Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change BulkDecrypt to not rely on type tests #9373

Merged
merged 3 commits into from Apr 11, 2022
Merged

Change BulkDecrypt to not rely on type tests #9373

merged 3 commits into from Apr 11, 2022

Conversation

Frassle
Copy link
Member

@Frassle Frassle commented Apr 8, 2022
edited

Description

BulkDecrypt only made use of the bulk decryption if the Decrypter passed in was itself a BulkDecrypter. Only the serviceCrypter implemented this interface but most of the time it's wrapped with a cachingCrypter.

Rather than just adding BulkDecrypt to cachingCrypter I've just moved it to the Decrypter interface and ensured that every implementation either does something efficient if it can, or calls DefaultBulkDecrypt to just loop over 1-by-1.

Fixes #9350

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • Yes, there are changes in this PR that warrants bumping the Pulumi Service API version

@Frassle Frassle requested review from pgavlin and stack72 April 8, 2022 19:37
pgavlin
pgavlin reviewed Apr 8, 2022
View reviewed changes
Copy link
Member

@pgavlin pgavlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It makes me sad that we need to do this, but it does seem like the right choice given the bug. LGTM.

pkg/resource/stack/secrets.go
Comment on lines +196 to +231
func (c *mapDecrypter) BulkDecrypt(ciphertexts []string) (map[string]string, error) {
// Loop and find the entries that are already cached, then BulkDecrypt the rest
secretMap := map[string]string{}
var toDecrypt []string
if c.cache == nil {
// Don't bother searching for the cached subset if the cache is nil
toDecrypt = ciphertexts
} else {
toDecrypt = make([]string, 0)
for _, ct := range ciphertexts {
if plaintext, ok := c.cache[ct]; ok {
secretMap[ct] = plaintext
} else {
toDecrypt = append(toDecrypt, ct)
}
}
}

// try and bulk decrypt the rest
decrypted, err := c.decrypter.BulkDecrypt(toDecrypt)
if err != nil {
return nil, err
}

// And add them to the cache
if c.cache == nil {
c.cache = make(map[string]string)
}

for ct, pt := range decrypted {
secretMap[ct] = pt
c.cache[ct] = pt
}

return secretMap, nil
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we actually need this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think current data flow is such that no this will never be hit, but it was pretty easy to write and means we won't trip up on a bad method if we refactor things slightly in the future that cause it to start being hit.

@Frassle Frassle merged commit 5528cde into master Apr 11, 2022
@pulumi-bot pulumi-bot deleted the fraser/fixBulkDecrypt branch April 11, 2022 07:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pgavlin pgavlin pgavlin approved these changes

@stack72 stack72 Awaiting requested review from stack72

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CLI Performance Issues when using stackReferences
2 participants
@Frassle @pgavlin