Remove ContainResourceType true, and improve CEL filtering

cedricherzog-passbolt · cedricherzog-passbolt · commit dc673f63f2e5 · 2025-12-23T13:30:42.000+01:00
diff --git a/resource/filter.go b/resource/filter.go
@@ -6,12 +6,10 @@ import (
 
 	"github.com/google/cel-go/cel"
 	"github.com/passbolt/go-passbolt-cli/util"
-	"github.com/passbolt/go-passbolt/api"
-	"github.com/passbolt/go-passbolt/helper"
 )
 
-// Environments for CEl
-var celEnvOptions = []cel.EnvOption{
+// CelEnvOptions defines the CEL environment for resource filtering
+var CelEnvOptions = []cel.EnvOption{
 	cel.Variable("ID", cel.StringType),
 	cel.Variable("FolderParentID", cel.StringType),
 	cel.Variable("Name", cel.StringType),
@@ -23,56 +21,42 @@ var celEnvOptions = []cel.EnvOption{
 	cel.Variable("ModifiedTimestamp", cel.TimestampType),
 }
 
-// Filters the slice resources by invoke CEL program for each resource
-// Note: Resources must have been fetched with ContainSecret and ContainResourceType options
-func filterResources(resources *[]api.Resource, celCmd string, ctx context.Context, client *api.Client) ([]api.Resource, error) {
+// filterDecryptedResources filters already-decrypted resources by evaluating a CEL expression.
+func filterDecryptedResources(resources []decryptedResource, celCmd string, ctx context.Context) ([]decryptedResource, error) {
 	if celCmd == "" {
-		return *resources, nil
+		return resources, nil
 	}
 
-	program, err := util.InitCELProgram(celCmd, celEnvOptions...)
+	program, err := util.InitCELProgram(celCmd, CelEnvOptions...)
 	if err != nil {
 		return nil, err
 	}
 
-	filteredResources := []api.Resource{}
-	for _, resource := range *resources {
-		if len(resource.Secrets) == 0 {
-			continue
-		}
-		_, name, username, uri, pass, desc, err := helper.GetResourceFromData(
-			client,
-			resource,
-			resource.Secrets[0],
-			resource.ResourceType,
-		)
-		if err != nil {
-			return nil, fmt.Errorf("Get Resource %w", err)
-		}
-
+	filtered := []decryptedResource{}
+	for _, d := range resources {
 		val, _, err := (*program).ContextEval(ctx, map[string]any{
-			"Id":                resource.ID,
-			"FolderParentID":    resource.FolderParentID,
-			"Name":              name,
-			"Username":          username,
-			"URI":               uri,
-			"Password":          pass,
-			"Description":       desc,
-			"CreatedTimestamp":  resource.Created.Time,
-			"ModifiedTimestamp": resource.Modified.Time,
+			"ID":                d.resource.ID,
+			"FolderParentID":    d.resource.FolderParentID,
+			"Name":              d.name,
+			"Username":          d.username,
+			"URI":               d.uri,
+			"Password":          d.password,
+			"Description":       d.description,
+			"CreatedTimestamp":  d.resource.Created.Time,
+			"ModifiedTimestamp": d.resource.Modified.Time,
 		})
 
 		if err != nil {
 			return nil, err
 		}
 
 		if val.Value() == true {
-			filteredResources = append(filteredResources, resource)
+			filtered = append(filtered, d)
 		}
 	}
 
-	if len(filteredResources) == 0 {
+	if len(filtered) == 0 {
 		return nil, fmt.Errorf("No such Resources found with filter %v!", celCmd)
 	}
-	return filteredResources, nil
+	return filtered, nil
 }
diff --git a/resource/list.go b/resource/list.go
@@ -1,6 +1,7 @@
 package resource
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"runtime"
@@ -65,16 +66,25 @@ func ResourceList(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	// Check if we need to decrypt secrets (expensive RSA operation)
+	// Check if we need to fetch secrets (expensive server join + RSA decryption)
 	// For v5 resources, metadata (name, username, uri) can be decrypted without secrets
-	needSecretDecryption := false
+	needSecrets := false
 	for _, col := range config.columns {
 		switch strings.ToLower(col) {
 		case "password", "description":
-			needSecretDecryption = true
+			needSecrets = true
 		}
 	}
 
+	// Check if CEL filter references Password or Description
+	if !needSecrets && config.celFilter != "" {
+		refsSecrets, err := util.CELExpressionReferencesFields(config.celFilter, []string{"Password", "Description"}, CelEnvOptions...)
+		if err != nil {
+			return fmt.Errorf("Parsing filter: %w", err)
+		}
+		needSecrets = refsSecrets
+	}
+
 	ctx := util.GetContext()
 
 	client, err := util.GetClient(ctx)
@@ -89,22 +99,24 @@ func ResourceList(cmd *cobra.Command, args []string) error {
 		FilterIsOwnedByMe:       config.own,
 		FilterIsSharedWithGroup: config.group,
 		FilterHasParent:         config.folderParents,
-		ContainSecret:           true,
-		ContainResourceType:     true,
+		ContainSecret:           needSecrets,
 	})
 	if err != nil {
 		return fmt.Errorf("Listing Resource: %w", err)
 	}
 
-	resources, err = filterResources(&resources, config.celFilter, ctx, client)
+	// Decrypt all resources in parallel
+	decrypted, err := decryptResourcesParallel(ctx, client, resources, needSecrets)
 	if err != nil {
 		return err
 	}
 
-	// Decrypt all resources in parallel
-	decrypted, err := decryptResourcesParallel(client, resources, needSecretDecryption)
-	if err != nil {
-		return err
+	// Apply CEL filter on already-decrypted data
+	if config.celFilter != "" {
+		decrypted, err = filterDecryptedResources(decrypted, config.celFilter, ctx)
+		if err != nil {
+			return err
+		}
 	}
 
 	if config.jsonOutput {
@@ -114,28 +126,29 @@ func ResourceList(cmd *cobra.Command, args []string) error {
 	return printTableResources(decrypted, config.columns)
 }
 
-func decryptResourcesParallel(client *api.Client, resources []api.Resource, needSecretDecryption bool) ([]decryptedResource, error) {
-	// Filter resources with secrets
+func decryptResourcesParallel(ctx context.Context, client *api.Client, resources []api.Resource, needSecrets bool) ([]decryptedResource, error) {
+	// Use parallel decryption with worker pool
+	numWorkers := runtime.NumCPU()
+	if numWorkers > 16 {
+		numWorkers = 16 // Cap at 16 workers
+	}
+	if len(resources) < numWorkers {
+		numWorkers = len(resources)
+	}
+
+	// Filter resources - only require secrets if we're fetching them
 	var validResources []api.Resource
 	for i := range resources {
-		if len(resources[i].Secrets) > 0 {
-			validResources = append(validResources, resources[i])
+		if needSecrets && len(resources[i].Secrets) == 0 {
+			continue
 		}
+		validResources = append(validResources, resources[i])
 	}
 
 	if len(validResources) == 0 {
 		return []decryptedResource{}, nil
 	}
 
-	// Use parallel decryption with worker pool
-	numWorkers := runtime.NumCPU()
-	if numWorkers > 16 {
-		numWorkers = 16 // Cap at 16 workers
-	}
-	if len(validResources) < numWorkers {
-		numWorkers = len(validResources)
-	}
-
 	// Channel for work items and results
 	// Note: Session keys are pre-fetched during Login() when the server supports v5 metadata,
 	// so no additional prefetching is needed here.
@@ -150,12 +163,43 @@ func decryptResourcesParallel(client *api.Client, resources []api.Resource, need
 			defer wg.Done()
 			for idx := range jobs {
 				resource := validResources[idx]
+
+				// Lookup resource type from cache (single API call for all types)
+				rType, err := client.GetResourceTypeCached(ctx, resource.ResourceTypeID)
+				if err != nil {
+					results <- decryptedResource{index: idx, err: fmt.Errorf("Get ResourceType: %w", err)}
+					continue
+				}
+
+				// For v4 resources without secret decryption, use plaintext fields directly
+				// This avoids unnecessary function calls for 10k+ resources
+				isV5 := strings.HasPrefix(rType.Slug, "v5-")
+				if !needSecrets && !isV5 {
+					// V4 resource - metadata is plaintext, no decryption needed
+					results <- decryptedResource{
+						index:       idx,
+						resource:    resource,
+						name:        resource.Name,
+						username:    resource.Username,
+						uri:         resource.URI,
+						password:    "",
+						description: resource.Description,
+					}
+					continue
+				}
+
+				// Handle case where secrets weren't fetched
+				var secret api.Secret
+				if len(resource.Secrets) > 0 {
+					secret = resource.Secrets[0]
+				}
+
 				_, name, username, uri, pass, desc, err := helper.GetResourceFromDataWithOptions(
 					client,
 					resource,
-					resource.Secrets[0],
-					resource.ResourceType,
-					needSecretDecryption,
+					secret,
+					*rType,
+					needSecrets,
 				)
 				results <- decryptedResource{
 					index:       idx,
diff --git a/util/cel.go b/util/cel.go
@@ -21,3 +21,37 @@ func InitCELProgram(celCmd string, options ...cel.EnvOption) (*cel.Program, erro
 
 	return &program, nil
 }
+
+// CELExpressionReferencesFields checks if a CEL expression references any of the given field names.
+// Returns true if the expression references at least one of the specified fields.
+func CELExpressionReferencesFields(celCmd string, fieldNames []string, options ...cel.EnvOption) (bool, error) {
+	if celCmd == "" {
+		return false, nil
+	}
+
+	env, err := cel.NewEnv(options...)
+	if err != nil {
+		return false, err
+	}
+
+	ast, issue := env.Compile(celCmd)
+	if issue.Err() != nil {
+		return false, issue.Err()
+	}
+
+	// Build a set of field names to check
+	fieldSet := make(map[string]bool)
+	for _, name := range fieldNames {
+		fieldSet[name] = true
+	}
+
+	// Get the native AST representation which has ReferenceMap
+	nativeAST := ast.NativeRep()
+	refMap := nativeAST.ReferenceMap()
+	for _, refInfo := range refMap {
+		if fieldSet[refInfo.Name] {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff --git a/util/client.go b/util/client.go
@@ -22,7 +22,7 @@ func ReadPassword(prompt string) (string, error) {
 	fd := int(os.Stdin.Fd())
 	var pass string
 	if term.IsTerminal(fd) {
-		fmt.Fprint(os.Stderr, prompt);
+		fmt.Fprint(os.Stderr, prompt)
 
 		inputPass, err := term.ReadPassword(fd)
 		if err != nil {
