From 5f1ca1dd4837e98686218b1a441f3c5734bdfda4 Mon Sep 17 00:00:00 2001
From: Mitar <mitar.git@tnode.com>
Date: Fri, 22 Sep 2023 11:20:35 +0200
Subject: [PATCH] Fix descriptions of unencrypted-regex and encrypted-regex
 flags.

Signed-off-by: Mitar <mitar.git@tnode.com>
---
 cmd/sops/main.go      |  4 ++--
 config/config.go      |  5 ++++-
 config/config_test.go | 15 +++++++++++----
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 50ec20355..b902c186f 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -678,11 +678,11 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:  "unencrypted-regex",
-			Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.",
+			Usage: "set the unencrypted key regex. When specified, only keys matching the regex will be left unencrypted.",
 		},
 		cli.StringFlag{
 			Name:  "encrypted-regex",
-			Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.",
+			Usage: "set the encrypted key regex. When specified, only keys matching the regex will be encrypted.",
 		},
 		cli.StringFlag{
 			Name:  "config",
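Review bot: Neither corrected usage string says that the selector cannot be combined with the others, although config.go in this same commit rejects a creation rule that sets more than one of them. If the command-line flags are under the same restriction (that check is not visible in this hunk), state it in both strings, for example by appending `Cannot be combined with the other encrypted/unencrypted suffix or regex options.` The flag list belongs to main(), which starts and ends outside the hunk.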
diff --git a/config/config.go b/config/config.go
index 311604634..c2475a2b9 100644
--- a/config/config.go
+++ b/config/config.go
@@ -242,12 +242,15 @@ func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string)
 	if rule.EncryptedSuffix != "" {
 		cryptRuleCount++
 	}
+	if rule.UnencryptedRegex != "" {
+		cryptRuleCount++
+	}
 	if rule.EncryptedRegex != "" {
 		cryptRuleCount++
 	}
 
 	if cryptRuleCount > 1 {
-		return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule")
+		return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, or unencrypted_regex for the same rule")
 	}
 
 	groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext)
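Review bot: The new `rule.UnencryptedRegex != ""` branch is not exercised by any test in this commit. The config_test.go changes only split the shared fixture so that the two existing tests keep loading. Add a test that loads a rule carrying both `encrypted_regex` and `unencrypted_regex` and checks `assert.Error(t, err)`, because a regression here would silently change which values end up encrypted. This is also a behaviour change: the old fixture combined both selectors and loaded without error, and the commit subject mentions only flag descriptions, so it deserves a line in the description or changelog. configFromRule starts before and continues after the hunk.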
diff --git a/config/config_test.go b/config/config_test.go
index a653fcb8e..4c43686c0 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -140,12 +140,19 @@ creation_rules:
           version: fooversion
     `)
 
-var sampleConfigWithRegexParameters = []byte(`
+var sampleConfigWithEncryptedRegexParameters = []byte(`
 creation_rules:
   - path_regex: barbar*
     kms: "1"
     pgp: "2"
     encrypted_regex: "^enc:"
+    `)
+
+var sampleConfigWithUnencryptedRegexParameters = []byte(`
+creation_rules:
+  - path_regex: barbar*
+    kms: "1"
+    pgp: "2"
     unencrypted_regex: "^dec:"
     `)
 
@@ -226,7 +233,7 @@ creation_rules:
 var sampleConfigWithComplicatedRegexp = []byte(`
 creation_rules:
   - path_regex: "stage/dev/feature-.*"
-    kms: dev-feature 
+    kms: dev-feature
   - path_regex: "stage/dev/.*"
     kms: dev
   - path_regex: "stage/staging/.*"
@@ -396,13 +403,13 @@ func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) {
 }
 
 func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) {
-	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithUnencryptedRegexParameters, t), "/conf/path", "barbar", nil)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "^dec:", conf.UnencryptedRegex)
 }
 
 func TestLoadConfigFileWithEncryptedRegex(t *testing.T) {
-	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil)
+	conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEncryptedRegexParameters, t), "/conf/path", "barbar", nil)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "^enc:", conf.EncryptedRegex)
 }