3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-05 04:13:11 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/authenticate/authenticate.go
Caleb Doxsey 13554ec78d
core: more metrics (#5629) 
## Summary
Add some more metrics:

- Authenticate token verification
- Authorization log duration
- Authorization evaluator and header evaluator
- IDP token session creator

HTTP and gRPC endpoints are already instrumented via middleware, which
covers authenticate, proxy and databroker endpoints. Postgres is also
already instrumented using `otelpgx`.

## Related issues
-
[ENG-2407](https://linear.app/pomerium/issue/ENG-2407/add-additional-metrics-and-tracing-spans-to-pomerium)


## Checklist

- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-29 09:34:41 -06:00

125 lines
5 KiB
Go
Raw Blame History

// Package authenticate is a pomerium service that handles user authentication
// and refersh (AuthN).
package authenticate
import (
"context"
"errors"
"fmt"
"go.opentelemetry.io/otel/metric"
oteltrace "go.opentelemetry.io/otel/trace"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/atomicutil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/telemetry/trace"
)
// ValidateOptions checks that configuration are complete and valid.
// Returns on first error found.
func ValidateOptions(o *config.Options) error {
sharedKey, err := o.GetSharedKey()
if err != nil {
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipher(sharedKey); err != nil {
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
}
cookieSecret, err := o.GetCookieSecret()
if err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipher(cookieSecret); err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %w", err)
}
if o.AuthenticateCallbackPath == "" {
return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
}
return nil
}
// Authenticate contains data required to run the authenticate service.
type Authenticate struct {
accessTokenVerificationCount metric.Int64Counter
accessTokenValidVerificationCount metric.Int64Counter
accessTokenInvalidVerificationCount metric.Int64Counter
accessTokenVerificationDuration metric.Int64Histogram
identityTokenVerificationCount metric.Int64Counter
identityTokenValidVerificationCount metric.Int64Counter
identityTokenInvalidVerificationCount metric.Int64Counter
identityTokenVerificationDuration metric.Int64Histogram
cfg *authenticateConfig
options *atomicutil.Value[*config.Options]
state *atomicutil.Value[*authenticateState]
tracerProvider oteltrace.TracerProvider
tracer oteltrace.Tracer
}
// New validates and creates a new authenticate service from a set of Options.
func New(ctx context.Context, cfg *config.Config, options ...Option) (*Authenticate, error) {
authenticateConfig := getAuthenticateConfig(options...)
tracerProvider := trace.NewTracerProvider(ctx, "Authenticate")
tracer := tracerProvider.Tracer(trace.PomeriumCoreTracer)
a := &Authenticate{
accessTokenVerificationCount: metrics.Int64Counter("authenticate.idp_access_token.verifications",
metric.WithDescription("Number of IDP access token verifications."),
metric.WithUnit("{verification}")),
accessTokenValidVerificationCount: metrics.Int64Counter("authenticate.idp_access_token.valid_verifications",
metric.WithDescription("Number of valid IDP access token verifications."),
metric.WithUnit("{verification}")),
accessTokenInvalidVerificationCount: metrics.Int64Counter("authenticate.idp_access_token.invalid_verifications",
metric.WithDescription("Number of invalid IDP access token verifications."),
metric.WithUnit("{verification}")),
accessTokenVerificationDuration: metrics.Int64Histogram("authenticate.idp_access_token.verification.duration",
metric.WithDescription("Duration of access token verification."),
metric.WithUnit("ms")),
identityTokenVerificationCount: metrics.Int64Counter("authenticate.idp_identity_token.verifications",
metric.WithDescription("Number of IDP identity token verifications."),
metric.WithUnit("{verification}")),
identityTokenValidVerificationCount: metrics.Int64Counter("authenticate.idp_identity_token.valid_verifications",
metric.WithDescription("Number of valid IDP identity token verifications."),
metric.WithUnit("{verification}")),
identityTokenInvalidVerificationCount: metrics.Int64Counter("authenticate.idp_identity_token.invalid_verifications",
metric.WithDescription("Number of invalid IDP identity token verifications."),
metric.WithUnit("{verification}")),
identityTokenVerificationDuration: metrics.Int64Histogram("authenticate.idp_identity_token.verification.duration",
metric.WithDescription("Duration of identity token verification."),
metric.WithUnit("ms")),
cfg: authenticateConfig,
options: config.NewAtomicOptions(),
state: atomicutil.NewValue(newAuthenticateState()),
tracerProvider: tracerProvider,
tracer: tracer,
}
a.options.Store(cfg.Options)
state, err := newAuthenticateStateFromConfig(ctx, tracerProvider, cfg, authenticateConfig)
if err != nil {
return nil, err
}
a.state.Store(state)
return a, nil
}
// OnConfigChange updates internal structures based on config.Options
func (a *Authenticate) OnConfigChange(ctx context.Context, cfg *config.Config) {
if a == nil {
return
}
a.options.Store(cfg.Options)
if state, err := newAuthenticateStateFromConfig(ctx, a.tracerProvider, cfg, a.cfg); err != nil {
log.Ctx(ctx).Error().Err(err).Msg("authenticate: failed to update state")
} else {
a.state.Store(state)
}
}
Reference in a new issue View git blame Copy permalink