diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/RsrcCtxWrapper.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/RsrcCtxWrapper.java index 47222d05e22..f26b01d643f 100644 --- a/servers/zts/src/main/java/com/yahoo/athenz/zts/RsrcCtxWrapper.java +++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/RsrcCtxWrapper.java @@ -19,6 +19,7 @@ import com.yahoo.athenz.auth.Principal; import com.yahoo.athenz.auth.impl.KerberosAuthority; import com.yahoo.athenz.common.server.rest.Http; +import com.yahoo.athenz.common.metrics.Metric; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -32,10 +33,13 @@ public class RsrcCtxWrapper implements ResourceContext { com.yahoo.athenz.common.server.rest.ResourceContext ctx; boolean optionalAuth; + Metric metric; public RsrcCtxWrapper(HttpServletRequest request, HttpServletResponse response, - Http.AuthorityList authList, boolean optionalAuth, Authorizer authorizer) { + Http.AuthorityList authList, boolean optionalAuth, Authorizer authorizer, + Metric metric) { this.optionalAuth = optionalAuth; + this.metric = metric; ctx = new com.yahoo.athenz.common.server.rest.ResourceContext(request, response, authList, authorizer); } @@ -116,6 +120,9 @@ public void logPrincipal(final String principal) { } public void throwZtsException(com.yahoo.athenz.common.server.rest.ResourceException restExc) { + + metric.increment("authfailure"); + String msg = null; Object data = restExc.getData(); if (data instanceof String) { diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java index 638f43c62cf..4c044c0ae7d 100644 --- a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java +++ b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java 
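Review bot: In `throwZtsException` the new `metric.increment("authfailure")` dereferences a field that the constructor hunk above assigns without a null check, so a wrapper built with a null `Metric` would throw a NullPointerException on the failure path and replace the intended ZTS error. Reject null at construction with `this.metric = Objects.requireNonNull(metric, "metric");` (needs `java.util.Objects`) and declare the field `final`. The counter is also incremented for every exception routed through this method, whatever its status code, so unauthenticated and unauthorized requests end up in one series; if it feeds alerting, a counter per status code would be easier to act on. The method body continues outside the hunk, so which codes actually reach it cannot be confirmed from here.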
@@ -486,7 +486,7 @@ void loadMetricObject() { // create our metric and increment our startup count metric = metricFactory.create(); - metric.increment("zms_sa_startup"); + metric.increment("zts_startup"); } void loadServicePrivateKey() { @@ -1815,11 +1815,13 @@ public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegiste // make sure to close our provider when its no longer needed + Object timerProviderMetric = metric.startTiming("providerregister_timing", provider); try { instance = instanceProvider.confirmInstance(instance); } catch (Exception ex) { throw forbiddenError("unable to verify attestation data: " + ex.getMessage(), caller, domain); } finally { + metric.stopTiming(timerProviderMetric); instanceProvider.close(); } @@ -1849,16 +1851,21 @@ public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegiste // generate certificate for the instance + Object timerX509CertMetric = metric.startTiming("certsignx509_timing", null); InstanceIdentity identity = instanceCertManager.generateIdentity(info.getCsr(), cn, certUsage, certExpiryTime); + metric.stopTiming(timerX509CertMetric); + if (identity == null) { throw serverError("unable to generate identity", caller, domain); } - + // if we're asked then we should also generate a ssh // certificate for the instance as well - + + Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null); instanceCertManager.generateSshIdentity(identity, info.getSsh(), ZTSConsts.ZTS_SSH_HOST); + metric.stopTiming(timerSSHCertMetric); // set the other required attributes in the identity object @@ -1951,6 +1958,7 @@ public InstanceIdentity postInstanceRefreshInformation(ResourceContext ctx, Stri final String caller = "postinstancerefreshinformation"; final String callerTiming = "postinstancerefreshinformation_timing"; + metric.increment(HTTP_POST); logPrincipal(ctx); 
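Review bot: The `certsignx509_timing` and `certsignssh_timing` timers in the certificate-generation hunk are stopped only on the success path, because `metric.stopTiming(...)` follows the call instead of sitting in a `finally` as it does for `providerregister_timing` one hunk earlier. If `generateIdentity` or `generateSshIdentity` throws, the timer is never stopped, and the failing signer calls an operator most needs to see go unrecorded. The same pattern recurs in the `@@ -2185` hunk of `processProviderX509RefreshRequest`, and in the `@@ -2280` hunk of `processProviderSSHRefreshRequest` the `throw serverError(...)` between start and stop skips `stopTiming` outright. Wrapping each call as below keeps the measurement on every path; the enclosing method starts and ends outside the hunk.

```java
Object timerX509CertMetric = metric.startTiming("certsignx509_timing", null);
InstanceIdentity identity;
try {
    identity = instanceCertManager.generateIdentity(info.getCsr(), cn,
            certUsage, certExpiryTime);
} finally {
    metric.stopTiming(timerX509CertMetric);
}
// … unchanged: null check on identity …
Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null);
try {
    instanceCertManager.generateSshIdentity(identity, info.getSsh(), ZTSConsts.ZTS_SSH_HOST);
} finally {
    metric.stopTiming(timerSSHCertMetric);
}
```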
@@ -2076,7 +2084,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr final Principal providerService, final String instanceId, InstanceRefreshInformation info, X509CertRecord x509CertRecord, X509Certificate cert, final String caller) { - + // parse and validate our CSR X509CertRequest certReq; @@ -2112,6 +2120,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr // make sure to close our provider when its no longer needed + Object timerProviderMetric = metric.startTiming("providerrefresh_timing", provider); try { instance = instanceProvider.refreshInstance(instance); } catch (com.yahoo.athenz.instance.provider.ResourceException ex) { @@ -2125,6 +2134,7 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr throw forbiddenError("unable to verify attestation data: " + ex.getMessage(), caller, domain); } } finally { + metric.stopTiming(timerProviderMetric); instanceProvider.close(); } @@ -2185,19 +2195,24 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr } // generate identity with the certificate - + + Object timerX509CertMetric = metric.startTiming("certsignx509_timing", null); InstanceIdentity identity = instanceCertManager.generateIdentity(info.getCsr(), principalName, x509CertRecord.getClientCert() ? ZTSConsts.ZTS_CERT_USAGE_CLIENT : certUsage, certExpiryTime); + metric.stopTiming(timerX509CertMetric); + if (identity == null) { throw serverError("unable to generate identity", caller, domain); } - + // if we're asked then we should also generate a ssh // certificate for the instance as well - + + Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null); instanceCertManager.generateSshIdentity(identity, info.getSsh(), null); - + metric.stopTiming(timerSSHCertMetric); + // set the other required attributes in the identity object identity.setProvider(provider); 
@@ -2280,10 +2295,12 @@ InstanceIdentity processProviderSSHRefreshRequest(ResourceContext ctx, final Pri // generate identity with the ssh certificate InstanceIdentity identity = new InstanceIdentity().setName(principalName); + Object timerSSHCertMetric = metric.startTiming("certsignssh_timing", null); if (!instanceCertManager.generateSshIdentity(identity, sshCsr, null)) { throw serverError("unable to generate ssh identity", caller, domain); } - + metric.stopTiming(timerSSHCertMetric); + // set the other required attributes in the identity object identity.setProvider(provider); @@ -3149,7 +3166,7 @@ public ResourceContext newResourceContext(HttpServletRequest request, HttpServle boolean optionalAuth = StringUtils.requestUriMatch(request.getRequestURI(), authFreeUriSet, authFreeUriList); - return new RsrcCtxWrapper(request, response, authorities, optionalAuth, authorizer); + return new RsrcCtxWrapper(request, response, authorities, optionalAuth, authorizer, metric); } Authority getAuthority(String className) { diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java index 0df1fc481c2..2ff5208bc84 100644 --- a/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java +++ b/servers/zts/src/test/java/com/yahoo/athenz/zts/RsrcCtxWrapperTest.java @@ -26,6 +26,7 @@ import org.mockito.Mockito; import org.testng.annotations.Test; +import com.yahoo.athenz.common.metrics.Metric; import com.yahoo.athenz.common.server.rest.Http.AuthorityList; @@ -39,7 +40,7 @@ public void TestRsrcCtxWrapperSimpleAssertion() { AuthorityList authListMock = new AuthorityList(); Authorizer authorizerMock = Mockito.mock(Authorizer.class); Authority authMock = Mockito.mock(Authority.class); - + Metric metricMock = Mockito.mock(Metric.class); Principal prin = Mockito.mock(Principal.class); Mockito.when(authMock.getHeader()).thenReturn("testheader"); 
@@ -51,7 +52,7 @@ public void TestRsrcCtxWrapperSimpleAssertion() { Mockito.when(reqMock.getMethod()).thenReturn("POST"); authListMock.add(authMock); - RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock); + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock); assertNotNull(wrapper.context()); @@ -83,7 +84,7 @@ public void TestAuthorize() { AuthorityList authListMock = new AuthorityList(); Authorizer authorizerMock = Mockito.mock(Authorizer.class); Authority authMock = Mockito.mock(Authority.class); - + Metric metricMock = Mockito.mock(Metric.class); Principal prin = Mockito.mock(Principal.class); Mockito.when(authMock.getHeader()).thenReturn("testheader"); @@ -99,7 +100,7 @@ public void TestAuthorize() { Mockito.when(authorizerMock.access(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any())) .thenReturn(true); - RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock); + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock); wrapper.authorize("add-domain", "test", "test"); @@ -114,6 +115,7 @@ public void TestAuthorizeInvalid() { AuthorityList authListMock = new AuthorityList(); Authorizer authorizerMock = Mockito.mock(Authorizer.class); + Metric metricMock = Mockito.mock(Metric.class); Mockito.when(reqMock.getHeader("testheader")).thenReturn("testcred"); Mockito.when(reqMock.getRemoteAddr()).thenReturn("1.1.1.1"); 
@@ -123,7 +125,7 @@ public void TestAuthorizeInvalid() { Mockito.when(authorizerMock.access(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any())) .thenReturn(true); - RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock); + RsrcCtxWrapper wrapper = new RsrcCtxWrapper(reqMock, resMock, authListMock, false, authorizerMock, metricMock); // when not set authority wrapper.authorize("add-domain", "test", "test");
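Review bot: `TestAuthorizeInvalid` now creates a `metricMock` and passes it to the wrapper, but nothing in the visible hunks asserts that the rejected request increments the new counter, so a regression that drops the `authfailure` increment would go unnoticed. Assuming the failure from `wrapper.authorize(...)` is routed through `throwZtsException`, add `Mockito.verify(metricMock).increment("authfailure");` after the expected exception is handled. The test body continues outside the hunk, so the exact placement depends on how the exception is caught there.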