fix(vaults): batch bulk key operations to avoid query limits

2026-03-10 16:39:01 +00:00 · 2026-01-11 08:21:02 +00:00
parent ede38648db
commit 7e7bc7aecf
2 changed files with 58 additions and 25 deletions
--- a/unshackle/vaults/API.py
+++ b/unshackle/vaults/API.py
@@ -114,9 +114,24 @@ class API(Vault):
        return added or updated

    def add_keys(self, service: str, kid_keys: dict[Union[UUID, str], str]) -> int:
+        # Normalize keys
+        normalized_keys = {str(kid).replace("-", ""): key for kid, key in kid_keys.items()}
+        kid_list = list(normalized_keys.keys())
+
+        if not kid_list:
+            return 0
+
+        # Batch requests to avoid server limits
+        batch_size = 500
+        total_added = 0
+
+        for i in range(0, len(kid_list), batch_size):
+            batch_kids = kid_list[i : i + batch_size]
+            batch_keys = {kid: normalized_keys[kid] for kid in batch_kids}
+
            data = self.session.post(
                url=f"{self.uri}/{service.lower()}",
-            json={"content_keys": {str(kid).replace("-", ""): key for kid, key in kid_keys.items()}},
+                json={"content_keys": batch_keys},
                headers={"Accept": "application/json"},
            ).json()

@@ -135,11 +150,13 @@ class API(Vault):
                raise error(f"{message} ({code})")

            # each kid:key that was new to the vault (optional)
-        added = int(data.get("added"))
+            added = int(data.get("added", 0))
            # each key for a kid that was changed/updated (optional)
-        updated = int(data.get("updated"))
+            updated = int(data.get("updated", 0))

-        return added + updated
+            total_added += added + updated
+
+        return total_added

    def get_services(self) -> Iterator[str]:
        data = self.session.post(url=self.uri, headers={"Accept": "application/json"}).json()
--- a/unshackle/vaults/SQLite.py
+++ b/unshackle/vaults/SQLite.py
@@ -119,9 +119,25 @@ class SQLite(Vault):
        cursor = conn.cursor()

        try:
-            placeholders = ",".join(["?"] * len(kid_keys))
-            cursor.execute(f"SELECT kid FROM `{service}` WHERE kid IN ({placeholders})", list(kid_keys.keys()))
-            existing_kids = {row[0] for row in cursor.fetchall()}
+            # Query existing KIDs in batches to avoid SQLite variable limit
+            # Try larger batch first (newer SQLite supports 32766), fall back to 500 if needed
+            existing_kids: set[str] = set()
+            kid_list = list(kid_keys.keys())
+            batch_size = 32000
+
+            i = 0
+            while i < len(kid_list):
+                batch = kid_list[i : i + batch_size]
+                placeholders = ",".join(["?"] * len(batch))
+                try:
+                    cursor.execute(f"SELECT kid FROM `{service}` WHERE kid IN ({placeholders})", batch)
+                    existing_kids.update(row[0] for row in cursor.fetchall())
+                    i += batch_size
+                except sqlite3.OperationalError as e:
+                    if "too many SQL variables" in str(e) and batch_size > 500:
+                        batch_size = 500
+                        continue
+                    raise

            new_keys = {kid: key for kid, key in kid_keys.items() if kid not in existing_kids}