Merge pull request #39567 from jonathanhefner/credentials-diff-disenroll

Add `credentials:diff --disenroll`

railties/lib/rails/commands/credentials/USAGE

@@ -32,8 +32,8 @@ You could prepend that to your server's start command like this:
 
 === Set up Git to Diff Credentials
 
-Rails provides `rails credentials:diff --enroll` to instruct Git to call `rails credentials:diff`
-when `git diff` is run on a credentials file.
+Rails provides `bin/rails credentials:diff --enroll` to instruct Git to call
+`bin/rails credentials:diff` when `git diff` is run on a credentials file.
 
 Running the command enrolls the project such that all credentials files use the
 "rails_credentials" diff driver in .gitattributes.
@@ -45,6 +45,8 @@ that isn't tracked Rails automatically ensures it's configured when running
 Otherwise each co-worker would have to run enable manually, including on each new
 repo clone.
 
+To disenroll from this feature, run `bin/rails credentials:diff --disenroll`.
+
 === Editing Credentials
 
 This will open a temporary file in `$EDITOR` with the decrypted contents to edit

railties/lib/rails/commands/credentials/credentials_command.rb

@@ -32,7 +32,7 @@ module Rails
 
         ensure_encryption_key_has_been_added if credentials.key.nil?
         ensure_credentials_have_been_added
-        ensure_rails_credentials_driver_is_set
+        ensure_diffing_driver_is_configured
 
         catch_editing_exceptions do
           change_credentials_in_system_editor
@@ -51,7 +51,10 @@ module Rails
       end
 
       option :enroll, type: :boolean, default: false,
-        desc: "Enrolls project in credential file diffing with `git diff`"
+        desc: "Enrolls project in credentials file diffing with `git diff`"
+
+      option :disenroll, type: :boolean, default: false,
+        desc: "Disenrolls project from credentials file diffing"
 
       def diff(content_path = nil)
         if @content_path = content_path
@@ -61,6 +64,7 @@ module Rails
           say credentials.read.presence || credentials.content_path.read
         else
           require_application!
+          disenroll_project_from_credentials_diffing if options[:disenroll]
           enroll_project_in_credentials_diffing if options[:enroll]
         end
       rescue ActiveSupport::MessageEncryptor::InvalidMessage

railties/lib/rails/commands/credentials/credentials_command/diffing.rb

@@ -1,37 +1,47 @@
 # frozen_string_literal: true
 
 module Rails::Command::CredentialsCommand::Diffing # :nodoc:
-  def enroll_project_in_credentials_diffing
-    if enrolled?
-      true
-    else
-      gitattributes.write(<<~end_of_template, mode: "a")
-        config/credentials/*.yml.enc diff=rails_credentials
-        config/credentials.yml.enc diff=rails_credentials
-      end_of_template
+  GITATTRIBUTES_ENTRY = <<~END
+    config/credentials/*.yml.enc diff=rails_credentials
+    config/credentials.yml.enc diff=rails_credentials
+  END
 
-      say "Project successfully enrolled!"
+  def enroll_project_in_credentials_diffing
+    if enrolled_in_credentials_diffing?
+      say "Project is already enrolled in credentials file diffing."
+    else
+      gitattributes.write(GITATTRIBUTES_ENTRY, mode: "a")
+
+      say "Enrolled project in credentials file diffing!"
       say "Rails ensures the rails_credentials diff driver is set when running `credentials:edit`. See `credentials:help` for more."
     end
   end
 
-  def ensure_rails_credentials_driver_is_set
-    set_driver if enrolled? && !driver_configured?
+  def disenroll_project_from_credentials_diffing
+    if enrolled_in_credentials_diffing?
+      gitattributes.write(gitattributes.read.gsub(GITATTRIBUTES_ENTRY, ""))
+      gitattributes.delete if gitattributes.empty?
+
+      say "Disenrolled project from credentials file diffing!"
+    else
+      say "Project is not enrolled in credentials file diffing."
+    end
+  end
+
+  def ensure_diffing_driver_is_configured
+    configure_diffing_driver if enrolled_in_credentials_diffing? && !diffing_driver_configured?
   end
 
   private
-    def enrolled?
-      gitattributes.read.match?(/config\/credentials(\/\*)?\.yml\.enc diff=rails_credentials/)
-    rescue Errno::ENOENT
-      false
+    def enrolled_in_credentials_diffing?
+      gitattributes.file? && gitattributes.read.include?(GITATTRIBUTES_ENTRY)
     end
 
-    def driver_configured?
+    def diffing_driver_configured?
       system "git config --get diff.rails_credentials.textconv", out: File::NULL
     end
 
-    def set_driver
-      puts "running"
+    def configure_diffing_driver
       system "git config diff.rails_credentials.textconv 'bin/rails credentials:diff'"
     end
 

railties/test/commands/credentials_test.rb

@@ -124,7 +124,7 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
 
 
   test "diff enroll diffing" do
-    assert_match("successfully enrolled", run_diff_command(enroll: true))
+    assert_match(/\benrolled project/i, run_diff_command(enroll: true))
 
     assert_includes File.read(app_path(".gitattributes")), <<~EOM
       config/credentials/*.yml.enc diff=rails_credentials
@@ -132,6 +132,40 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
     EOM
   end
 
+  test "diff enroll diffing when already enrolled" do
+    run_diff_command(enroll: true)
+
+    assert_match(/already enrolled/i, run_diff_command(enroll: true))
+
+    assert_equal 1, File.read(app_path(".gitattributes")).scan("config/credentials.yml.enc").length
+  end
+
+  test "diff disenroll diffing" do
+    FileUtils.rm(app_path(".gitattributes"))
+    run_diff_command(enroll: true)
+
+    assert_match(/\bdisenrolled project/i, run_diff_command(disenroll: true))
+
+    assert_not File.exist?(app_path(".gitattributes"))
+  end
+
+  test "diff disenroll diffing with existing .gitattributes" do
+    File.write(app_path(".gitattributes"), "foo bar\n")
+    run_diff_command(enroll: true)
+
+    run_diff_command(disenroll: true)
+
+    assert_equal("foo bar\n", File.read(app_path(".gitattributes")))
+  end
+
+  test "diff disenroll diffing when not enrolled" do
+    FileUtils.rm(app_path(".gitattributes"))
+
+    assert_match(/not enrolled/i, run_diff_command(disenroll: true))
+
+    assert_not File.exist?(app_path(".gitattributes"))
+  end
+
   test "running edit after enrolling in diffing sets diff driver" do
     run_diff_command(enroll: true)
     run_edit_command
@@ -191,8 +225,8 @@ class Rails::Command::CredentialsCommandTest < ActiveSupport::TestCase
       rails "credentials:show", args, **options
     end
 
-    def run_diff_command(path = nil, enroll: nil, **options)
-      args = enroll ? ["--enroll"] : [path]
+    def run_diff_command(path = nil, enroll: nil, disenroll: nil, **options)
+      args = [path, ("--enroll" if enroll), ("--disenroll" if disenroll)].compact
       rails "credentials:diff", args, **options
     end
 end