From ab40664e5b0fb26b9056066fdb6fa2224ffd74a5 Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Mon, 18 Nov 2024 13:20:09 -0500
Subject: [PATCH] fix(cli): Enables concurrent rewrap in cli (#391)

- Adds `--concurrencyLimit` parameter
- Defaults to 100
- Also, if not explicitly set to `1`, triggers an access token lookup to try to get the race condition we were seeing internally
---
 cli/bin/opentdf.bats | 2 +-
 cli/src/cli.ts | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/cli/bin/opentdf.bats b/cli/bin/opentdf.bats
index 9593258c..4084dc4f 100755
--- a/cli/bin/opentdf.bats
+++ b/cli/bin/opentdf.bats
@@ -13,7 +13,7 @@
 }

 @test "fails with missing file arguments" {
- run $BATS_TEST_DIRNAME/opentdf.mjs --kasEndpoint "https://example.com" --oidcEndpoint "http://invalid" --auth "b:c" encrypt
+ run $BATS_TEST_DIRNAME/opentdf.mjs --kasEndpoint "https://example.com" --oidcEndpoint "http://invalid" --concurrencyLimit 1 --auth "b:c" encrypt
 [ "$status" -eq 1 ]
 echo "$output"
 [[ $output == *"Must specify file or pipe"* ]]
diff --git a/cli/src/cli.ts b/cli/src/cli.ts
index c20555b9..ecf3b86c 100644
--- a/cli/src/cli.ts
+++ b/cli/src/cli.ts
@@ -27,6 +27,7 @@ type AuthToProcess = {
 auth?: string;
 clientId?: string;
 clientSecret?: string;
+ concurrencyLimit?: number;
 oidcEndpoint: string;
 userId?: string;
 };
@@ -51,6 +52,7 @@ async function processAuth({
 auth,
 clientId,
 clientSecret,
+ concurrencyLimit,
 oidcEndpoint,
 userId,
 }: AuthToProcess): Promise {
@@ -75,6 +77,9 @@ async function processAuth({
 exchange: 'client',
 clientSecret,
 });
+ if (concurrencyLimit !== 1) {
+ await actual.oidcAuth.get();
+ }
 const requestLog: AuthProviders.HttpRequest[] = [];
 return {
 requestLog,
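Review bot: The added `if (concurrencyLimit !== 1)` guard in processAuth also fires when the option is undefined, 0, negative or NaN, and it awaits a token request whose result is discarded with no comment saying why. The commit message suggests this is a cache warm-up against a token-fetch race under concurrent rewrap, so I would say that on the line, e.g. `// Warm the token cache once so concurrent rewrap calls do not race to fetch it`, and make the condition explicit with `if (concurrencyLimit === undefined || concurrencyLimit > 1) {`. The warm-up only covers the first fetch; if the provider does not serialise refreshes, a token that expires mid-run could presumably hit the same race, which is worth confirming in the auth provider. The bats hunk had to pass `--concurrencyLimit 1` alongside an invalid OIDC endpoint, which suggests that with defaults a token request is now sent before argument validation reports "Must specify file or pipe". processAuth starts and ends outside this hunk.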
@@ -120,6 +125,11 @@ async function tdf3DecryptParamsFor(argv: Partial): Promise { }) .option('noVerifyAssertions', { alias: 'no-verify-assertions', - group: 'Security', + group: 'Decrypt', desc: 'Do not verify assertions', type: 'boolean', }) + .option('concurrencyLimit', { + alias: 'concurrency-limit', + group: 'Decrypt', + desc: 'Enable concurrent key split and share lookups', + type: 'number', + }) .option('auth', { group: 'OAuth and OIDC:', type: 'string',