
Commit d1a41e8

When encrypting, load the config only once.
Signed-off-by: Felix Fontein <[email protected]>
1 parent 225546e commit d1a41e8


1 file changed

+28
-15
lines changed


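--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -1022,7 +1022,7 @@ func main() {
 }
 svcs := keyservices(c)
 
-encConfig, err := getEncryptConfig(c, fileNameOverride)
+encConfig, err := getEncryptConfig(c, fileNameOverride, nil)
 if err != nil {
 return toExitError(err)
 }
@@ -1368,7 +1368,7 @@ func main() {
 }
 } else {
 // File doesn't exist, edit the example file instead
-encConfig, err := getEncryptConfig(c, fileName)
+encConfig, err := getEncryptConfig(c, fileName, nil)
 if err != nil {
 return toExitError(err)
 }
@@ -1883,8 +1883,9 @@ func main() {
 // Load configuration here for backwards compatibility (error out in case of bad config files),
 // but only when not just decrypting (https://github.com/getsops/sops/issues/868)
 needsCreationRule := isEncryptMode || isRotateMode || isSetMode || isEditMode
+var config *config.Config
 if needsCreationRule {
-_, err = loadConfig(c, fileNameOverride, nil)
+config, err = loadConfig(c, fileNameOverride, nil)
 if err != nil {
 return toExitError(err)
 }
@@ -1906,7 +1907,7 @@ func main() {
 }
 var output []byte
 if isEncryptMode {
-encConfig, err := getEncryptConfig(c, fileNameOverride)
+encConfig, err := getEncryptConfig(c, fileNameOverride, config)
 if err != nil {
 return toExitError(err)
 }
@@ -1994,7 +1995,7 @@ func main() {
 output, err = edit(opts)
 } else {
 // File doesn't exist, edit the example file instead
-encConfig, err := getEncryptConfig(c, fileNameOverride)
+encConfig, err := getEncryptConfig(c, fileNameOverride, config)
 if err != nil {
 return toExitError(err)
 }
@@ -2048,17 +2049,21 @@ func main() {
 }
 }
 
-func getEncryptConfig(c *cli.Context, fileName string) (encryptConfig, error) {
+func getEncryptConfig(c *cli.Context, fileName string, optionalConfig *config.Config) (encryptConfig, error) {
 unencryptedSuffix := c.String("unencrypted-suffix")
 encryptedSuffix := c.String("encrypted-suffix")
 encryptedRegex := c.String("encrypted-regex")
 unencryptedRegex := c.String("unencrypted-regex")
 encryptedCommentRegex := c.String("encrypted-comment-regex")
 unencryptedCommentRegex := c.String("unencrypted-comment-regex")
 macOnlyEncrypted := c.Bool("mac-only-encrypted")
-conf, err := loadConfig(c, fileName, nil)
-if err != nil {
-return encryptConfig{}, toExitError(err)
+var err error
+conf := optionalConfig
+if conf == nil {
+conf, err = loadConfig(c, fileName, nil)
+if err != nil {
+return encryptConfig{}, toExitError(err)
+}
 }
 if conf != nil {
 // command line options have precedence
@@ -2115,13 +2120,13 @@ func getEncryptConfig(c *cli.Context, fileName string) (encryptConfig, error) {
 }
 
 var groups []sops.KeyGroup
-groups, err = keyGroups(c, fileName)
+groups, err = keyGroups(c, fileName, conf)
 if err != nil {
 return encryptConfig{}, err
 }
 
 var threshold int
-threshold, err = shamirThreshold(c, fileName)
+threshold, err = shamirThreshold(c, fileName, conf)
 if err != nil {
 return encryptConfig{}, err
 }
@@ -2318,7 +2323,7 @@ func parseTreePath(arg string) ([]interface{}, error) {
 return path, nil
 }
 
-func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
+func keyGroups(c *cli.Context, file string, optionalConfig *config.Config) ([]sops.KeyGroup, error) {
 var kmsKeys []keys.MasterKey
 var pgpKeys []keys.MasterKey
 var cloudKmsKeys []keys.MasterKey
@@ -2372,7 +2377,11 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 }
 }
 if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" {
-conf, err := loadConfig(c, file, kmsEncryptionContext)
+conf := optionalConfig
+var err error
+if conf == nil {
+conf, err = loadConfig(c, file, kmsEncryptionContext)
+}
 // config file might just not be supplied, without any error
 if conf == nil {
 errMsg := "config file not found, or has no creation rules, and no keys provided through command line options"
@@ -2414,11 +2423,15 @@ func loadConfig(c *cli.Context, file string, kmsEncryptionContext map[string]*st
 return conf, nil
 }
 
-func shamirThreshold(c *cli.Context, file string) (int, error) {
+func shamirThreshold(c *cli.Context, file string, optionalConfig *config.Config) (int, error) {
 if c.Int("shamir-secret-sharing-threshold") != 0 {
 return c.Int("shamir-secret-sharing-threshold"), nil
 }
-conf, err := loadConfig(c, file, nil)
+var err error
+conf := optionalConfig
+if conf == nil {
+conf, err = loadConfig(c, file, nil)
+}
 if conf == nil {
 // This takes care of the following two case:
 // 1. No config was provided, or contains no creation rules. Err will be nil and ShamirThreshold will be the default value of 0.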
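Review bot: In `keyGroups`, reusing `optionalConfig` skips the only `loadConfig` call that passes `kmsEncryptionContext`, because every non-nil config handed down in this diff was loaded with `nil` as the third argument (`loadConfig(c, fileNameOverride, nil)` in `main`, `loadConfig(c, fileName, nil)` in `getEncryptConfig`). If `loadConfig` uses that argument to attach the encryption context to KMS keys taken from creation rules (its body is outside this diff, so this is inferred from the parameter name), keys built from the config would no longer carry the context the user supplied, and the binding it provides on the data key is silently lost. Reloading whenever a context was given keeps the previous behaviour: `if conf == nil || len(kmsEncryptionContext) > 0 {` ahead of `conf, err = loadConfig(c, file, kmsEncryptionContext)`; a regression test that encrypts with a creation rule plus an encryption context would pin it. Separately, `var config *config.Config` in `main` shadows the imported `config` package for the rest of that scope, so a name such as `conf` would be safer. The bodies of `main`, `keyGroups` and `shamirThreshold` continue outside the hunks shown.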
