restore explanatory comments in ProcessData

dipto-truffle · dipto-truffle · commit d684545b7ba6 · 2026-04-07T09:55:12.000-04:00
Address review feedback: the prior commits removed too many comments
from ProcessData. Restore the ones that explain non-obvious intent
(cross-map deletion rationale, defensive-check notes, ambiguous-ID
clearing logic) while dropping the genuinely redundant ones.

Made-with: Cursor
diff --git a/pkg/detectors/azure_entra/serviceprincipal/v2/spv2.go b/pkg/detectors/azure_entra/serviceprincipal/v2/spv2.go
@@ -101,6 +101,7 @@ SecretLoop:
 				}
 				tenantId = tId
 
+				// Skip known-invalid client/tenant combinations.
 				invalidClients := invalidClientsForTenant[tenantId]
 				if invalidClients == nil {
 					invalidClients = map[string]struct{}{}
@@ -112,9 +113,11 @@ SecretLoop:
 
 				if verify {
 					if !azure_entra.TenantExists(logCtx, client, tenantId) {
+						// Tenant doesn't exist.
 						delete(activeTenants, tenantId)
 						continue
 					}
+					// Tenant exists, ensure this isn't attempted as a clientId.
 					delete(activeClients, tenantId)
 
 					isVerified, extraData, verificationErr := serviceprincipal.VerifyCredentials(ctx, client, tenantId, clientId, clientSecret)
@@ -127,14 +130,17 @@ SecretLoop:
 						case errors.Is(verificationErr, serviceprincipal.ErrSecretExpired):
 							continue SecretLoop
 						case errors.Is(verificationErr, serviceprincipal.ErrTenantNotFound):
+							// Tenant doesn't exist; shouldn't happen given the check above.
 							delete(activeTenants, tenantId)
 							continue
 						case errors.Is(verificationErr, serviceprincipal.ErrClientNotFoundInTenant):
+							// Tenant is valid but the client ID doesn't exist in it.
 							invalidClients[clientId] = struct{}{}
 							continue
 						}
 					}
 
+						// The result is verified or there's only one associated client and tenant.
 					if isVerified || (len(activeClients) == 1 && len(activeTenants) == 1) {
 						r = createResult(tenantId, clientId, clientSecret, isVerified, extraData, verificationErr)
 						break ClientLoop
@@ -144,6 +150,7 @@ SecretLoop:
 		}
 
 		if r == nil {
+			// Only include the clientId and tenantId if we're confident which one it is.
 			if len(activeClients) != 1 {
 				clientId = ""
 			}
