From 79d5dac9ffe8ca3f4214f6aba6d157dce89cbbab Mon Sep 17 00:00:00 2001
From: Brice Colucci <brice.colucci@gmail.com>
Date: Wed, 10 Mar 2021 15:23:11 -0500
Subject: [PATCH] feat: Support more complicated path_regexp (issues/826)
 (#829)

* feat: Support more complicated path_regexp (https://github.com/mozilla/sops/issues/826)

* feat: Support more complicated path_regexp (https://github.com/mozilla/sops/issues/826)

* fix review: do not panic and return an error instead if the regexp is not valid.

* fix merge mess

Co-authored-by: AJ Bahnken <1144310+ajvb@users.noreply.github.com>
---
 config/config.go      | 14 ++++++++------
 config/config_test.go | 36 ++++++++++++++++++++++++++++++++++++
 go.sum                |  2 --
 3 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/config/config.go b/config/config.go
index 18a71c3df..e89336ddc 100644
--- a/config/config.go
+++ b/config/config.go
@@ -10,7 +10,6 @@ import (
 	"path"
 	"regexp"
 
-	"gopkg.in/yaml.v3"
 	"github.com/sirupsen/logrus"
 	"go.mozilla.org/sops/v3"
 	"go.mozilla.org/sops/v3/age"
@@ -21,6 +20,7 @@ import (
 	"go.mozilla.org/sops/v3/logging"
 	"go.mozilla.org/sops/v3/pgp"
 	"go.mozilla.org/sops/v3/publish"
+	"gopkg.in/yaml.v3"
 )
 
 var log *logrus.Logger
@@ -326,11 +326,13 @@ func parseCreationRuleForFile(conf *configFile, filePath string, kmsEncryptionCo
 			rule = &r
 			break
 		}
-		if r.PathRegex != "" {
-			if match, _ := regexp.MatchString(r.PathRegex, filePath); match {
-				rule = &r
-				break
-			}
+		reg, err := regexp.Compile(r.PathRegex)
+		if err != nil {
+			return nil, fmt.Errorf("can not compile regexp: %w", err)
+		}
+		if reg.MatchString(filePath) {
+			rule = &r
+			break
 		}
 	}
 
diff --git a/config/config_test.go b/config/config_test.go
index 183eb7836..ac8aca6f3 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -208,6 +208,24 @@ destination_rules:
     path_regex: "vault-v1/*"
 `)
 
+var sampleConfigWithInvalidComplicatedRegexp = []byte(`
+creation_rules:
+  - path_regex: "[ ]\\K(?<!\\d )(?="
+    kms: default
+`)
+
+var sampleConfigWithComplicatedRegexp = []byte(`
+creation_rules:
+  - path_regex: "stage/dev/feature-.*"
+    kms: dev-feature 
+  - path_regex: "stage/dev/.*"
+    kms: dev
+  - path_regex: "stage/staging/.*"
+    kms: staging
+  - path_regex: "stage/.*/.*"
+    kms: default
+`)
+
 func parseConfigFile(confBytes []byte, t *testing.T) *configFile {
 	conf := &configFile{}
 	err := conf.load(confBytes)
@@ -285,6 +303,24 @@ func TestLoadConfigFileWithNoMatchingRules(t *testing.T) {
 	assert.NotNil(t, err)
 }
 
+func TestLoadConfigFileWithInvalidComplicatedRegexp(t *testing.T) {
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidComplicatedRegexp, t), "stage/prod/api.yml", nil)
+	assert.Equal(t, "can not compile regexp: error parsing regexp: invalid escape sequence: `\\K`", err.Error())
+	assert.Nil(t, conf)
+}
+
+func TestLoadConfigFileWithComplicatedRegexp(t *testing.T) {
+	for filePath, k := range map[string]string{
+		"stage/prod/api.yml":        "default",
+		"stage/dev/feature-foo.yml": "dev-feature",
+		"stage/dev/api.yml":         "dev",
+	} {
+		conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithComplicatedRegexp, t), filePath, nil)
+		assert.Nil(t, err)
+		assert.Equal(t, k, conf.KeyGroups[0][0].ToString())
+	}
+}
+
 func TestLoadEmptyConfigFile(t *testing.T) {
 	conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "foobar2000", nil)
 	assert.Nil(t, conf)
diff --git a/go.sum b/go.sum
index d865ef210..976e3519a 100644
--- a/go.sum
+++ b/go.sum
@@ -332,7 +332,6 @@ golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXR
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -410,7 +409,6 @@ gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHO
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=