diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 50ec203553..b902c186fd 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -678,11 +678,11 @@ func main() {
 },
 cli.StringFlag{
 Name: "unencrypted-regex",
- Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.",
+ Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.",
 },
 cli.StringFlag{
 Name: "encrypted-regex",
- Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.",
+ Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.",
 },
 cli.StringFlag{
 Name: "config",
diff --git a/config/config.go b/config/config.go
index 3116046344..c2475a2b93 100644
--- a/config/config.go
+++ b/config/config.go
@@ -242,12 +242,15 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string)
 if rule.EncryptedSuffix != "" {
 cryptRuleCount++
 }
+ if rule.UnencryptedRegex != "" {
+ cryptRuleCount++
+ }
 if rule.EncryptedRegex != "" {
 cryptRuleCount++
 }
 if cryptRuleCount > 1 {
- return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule")
+ return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex for the same rule")
 }
 groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext)
diff --git a/config/config_test.go b/config/config_test.go
index a653fcb8ed..4c43686c00 100644
--- a/config/config_test.go
+++ b/config/config_test.go
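Review bot: The two corrected `Usage` strings still do not tell the user that `--unencrypted-regex` and `--encrypted-regex` cannot be combined with each other or with the suffix selectors, although config.go in this same commit rejects that combination for creation rules. Appending a sentence such as `Cannot be combined with the other suffix/regex selectors.` to each string would document it. The code that validates these flags sits outside this hunk, so it is worth confirming that it counts `unencrypted-regex` as well; if it were missed there the way it was in configFromRule, a user could pass both flags and end up with values in plaintext that they expected to be encrypted.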
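Review bot: The error returned under `if cryptRuleCount > 1` does not say which creation rule is at fault, so in a config file with several rules the user has to find the conflicting one by hand. Because the selector decides which values stay in plaintext, the message should point at the rule; assuming creationRule carries the rule's path pattern (the tests set `path_regex`), something like `fmt.Errorf("error loading config: rule with path_regex %q: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex", rule.PathRegex)` would do. The hand-copied `if` blocks are also how `unencrypted_regex` went uncounted until now; looping over a slice of the four fields would make a future selector harder to miss. configFromRule starts and ends outside this hunk.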
@@ -140,12 +140,19 @@ creation_rules:
 version: fooversion
 `)
-var sampleConfigWithRegexParameters = []byte(`
+var sampleConfigWithEncryptedRegexParameters = []byte(`
 creation_rules:
 - path_regex: barbar*
 kms: "1"
 pgp: "2"
 encrypted_regex: "^enc:"
+ `)
+
+var sampleConfigWithUnencryptedRegexParameters = []byte(`
+creation_rules:
+ - path_regex: barbar*
+ kms: "1"
+ pgp: "2"
 unencrypted_regex: "^dec:"
 `)
@@ -226,7 +233,7 @@ creation_rules:
 var sampleConfigWithComplicatedRegexp = []byte(`
 creation_rules:
 - path_regex: "stage/dev/feature-.*"
- kms: dev-feature
+ kms: dev-feature
 - path_regex: "stage/dev/.*"
 kms: dev
 - path_regex: "stage/staging/.*"
@@ -396,13 +403,13 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
 }
 func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) {
- conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+ conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithUnencryptedRegexParameters, t), "/conf/path", "barbar", nil)
 assert.Equal(t, nil, err)
 assert.Equal(t, "^dec:", conf.UnencryptedRegex)
 }
 func TestLoadConfigFileWithEncryptedRegex(t *testing.T) {
- conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+ conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEncryptedRegexParameters, t), "/conf/path", "barbar", nil)
 assert.Equal(t, nil, err)
 assert.Equal(t, "^enc:", conf.EncryptedRegex)
 }
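Review bot: No test here asserts that a rule setting both `encrypted_regex` and `unencrypted_regex` is rejected, which is the behaviour this commit introduces. The old combined fixture was split into two so the existing positive tests keep passing, but the rejected combination itself is no longer exercised anywhere in the visible hunks. A regression that drops the new `rule.UnencryptedRegex` branch from configFromRule would therefore go unnoticed, and a config mixing the two selectors would load again. A fixture with both keys plus a test that expects a non-nil error pins the check; the names below are constructed for illustration.

```go
var sampleConfigWithBothRegexParameters = []byte(`
creation_rules:
  - path_regex: barbar*
    kms: "1"
    pgp: "2"
    encrypted_regex: "^enc:"
    unencrypted_regex: "^dec:"
    `)

func TestLoadConfigFileWithBothRegexesFails(t *testing.T) {
	_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithBothRegexParameters, t), "/conf/path", "barbar", nil)
	assert.NotNil(t, err)
}
```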