Cache the generateCipherKey function and add profiling support to lint

The lint/apply/dry-run had become slow, and profiling showed up that we were
calling generateCipherKey many times as the yaml base grows.

This patch adds caching to the generateCipherKey function avoiding
the regeneration for the same password/salt. This reduces our lint run time
from 17s to 0.4s

Author: mangelajo

cmd/lint.go

@@ -18,6 +18,9 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"runtime/pprof"
+	"time"
 
 	"github.com/spf13/cobra"
 
@@ -33,6 +36,7 @@ var lintCmd = &cobra.Command{
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		vaultPassFile, _ := cmd.Flags().GetString("vault-password-file")
+		cpuProfile, _ := cmd.Flags().GetString("cpu-profile")
 		// Determine config file path
 		configFilePath := defaultConfigFile
 		if len(args) > 0 {
@@ -47,7 +51,37 @@ var lintCmd = &cobra.Command{
 
 		fmt.Println("🔍 Validating configuration...")
 
-		config_lint.Validate(cfg)
+		// Start CPU profiling if requested
+		if cpuProfile != "" {
+			f, err := os.Create(cpuProfile)
+			if err != nil {
+				return fmt.Errorf("could not create CPU profile: %w", err)
+			}
+			defer func() {
+				if closeErr := f.Close(); closeErr != nil {
+					fmt.Printf("Warning: failed to close profile file: %v\n", closeErr)
+				}
+			}()
+
+			if err := pprof.StartCPUProfile(f); err != nil {
+				return fmt.Errorf("could not start CPU profile: %w", err)
+			}
+			defer pprof.StopCPUProfile()
+
+			fmt.Printf("📊 CPU profiling enabled, output will be saved to: %s\n", cpuProfile)
+		}
+
+		// Time the validation
+		start := time.Now()
+		err = config_lint.ValidateWithError(cfg)
+		duration := time.Since(start)
+
+		if err != nil {
+			fmt.Printf("❌ Configuration validation failed in %v\n", duration)
+			return err
+		}
+
+		fmt.Printf("✅ Configuration validation completed in %v\n", duration)
 
 		return nil
 	},
@@ -56,6 +90,8 @@ var lintCmd = &cobra.Command{
 func init() {
 	// Add the vault password file flag
 	lintCmd.Flags().String("vault-password-file", "", "Path to the vault password file for decrypting variables")
+	// Add the CPU profiling flag
+	lintCmd.Flags().String("cpu-profile", "", "Enable CPU profiling and save output to the specified file")
 	// Add the lint command to the root command
 	rootCmd.AddCommand(lintCmd)
 }

internal/config_lint/lint.go

@@ -24,6 +24,21 @@ func Validate(cfg *config.Config) {
 	fmt.Println("✅ All configurations are valid")
 }
 
+// ValidateWithError checks the loaded configuration for errors and returns an error if any are found.
+// This version does not call os.Exit() and is suitable for use with profiling.
+func ValidateWithError(cfg *config.Config) error {
+	errorsByFile := Lint(cfg)
+	if len(errorsByFile) > 0 {
+		reportAllErrors(errorsByFile)
+		return fmt.Errorf("validation failed with %d error(s)", len(errorsByFile))
+	}
+	keys := cfg.Loaded.GetVariables().GetAllKeys()
+	fmt.Printf("📚 Total Variables: %d\n", len(keys))
+	fmt.Println("")
+	fmt.Println("✅ All configurations are valid")
+	return nil
+}
+
 func Lint(cfg *config.Config) map[string][]error {
 	// This function is a placeholder for the linting logic.
 	// Currently, it only validates cross-references between objects.

internal/vars/vault.go

@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"strings"
+	"sync"
 
 	"golang.org/x/crypto/pbkdf2"
 )
@@ -38,6 +39,8 @@ type CipherKey struct {
 // VaultDecryptor handles Ansible Vault decryption
 type VaultDecryptor struct {
 	password string
+	cache    map[string]*CipherKey
+	mutex    sync.RWMutex
 }
 
 // NewVaultDecryptor creates a new vault decryptor with the given password
@@ -47,7 +50,10 @@ func NewVaultDecryptor(password string) *VaultDecryptor {
 	password = strings.ReplaceAll(password, "\n", "")
 	password = strings.ReplaceAll(password, "\r", "")
 	password = strings.ReplaceAll(password, "\t", "")
-	return &VaultDecryptor{password: password}
+	return &VaultDecryptor{
+		password: password,
+		cache:    make(map[string]*CipherKey),
+	}
 }
 
 // IsVaultEncrypted checks if a variable value is Ansible Vault encrypted
@@ -76,7 +82,7 @@ func (vd *VaultDecryptor) Decrypt(vaultData string) (string, error) {
 		return "", err
 	}
 	// Generate keys
-	key := generateCipherKey(vd.password, salt)
+	key := vd.generateCipherKey(salt)
 
 	// Verify checksum
 	if !isChecksumValid(checkSum, encryptedData, key.HMACKey) {
@@ -134,21 +140,40 @@ func parseVaultData(vaultData string) (salt, checkSum, data []byte, err error) {
 	return salt, checkSum, data, nil
 }
 
-// generateCipherKey generates cipher keys from password and salt
-func generateCipherKey(password string, salt []byte) *CipherKey {
+// generateCipherKey generates cipher keys from password and salt with caching
+func (vd *VaultDecryptor) generateCipherKey(salt []byte) *CipherKey {
+	// Create cache key from salt (password is already stored in the struct)
+	cacheKey := hex.EncodeToString(salt)
+
+	// Try to get from cache first (read lock)
+	vd.mutex.RLock()
+	if cached, exists := vd.cache[cacheKey]; exists {
+		vd.mutex.RUnlock()
+		return cached
+	}
+	vd.mutex.RUnlock()
+
+	// Generate new cipher key
 	k := pbkdf2.Key(
-		[]byte(password),
+		[]byte(vd.password),
 		salt,
 		iteration,
 		(cipherKeyLength + hmacKeyLength + ivLength),
 		sha256.New,
 	)
 
-	return &CipherKey{
+	cipherKey := &CipherKey{
 		Key:     k[:cipherKeyLength],
 		HMACKey: k[cipherKeyLength:(cipherKeyLength + hmacKeyLength)],
 		IV:      k[(cipherKeyLength + hmacKeyLength):(cipherKeyLength + hmacKeyLength + ivLength)],
 	}
+
+	// Store in cache (write lock)
+	vd.mutex.Lock()
+	vd.cache[cacheKey] = cipherKey
+	vd.mutex.Unlock()
+
+	return cipherKey
 }
 
 // isChecksumValid validates HMAC checksum