Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024
diff --git a/coderd/promoauth/github.go b/coderd/promoauth/github.go
 Resource  string
 }

 // githubRateLimits checks the returned response headers and
 // githubRateLimits returns rate limit information from a GitHub response.
 // GitHub rate limits are on a per-user basis, and tracking each user as
 // a prometheus label might be too much. So only track rate limits for
 // unauthorized responses.
 //
 // Unauthorized responses have a much stricter rate limit of 60 per hour.
 // Tracking this is vital to ensure we do not hit the limit.
 func githubRateLimits(resp *http.Response, err error) (rateLimits, bool) {
 if err != nil || resp == nil {
 return rateLimits{}, false
 }

 // Only track 401 responses which indicates we are using the 60 per hour
 // rate limit.
 if resp.StatusCode != http.StatusUnauthorized {
 return rateLimits{}, false
 }

 p := headerParser{header: resp.Header}
 // See
 // https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#checking-the-status-of-your-rate-limit
 limits := rateLimits{
 Limit:     p.int("x-ratelimit-limit"),
 Remaining: p.int("x-ratelimit-remaining"),
 Used:      p.int("x-ratelimit-used"),
 Resource:  p.string("x-ratelimit-resource"),
 Resource:  p.string("x-ratelimit-resource") + "-unauthorized",
 }

 if limits.Limit == 0 &&
 }
 limits.Reset = resetAt

 // Unauthorized requests have their own rate limit, so we should
 // track them separately.
 if resp.StatusCode == http.StatusUnauthorized {
 limits.Resource += "-unauthorized"
 }

 // A 401 or 429 means too many requests. This might mess up the
 // "resource" string because we could hit the unauthorized limit,
 // and we do not want that to override the authorized one.
 // However, in testing, it seems a 401 is always a 401, even if
 // the limit is hit.

 if len(p.errors) > 0 {
 // If we are missing any headers, then do not try and guess
 // what the rate limits are.
diff --git a/coderd/promoauth/oauth2_test.go b/coderd/promoauth/oauth2_test.go
 }
 }

 // Ignore the well known, required for setup
 if !strings.Contains(r.URL.String(), ".well-known") {
 // GitHub rate limits only are instrumented for unauthenticated calls. So emulate
 // that here. We cannot actually use invalid credentials because the fake IDP
 // will throw a test error, as it only expects things to work. And we want to use
 // a real idp to emulate the right http calls to be instrumented.
 rw.WriteHeader(http.StatusUnauthorized)
 return
 }
 next.ServeHTTP(rw, r)
 })
 }))
 // Do a single oauth2 call
 ctx := testutil.Context(t, testutil.WaitShort)
 ctx = context.WithValue(ctx, oauth2.HTTPClient, idp.HTTPClient(nil))
 _, err := cfg.Exchange(ctx,idp.CreateAuthCode(t, "foo"))
 require.NoError(t, err)
 _, err := cfg.Exchange(ctx,"invalid")
 require.Error(t, err, "expected unauthorized exchange")

 // Verify
 labels := prometheus.Labels{
 "name":     "test",
 "resource": "core",
 "resource": "core-unauthorized",
 }
 pass := true
 if !c.ExpectNoMetrics {
diff --git a/scripts/metricsdocgen/metrics b/scripts/metricsdocgen/metrics
 coderd_oauth2_external_requests_rate_limit_reset_in_seconds{name="secondary-github",resource="core"} 121.82186601
 # HELP coderd_oauth2_external_requests_rate_limit_total The total number of allowed requests per interval.
 # TYPE coderd_oauth2_external_requests_rate_limit_total gauge
 coderd_oauth2_external_requests_rate_limit_total{name="primary-github",resource="core"} 5000
 coderd_oauth2_external_requests_rate_limit_total{name="secondary-github",resource="core"} 5000
 coderd_oauth2_external_requests_rate_limit_total{name="primary-github",resource="core-unauthorized"} 5000
 coderd_oauth2_external_requests_rate_limit_total{name="secondary-github",resource="core-unauthorized"} 5000
 # HELP coderd_oauth2_external_requests_rate_limit_used The number of requests made in this interval.
 # TYPE coderd_oauth2_external_requests_rate_limit_used gauge
 coderd_oauth2_external_requests_rate_limit_used{name="primary-github",resource="core"} 148
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,20 +16,32 @@ type rateLimits struct {
		Resource string
		}

		// githubRateLimits checks the returned response headers and
		// githubRateLimits returns rate limit information from a GitHub response.
		// GitHub rate limits are on a per-user basis, and tracking each user as
		// a prometheus label might be too much. So only track rate limits for
		// unauthorized responses.
		//
		// Unauthorized responses have a much stricter rate limit of 60 per hour.
		// Tracking this is vital to ensure we do not hit the limit.
		func githubRateLimits(resp *http.Response, err error) (rateLimits, bool) {
		if err != nil \|\| resp == nil {
		return rateLimits{}, false
		}

		// Only track 401 responses which indicates we are using the 60 per hour
		// rate limit.
		if resp.StatusCode != http.StatusUnauthorized {
		return rateLimits{}, false
		}

		p := headerParser{header: resp.Header}
		// See
		// https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#checking-the-status-of-your-rate-limit
		limits := rateLimits{
		Limit: p.int("x-ratelimit-limit"),
		Remaining: p.int("x-ratelimit-remaining"),
		Used: p.int("x-ratelimit-used"),
		Resource: p.string("x-ratelimit-resource"),
		Resource: p.string("x-ratelimit-resource") + "-unauthorized",
		}

		if limits.Limit == 0 &&
Expand All		@@ -50,18 +62,6 @@ func githubRateLimits(resp *http.Response, err error) (rateLimits, bool) {
		}
		limits.Reset = resetAt

		// Unauthorized requests have their own rate limit, so we should
		// track them separately.
		if resp.StatusCode == http.StatusUnauthorized {
		limits.Resource += "-unauthorized"
		}

		// A 401 or 429 means too many requests. This might mess up the
		// "resource" string because we could hit the unauthorized limit,
		// and we do not want that to override the authorized one.
		// However, in testing, it seems a 401 is always a 401, even if
		// the limit is hit.

		if len(p.errors) > 0 {
		// If we are missing any headers, then do not try and guess
		// what the rate limits are.
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -179,6 +179,15 @@ func TestGithubRateLimits(t *testing.T) {
		}
		}

		// Ignore the well known, required for setup
		if !strings.Contains(r.URL.String(), ".well-known") {
		// GitHub rate limits only are instrumented for unauthenticated calls. So emulate
		// that here. We cannot actually use invalid credentials because the fake IDP
		// will throw a test error, as it only expects things to work. And we want to use
		// a real idp to emulate the right http calls to be instrumented.
		rw.WriteHeader(http.StatusUnauthorized)
		return
		}
		next.ServeHTTP(rw, r)
		})
		}))
Expand All		@@ -195,13 +204,13 @@ func TestGithubRateLimits(t *testing.T) {
		// Do a single oauth2 call
		ctx := testutil.Context(t, testutil.WaitShort)
		ctx = context.WithValue(ctx, oauth2.HTTPClient, idp.HTTPClient(nil))
		_, err := cfg.Exchange(ctx,idp.CreateAuthCode(t, "foo"))
		require.NoError(t, err)
		_, err := cfg.Exchange(ctx,"invalid")
		require.Error(t, err, "expected unauthorized exchange")

		// Verify
		labels := prometheus.Labels{
		"name": "test",
		"resource": "core",
		"resource": "core-unauthorized",
		}
		pass := true
		if !c.ExpectNoMetrics {
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -12,8 +12,8 @@ coderd_oauth2_external_requests_rate_limit_reset_in_seconds{name="primary-github
		coderd_oauth2_external_requests_rate_limit_reset_in_seconds{name="secondary-github",resource="core"} 121.82186601
		# HELP coderd_oauth2_external_requests_rate_limit_total The total number of allowed requests per interval.
		# TYPE coderd_oauth2_external_requests_rate_limit_total gauge
		coderd_oauth2_external_requests_rate_limit_total{name="primary-github",resource="core"} 5000
		coderd_oauth2_external_requests_rate_limit_total{name="secondary-github",resource="core"} 5000
		coderd_oauth2_external_requests_rate_limit_total{name="primary-github",resource="core-unauthorized"} 5000
Copy link Member matifaliFeb 23, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Should this be 60 instead of 5000? Copy link MemberAuthor EmyrkFeb 23, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. It should be, but it's only used to generate docs. The values are ignored, but the labels are included. https://coder.com/docs/v2/latest/admin/prometheus#prometheus-configuration Copy link MemberAuthor EmyrkFeb 23, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. So it is fine
		coderd_oauth2_external_requests_rate_limit_total{name="secondary-github",resource="core-unauthorized"} 5000
		# HELP coderd_oauth2_external_requests_rate_limit_used The number of requests made in this interval.
		# TYPE coderd_oauth2_external_requests_rate_limit_used gauge
		coderd_oauth2_external_requests_rate_limit_used{name="primary-github",resource="core"} 148
Expand Down