mirror of
https://github.com/getsops/sops.git
synced 2026-02-05 12:45:21 +01:00
Match file path relative to config file's directory (2) (#853)
* Match file path relative to config file's directory * Update README.rst
This commit is contained in:
Paulo Lieuthier
@@ -8,7 +8,9 @@ import (
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
"github.com/sirupsen/logrus"
|
||||
"go.mozilla.org/sops/v3"
|
||||
@@ -313,12 +315,20 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
|
||||
return config, nil
|
||||
}
|
||||
|
||||
func parseCreationRuleForFile(conf *configFile, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) {
|
||||
func parseCreationRuleForFile(conf *configFile, confPath, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) {
|
||||
// If config file doesn't contain CreationRules (it's empty or only contains DestionationRules), assume it does not exist
|
||||
if conf.CreationRules == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
configDir, err := filepath.Abs(filepath.Dir(confPath))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// compare file path relative to path of config file
|
||||
filePath = strings.TrimPrefix(filePath, configDir + string(filepath.Separator))
|
||||
|
||||
var rule *creationRule
|
||||
|
||||
for _, r := range conf.CreationRules {
|
||||
@@ -356,7 +366,8 @@ func LoadCreationRuleForFile(confPath string, filePath string, kmsEncryptionCont
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return parseCreationRuleForFile(conf, filePath, kmsEncryptionContext)
|
||||
|
||||
return parseCreationRuleForFile(conf, confPath, filePath, kmsEncryptionContext)
|
||||
}
|
||||
|
||||
// LoadDestinationRuleForFile works the same as LoadCreationRuleForFile, but gets the "creation_rule" from the matching destination_rule's
|
||||
|
||||
@@ -75,6 +75,15 @@ creation_rules:
|
||||
hc_vault_uris: https://foz:443/v1/foz/keys/foz
|
||||
`)
|
||||
|
||||
var sampleConfigWithAmbiguousPath = []byte(`
|
||||
creation_rules:
|
||||
- path_regex: foo/*
|
||||
kms: "1"
|
||||
pgp: "2"
|
||||
gcp_kms: "3"
|
||||
hc_vault_uris: http://4:8200/v1/4/keys/4
|
||||
`)
|
||||
|
||||
var sampleConfigWithGroups = []byte(`
|
||||
creation_rules:
|
||||
- path_regex: foobar*
|
||||
@@ -299,12 +308,12 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithNoMatchingRules(t *testing.T) {
|
||||
_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithNoMatchingRules, t), "foobar2000", nil)
|
||||
_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithNoMatchingRules, t), "/conf/path", "foobar2000", nil)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithInvalidComplicatedRegexp(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidComplicatedRegexp, t), "stage/prod/api.yml", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidComplicatedRegexp, t), "/conf/path", "stage/prod/api.yml", nil)
|
||||
assert.Equal(t, "can not compile regexp: error parsing regexp: invalid escape sequence: `\\K`", err.Error())
|
||||
assert.Nil(t, conf)
|
||||
}
|
||||
@@ -315,58 +324,58 @@ func TestLoadConfigFileWithComplicatedRegexp(t *testing.T) {
|
||||
"stage/dev/feature-foo.yml": "dev-feature",
|
||||
"stage/dev/api.yml": "dev",
|
||||
} {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithComplicatedRegexp, t), filePath, nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithComplicatedRegexp, t), "/conf/path", filePath, nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, k, conf.KeyGroups[0][0].ToString())
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadEmptyConfigFile(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "foobar2000", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "/conf/path", "foobar2000", nil)
|
||||
assert.Nil(t, conf)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithEmptyCreationRules(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEmptyCreationRules, t), "foobar2000", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEmptyCreationRules, t), "/conf/path", "foobar2000", nil)
|
||||
assert.Nil(t, conf)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithOnlyDestinationRules(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithOnlyDestinationRules, t), "foobar2000", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithOnlyDestinationRules, t), "/conf/path", "foobar2000", nil)
|
||||
assert.Nil(t, conf)
|
||||
assert.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestKeyGroupsForFile(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "foobar2000", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "foobar2000", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "2", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "1", conf.KeyGroups[0][1].ToString())
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "whatever", nil)
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "whatever", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
|
||||
}
|
||||
|
||||
func TestKeyGroupsForFileWithPath(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "foo/bar2000", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "/conf/path", "foo/bar2000", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "2", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "1", conf.KeyGroups[0][1].ToString())
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "somefilename.yml", nil)
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "/conf/path", "somefilename.yml", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "baggins", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "bilbo", conf.KeyGroups[0][1].ToString())
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "whatever", nil)
|
||||
conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "whatever", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
|
||||
}
|
||||
|
||||
func TestKeyGroupsForFileWithGroups(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithGroups, t), "whatever", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithGroups, t), "/conf/path", "whatever", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString())
|
||||
assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
|
||||
@@ -375,31 +384,39 @@ func TestKeyGroupsForFileWithGroups(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithUnencryptedSuffix(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "foobar", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "/conf/path", "foobar", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "_unencrypted", conf.UnencryptedSuffix)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "barfoo", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "/conf/path", "barfoo", nil)
|
||||
assert.Nil(t, err)
|
||||
assert.Equal(t, "_enc", conf.EncryptedSuffix)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "barbar", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, "^dec:", conf.UnencryptedRegex)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithEncryptedRegex(t *testing.T) {
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "barbar", nil)
|
||||
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, "^enc:", conf.EncryptedRegex)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithInvalidParameters(t *testing.T) {
|
||||
_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidParameters, t), "foobar", nil)
|
||||
_, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidParameters, t), "/conf/path", "foobar", nil)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
func TestLoadConfigFileWithAmbiguousPath(t *testing.T) {
|
||||
config := parseConfigFile(sampleConfigWithAmbiguousPath, t)
|
||||
_, err := parseCreationRuleForFile(config, "/foo/config", "/foo/foo/bar", nil)
|
||||
assert.Nil(t, err)
|
||||
_, err = parseCreationRuleForFile(config, "/foo/config", "/foo/fuu/bar", nil)
|
||||
assert.NotNil(t, err)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user