Add additional counters for cert and auth operations (#516)

servers/zts/src/main/java/com/yahoo/athenz/zts/RsrcCtxWrapper.java

@@ -19,6 +19,7 @@
 import com.yahoo.athenz.auth.Principal;
 import com.yahoo.athenz.auth.impl.KerberosAuthority;
 import com.yahoo.athenz.common.server.rest.Http;
+import com.yahoo.athenz.common.metrics.Metric;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -32,10 +33,13 @@ public class RsrcCtxWrapper implements ResourceContext {
 
     com.yahoo.athenz.common.server.rest.ResourceContext ctx;
     boolean optionalAuth;
+    Metric metric;
 
     public RsrcCtxWrapper(HttpServletRequest request, HttpServletResponse response,
-            Http.AuthorityList authList,  boolean optionalAuth, Authorizer authorizer) {
+            Http.AuthorityList authList,  boolean optionalAuth, Authorizer authorizer,
+            Metric metric) {
         this.optionalAuth = optionalAuth;
+        this.metric = metric;
         ctx = new com.yahoo.athenz.common.server.rest.ResourceContext(request, response,
                 authList, authorizer);
     }
@@ -116,6 +120,9 @@ public void logPrincipal(final String principal) {
     }
 
     public void throwZtsException(com.yahoo.athenz.common.server.rest.ResourceException restExc) {
+
+        metric.increment("authfailure");
+
         String msg = null;
         Object data = restExc.getData();
         if (data instanceof String) {

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -486,7 +486,7 @@ void loadMetricObject() {
         // create our metric and increment our startup count
 
         metric = metricFactory.create();
-        metric.increment("zms_sa_startup");
+        metric.increment("zts_startup");
     }
 
     void loadServicePrivateKey() {
@@ -1815,11 +1815,13 @@ public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegiste
 
         // make sure to close our provider when its no longer needed
 
+        Object timerProviderMetric = metric.startTiming("providerregister_timing", provider);
         try {
             instance = instanceProvider.confirmInstance(instance);
         } catch (Exception ex) {
             throw forbiddenError("unable to verify attestation data: " + ex.getMessage(), caller, domain);
         } finally {
+            metric.stopTiming(timerProviderMetric);
             instanceProvider.close();
         }
 
@@ -1849,16 +1851,21 @@ public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegiste
 
         // generate certificate for the instance
 
+        Object timerX509CertMetric = metric.startTiming("certsignx509_timing", null);
         InstanceIdentity identity = instanceCertManager.generateIdentity(info.getCsr(), cn,
                 certUsage, certExpiryTime);
+        metric.stopTiming(timerX509CertMetric);
+
         if (identity == null) {
             throw serverError("unable to generate identity", caller, domain);
         }
-        
+
         // if we're asked then we should also generate a ssh
         // certificate for the instance as well
-
+
+        Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null);
         instanceCertManager.generateSshIdentity(identity, info.getSsh(), ZTSConsts.ZTS_SSH_HOST);
+        metric.stopTiming(timerSSHCertMetric);
 
         // set the other required attributes in the identity object
 
@@ -1951,6 +1958,7 @@ public InstanceIdentity postInstanceRefreshInformation(ResourceContext ctx, Stri
 
         final String caller = "postinstancerefreshinformation";
         final String callerTiming = "postinstancerefreshinformation_timing";
+
         metric.increment(HTTP_POST);
         logPrincipal(ctx);
 
@@ -2076,7 +2084,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
             final Principal providerService, final String instanceId,
             InstanceRefreshInformation info, X509CertRecord x509CertRecord,
             X509Certificate cert, final String caller) {
-        
+
         // parse and validate our CSR
 
         X509CertRequest certReq;
@@ -2112,6 +2120,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
 
         // make sure to close our provider when its no longer needed
 
+        Object timerProviderMetric = metric.startTiming("providerrefresh_timing", provider);
         try {
             instance = instanceProvider.refreshInstance(instance);
         } catch (com.yahoo.athenz.instance.provider.ResourceException ex) {
@@ -2125,6 +2134,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
                 throw forbiddenError("unable to verify attestation data: " + ex.getMessage(), caller, domain);
             }
         } finally {
+            metric.stopTiming(timerProviderMetric);
             instanceProvider.close();
         }
 
@@ -2185,19 +2195,24 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
         }
 
         // generate identity with the certificate
-
+
+        Object timerX509CertMetric = metric.startTiming("certsignx509_timing", null);
         InstanceIdentity identity = instanceCertManager.generateIdentity(info.getCsr(), principalName,
                 x509CertRecord.getClientCert() ? ZTSConsts.ZTS_CERT_USAGE_CLIENT : certUsage,
                 certExpiryTime);
+        metric.stopTiming(timerX509CertMetric);
+
         if (identity == null) {
             throw serverError("unable to generate identity", caller, domain);
         }
-        
+
         // if we're asked then we should also generate a ssh
         // certificate for the instance as well
-
+
+        Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null);
         instanceCertManager.generateSshIdentity(identity, info.getSsh(), null);
-
+        metric.stopTiming(timerSSHCertMetric);
+
         // set the other required attributes in the identity object
 
         identity.setProvider(provider);
@@ -2280,10 +2295,12 @@ InstanceIdentity processProviderSSHRefreshRequest(ResourceContext ctx, final Pri
         // generate identity with the ssh certificate
 
         InstanceIdentity identity = new InstanceIdentity().setName(principalName);
+        Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null);
         if (!instanceCertManager.generateSshIdentity(identity, sshCsr, null)) {
             throw serverError("unable to generate ssh identity", caller, domain);
         }
-
+        metric.stopTiming(timerSSHCertMetric);
+
         // set the other required attributes in the identity object
 
         identity.setProvider(provider);
@@ -3149,7 +3166,7 @@ public ResourceContext newResourceContext(HttpServletRequest request, HttpServle
 
         boolean optionalAuth = StringUtils.requestUriMatch(request.getRequestURI(),
                 authFreeUriSet, authFreeUriList);
-        return new RsrcCtxWrapper(request, response, authorities, optionalAuth, authorizer);
+        return new RsrcCtxWrapper(request, response, authorities, optionalAuth, authorizer, metric);
     }
 
     Authority getAuthority(String className) {

servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java

@@ -26,6 +26,7 @@
 
 import org.mockito.Mockito;
 import org.testng.annotations.Test;
+import com.yahoo.athenz.common.metrics.Metric;
 
 import com.yahoo.athenz.common.server.rest.Http.AuthorityList;
 
@@ -39,7 +40,7 @@ public void TestRsrcCtxWrapperSimpleAssertion() {
         AuthorityList authListMock = new AuthorityList();
         Authorizer authorizerMock = Mockito.mock(Authorizer.class);
         Authority authMock = Mockito.mock(Authority.class);
-
+        Metric metricMock = Mockito.mock(Metric.class);
         Principal prin = Mockito.mock(Principal.class);
 
         Mockito.when(authMock.getHeader()).thenReturn("testheader");
@@ -51,7 +52,7 @@ public void TestRsrcCtxWrapperSimpleAssertion() {
         Mockito.when(reqMock.getMethod()).thenReturn("POST");
         authListMock.add(authMock);
 
-        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock);
+        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock);
 
         assertNotNull(wrapper.context());
 
@@ -83,7 +84,7 @@ public void TestAuthorize() {
         AuthorityList authListMock = new AuthorityList();
         Authorizer authorizerMock = Mockito.mock(Authorizer.class);
         Authority authMock = Mockito.mock(Authority.class);
-
+        Metric metricMock = Mockito.mock(Metric.class);
         Principal prin = Mockito.mock(Principal.class);
 
         Mockito.when(authMock.getHeader()).thenReturn("testheader");
@@ -99,7 +100,7 @@ public void TestAuthorize() {
         Mockito.when(authorizerMock.access(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any()))
                 .thenReturn(true);
 
-        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock);
+        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock);
 
         wrapper.authorize("add-domain", "test", "test");
 
@@ -114,6 +115,7 @@ public void TestAuthorizeInvalid() {
 
         AuthorityList authListMock = new AuthorityList();
         Authorizer authorizerMock = Mockito.mock(Authorizer.class);
+        Metric metricMock = Mockito.mock(Metric.class);
 
         Mockito.when(reqMock.getHeader("testheader")).thenReturn("testcred");
         Mockito.when(reqMock.getRemoteAddr()).thenReturn("1.1.1.1");
@@ -123,7 +125,7 @@ public void TestAuthorizeInvalid() {
         Mockito.when(authorizerMock.access(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any()))
                 .thenReturn(true);
 
-        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock);
+        RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock);
 
         // when not set authority
         wrapper.authorize("add-domain", "test", "test");