chore: validate that both sudo_secret and sudo_path are set and that either interactive_sudo or sops decryption is used

weriomat · weriomat · commit d61ae848db84 · 2025-06-05T13:55:50.000+02:00
diff --git a/src/lib.rs b/src/lib.rs
@@ -365,6 +365,12 @@ enum ProfileInfo {
 pub enum DeployDataDefsError {
     #[error("Neither `user` nor `sshUser` are set for profile {0} of node {1}")]
     NoProfileUser(String, String),
+    #[error("No sudo path set but sudo secret for profile {0} of node {1}")]
+    NoSopsFile(String, String),
+    #[error("No sudo secret but sudo path set for profile {0} of node {1}")]
+    NoSopsSecret(String, String),
+    #[error("Interactive Sudo set but sudo secret set as well for profile {0} of node {1}")]
+    SopsButInteractive(String, String),
 }
 
 impl<'a> DeployData<'a> {
@@ -381,6 +387,31 @@ impl<'a> DeployData<'a> {
             _ => None,
         };
 
+        // Check if one of sudo_file or sudo_secret is missing
+        if self.merged_settings.sudo_file.is_some() && self.merged_settings.sudo_secret.is_none() {
+            return Err(DeployDataDefsError::NoSopsSecret(
+                self.profile_name.to_owned(),
+                self.node_name.to_owned(),
+            ));
+        }
+
+        if self.merged_settings.sudo_file.is_none() && self.merged_settings.sudo_secret.is_some() {
+            return Err(DeployDataDefsError::NoSopsFile(
+                self.profile_name.to_owned(),
+                self.node_name.to_owned(),
+            ));
+        }
+
+        // Check that only either sudo_secret or interactive sudo is set
+        if self.merged_settings.interactive_sudo.is_some()
+            && self.merged_settings.sudo_secret.is_some()
+        {
+            return Err(DeployDataDefsError::SopsButInteractive(
+                self.profile_name.to_owned(),
+                self.node_name.to_owned(),
+            ));
+        }
+
         Ok(DeployDefs {
             ssh_user,
             profile_user,
