Allow CLI flags to override config file settings with empty values #2195
Open
toller892 wants to merge 1 commit into
When a user passes --encrypted-regex='' on the command line, the intent is to unset the config file's encrypted_regex setting. Previously, the code checked if the CLI value was empty and fell back to the config, making it impossible to override config settings with empty strings. Use cli.Context.IsSet() to distinguish 'flag not provided' from 'flag explicitly set to empty string'. This applies to all six suffix/regex flags: encrypted-suffix, unencrypted-suffix, encrypted-regex, unencrypted-regex, encrypted-comment-regex, unencrypted-comment-regex. Fixes getsops#617
Problem
When a user passes --encrypted-regex='' on the command line, the intent is to unset the config file's encrypted_regex setting. Previously, the code checked if the CLI value was an empty string and fell back to the config file value, making it impossible to override config settings with empty strings.
This affects all six suffix/regex flags: --encrypted-suffix, --unencrypted-suffix, --encrypted-regex, --unencrypted-regex, --encrypted-comment-regex, --unencrypted-comment-regex.
Fixes #617
Root Cause
In getEncryptConfig() (cmd/sops/main.go), the precedence logic was:
This treats "flag not provided" and "flag explicitly set to empty" identically.
Fix
Use cli.Context.IsSet() to distinguish between "flag not provided" (use config) and "flag explicitly set to empty string" (use CLI value):
This pattern is already used elsewhere in the codebase (c.GlobalIsSet("indent") at line 2391).
Testing
go build ./cmd/sops/ passes
go test ./config/ passes
go test ./... -short passes (only pre-existing PGP keyring test fails, unrelated to this change)