From 2e31b601ac425aeaabdefe58b2159cfd9f54f9d1 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Fri, 9 Feb 2024 21:27:03 +0100
Subject: [PATCH] Do not fail old-style decryption if no matching creation_rule is present in config file.

Signed-off-by: Felix Fontein
---
 cmd/sops/main.go | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index cc8078424..09d0b8cf4 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -1500,6 +1500,12 @@ func main() {
 	}, keyserviceFlags...)
 	app.Action = func(c *cli.Context) error {
+		isDecryptMode := c.Bool("decrypt")
+		isEncryptMode := c.Bool("encrypt")
+		isRotateMode := c.Bool("rotate")
+		isSetMode := c.String("set") != ""
+		isEditMode := !isEncryptMode && !isDecryptMode && !isRotateMode && !isSetMode
+
 		if c.Bool("verbose") {
 			logging.SetLevel(logrus.DebugLevel)
 		}
@@ -1519,7 +1525,7 @@ func main() {
 			c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" {
 				return common.NewExitError("Error: cannot add or remove keys on non-existent files, use `--kms` and `--pgp` instead.", codes.CannotChangeKeysFromNonExistentFile)
 			}
-			if c.Bool("encrypt") || c.Bool("decrypt") || c.Bool("rotate") {
+			if isEncryptMode || isDecryptMode || isRotateMode {
 				return common.NewExitError("Error: cannot operate on non-existent file", codes.NoFileSpecified)
 			}
 		}
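Review bot: The five mode booleans added at the top of app.Action in hunk @@ -1500 carry no comment, and `isEditMode` is the only one that is derived rather than read from a flag, so a reader meeting `isEditMode` far below has nothing telling them it is the implicit default. Suggest a comment above the group such as `// Command selection: edit mode is the implicit default when none of --encrypt, --decrypt, --rotate or --set is given; several at once are accepted but warned about below.` The warning for multiple commands is in the following hunk (@@ -1529), which is why "below" is accurate. app.Action and main both continue past the end of this hunk.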
@@ -1529,26 +1535,30 @@ func main() {
 		}
 		commandCount := 0
-		if c.Bool("encrypt") {
+		if isDecryptMode {
 			commandCount++
 		}
-		if c.Bool("decrypt") {
+		if isEncryptMode {
 			commandCount++
 		}
-		if c.Bool("rotate") {
+		if isRotateMode {
 			commandCount++
 		}
-		if c.String("set") != "" {
+		if isSetMode {
 			commandCount++
 		}
 		if commandCount > 1 {
 			log.Warn("More than one command (--encrypt, --decrypt, --rotate, --set) has been specified. Only the changes made by the last one will be visible. Note that this behavior is deprecated and will cause an error eventually.")
 		}
-		// Load configuration here for backwards compatibility (error out in case of bad config files)
-		_, err = loadConfig(c, fileNameOverride, nil)
-		if err != nil {
-			return toExitError(err)
+		// Load configuration here for backwards compatibility (error out in case of bad config files),
+		// but only when not just decrypting (https://github.com/getsops/sops/issues/868)
+		needsCreationRule := isEncryptMode || isRotateMode || isSetMode || isEditMode
+		if needsCreationRule {
+			_, err = loadConfig(c, fileNameOverride, nil)
+			if err != nil {
+				return toExitError(err)
+			}
 		}
 		inputStore := inputStore(c, fileNameOverride)
@@ -1560,7 +1570,7 @@ func main() {
 			return toExitError(err)
 		}
 		var output []byte
-		if c.Bool("encrypt") {
+		if isEncryptMode {
 			encConfig, err := getEncryptConfig(c, fileNameOverride)
 			if err != nil {
 				return toExitError(err)
@@ -1576,12 +1586,12 @@ func main() {
 			// While this check is also done below, the `err` in this scope shadows
 			// the `err` in the outer scope. **Only** do this in case --decrypt,
 			// --rotate-, and --set are not specified, though, to keep old behavior.
-			if err != nil && !c.Bool("decrypt") && !c.Bool("rotate") && c.String("set") == "" {
+			if err != nil && !isDecryptMode && !isRotateMode && !isSetMode {
 				return toExitError(err)
 			}
 		}
-		if c.Bool("decrypt") {
+		if isDecryptMode {
 			var extract []interface{}
 			extract, err = parseTreePath(c.String("extract"))
 			if err != nil {
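Review bot: Gating loadConfig on `needsCreationRule` in hunk @@ -1529 changes the error surface for a decrypt-only run: a malformed or unreadable config file used to stop the command right here, and now it is skipped over, so whether it is still noticed depends on what `inputStore(c, fileNameOverride)` on the next line and the decrypt path read from the config, which is not visible in this hunk; worth confirming that a decrypt with a bad config file either still fails with a clear message or is documented as ignoring the file. `needsCreationRule` also reduces to `!isDecryptMode || isEncryptMode || isRotateMode || isSetMode`, because `isEditMode` is the complement of the four flags, and the name does not convey that; a comment such as `// Only a decrypt-only run may proceed without a creation_rule; every other mode, including the default edit mode, must load the config here.` would make the intent explicit. The commandCount checks were additionally reordered (decrypt now before encrypt) without a functional reason, which enlarges the diff for no gain. main and app.Action extend beyond both ends of this hunk.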
@@ -1598,7 +1608,7 @@ func main() {
 				IgnoreMAC: c.Bool("ignore-mac"),
 			})
 		}
-		if c.Bool("rotate") {
+		if isRotateMode {
 			rotateOpts, err := getRotateOpts(c, fileName, inputStore, outputStore, svcs, order)
 			if err != nil {
 				return toExitError(err)
@@ -1612,7 +1622,7 @@ func main() {
 			}
 		}
-		if c.String("set") != "" {
+		if isSetMode {
 			var path []interface{}
 			var value interface{}
 			path, value, err = extractSetArguments(c.String("set"))
@@ -1632,7 +1642,6 @@ func main() {
 			})
 		}
-		isEditMode := !c.Bool("encrypt") && !c.Bool("decrypt") && !c.Bool("rotate") && c.String("set") == ""
 		if isEditMode {
 			_, statErr := os.Stat(fileName)
 			fileExists := statErr == nil
@@ -1672,7 +1681,7 @@ func main() {
 		// We open the file *after* the operations on the tree have been
 		// executed to avoid truncating it when there's errors
-		if c.Bool("in-place") || isEditMode || c.String("set") != "" {
+		if c.Bool("in-place") || isEditMode || isSetMode {
 			file, err := os.Create(fileName)
 			if err != nil {
 				return common.NewExitError(fmt.Sprintf("Could not open in-place file for writing: %s", err), codes.CouldNotWriteOutputFile)