on_container 0.0.7 → 0.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 49a6b84a56344cf0119b822fd9f12277bb66fe70
-  data.tar.gz: 6676d161e20a802d3f75c765e04bfd6b0969972c
+SHA256:
+  metadata.gz: cc7ffb417b7d418f2415df1cd5c6cbd0325d78e576e71a701010bd44ead098f6
+  data.tar.gz: 260e06a5fa81789bc977cac9b02c8e092100a0896d9eccc4c4f88423592a1f9d
 SHA512:
-  metadata.gz: 9aa5a059a7ba11f6f658c08d32ead851ab667ad3c894f5442cd795febc3c8e6c9e65f1e8d126708a6a2a0702d18661e043a600768522caadc8cf90ae119f0c90
-  data.tar.gz: 6916cb665fa674c90a43634f2cf5bce4632c105c862f44caf8b08200b486440f305fc9f2ca01af4220ba59e87ef15b43969072b900e0c198f290c336ff341580
+  metadata.gz: 9e54869d4ec1c390a555731ac199ece8b804098eece937321123e48884d0b7fa0dff418147f97e811b4e05fb23517f433bf622b08fc4f4941d04801fa31f8570
+  data.tar.gz: 410eb4b5c14a632600ecccade83dcca9764965085dfa95177976365bc762516ac36e8d6ec70cdd51925d9204c19652afe80c50887774b67ffbe0990c9edeb18b

data/README.md

@@ -52,7 +52,7 @@ end if command_requires_setup?
 execute_given_or_default_command
 ```
 
-### Loading secrets into environment variables, and inserting credentials into URL environment variables
+### Loading secrets into environment variables
 
 When using Docker Swarm, the secrets are loaded as files mounted into the container's filesystem.
 
@@ -65,11 +65,58 @@ For our Rails example app, we added the following line to the `config/boot.rb` f
 
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
-require 'on_container/load_env_secrets' # Load secrets injected by Kubernetes/Swarm
-
 require 'bundler/setup' # Set up gems listed in the Gemfile.
 require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+#### Loading Google Cloud Secret Manager secrets into ENV
+
+If you require loading YAML data stored at [Google Cloud Secret Manager](https://cloud.google.com/secret-manager),
+you will require the following steps:
+
+1. Install the `google-cloud-secret_manager` gem
+
+On your gemfile:
+
+```ruby
+# Read secrets from Google Cloud Secret Manager
+gem 'google-cloud-secret_manager', '~> 1.0'
+```
+
+2. Require it at `config/boot.rb`
+
+On `config/boot`, right before requiring `on_container/load_env_secrets`:
+
+```ruby
+# Require Google Cloud Secret Manager to enable 'on_container/load_env_secrets'
+# loading secrets from GCP to ENV:
+require 'google/cloud/secret_manager'
+
+# Load swarm/gcp secrets to ENV:
+require 'on_container/load_env_secrets'
+```
+
+3. Make sure your app has google cloud credentials configured, and have access
+to the secrets your'e planning to use.
+
+4. Configure any number of environment variables ending with
+`_GOOGLE_CLOUD_SECRET`, each containing the secret you want to load. In the
+following example, the command to deploy an image into Google Cloud Run:
+
+```bash
+gcloud run deploy my-demo-app \
+  --platform "managed" \
+  --region us-central1 \
+  --allow-unauthenticated \
+  --set-env-vars A_GOOGLE_CLOUD_SECRET=my-super-secret \
+  --set-env-vars ANOTHER_GOOGLE_CLOUD_SECRET=project/another-project/secrets/another-secret/versions/1 \
+  --service-account=my-demo-service-account@google-cloud \
+  --image gcr.io/my-demo-project/my-demo-app:latest
 ```
+#### Inserting credentials into URL environment variables
 
 The `on_container/load_env_secrets` also merges any credential available in environment variables into any matching
 `_URL` environment variable. For example, consider the following environment variables:
@@ -96,7 +143,7 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/on_container. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).
 
 
 ## License
@@ -105,4 +152,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the OnContainer project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/on_container/blob/main/CODE_OF_CONDUCT.md).

data/lib/on_container/common/performable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module OnContainer
+  module Common
+    module Performable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        def perform!(*args, **kargs)
+          new(*args, **kargs).perform!
+        end
+      end
+    end
+  end
+end

data/lib/on_container/common/safe_performable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'on_container/common/performable'
+
+module OnContainer
+  module Common
+    module SafePerformable
+      def self.included(base)
+        base.include OnContainer::Common::Performable
+        base.extend ClassMethods
+      end
+      
+      def perform(*args, **kargs)
+        perform!(*args, **kargs)
+      rescue
+        false
+      end
+
+      module ClassMethods
+        def perform(*args, **kargs)
+          new(*args, **kargs).perform
+        end
+      end
+    end
+  end
+end

data/lib/on_container/load_env_secrets.rb

@@ -1,50 +1,12 @@
 # frozen_string_literal: true
 
-# Reads the specified secret paths (i.e. Docker Secrets) into environment
-# variables:
-
-require 'active_support'
-require 'active_support/core_ext/object'
-
-# Process only a known list of env vars that can filled by reading a file (i.e.
-# a docker secret):
-Dir["#{ENV.fetch('SECRETS_PATH', '/run/secrets/')}*"].each do |secret_filepath|
-  next unless File.file?(secret_filepath)
-
-  secret_envvarname = File.basename(secret_filepath, '.*').upcase
-
-  # Skip if variable is already set - already-set variables have precedence over
-  # the secret files:
-  next if ENV.key?(secret_envvarname) && ENV[secret_envvarname].present?
-
-  ENV[secret_envvarname] = File.read(secret_filepath).strip
-end
-
-# For each *_URL environment variable where there's also a *_(USER|USERNAME) or
-# *_(PASS|PASSWORD), update the URL environment variable with the given
-# credentials. For example:
+# This script achieves a list of secret loading & processing:
 #
-# DATABASE_URL: postgres://postgres:5432/demo_production
-# DATABASE_USERNAME: lalito
-# DATABASE_PASSWORD: lepass
+# 1. Loads secrets from Google Cloud Secret Manager to ENV, if configured.
+# 2. Reads files in a configured Folder, and loads them into ENV variables.
+# 3. Processes "*_URL" env vars, adding their respective "*_USER" and "*_PASS".
 #
-# Results in the following updated DATABASE_URL:
-#  DATABASE_URL = postgres://lalito:lepass@postgres:5432/demo_production
-require 'uri' if (url_keys = ENV.keys.select { |key| key =~ /_URL/ }).any?
-
-url_keys.each do |url_key|
-  credential_pattern_string = url_key.gsub('_URL', '_(USER(NAME)?|PASS(WORD)?)')
-  credential_pattern = Regexp.new "\\A#{credential_pattern_string}\\z"
-  credential_keys = ENV.keys.select { |key| key =~ credential_pattern }
-  next unless credential_keys.any?
-
-  uri = URI(ENV[url_key])
-  username = URI.encode_www_form_component ENV[credential_keys.detect { |key| key =~ /USER/ }]
-  password = URI.encode_www_form_component ENV[credential_keys.detect { |key| key =~ /PASS/ }]
-
-  uri.user = username if username
-  uri.password = password if password
-  ENV[url_key] = uri.to_s
-end
+# - See https://github.com/IcaliaLabs/on-container-for-ruby#loading-secrets-into-environment-variables
 
-# STDERR.puts ENV.inspect
+require 'on_container/secrets/env_loader'
+OnContainer::Secrets::EnvLoader.perform!

data/lib/on_container/secrets/env_loader.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'on_container/common/safe_performable'
+require 'on_container/secrets/google_cloud/env_loader'
+require 'on_container/secrets/mounted_files/env_loader'
+require 'on_container/secrets/url_variable_processor'
+
+module OnContainer
+  module Secrets
+    #= EnvLoader
+    #
+    # Reads the specified secret paths (i.e. Docker Secrets) into environment
+    # variables:
+    class EnvLoader
+      include OnContainer::Common::SafePerformable
+
+      def perform!
+        load_secrets_from_google_cloud if google_cloud_secrets?
+        load_secrets_from_mounted_files
+        process_url_variables
+        true
+      end
+
+      private
+
+      def google_cloud_secrets?
+        OnContainer::Secrets::GoogleCloud::EnvLoader.secret_manager?
+      end
+
+      def load_secrets_from_google_cloud
+        OnContainer::Secrets::GoogleCloud::EnvLoader.perform!
+      end
+
+      def load_secrets_from_mounted_files
+        OnContainer::Secrets::MountedFiles::EnvLoader.perform!
+      end
+
+      def process_url_variables
+        OnContainer::Secrets::UrlVariableProcessor.perform!
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/env_loader.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "on_container/secrets/google_cloud/fetcher"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class EnvLoader < ServiceBase
+        ENV_KEY_SUFIX = '_GOOGLE_CLOUD_SECRET'
+    
+        def env_keys
+          @env_keys ||= ENV.keys.select do |key|
+            key.end_with?(ENV_KEY_SUFIX)
+          end.sort
+        end
+    
+        def env_keys?
+          env_keys.any?
+        end
+
+        def self.secret_manager?
+          defined?(Google::Cloud::SecretManager) == 'constant'
+        end
+    
+        def secret_manager?
+          self.class.secret_manager?
+        end
+    
+        def perform!
+          return unless env_keys? && secret_manager?
+    
+          env_keys.each do |key|
+            ENV.merge! Fetcher.perform! ENV[key], client: client
+          end
+    
+          true
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/fetcher.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'on_container/secrets/google_cloud/service_base'
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class Fetcher < ServiceBase
+        PROJECT_PATTERN = %r{\Aprojects\/(\w+)\/.*}.freeze
+        SECRET_NAME_PATTERN = %r{secrets\/([\w-]+)\/?}.freeze
+        SECRET_VERSION_PATTERN = %r{versions\/(\d+|latest)\z}.freeze
+        
+        attr_reader :project, :secret_name, :secret_version
+    
+        def initialize(given_key, client: nil)
+          @client = client
+          @project = extract_project given_key
+          @secret_version = extract_secret_version given_key
+          @secret_name = extract_secret_name given_key
+        end
+    
+        def perform!
+          # Build the resource name of the secret version.
+          name = client.secret_version_path project:        @project,
+                                            secret:         @secret_name,
+                                            secret_version: @secret_version
+      
+          version = client.access_secret_version name: name
+      
+          YAML.load version.payload.data
+        end
+    
+        protected
+    
+        def default_project
+          ENV['GOOGLE_CLOUD_PROJECT']
+        end
+    
+        def extract_project(given_key)
+          match = given_key.match(PROJECT_PATTERN)
+          return default_project unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_version(given_key)
+          match = given_key.match(SECRET_VERSION_PATTERN)
+          return 'latest' unless match
+    
+          match.captures.first
+        end
+    
+        def extract_secret_name(given_key)
+          given_key
+            .sub("projects/#{@project}/secrets/", '')
+            .sub("/versions/#{@secret_version}", '')
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/google_cloud/service_base.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "on_container/common/safe_performable"
+
+module OnContainer
+  module Secrets
+    module GoogleCloud
+      class ServiceBase
+        include OnContainer::Common::SafePerformable
+        
+        attr_reader :client
+    
+        def client
+          @client ||= Google::Cloud::SecretManager.secret_manager_service
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/mounted_files/env_loader.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/core_ext/object'
+require 'on_container/common/safe_performable'
+
+module OnContainer
+  module Secrets
+    module MountedFiles
+      class EnvLoader
+        include OnContainer::Common::SafePerformable
+
+        def perform!
+          setup_secrets_path
+          scan_secrets_path_for_files
+          load_secret_files_to_env_vars
+        end
+
+        def secrets_path
+          @secrets_path ||= ENV.fetch('SECRETS_PATH', '/run/secrets')
+        end
+
+        def secret_mounted_file_paths
+          @secret_mounted_file_paths ||= Dir["#{secrets_path}/**/*"]
+            .map { |path| Pathname.new(path) }
+            .select(&:file?)
+        end
+
+        private
+
+        alias setup_secrets_path secrets_path
+        alias scan_secrets_path_for_files secret_mounted_file_paths
+
+        def load_secret_files_to_env_vars
+          return if @already_loaded
+
+          secret_mounted_file_paths
+            .each { |file_path| load_secret_file_to_env_var(file_path) }
+
+          @already_loaded = true
+        end
+
+        def load_secret_file_to_env_var(file_path)
+          env_var_name = file_path.basename('.*').to_s.upcase
+
+          # Skip if variable is already set - already-set variables have
+          # precedence over the secret files:
+          return if ENV.key?(env_var_name) && ENV[env_var_name].present?
+
+          contents = file_path.read.strip
+
+          # TODO: Do not load if content has null bytes
+          ENV[env_var_name] = file_path.read.strip
+        end
+      end
+    end
+  end
+end

data/lib/on_container/secrets/url_variable_processor.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'on_container/common/safe_performable'
+
+module OnContainer
+  module Secrets
+    #= UrlVariableProcessor
+    #
+    # For each *_URL environment variable where there's also a *_(USER|USERNAME)
+    # or *_(PASS|PASSWORD), updates the URL environment variable with the given
+    # credentials. For example:
+    #
+    # DATABASE_URL: postgres://postgres:5432/demo_production
+    # DATABASE_USERNAME: lalito
+    # DATABASE_PASSWORD: lepass
+    #
+    # Results in the following updated DATABASE_URL:
+    #  DATABASE_URL = postgres://lalito:lepass@postgres:5432/demo_production
+    class UrlVariableProcessor
+      include OnContainer::Common::SafePerformable
+
+      def perform!
+        require_uri_module if url_keys?
+        process_credential_keys
+      end
+
+      def url_keys
+        @url_keys ||= ENV.keys.select { |key| key =~ /_URL/ }
+      end
+
+      def url_keys?
+        url_keys.any?
+      end
+      
+      private
+
+      def process_credential_keys
+        url_keys.each { |url_key| process_credential_keys_for(url_key) }
+      end
+
+      def require_uri_module
+        require 'uri'
+      end
+
+      def credential_keys_for(url_key)
+        credential_pattern_string = url_key
+          .gsub('_URL', '_(USER(NAME)?|PASS(WORD)?)')
+
+        credential_pattern = Regexp.new "\\A#{credential_pattern_string}\\z"
+        ENV.keys.select { |key| key =~ credential_pattern }
+      end
+
+      def process_credential_keys_for(url_key)
+        return unless (credential_keys = credential_keys_for(url_key)).any?
+
+        uri = URI(ENV[url_key])
+
+        # Reverse sorting will place "*_USER" before "*_PASS":
+        credential_keys.sort.reverse.each do |credential_key|
+          credential_value = URI.encode_www_form_component ENV[credential_key]
+          case credential_key
+          when /USER/ then uri.user = credential_value
+          when /PASS/ then uri.password = credential_value
+          end
+        end
+
+        ENV[url_key] = uri.to_s
+      end
+    end
+  end
+end

data/lib/on_container/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OnContainer
-  VERSION = '0.0.7'
+  VERSION = '0.0.12'
 end

data/on_container.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata['homepage_uri']    = spec.homepage
   spec.metadata['source_code_uri'] = spec.homepage
-  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/master/CHANGELOG.md"
+  spec.metadata['changelog_uri']   = "#{spec.homepage}/blob/main/CHANGELOG.md"
 
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.files         = `git ls-files -- lib/* *.md *.gemspec *.txt Rakefile`.split("\n")
@@ -24,5 +24,6 @@ Gem::Specification.new do |spec|
   spec.bindir        = 'exe'
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.17'
+  spec.add_runtime_dependency 'activesupport', '>= 4'
+  spec.add_development_dependency 'bundler', '~> 2.1'
 end

metadata

@@ -1,29 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: on_container
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.12
 platform: ruby
 authors:
 - Roberto Quintanilla
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-28 00:00:00.000000000 Z
+date: 2021-02-23 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.1'
 description: A small collection of scripts and routines to help ruby development within
   containers
 email:
@@ -38,6 +52,8 @@ files:
 - README.md
 - Rakefile
 - lib/on_container.rb
+- lib/on_container/common/performable.rb
+- lib/on_container/common/safe_performable.rb
 - lib/on_container/dev/active_record_ops.rb
 - lib/on_container/dev/bundler_ops.rb
 - lib/on_container/dev/container_command_ops.rb
@@ -47,12 +63,14 @@ files:
 - lib/on_container/dev/setup_ops.rb
 - lib/on_container/load_env_secrets.rb
 - lib/on_container/ops/service_connection_checks.rb
-- lib/on_container/step_down_from_root.rb
+- lib/on_container/secrets/env_loader.rb
+- lib/on_container/secrets/google_cloud/env_loader.rb
+- lib/on_container/secrets/google_cloud/fetcher.rb
+- lib/on_container/secrets/google_cloud/service_base.rb
+- lib/on_container/secrets/mounted_files/env_loader.rb
+- lib/on_container/secrets/url_variable_processor.rb
 - lib/on_container/version.rb
 - on_container.gemspec
-- spec/on_container_spec.rb
-- spec/spec_helper.rb
-- spec/step_down_from_root_spec.rb
 homepage: https://github.com/IcaliaLabs/on-container-for-ruby
 licenses:
 - MIT
@@ -60,7 +78,7 @@ metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://github.com/IcaliaLabs/on-container-for-ruby
   source_code_uri: https://github.com/IcaliaLabs/on-container-for-ruby
-  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/master/CHANGELOG.md
+  changelog_uri: https://github.com/IcaliaLabs/on-container-for-ruby/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -76,13 +94,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: A small collection of scripts and routines to help ruby development within
   containers
-test_files:
-- spec/on_container_spec.rb
-- spec/spec_helper.rb
-- spec/step_down_from_root_spec.rb
+test_files: []

data/lib/on_container/step_down_from_root.rb

@@ -1,55 +0,0 @@
-# frozen_string_literal: true
-
-require 'etc'
-
-module OnContainer
-  class StepDownFromRoot
-    attr_reader :curent_user, :target_user
-    
-    def initialize
-      @curent_user = Etc.getpwuid
-    end
-
-    def target_user
-      @target_user ||= Etc.getpwuid(developer_uid)
-    end
-
-    def perform
-      return unless root_user?
-      return warn_no_developer_uid unless developer_uid?
-
-      switch_to_developer_user
-    end
-
-    def root_user?
-      curent_user.name == 'root'
-    end
-
-    def developer_uid?
-      developer_uid > 0
-    end
-
-    def developer_uid
-      @developer_uid ||= ENV.fetch('DEVELOPER_UID', '').to_i
-    end
-
-    protected
-
-    def switch_to_developer_user
-      target_user_name = target_user.name
-      puts "Switching from 'root' user to '#{target_user_name}'..."
-      Kernel.exec 'su-exec', target_user_name, $0, *$*
-    end
-
-    def warn_no_developer_uid
-      puts "The 'DEVELOPER_UID' environment variable is not set... " \
-           'still running as root!'
-    end
-
-    def self.perform
-      new.perform
-    end
-  end
-end
-
-OnContainer::StepDownFromRoot.perform

data/spec/on_container_spec.rb

@@ -1,5 +0,0 @@
-RSpec.describe OnContainer do
-  it "has a version number" do
-    expect(OnContainer::VERSION).not_to be nil
-  end
-end

data/spec/spec_helper.rb

@@ -1,14 +0,0 @@
-require "bundler/setup"
-require "on_container"
-
-RSpec.configure do |config|
-  # Enable flags like --only-failures and --next-failure
-  config.example_status_persistence_file_path = ".rspec_status"
-
-  # Disable RSpec exposing methods globally on `Module` and `main`
-  config.disable_monkey_patching!
-
-  config.expect_with :rspec do |c|
-    c.syntax = :expect
-  end
-end

data/spec/step_down_from_root_spec.rb

@@ -1,63 +0,0 @@
-# frozen_string_literal: true
-
-require 'on_container/step_down_from_root'
-
-RSpec.describe OnContainer::StepDownFromRoot do
-  let(:root_user) do
-    instance_double "struct Etc::Passwd",
-                    name: 'root',
-                    passwd: 'x',
-                    uid: 0,
-                    gid: 0,
-                    gecos: 'root',
-                    dir: '/root',
-                    shell: '/bin/bash'
-  end
-
-  let(:developer_user) do
-    instance_double "struct Etc::Passwd",
-                    name: 'developer',
-                    passwd: 'x',
-                    uid: 1000,
-                    gid: 1000,
-                    gecos: 'Developer User,,,',
-                    dir: '/usr/src',
-                    shell: '/bin/bash'
-  end
-
-  let(:example_current_user) { root_user }
-  let(:example_target_user) { developer_user }
-  let(:example_developer_uid) { '1000' }
-
-  before do
-    allow(ENV).to receive(:fetch).with('DEVELOPER_UID', '') { example_developer_uid }
-    allow(Etc).to receive(:getpwuid) { example_current_user }
-    allow(Etc).to receive(:getpwuid).with(example_target_user.uid) { example_target_user }
-    allow(Kernel).to receive(:exec).with('su-exec', example_target_user.name, any_args)
-  end
-
-  describe '#perform' do
-    it 'changes to the target user' do
-      subject.perform
-      expect(Kernel).to have_received(:exec).with 'su-exec', example_target_user.name, any_args
-    end
-
-    context 'without a developer uid' do
-      let(:example_developer_uid) { '' }
-      
-      example 'does not change the current user' do
-        subject.perform
-        expect(Kernel).not_to have_received(:exec)
-      end
-    end
-
-    context 'when not as root' do
-      let(:example_current_user) { developer_user }
-      
-      example 'does not change the current user' do
-        subject.perform
-        expect(Kernel).not_to have_received(:exec)
-      end
-    end
-  end
-end