Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: instrument external oauth2 requests#11519

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 20 commits intomainfromstevenmasley/oauth_instrument
Jan 10, 2024

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedJan 9, 2024
edited
Loading

Supports#10853

What this does

This adds an instrumentation layer to all of our oidc/oauth2 external requests.

Debugging this has been very challenging because I cannot reproduce the issue. So I figured adding some instrumentation could at best help debug, at worst it is just some nice extra metrics 🤷‍♂️.

What the metrics track for each oauth2 config.

  • name: A human readable name to identify the provider. This is theexternal_auth.id or justlogin-github for primary authentication.
  • source: Indicates which method was called to trigger the request.[TokenSource|Exchange]. I think this could be extended in debug logging if we need for debugging purposes. For now, this doubles the number of tracked metrics, and I don't think we should make this list any larger.
  • domain: The domain the request is sent to.Is this redundant??REMOVED
  • status_code: Returned status code. For alerting purposes, you could alert when 429s occur.

Example metrics

# HELP coderd_oauth2_external_requests_total The total number of api calls made to external oauth2 providers. 'status_code' will be 0 if the request failed with no response.# TYPE coderd_oauth2_external_requests_total countercoderd_oauth2_external_requests_total{name="github-login",source="Exchange",status_code="200"} 2coderd_oauth2_external_requests_total{name="primary-github",source="TokenSource",status_code="200"} 1coderd_oauth2_external_requests_total{name="github-login",source="Exchange",status_code="200"} 2coderd_oauth2_external_requests_total{name="primary-github",source="TokenSource",status_code="200"} 1coderd_oauth2_external_requests_total{name="github-login",source="Exchange",status_code="200"} 1coderd_oauth2_external_requests_total{name="primary-github",source="AppInstallations",status_code="200"} 5coderd_oauth2_external_requests_total{name="primary-github",source="ValidateToken",status_code="200"} 5

What this does not do

This only instruments oauth and some related methods. Verify OIDC and userinfo OIDC are not instrumented. ThereforeOIDC is not instrumented at this time

@EmyrkEmyrk marked this pull request as ready for reviewJanuary 9, 2024 18:44
@EmyrkEmyrkforce-pushed thestevenmasley/oauth_instrument branch from22cc18e to721fb0aCompareJanuary 9, 2024 20:08
@EmyrkEmyrk requested a review frommafredriJanuary 9, 2024 21:04
@EmyrkGraphite App
Copy link
MemberAuthor

Emyrk commentedJan 9, 2024
edited
Loading

In this stack:📊 Improve observability and metrics for OAuth2 integration

This stack of pull requests is managed by Graphite.Learn more about stacking.

Join@Emyrk and the rest of your teammates onGraphiteGraphite

}
}

resp,err:=do(req)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Noticed we never check HTTP status code forresp, should we?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I am not sure, I did not write this part. Have not checked the payloads myself here.

}

// If the underlying transport is the default, we need to clone it.
// We should also clone it if it supports cloning.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

How about testing forunder.(interface{ Clone() ... }) instead? That would cover the "supports cloning" case.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wish I could but the method signature is:

func (t*Transport)Clone()*Transport

So the interface ofClone() http.RoundTripper does not match, and the default transport would not implement it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Ah, of course. That's unfortunate :(.

// Verify the default client was not broken. This check is added because we
// extend the http.DefaultTransport. If a `.Clone()` is not done, this can be
// mis-used. It is cheap to run this quick check.
req,err:=http.NewRequest(http.MethodGet,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Minor suggestion: Could usehttptest.NewRequest to avoid checking error. Alternativelyhttp.NewRequestWithContext to skip that step.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

httptest just uses panics instead of an error 🤷
https://github.com/golang/go/blob/master/src/net/http/httptest/httptest.go#L46

I can useNewRequestWithContext though

@EmyrkEmyrkforce-pushed thestevenmasley/oauth_instrument branch frome48a44f to85e2d91CompareJanuary 10, 2024 14:50
@EmyrkEmyrk merged commit50b78e3 intomainJan 10, 2024
@EmyrkEmyrk deleted the stevenmasley/oauth_instrument branchJanuary 10, 2024 15:13
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsJan 10, 2024
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.

Reviewers

@mafredrimafredrimafredri approved these changes

Assignees

@EmyrkEmyrk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Emyrk@mafredri
[8]ページ先頭
©2009-2025 Movatter.jp