PM-32077 - Add override to KDF iterations from RustSdk for Seeder#7225
PM-32077 - Add override to KDF iterations from RustSdk for Seeder#7225theMickster merged 5 commits intomainfrom
Conversation
|
Great job! No new security vulnerabilities introduced in this pull request |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #7225 +/- ##
==========================================
- Coverage 61.58% 57.53% -4.06%
==========================================
Files 2032 2032
Lines 89476 89476
Branches 7957 7957
==========================================
- Hits 55108 51478 -3630
- Misses 32441 36153 +3712
+ Partials 1927 1845 -82 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
We use 5k iterations rather than 600k due to the inherit slowness of PBKDF. If you seed large data sets with a high iteration count it will be very slow. This is the same reason we don't generate private keys.
If you want this, we need to ensure existing tests like the large organization performance test still have ways to run efficiently.
🤔 I didn't see a terrible performance hit when testing locally which is why I raised the pull request without a configurable override. I can work to include the override as part of the entire solution. Where is the large account performance test that you mentioned? Will you drop me a link to it? UPDATE: Matt Gibson and I connected today about a number of Seeder items. Having the full picture of the work; we're going to invert this so we have a default of 5000 KDFs and a configurable override for higher iterations. |
theMickster
force-pushed
the
seeder/resolve-kdf-iterations-bug
branch
from
efd30de to
ab7c592
Compare
theMickster
added
ai-review-vnext
and removed
ai-review
Code Review: PR #7225Overall Assessment: APPROVE This is a re-review after commit All prior findings are resolved. No new findings. The full PR cleanly threads a configurable
|
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
theMickster
changed the title
|
Overall Assessment: APPROVE Re-reviewed after commit 1c63785 which adds the previously flagged KDF iteration validation to the seed command. The fix correctly mirrors the organization command validation, guarding against values below 5000 when explicitly provided. All prior findings are resolved. Code Review DetailsNo outstanding findings. The PR cleanly threads a configurable kdfIterations parameter from CLI args through the preset system, pipeline DI, step execution, and Rust FFI layer. Validation is consistent across both CLI entry points (organization and seed commands), the JSON schema enforces bounds for preset files, and the Rust layer gracefully handles zero-iteration input. |
|
|
Overall Assessment: APPROVE Re-reviewed after commit 1c63785 which adds the previously flagged KDF iteration validation to the seed command. The fix correctly mirrors the organization command validation, guarding against values below 5000 when explicitly provided. All prior findings are resolved. Code Review DetailsNo outstanding findings. The PR cleanly threads a configurable kdfIterations parameter from CLI args through the preset system, pipeline DI, step execution, and Rust FFI layer. Validation is consistent across both CLI entry points (organization and seed commands), the JSON schema enforces bounds for preset files, and the Rust layer gracefully handles zero-iteration input. |
| UserKeys? keys = null, | ||
| string? password = null) | ||
| string? password = null, | ||
| int kdfIterations = 5_000) |
There was a problem hiding this comment.
This method really needs xml docs to help unwrap parameter actions. With this latest, we need to call out that if keys are provided, the kdfIterations must match whatever generated those keys or nothing will decrypt properly.
There was a problem hiding this comment.
Agreed; I will replace the input params with one of the POCO Dtos this week
| throw new ArgumentException("--preset must be specified. Use --list to see available presets."); | ||
| } | ||
|
|
||
| if (KdfIterations.HasValue && KdfIterations.Value < 5_000) |
There was a problem hiding this comment.
technically there's a maximum as well...
There was a problem hiding this comment.
Is it approaching infinity ;-)
|
The performance test is |
3 participants
🎟️ Tracking
Fix KDF Iterations to Meet Minimum Threshold
📔 Objective
Update the Seeder to allow a user to override the 5000 KDF Iterations.
The new option allows for a user to set higher thresholds while still allowing for our automated tests to function as they did before.
🧪 Testing
CLI Override Verification (50 users, 500 ciphers)
--kdf-iterationsKdfIterationsKDF iteration count has zero measurable impact on seeding performance on my local machine (Claude estimates that wall-clock time is dominated by RSA keypair generation and MSSQL bulk insert, not PBKDF2).
Going from 5,000 → 600,000 iterations (120x increase) adds no detectable time even at 50 users.