Skip to content

Commit

Permalink
Merge pull request #1300 from tozd/fix-unencrypted-regex
Browse files Browse the repository at this point in the history
  • Loading branch information
hiddeco authored Sep 25, 2023
2 parents b7da2fc + 5f1ca1d commit d24fe0c
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 7 deletions.
4 changes: 2 additions & 2 deletions cmd/sops/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -678,11 +678,11 @@ func main() {
},
cli.StringFlag{
Name: "unencrypted-regex",
Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.",
Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.",
},
cli.StringFlag{
Name: "encrypted-regex",
Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.",
Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.",
},
cli.StringFlag{
Name: "config",
Expand Down
5 changes: 4 additions & 1 deletion config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -242,12 +242,15 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string)
if rule.EncryptedSuffix != "" {
cryptRuleCount++
}
if rule.UnencryptedRegex != "" {
cryptRuleCount++
}
if rule.EncryptedRegex != "" {
cryptRuleCount++
}

if cryptRuleCount > 1 {
return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule")
return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex for the same rule")
}

groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext)
Expand Down
15 changes: 11 additions & 4 deletions config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -140,12 +140,19 @@ creation_rules:
version: fooversion
`)

var sampleConfigWithRegexParameters = []byte(`
var sampleConfigWithEncryptedRegexParameters = []byte(`
creation_rules:
- path_regex: barbar*
kms: "1"
pgp: "2"
encrypted_regex: "^enc:"
`)

var sampleConfigWithUnencryptedRegexParameters = []byte(`
creation_rules:
- path_regex: barbar*
kms: "1"
pgp: "2"
unencrypted_regex: "^dec:"
`)

Expand Down Expand Up @@ -226,7 +233,7 @@ creation_rules:
var sampleConfigWithComplicatedRegexp = []byte(`
creation_rules:
- path_regex: "stage/dev/feature-.*"
kms: dev-feature
kms: dev-feature
- path_regex: "stage/dev/.*"
kms: dev
- path_regex: "stage/staging/.*"
Expand Down Expand Up @@ -396,13 +403,13 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
}

func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) {
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithUnencryptedRegexParameters, t), "/conf/path", "barbar", nil)
assert.Equal(t, nil, err)
assert.Equal(t, "^dec:", conf.UnencryptedRegex)
}

func TestLoadConfigFileWithEncryptedRegex(t *testing.T) {
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEncryptedRegexParameters, t), "/conf/path", "barbar", nil)
assert.Equal(t, nil, err)
assert.Equal(t, "^enc:", conf.EncryptedRegex)
}
Expand Down

0 comments on commit d24fe0c

Please sign in to comment.