Fix descriptions of unencrypted-regex and encrypted-regex flags, and ensure unencrypted_regex is considered in config validation

cmd/sops/main.go

@@ -678,11 +678,11 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:  "unencrypted-regex",
-			Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.",
+			Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.",
 		},
 		cli.StringFlag{
 			Name:  "encrypted-regex",
-			Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.",
+			Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.",
 		},
 		cli.StringFlag{
 			Name:  "config",

config/config.go

@@ -242,12 +242,15 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string)
 	if rule.EncryptedSuffix != "" {
 		cryptRuleCount++
 	}
+	if rule.UnencryptedRegex != "" {
+		cryptRuleCount++
+	}
 	if rule.EncryptedRegex != "" {
 		cryptRuleCount++
 	}
 
 	if cryptRuleCount > 1 {
-		return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule")
+		return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex for the same rule")
 	}
 
 	groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext)

config/config_test.go

@@ -140,12 +140,19 @@ creation_rules:
           version: fooversion
     `)
 
-var sampleConfigWithRegexParameters = []byte(`
+var sampleConfigWithEncryptedRegexParameters = []byte(`
 creation_rules:
   - path_regex: barbar*
     kms: "1"
     pgp: "2"
     encrypted_regex: "^enc:"
+    `)
+
+var sampleConfigWithUnencryptedRegexParameters = []byte(`
+creation_rules:
+  - path_regex: barbar*
+    kms: "1"
+    pgp: "2"
     unencrypted_regex: "^dec:"
     `)
 
@@ -226,7 +233,7 @@ creation_rules:
 var sampleConfigWithComplicatedRegexp = []byte(`
 creation_rules:
   - path_regex: "stage/dev/feature-.*"
-    kms: dev-feature 
+    kms: dev-feature
   - path_regex: "stage/dev/.*"
     kms: dev
   - path_regex: "stage/staging/.*"
@@ -396,13 +403,13 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
 }
 
 func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) {
-	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithUnencryptedRegexParameters, t), "/conf/path", "barbar", nil)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "^dec:", conf.UnencryptedRegex)
 }
 
 func TestLoadConfigFileWithEncryptedRegex(t *testing.T) {
-	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEncryptedRegexParameters, t), "/conf/path", "barbar", nil)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "^enc:", conf.EncryptedRegex)
 }