Ignore unmatched creation rules with inline keys #2150
lawrence3699 wants to merge 1 commit into getsops:main from
Conversation
Pull request overview
This PR fixes the behavior where sops would fail to encrypt when a .sops.yaml exists but none of its creation_rules match the target file path, even if master keys are provided via CLI flags (e.g., --age, --kms). With this change, “no matching creation rules” is treated as a non-applicable config only when inline master keys are present, allowing encryption to proceed using the inline keys.
Changes:
- Introduce a sentinel error (`config.ErrNoMatchingCreationRules`) for the "no matching creation rules" condition.
- Update `cmd/sops` config loading to ignore that specific error when inline master key flags are provided.
- Add CLI-level tests to validate the new behavior for matching vs non-matching creation rules with/without inline keys.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `config/config.go` | Adds a typed/sentinel error for unmatched creation rules and returns it from creation rule parsing. |
| `cmd/sops/main.go` | Ignores unmatched creation rules when inline master key flags are present, allowing fallback to CLI-provided keys. |
| `cmd/sops/main_test.go` | Adds regression tests covering the new fallback behavior and ensuring the old error remains without inline keys. |
```go
func hasInlineMasterKeyFlags(c *cli.Context) bool {
	return c.String("kms") != "" ||
		c.String("pgp") != "" ||
		c.String("gcp-kms") != "" ||
		c.String("hckms") != "" ||
		c.String("azure-kv") != "" ||
		c.String("hc-vault-transit") != "" ||
		c.String("age") != ""
```
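Review bot: hasInlineMasterKeyFlags carries no doc comment explaining that it is the gate deciding whether a non-matching .sops.yaml is ignored; add one, and reflect the same point in the user-facing docs, because a creation_rules file whose path_regex deliberately excludes a path no longer blocks encryption once any of these flags is present. Operators who rely on .sops.yaml to pin the allowed master keys per path should know that the inline flags now take precedence in that case, and the doc comment is the right place to state that the list must stay in step with the flags consulted in keyGroups.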
hasInlineMasterKeyFlags duplicates the same inline-key presence check already implemented in keyGroups (the long c.String(...) == "" condition). This creates a maintenance risk where new master-key flags would need to be updated in multiple places. Consider reusing this helper in keyGroups (or deriving both checks from a shared list of flag names) to keep the logic in sync.
Fixes #1790.
Before
When `.sops.yaml` was present but none of its `creation_rules` matched the target path, `sops -e --age ... file` still failed with `error loading config: no matching creation rules found`.
After
If master keys are provided through CLI flags, unmatched creation rules are treated as non-applicable config and encryption falls back to the inline keys.
Commands without inline keys still fail as before, and other config-loading errors still surface unchanged.
Validation
- `go test ./cmd/sops -run 'TestLoadConfig'`
- `go test ./config -run 'TestLoadConfig|TestKeyGroupsForFile|TestLoadEmptyConfigFile|TestLoadConfigFileWithEmptyCreationRules'`
- `sops --age=... -e mysecret.json` succeeding with a non-matching `.sops.yaml`
- `make test` still fails in this environment for unrelated `age`, `hcvault`, and `kms` tests (`gpg-agent` passphrase IPC error and missing Docker socket)
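The policy the PR describes, a sentinel error for "no rule matched" that is swallowed only when inline master keys were supplied and surfaced unchanged otherwise, as an added self-contained Go illustration. This is not sops' own code: `CreationRule`, `Config`, `matchRules` and `loadConfigForEncrypt` are stand-ins for the real config package, the only name taken from the PR is the sentinel `ErrNoMatchingCreationRules`, and the rules and paths are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ErrNoMatchingCreationRules mirrors the sentinel the PR introduces as
// config.ErrNoMatchingCreationRules; everything else here is illustrative.
var ErrNoMatchingCreationRules = errors.New("no matching creation rules found")

// CreationRule is a cut-down stand-in for one .sops.yaml creation_rules entry
// (assumed shape, not the project's type).
type CreationRule struct {
	PathRegex string
	Age       string // recipient the rule pins for paths it matches
}

// Config is what a successful rule match yields (assumed shape).
type Config struct {
	Age string
}

// matchRules picks the first rule whose path_regex matches filePath.
// A malformed regex is a distinct, wrapped error so callers can tell it
// apart from the "nothing matched" sentinel.
func matchRules(rules []CreationRule, filePath string) (*Config, error) {
	for _, r := range rules {
		re, err := regexp.Compile(r.PathRegex)
		if err != nil {
			return nil, fmt.Errorf("invalid path_regex %q: %w", r.PathRegex, err)
		}
		if re.MatchString(filePath) {
			return &Config{Age: r.Age}, nil
		}
	}
	return nil, ErrNoMatchingCreationRules
}

// loadConfigForEncrypt applies the PR's policy: the sentinel is tolerated
// (nil config, nil error) only when the caller supplied inline master keys;
// the sentinel without inline keys, and every other error, is surfaced.
func loadConfigForEncrypt(rules []CreationRule, filePath string, hasInlineKeys bool) (*Config, error) {
	cfg, err := matchRules(rules, filePath)
	if err != nil {
		if errors.Is(err, ErrNoMatchingCreationRules) && hasInlineKeys {
			return nil, nil // fall back to the CLI-provided keys
		}
		return nil, fmt.Errorf("error loading config: %w", err)
	}
	return cfg, nil
}

func main() {
	// Constructed sample config: only files under secrets/ have a rule.
	rules := []CreationRule{{PathRegex: `^secrets/.*\.yaml$`, Age: "age1example"}}
	cases := []struct {
		path   string
		inline bool
	}{
		{"secrets/db.yaml", false},
		{"mysecret.json", false},
		{"mysecret.json", true},
	}
	for _, tc := range cases {
		cfg, err := loadConfigForEncrypt(rules, tc.path, tc.inline)
		fmt.Printf("%-16s inline=%-5v matched=%-5v err=%v\n", tc.path, tc.inline, cfg != nil, err)
	}
}
```

The `errors.Is` check is what keeps the fallback narrow: because `matchRules` wraps any other failure with `%w` rather than returning the sentinel, a broken `path_regex` still aborts the encrypt even when `--age` is given, which matches the PR's statement that other config-loading errors surface unchanged.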