+              expect_recipe {
+                chef_acl "nodes/x" do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it "chef_acl '*/*' changes the acls" do
+              expect_recipe {
+                chef_acl "*/*" do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
+                                 'read' => { 'actors' => %w(u) })
+              end
+            end
+          end
+          context 'absolute paths' do
+            %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+              it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
+                expect_recipe {
+                  chef_acl "/organizations/foo/#{type}/x" do
+                    rights :read, users: %w(u)
+                  end
+                }.to be_updated
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+              end
+            end
+            %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+              it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
+                expect_recipe {
+                  chef_acl "/organizations/foo/#{type}/x" do
+                    rights :read, users: %w(u)
+                  end
+                }.to be_updated
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+              end
+            end
+            %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+              it "chef_acl '/*/*/#{type}/*' changes the acl" do
+                expect_recipe {
+                  chef_acl "/*/*/#{type}/*" do
+                    rights :read, users: %w(u)
+                  end
+                }.to be_updated
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+              end
+            end
+            it "chef_acl '/*/*/*/x' changes the acls" do
+              expect_recipe {
+                chef_acl "/*/*/*/x" do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
+                                 'read' => { 'actors' => %w(u) })
+              end
+            end
+            it "chef_acl '/*/*/*/*' changes the acls" do
+              expect_recipe {
+                chef_acl "/*/*/*/*" do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+                expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
+                                 'read' => { 'actors' => %w(u) })
+              end
+            end
+            it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
+              expect_recipe {
+                chef_acl '/organizations/foo/data_bags/x' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/organizations/foo/data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/*/*/data_bags/*" changes the acl' do
+              expect_recipe {
+                chef_acl '/*/*/data_bags/*' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/organizations/foo/data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
+              expect_converge {
+                chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
+                  rights :read, users: %w(u)
+                end
+              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
+            end
+            it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
+              pending
+              expect_converge {
+                chef_acl "/organizations/foo/cookbooks/*/*" do
+                  rights :read, users: %w(u)
+                end
+              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
+            end
+            it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
+              expect_converge {
+                chef_acl '/organizations/foo/data/x/y' do
+                  rights :read, users: %w(u)
+                end
+              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
+            end
+            it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
+              pending
+              expect_converge {
+                chef_acl '/organizations/foo/data/*/*' do
+                  rights :read, users: %w(u)
+                end
+              }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
+            end
+            it 'chef_acl "/organizations/foo" changes the acl' do
+              expect_recipe {
+                chef_acl '/organizations/foo' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+              expect(get('/organizations/foo/nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/organizations/*" changes the acl' do
+              expect_recipe {
+                chef_acl '/organizations/*' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+              expect(get('/organizations/foo/nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/users/x" changes the acl' do
+              expect_recipe {
+                chef_acl '/users/x' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/users/*" changes the acl' do
+              expect_recipe {
+                chef_acl '/users/*' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/*/x" changes the acl' do
+              expect_recipe {
+                chef_acl '/*/x' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+            it 'chef_acl "/*/*" changes the acl' do
+              expect_recipe {
+                chef_acl '/*/*' do
+                  rights :read, users: %w(u)
+                end
+              }.to be_updated
+              expect(get('/organizations/foo/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+              expect(get('/users/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+            end
+          end
+        end
+        context 'and the chef server URL points at /organizations/bar' do
+          before :each do
+            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/organizations/bar').to_s
+          end
+          it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
+            expect_recipe {
+              chef_acl "/organizations/foo/nodes/*" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("/organizations/foo/nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        context 'and the chef server URL points at /' do
+          before :each do
+            Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/').to_s
+          end
+          it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
+            expect_recipe {
+              chef_acl "/organizations/foo/nodes/*" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("/organizations/foo/nodes/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+      end
+      when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
+        user 'u', {}
+        client 'x', {}
+        container 'x', {}
+        cookbook 'x', '1.0.0', {}
+        data_bag 'x', { 'y' => {} }
+        environment 'x', {}
+        group 'x', {}
+        node 'x', {}
+        role 'x', {}
+        sandbox 'x', {}
+        user 'x', {}
+        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+          it "chef_acl #{type}/x' changes the acl" do
+            expect_recipe {
+              chef_acl "#{type}/x" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+          it "chef_acl '#{type}/*' changes the acl" do
+            expect_recipe {
+              chef_acl "#{type}/*" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("#{type}/x/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        it "chef_acl '*/x' changes the acls" do
+          expect_recipe {
+            chef_acl "*/x" do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+            expect(get("#{type}/x/_acl")).to partially_match(
+                             'read' => { 'actors' => %w(u) })
+          end
+        end
+        it "chef_acl '*/*' changes the acls" do
+          expect_recipe {
+            chef_acl "*/*" do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+            expect(get("#{type}/x/_acl")).to partially_match(
+                             'read' => { 'actors' => %w(u) })
+          end
+        end
+        it "chef_acl 'groups/*' changes the acl" do
+          expect_recipe {
+            chef_acl "groups/*" do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          %w(admins billing-admins clients users x).each do |n|
+            expect(get("groups/#{n}/_acl")).to partially_match(
+                             'read' => { 'actors' => %w(u) })
+          end
+        end
+        it 'chef_acl "data_bags/x" changes the acl' do
+          expect_recipe {
+            chef_acl 'data_bags/x' do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get('data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+        end
+        it 'chef_acl "data_bags/*" changes the acl' do
+          expect_recipe {
+            chef_acl 'data_bags/*' do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get('data/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+        end
+        it 'chef_acl "" changes the organization acl' do
+          expect_recipe {
+            chef_acl '' do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get('/organizations/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+          expect(get('nodes/x/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+        end
+      end
+    end
+    context 'ACLs on each container type' do
+      when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
+        organization 'foo' do
+          user 'u', {}
+          client 'x', {}
+          container 'x', {}
+          cookbook 'x', '1.0.0', {}
+          data_bag 'x', { 'y' => {} }
+          environment 'x', {}
+          group 'x', {}
+          node 'x', {}
+          role 'x', {}
+          sandbox 'x', {}
+          user 'x', {}
+        end
+        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+          it "chef_acl '/organizations/foo/#{type}' changes the acl" do
+            expect_recipe {
+              chef_acl "/organizations/foo/#{type}" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        %w(clients containers cookbooks data environments groups nodes roles).each do |type|
+          it "chef_acl '/*/*/#{type}' changes the acl" do
+            expect_recipe {
+              chef_acl "/*/*/#{type}" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        it "chef_acl '/*/*/*' changes the acls" do
+          expect_recipe {
+            chef_acl "/*/*/*" do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+            expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
+                             'read' => { 'actors' => %w(u) })
+          end
+        end
+        it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
+          expect_recipe {
+            chef_acl '/organizations/foo/data_bags' do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get('/organizations/foo/containers/data/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+        end
+        it 'chef_acl "/*/*/data_bags" changes the acl' do
+          expect_recipe {
+            chef_acl '/*/*/data_bags' do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get('/organizations/foo/containers/data/_acl')).to partially_match('read' => { 'actors' => %w(u) })
+        end
+      end
+      when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
+        user 'u', {}
+        client 'x', {}
+        container 'x', {}
+        cookbook 'x', '1.0.0', {}
+        data_bag 'x', { 'y' => {} }
+        environment 'x', {}
+        group 'x', {}
+        node 'x', {}
+        role 'x', {}
+        sandbox 'x', {}
+        user 'x', {}
+        %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+          it "chef_acl #{type}' changes the acl" do
+            expect_recipe {
+              chef_acl "#{type}" do
+                rights :read, users: %w(u)
+              end
+            }.to be_updated
+            expect(get("containers/#{type}/_acl")).to partially_match('read' => { 'actors' => %w(u) })
+          end
+        end
+        it "chef_acl '*' changes the acls" do
+          expect_recipe {
+            chef_acl "*" do
+              rights :read, users: %w(u)
+            end
+          }.to be_updated
+          %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+            expect(get("containers/#{type}/_acl")).to partially_match(
+                             'read' => { 'actors' => %w(u) })
+          end
+        end
+      end
+    end
+    context 'remove_rights' do
+      when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
+        user 'u', {}
+        user 'u2', {}
+        client 'c', {}
+        client 'c2', {}
+        group 'g', {}
+        group 'g2', {}
+        node 'x', {} do
+          acl 'create' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
+              'read'   => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
+              'update' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] }
+        end
+        it 'chef_acl with remove_rights "u" removes the user\'s rights' do
+          expect_recipe {
+            chef_acl "nodes/x" do
+              remove_rights :read, users: %w(u)
+            end
+          }.to be_updated
+          expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => exclude('u') })
+        end
+        it 'chef_acl with remove_rights "c" removes the client\'s rights' do
+          expect_recipe {
+            chef_acl "nodes/x" do
+              remove_rights :read, clients: %w(c)
+            end
+          }.to be_updated
+          expect(get("nodes/x/_acl")).to partially_match('read' => { 'actors' => exclude('c') })
+        end
+        it 'chef_acl with remove_rights "g" removes the group\'s rights' do
+          expect_recipe {
+            chef_acl "nodes/x" do
+              remove_rights :read, groups: %w(g)
+            end
+          }.to be_updated
+          expect(get("nodes/x/_acl")).to partially_match(
+            'read' => { 'groups' => exclude('g') }
+          )
+        end
+        it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
+          expect_recipe {
+            chef_acl "nodes/x" do
+              remove_rights [ :create, :read ], users: %w(u), clients: %w(c), groups: %w(g)
+            end
+          }.to be_updated
+          expect(get("nodes/x/_acl")).to partially_match(
+            'create' => { 'actors' => exclude('u').and(exclude('c')), 'groups' => exclude('g') },
+            'read'   => { 'actors' => exclude('u').and(exclude('c')), 'groups' => exclude('g') }
+          )
+        end
+        it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
+          expect {
+            expect_recipe {
+              chef_acl "nodes/x" do
+                remove_rights :read, users: %w(u2), clients: %w(c2), groups: %w(g2)
+              end
+            }.to be_up_to_date
+          }.not_to change { get("nodes/x/_acl") }
+        end
+      end
+    end
+    when_the_chef_server 'has a node named data_bags', :osc_compat => false do
+      user 'blarghle', {}
+      node 'data_bags', {}
+      it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
+        expect_recipe {
+          chef_acl 'nodes/data_bags' do
+            rights :read, users: %w(blarghle)
+          end
+        }.to be_updated
+        expect(get('nodes/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+      end
+    end
+    when_the_chef_server 'has a node named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
+      user 'blarghle', {}
+      organization 'foo' do
+        node 'data_bags', {}
+      end
+      it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
+        expect_recipe {
+          chef_acl '/organizations/foo/nodes/data_bags' do
+            rights :read, users: %w(blarghle)
+          end
+        }.to be_updated
+        expect(get('/organizations/foo/nodes/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+      end
+    end
+    when_the_chef_server 'has a user named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
+      user 'data_bags', {}
+      user 'blarghle', {}
+      it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
+        expect_recipe {
+          chef_acl '/users/data_bags' do
+            rights :read, users: %w(blarghle)
+          end
+        }.to be_updated
+        expect(get('/users/data_bags/_acl')).to partially_match('read' => { 'actors' => %w(blarghle) })
+      end
+    end
+  end
+end