clc-cheffish 0.8.clc

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 579bebaf5cce935439331e89b3ce39236e012bbf
+  data.tar.gz: ce355bc6e80774b6a17a44640a832fb4f5b82bb7
+SHA512:
+  metadata.gz: 573774848e4ed345c30677ffc381824853053857bc024a02372148aaffc5d9026c1238cb4a43c2edd07846d787717e6f6a43f81c1589ff265b664a1a2929e87c
+  data.tar.gz: 00f427b83499d5b73c374e4468a95340be2b8e4fad6d61e4edd2135c4ce86fcfa6f28e77849f280a69bbe60eda417839699ac28edcc3db705fcafe51e887813c

data/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,4 @@
+Cheffish
+========
+
+This library lets you manipulate Chef in Chef.

data/Rakefile

@@ -0,0 +1,23 @@
+require 'bundler'
+require 'rubygems'
+require 'rubygems/package_task'
+require 'rdoc/task'
+require 'rspec/core/rake_task'
+
+Bundler::GemHelper.install_tasks
+
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+end
+
+gem_spec = eval(File.read("cheffish.gemspec"))
+
+RDoc::Task.new do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "cheffish #{gem_spec.version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/lib/chef/provider/chef_acl.rb

@@ -0,0 +1,434 @@
+require 'cheffish/chef_provider_base'
+require 'chef/resource/chef_acl'
+require 'chef/chef_fs/data_handler/acl_data_handler'
+require 'chef/chef_fs/parallelizer'
+require 'uri'
+
+class Chef::Provider::ChefAcl < Cheffish::ChefProviderBase
+
+  def whyrun_supported?
+    true
+  end
+
+  action :create do
+    if new_resource.remove_rights && new_resource.complete
+      Chef::Log.warn("'remove_rights' is redundant when 'complete' is specified: all rights not specified in a 'rights' declaration will be removed.")
+    end
+    # Verify that we're not destroying all hope of ACL recovery here
+    if new_resource.complete && (!new_resource.rights || !new_resource.rights.any? { |r| r[:permissions].include?(:all) || r[:permissions].include?(:grant) })
+      # NOTE: if superusers exist, this should turn into a warning.
+      raise "'complete' specified on chef_acl resource, but no GRANT permissions were granted.  I'm sorry Dave, I can't let you remove all access to an object with no hope of recovery."
+    end
+
+    # Find all matching paths so we can update them (resolve * and **)
+    paths = match_paths(new_resource.path)
+    if paths.size == 0 && !new_resource.path.split('/').any? { |p| p == '*' }
+      raise "Path #{new_resource.path} cannot have an ACL set on it!"
+    end
+
+    # Go through the matches and update the ACLs for them
+    paths.each do |path|
+      create_acl(path)
+    end
+  end
+
+  # Update the ACL if necessary.
+  def create_acl(path)
+    changed = false
+    # There may not be an ACL path for some valid paths (/ and /organizations,
+    # for example).  We want to recurse into these, but we don't want to try to
+    # update nonexistent ACLs for them.
+    acl = acl_path(path)
+    if acl
+      # It's possible to make a custom container
+      current_json = current_acl(acl)
+      if current_json
+
+        # Compare the desired and current json for the ACL, and update if different.
+        modify = {}
+        desired_acl(acl).each do |permission, desired_json|
+          differences = json_differences(current_json[permission], desired_json)
+
+          if differences.size > 0
+            # Verify we aren't trying to destroy grant permissions
+            if permission == 'grant' && desired_json['actors'] == [] && desired_json['groups'] == []
+              # NOTE: if superusers exist, this should turn into a warning.
+              raise "chef_acl attempted to remove all actors from GRANT!  I'm sorry Dave, I can't let you remove access to an object with no hope of recovery."
+            end
+            modify[differences] ||= {}
+            modify[differences][permission] = desired_json
+          end
+        end
+
+        if modify.size > 0
+          changed = true
+          description = [ "update acl #{path} at #{rest_url(path)}" ] + modify.map do |diffs, permissions|
+            diffs.map { |diff| "  #{permissions.keys.join(', ')}:#{diff}" }
+          end.flatten(1)
+          converge_by description do
+            modify.values.each do |permissions|
+              permissions.each do |permission, desired_json|
+                rest.put(rest_url("#{acl}/#{permission}"), { permission => desired_json })
+              end
+            end
+          end
+        end
+      end
+    end
+
+    # If we have been asked to recurse, do so.
+    # If recurse is on_change, then we will recurse if there is no ACL, or if
+    # the ACL has changed.
+    if new_resource.recursive == true || (new_resource.recursive == :on_change && (!acl || changed))
+      children, error = list(path, '*')
+      Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
+        next if child.split('/')[-1] == 'containers'
+        create_acl(child)
+      end
+      # containers mess up our descent, so we do them last
+      Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
+        next if child.split('/')[-1] != 'containers'
+        create_acl(child)
+      end
+
+    end
+  end
+
+  # Get the current ACL for the given path
+  def current_acl(acl_path)
+    @current_acls ||= {}
+    if !@current_acls.has_key?(acl_path)
+      @current_acls[acl_path] = begin
+        rest.get(rest_url(acl_path))
+      rescue Net::HTTPServerException => e
+        unless e.response.code == '404' && new_resource.path.split('/').any? { |p| p == '*' }
+          raise
+        end
+      end
+    end
+    @current_acls[acl_path]
+  end
+
+  # Get the desired acl for the given acl path
+  def desired_acl(acl_path)
+    result = new_resource.raw_json ? new_resource.raw_json.dup : {}
+
+    # Calculate the JSON based on rights
+    add_rights(acl_path, result)
+
+    if new_resource.complete
+      result = Chef::ChefFS::DataHandler::AclDataHandler.new.normalize(result, nil)
+    else
+      # If resource is incomplete, use current json to fill any holes
+      current_acl(acl_path).each do |permission, perm_hash|
+        if !result[permission]
+          result[permission] = perm_hash.dup
+        else
+          result[permission] = result[permission].dup
+          perm_hash.each do |type, actors|
+            if !result[permission][type]
+              result[permission][type] = actors
+            else
+              result[permission][type] = result[permission][type].dup
+              result[permission][type] |= actors
+            end
+          end
+        end
+      end
+
+      remove_rights(result)
+    end
+    result
+  end
+
+  def add_rights(acl_path, json)
+    if new_resource.rights
+      new_resource.rights.each do |rights|
+        if rights[:permissions].delete(:all)
+          rights[:permissions] |= current_acl(acl_path).keys
+        end
+
+        Array(rights[:permissions]).each do |permission|
+          ace = json[permission.to_s] ||= {}
+          # WTF, no distinction between users and clients?  The Chef API doesn't
+          # let us distinguish, so we have no choice :/  This means that:
+          # 1. If you specify :users => 'foo', and client 'foo' exists, it will
+          #    pick that (whether user 'foo' exists or not)
+          # 2. If you specify :clients => 'foo', and user 'foo' exists but
+          #    client 'foo' does not, it will pick user 'foo' and put it in the
+          #    ACL
+          # 3. If an existing item has user 'foo' on it and you specify :clients
+          #    => 'foo' instead, idempotence will not notice that anything needs
+          #    to be updated and nothing will happen.
+          if rights[:users]
+            ace['actors'] ||= []
+            ace['actors'] |= Array(rights[:users])
+          end
+          if rights[:clients]
+            ace['actors'] ||= []
+            ace['actors'] |= Array(rights[:clients])
+          end
+          if rights[:groups]
+            ace['groups'] ||= []
+            ace['groups'] |= Array(rights[:groups])
+          end
+        end
+      end
+    end
+  end
+
+  def remove_rights(json)
+    if new_resource.remove_rights
+      new_resource.remove_rights.each do |rights|
+        rights[:permissions].each do |permission|
+          if permission == :all
+            json.each_key do |key|
+              ace = json[key] = json[key.dup]
+              ace['actors'] = ace['actors'] - Array(rights[:users])   if rights[:users]   && ace['actors']
+              ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
+              ace['groups'] = ace['groups'] - Array(rights[:groups])  if rights[:groups]  && ace['groups']
+            end
+          else
+            ace = json[permission.to_s] = json[permission.to_s].dup
+            if ace
+              ace['actors'] = ace['actors'] - Array(rights[:users])   if rights[:users]   && ace['actors']
+              ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
+              ace['groups'] = ace['groups'] - Array(rights[:groups])  if rights[:groups]  && ace['groups']
+            end
+          end
+        end
+      end
+    end
+  end
+
+  def load_current_resource
+  end
+
+  #
+  # Matches chef_acl paths like nodes, nodes/*.
+  #
+  # == Examples
+  # match_paths('nodes'): [ 'nodes' ]
+  # match_paths('nodes/*'): [ 'nodes/x', 'nodes/y', 'nodes/z' ]
+  # match_paths('*'): [ 'clients', 'environments', 'nodes', 'roles', ... ]
+  # match_paths('/'): [ '/' ]
+  # match_paths(''): [ '' ]
+  # match_paths('/*'): [ '/organizations', '/users' ]
+  # match_paths('/organizations/*/*'): [ '/organizations/foo/clients', '/organizations/foo/environments', ..., '/organizations/bar/clients', '/organizations/bar/environments', ... ]
+  #
+  def match_paths(path)
+    # Turn multiple slashes into one
+    # nodes//x -> nodes/x
+    path = path.gsub(/[\/]+/, '/')
+    # If it's absolute, start the matching with /.  If it's relative, start with '' (relative root).
+    if path[0] == '/'
+      matches = [ '/' ]
+    else
+      matches = [ '' ]
+    end
+
+    # Split the path, and get rid of the empty path at the beginning and end
+    # (/a/b/c/ -> [ 'a', 'b', 'c' ])
+    parts = path.split('/').select { |x| x != '' }.to_a
+
+    # Descend until we find the matches:
+    # path = 'a/b/c'
+    # parts = [ 'a', 'b', 'c' ]
+    # Starting matches = [ '' ]
+    parts.each_with_index do |part, index|
+      # For each match, list <match>/<part> and set matches to that.
+      #
+      # Example: /*/foo
+      # 1. To start,
+      #    matches = [ '/' ], part = '*'.
+      #    list('/', '*')                = [ '/organizations, '/users' ]
+      # 2. matches = [ '/organizations', '/users' ], part = 'foo'
+      #    list('/organizations', 'foo') = [ '/organizations/foo' ]
+      #    list('/users', 'foo')         = [ '/users/foo' ]
+      #
+      # Result: /*/foo = [ '/organizations/foo', '/users/foo' ]
+      #
+      matches = Chef::ChefFS::Parallelizer.parallelize(matches) do |path|
+        found, error = list(path, part)
+        if error
+          if parts[0..index-1].all? { |p| p != '*' }
+            raise error
+          end
+          []
+        else
+          found
+        end
+      end.flatten(1).to_a
+    end
+
+    matches
+  end
+
+  #
+  # Takes a normal path and finds the Chef path to get / set its ACL.
+  #
+  # nodes/x -> nodes/x/_acl
+  # nodes -> containers/nodes/_acl
+  # '' -> organizations/_acl (the org acl)
+  # /organizations/foo -> /organizations/foo/organizations/_acl
+  # /users/foo -> /users/foo/_acl
+  # /organizations/foo/nodes/x -> /organizations/foo/nodes/x/_acl
+  #
+  def acl_path(path)
+    parts = path.split('/').select { |x| x != '' }.to_a
+    prefix = (path[0] == '/') ? '/' : ''
+
+    case parts.size
+    when 0
+      # /, empty (relative root)
+      # The root of the server has no publicly visible ACLs.  Only nodes/*, etc.
+      if prefix == ''
+        ::File.join('organizations', '_acl')
+      end
+
+    when 1
+      # nodes, roles, etc.
+      # The top level organizations and users containers have no publicly
+      # visible ACLs.  Only nodes/*, etc.
+      if prefix == ''
+        ::File.join('containers', path, '_acl')
+      end
+
+    when 2
+      # /organizations/NAME, /users/NAME, nodes/NAME, roles/NAME, etc.
+      if prefix == '/' && parts[0] == 'organizations'
+        ::File.join(path, 'organizations', '_acl')
+      else
+        ::File.join(path, '_acl')
+      end
+
+    when 3
+      # /organizations/NAME/nodes, cookbooks/NAME/VERSION, etc.
+      if prefix == '/'
+        ::File.join('/', parts[0], parts[1], 'containers', parts[2], '_acl')
+      else
+        ::File.join(parts[0], parts[1], '_acl')
+      end
+
+    when 4
+      # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION/BLAH
+      # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION, etc.
+      if prefix == '/'
+        ::File.join(path, '_acl')
+      else
+        ::File.join(parts[0], parts[1], '_acl')
+      end
+
+    else
+      # /organizations/NAME/cookbooks/NAME/VERSION/..., cookbooks/NAME/VERSION/A/B/...
+      if prefix == '/'
+        ::File.join('/', parts[0], parts[1], parts[2], parts[3], '_acl')
+      else
+        ::File.join(parts[0], parts[1], '_acl')
+      end
+    end
+  end
+
+  #
+  # Lists the securable children under a path (the ones that either have ACLs
+  # or have children with ACLs).
+  #
+  # list('nodes', 'x') -> [ 'nodes/x' ]
+  # list('nodes', '*') -> [ 'nodes/x', 'nodes/y', 'nodes/z' ]
+  # list('', '*') -> [ 'clients', 'environments', 'nodes', 'roles', ... ]
+  # list('/', '*') -> [ '/organizations']
+  # list('cookbooks', 'x') -> [ 'cookbooks/x' ]
+  # list('cookbooks/x', '*') -> [ ] # Individual cookbook versions do not have their own ACLs
+  # list('/organizations/foo/nodes', '*') -> [ '/organizations/foo/nodes/x', '/organizations/foo/nodes/y' ]
+  #
+  # The list of children of an organization is == the list of containers.  If new
+  # containers are added, the list of children will grow.  This allows the system
+  # to extend to new types of objects and allow cheffish to work with them.
+  #
+  def list(path, child)
+    # TODO make ChefFS understand top level organizations and stop doing this altogether.
+    parts = path.split('/').select { |x| x != '' }.to_a
+    absolute = (path[0] == '/')
+    if absolute && parts[0] == 'organizations'
+      return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 3
+    else
+      return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 1
+    end
+
+    error = nil
+
+    if child == '*'
+      case parts.size
+      when 0
+        # /*, *
+        if absolute
+          results = [ "/organizations", "/users" ]
+        else
+          results, error = rest_list("containers")
+        end
+
+      when 1
+        # /organizations/*, /users/*, roles/*, nodes/*, etc.
+        results, error = rest_list(path)
+        if !error
+          results = results.map { |result| ::File.join(path, result) }
+        end
+
+      when 2
+        # /organizations/NAME/*
+        results, error = rest_list(::File.join(path, 'containers'))
+        if !error
+          results = results.map { |result| ::File.join(path, result) }
+        end
+
+      when 3
+        # /organizations/NAME/TYPE/*
+        results, error = rest_list(path)
+        if !error
+          results = results.map { |result| ::File.join(path, result) }
+        end
+      end
+
+    else
+      if child == 'data_bags' &&
+        (parts.size == 0 || (parts.size == 2 && parts[0] == 'organizations'))
+        child = 'data'
+      end
+
+      if absolute
+        # /<child>, /users/<child>, /organizations/<child>, /organizations/foo/<child>, /organizations/foo/nodes/<child> ...
+        results = [ ::File.join('/', parts[0..2], child) ]
+      elsif parts.size == 0
+        # <child> (nodes, roles, etc.)
+        results = [ child ]
+      else
+        # nodes/<child>, roles/<child>, etc.
+        results = [ ::File.join(parts[0], child) ]
+      end
+    end
+
+    [ results, error ]
+  end
+
+  def rest_url(path)
+    path[0] == '/' ? URI.join(rest.url, path) : path
+  end
+
+  def rest_list(path)
+    begin
+      # All our rest lists are hashes where the keys are the names
+      [ rest.get(rest_url(path)).keys, nil ]
+    rescue Net::HTTPServerException => e
+      if e.response.code == '405' || e.response.code == '404'
+        parts = path.split('/').select { |p| p != '' }.to_a
+
+        # We KNOW we expect these to exist.  Other containers may or may not.
+        unless (parts.size == 1 || (parts.size == 3 && parts[0] == 'organizations')) &&
+          %w(clients containers cookbooks data environments groups nodes roles).include?(parts[-1])
+          return [ [], "Cannot get list of #{path}: HTTP response code #{e.response.code}" ]
+        end
+      end
+      raise
+    end
+  end
+end