telemetry: add tracing

- telemetry/tace: add traces throughout code - telemetry/metrics: nest metrics and trace under telemetry - telemetry/tace: add service name span to HTTPMetricsHandler. - telemetry/metrics: removed chain dependency middleware_tests. - telemetry/metrics: wrap and encapsulate variatic view registration. - telemetry/tace: add jaeger support for tracing. - cmd/pomerium: move `parseOptions` to internal/config. - cmd/pomerium: offload server handling to httputil and sub pkgs. - httputil: standardize creation/shutdown of http listeners. - httputil: prefer curve X25519 to P256 when negotiating TLS. - fileutil: use standardized Getw Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-21 13:07:13 +02:00 · 2019-07-24 09:20:16 -07:00 · 2019-07-24 09:20:16 -07:00 · 5edfa7b03f
commit 5edfa7b03f
parent 6b61a48fce
49 changed files with 1524 additions and 758 deletions
--- a/internal/middleware/grpc.go
+++ b/internal/middleware/grpc.go
@ -3,6 +3,8 @@ package middleware // import "github.com/pomerium/pomerium/internal/middleware"
 import (
 	"context"

+	"github.com/pomerium/pomerium/internal/telemetry/trace"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
@ -30,6 +32,9 @@ func (s SharedSecretCred) RequireTransportSecurity() bool { return false }
 // handler and returns an error. Otherwise, the interceptor invokes the unary
 // handler.
 func (s SharedSecretCred) ValidateRequest(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+	ctx, span := trace.StartSpan(ctx, "middleware.grpc.ValidateRequest")
+	defer span.End()
+
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
 		return nil, status.Errorf(codes.InvalidArgument, "missing metadata")
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@ -12,6 +12,8 @@ import (

 	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/telemetry/trace"
+
 	"golang.org/x/net/publicsuffix"
 )

@ -19,10 +21,12 @@ import (
 func SetHeaders(securityHeaders map[string]string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.SetHeaders")
+			defer span.End()
 			for key, val := range securityHeaders {
 				w.Header().Set(key, val)
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -32,6 +36,9 @@ func SetHeaders(securityHeaders map[string]string) func(next http.Handler) http.
 func ValidateClientSecret(sharedSecret string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateClientSecret")
+			defer span.End()
+
 			if err := r.ParseForm(); err != nil {
 				httpErr := &httputil.Error{Message: err.Error(), Code: http.StatusBadRequest}
 				httputil.ErrorResponse(w, r, httpErr)
@ -47,7 +54,7 @@ func ValidateClientSecret(sharedSecret string) func(next http.Handler) http.Hand
 				httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError})
 				return
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -57,6 +64,8 @@ func ValidateClientSecret(sharedSecret string) func(next http.Handler) http.Hand
 func ValidateRedirectURI(rootDomain *url.URL) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateRedirectURI")
+			defer span.End()
 			err := r.ParseForm()
 			if err != nil {
 				httpErr := &httputil.Error{
@ -80,7 +89,7 @@ func ValidateRedirectURI(rootDomain *url.URL) func(next http.Handler) http.Handl
 				httputil.ErrorResponse(w, r, httpErr)
 				return
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -103,6 +112,9 @@ func SameDomain(u, j *url.URL) bool {
 func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateSignature")
+			defer span.End()
+
 			err := r.ParseForm()
 			if err != nil {
 				httpErr := &httputil.Error{Message: err.Error(), Code: http.StatusBadRequest}
@ -120,7 +132,7 @@ func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler
 				return
 			}

-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -129,11 +141,14 @@ func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler
 func ValidateHost(validHost func(host string) bool) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateHost")
+			defer span.End()
+
 			if !validHost(r.Host) {
 				httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusNotFound})
 				return
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -145,13 +160,16 @@ func ValidateHost(validHost func(host string) bool) func(next http.Handler) http
 func Healthcheck(endpoint, msg string) func(http.Handler) http.Handler {
 	f := func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.Healthcheck")
+			defer span.End()
+
 			if r.Method == "GET" && strings.EqualFold(r.URL.Path, endpoint) {
 				w.Header().Set("Content-Type", "text/plain")
 				w.WriteHeader(http.StatusOK)
 				w.Write([]byte(msg))
 				return
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		}
 		return http.HandlerFunc(fn)
 	}
--- a/internal/middleware/reverse_proxy.go
+++ b/internal/middleware/reverse_proxy.go
@ -6,11 +6,14 @@ import (

 	"github.com/pomerium/pomerium/internal/cryptutil"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/internal/telemetry/trace"
 )

 func SignRequest(signer cryptutil.JWTSigner, id, email, groups, header string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.SignRequest")
+			defer span.End()
 			jwt, err := signer.SignJWT(
 				r.Header.Get(id),
 				r.Header.Get(email),
@ -20,7 +23,7 @@ func SignRequest(signer cryptutil.JWTSigner, id, email, groups, header string) f
 			} else {
 				r.Header.Set(header, jwt)
 			}
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -29,6 +32,9 @@ func SignRequest(signer cryptutil.JWTSigner, id, email, groups, header string) f
 func StripPomeriumCookie(cookieName string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx, span := trace.StartSpan(r.Context(), "middleware.SignRequest")
+			defer span.End()
+
 			headers := make([]string, len(r.Cookies()))
 			for _, cookie := range r.Cookies() {
 				if cookie.Name != cookieName {
@ -36,7 +42,7 @@ func StripPomeriumCookie(cookieName string) func(next http.Handler) http.Handler
 				}
 			}
 			r.Header.Set("Cookie", strings.Join(headers, ";"))
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }