From 618b60e99cc7be173390248aa5cb34c3b2a9ce52 Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Fri, 29 Dec 2023 22:55:57 +0100
Subject: [PATCH 1/2] Create a constant for the 'sops' metadata key.

Signed-off-by: Felix Fontein <felix@fontein.de>
---
 cmd/sops/encrypt.go    | 9 +++++----
 stores/dotenv/store.go | 2 +-
 stores/ini/store.go    | 6 +++---
 stores/json/store.go   | 4 ++--
 stores/stores.go       | 7 ++++++-
 stores/yaml/store.go   | 4 ++--
 6 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go
index 266f48ae3..9d8d10ceb 100644
--- a/cmd/sops/encrypt.go
+++ b/cmd/sops/encrypt.go
@@ -9,6 +9,7 @@ import (
 	"github.com/getsops/sops/v3/cmd/sops/codes"
 	"github.com/getsops/sops/v3/cmd/sops/common"
 	"github.com/getsops/sops/v3/keyservice"
+	"github.com/getsops/sops/v3/stores"
 	"github.com/getsops/sops/v3/version"
 	"github.com/mitchellh/go-wordwrap"
 )
@@ -36,12 +37,12 @@ func (err *fileAlreadyEncryptedError) Error() string {
 
 func (err *fileAlreadyEncryptedError) UserError() string {
 	message := "The file you have provided contains a top-level entry called " +
-		"'sops', or for flat file formats top-level entries starting with " +
-		"'sops_'. This is generally due to the file already being encrypted. " +
-		"SOPS uses a top-level entry called 'sops' to store the metadata " +
+		"'" + stores.SopsMetadataKey + "', or for flat file formats top-level entries starting with " +
+		"'" + stores.SopsMetadataKey + "_'. This is generally due to the file already being encrypted. " +
+		"SOPS uses a top-level entry called '" + stores.SopsMetadataKey + "' to store the metadata " +
 		"required to decrypt the file. For this reason, SOPS can not " +
 		"encrypt files that already contain such an entry.\n\n" +
-		"If this is an unencrypted file, rename the 'sops' entry.\n\n" +
+		"If this is an unencrypted file, rename the '" + stores.SopsMetadataKey + "' entry.\n\n" +
 		"If this is an encrypted file and you want to edit it, use the " +
 		"editor mode, for example: `sops my_file.yaml`"
 	return wordwrap.WrapString(message, 75)
diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go
index 88eb0442f..09f118aa8 100644
--- a/stores/dotenv/store.go
+++ b/stores/dotenv/store.go
@@ -12,7 +12,7 @@ import (
 )
 
 // SopsPrefix is the prefix for all metadatada entry keys
-const SopsPrefix = "sops_"
+const SopsPrefix = stores.SopsMetadataKey + "_"
 
 // Store handles storage of dotenv data
 type Store struct {
diff --git a/stores/ini/store.go b/stores/ini/store.go
index c44b89302..350142d85 100644
--- a/stores/ini/store.go
+++ b/stores/ini/store.go
@@ -148,7 +148,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 		return sops.Tree{}, err
 	}
 
-	sopsSection, err := iniFileOuter.GetSection("sops")
+	sopsSection, err := iniFileOuter.GetSection(stores.SopsMetadataKey)
 	if err != nil {
 		return sops.Tree{}, sops.MetadataNotFound
 	}
@@ -170,7 +170,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 	// Discard metadata, as we already loaded it.
 	for bi, branch := range branches {
 		for s, sectionBranch := range branch {
-			if sectionBranch.Key == "sops" {
+			if sectionBranch.Key == stores.SopsMetadataKey {
 				branch = append(branch[:s], branch[s+1:]...)
 				branches[bi] = branch
 			}
@@ -213,7 +213,7 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	sectionItem := sops.TreeItem{Key: "sops", Value: newBranch}
+	sectionItem := sops.TreeItem{Key: stores.SopsMetadataKey, Value: newBranch}
 	branch := sops.TreeBranch{sectionItem}
 
 	in.Branches = append(in.Branches, branch)
diff --git a/stores/json/store.go b/stores/json/store.go
index 2f0f7a721..e9df1b554 100644
--- a/stores/json/store.go
+++ b/stores/json/store.go
@@ -295,7 +295,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 	}
 	// Discard metadata, as we already loaded it.
 	for i, item := range branch {
-		if item.Key == "sops" {
+		if item.Key == stores.SopsMetadataKey {
 			branch = append(branch[:i], branch[i+1:]...)
 		}
 	}
@@ -321,7 +321,7 @@ func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) {
 // EmitEncryptedFile returns the encrypted bytes of the json file corresponding to a
 // sops.Tree runtime object
 func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) {
-	tree := append(in.Branches[0], sops.TreeItem{Key: "sops", Value: stores.MetadataFromInternal(in.Metadata)})
+	tree := append(in.Branches[0], sops.TreeItem{Key: stores.SopsMetadataKey, Value: stores.MetadataFromInternal(in.Metadata)})
 	out, err := store.jsonFromTreeBranch(tree)
 	if err != nil {
 		return nil, fmt.Errorf("Error marshaling to json: %s", err)
diff --git a/stores/stores.go b/stores/stores.go
index f4f8f2354..a1279b07e 100644
--- a/stores/stores.go
+++ b/stores/stores.go
@@ -23,6 +23,11 @@ import (
 	"github.com/getsops/sops/v3/pgp"
 )
 
+const (
+	// The key used to store SOPS metadata at in SOPS encrypted files.
+	SopsMetadataKey = "sops"
+)
+
 // SopsFile is a struct used by the stores as a helper to unmarshal the SOPS metadata
 type SopsFile struct {
 	// Metadata is a pointer so we can easily tell when the field is not present
@@ -510,7 +515,7 @@ var ExampleFlatTree = sops.Tree{
 // HasSopsTopLevelKey returns true if the given branch has a top-level key called "sops".
 func HasSopsTopLevelKey(branch sops.TreeBranch) bool {
 	for _, b := range branch {
-		if b.Key == "sops" {
+		if b.Key == SopsMetadataKey {
 			return true
 		}
 	}
diff --git a/stores/yaml/store.go b/stores/yaml/store.go
index 86ca00672..697ff10e9 100644
--- a/stores/yaml/store.go
+++ b/stores/yaml/store.go
@@ -291,7 +291,7 @@ func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) {
 		}
 
 		for i, elt := range branch {
-			if elt.Key == "sops" { // Erase
+			if elt.Key == stores.SopsMetadataKey { // Erase
 				branch = append(branch[:i], branch[i+1:]...)
 			}
 		}
@@ -357,7 +357,7 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) {
 		// Create copy of branch with metadata appended
 		branch = append(sops.TreeBranch(nil), branch...)
 		branch = append(branch, sops.TreeItem{
-			Key:   "sops",
+			Key:   stores.SopsMetadataKey,
 			Value: stores.MetadataFromInternal(in.Metadata),
 		})
 		// Marshal branch to global mapping node

From 00de085c3490aee42d04616a18324c2d4448333d Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Fri, 29 Dec 2023 23:22:25 +0100
Subject: [PATCH 2/2] Improve comment.

Co-authored-by: Devin Stein <devstein@alumni.upenn.edu>
Signed-off-by: Felix Fontein <felix@fontein.de>
---
 stores/stores.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stores/stores.go b/stores/stores.go
index a1279b07e..9ab308d14 100644
--- a/stores/stores.go
+++ b/stores/stores.go
@@ -24,7 +24,7 @@ import (
 )
 
 const (
-	// The key used to store SOPS metadata at in SOPS encrypted files.
+	// SopsMetadataKey is the key used to store SOPS metadata at in SOPS encrypted files.
 	SopsMetadataKey = "sops"
 )