[EXPORTER] Log SSL Connection Information #3113
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,6 +22,7 @@ | |
| #include "opentelemetry/ext/http/client/curl/http_client_curl.h" | ||
| #include "opentelemetry/ext/http/client/curl/http_operation_curl.h" | ||
| #include "opentelemetry/ext/http/client/http_client.h" | ||
| #include "opentelemetry/nostd/string_view.h" | ||
| #include "opentelemetry/sdk/common/global_log_handler.h" | ||
| #include "opentelemetry/version.h" | ||
|
|
||
|
|
@@ -569,6 +570,65 @@ CURLcode HttpOperation::SetCurlOffOption(CURLoption option, curl_off_t value) | |
| return rc; | ||
| } | ||
|
|
||
| int HttpOperation::CurlLoggerCallback(const CURL * /* handle */, | ||
| curl_infotype type, | ||
| const char *data, | ||
| size_t size, | ||
| void * /* clientp */) noexcept | ||
| { | ||
| nostd::string_view text_to_log{data, size}; | ||
|
|
||
| if (!text_to_log.empty() && text_to_log[size - 1] == '\n') | ||
| { | ||
| text_to_log = text_to_log.substr(0, size - 1); | ||
| } | ||
|
|
||
| if (type == CURLINFO_TEXT) | ||
| { | ||
| static const auto kTlsInfo = nostd::string_view("SSL connection using"); | ||
| static const auto kFailureMsg = nostd::string_view("Recv failure:"); | ||
|
|
||
| if (text_to_log.substr(0, kTlsInfo.size()) == kTlsInfo) | ||
| { | ||
| OTEL_INTERNAL_LOG_INFO(text_to_log); | ||
| } | ||
| else if (text_to_log.substr(0, kFailureMsg.size()) == kFailureMsg) | ||
| { | ||
| OTEL_INTERNAL_LOG_ERROR(text_to_log); | ||
| } | ||
| #ifdef CURL_DEBUG | ||
| else | ||
| { | ||
| OTEL_INTERNAL_LOG_DEBUG(text_to_log); | ||
| } | ||
| #endif // CURL_DEBUG | ||
| } | ||
| #ifdef CURL_DEBUG | ||
| else if (type == CURLINFO_HEADER_OUT) | ||
| { | ||
| static const auto kHeaderSent = nostd::string_view("Send header => "); | ||
|
|
||
| while (!text_to_log.empty() && !std::iscntrl(text_to_log[0])) | ||
| { | ||
| const auto pos = text_to_log.find('\n'); | ||
|
|
||
| if (pos != nostd::string_view::npos) | ||
| { | ||
| OTEL_INTERNAL_LOG_DEBUG(kHeaderSent << text_to_log.substr(0, pos - 1)); | ||
| text_to_log = text_to_log.substr(pos + 1); | ||
| } | ||
| } | ||
| } | ||
| else if (type == CURLINFO_HEADER_IN) | ||
| { | ||
| static const auto kHeaderRecv = nostd::string_view("Recv header => "); | ||
| OTEL_INTERNAL_LOG_DEBUG(kHeaderRecv << text_to_log); | ||
| } | ||
| #endif // CURL_DEBUG | ||
|
|
||
| return 0; | ||
| } | ||
|
|
||
| CURLcode HttpOperation::Setup() | ||
| { | ||
| if (!curl_resource_.easy_handle) | ||
|
|
@@ -581,7 +641,14 @@ CURLcode HttpOperation::Setup() | |
| curl_error_message_[0] = '\0'; | ||
| curl_easy_setopt(curl_resource_.easy_handle, CURLOPT_ERRORBUFFER, curl_error_message_); | ||
|
|
||
| rc = SetCurlLongOption(CURLOPT_VERBOSE, 1L); | ||
|
There was a problem hiding this comment. Setting CURLOPT_VERBOSE to 1L is useful for debugging but not sure if it's best practice to keep enabled in production, as it can significantly impact performance in high-throughput scenarios. Would it make sense to make this optional, controlled by an environment variable, configuration option, or macro? There was a problem hiding this comment. Agreed, I think that would make sense as the general rule. If the requirement is to expose the TLS version / cipher information in the logs, then I haven't found anything obvious in terms of option switches / macros that I could repurpose for this so maybe introducing something like a There was a problem hiding this comment. yes There was a problem hiding this comment. I agree, we need a compile time flag like A runtime flag as well, to turn the verbose logging on/off would be nice, but this can be a separate discussion and PR. There was a problem hiding this comment. Apologies for the sudden silence, it's been a busy week so far. I actually had this similarly implemented with a runtime flag for another project. I think I can have this done in the same PR, just need to run this through the full CI to make sure I didn't miss anything. If both compile-time and runtime flags are to be supported, the way I see it is that runtime should take precedence as there could be certain cases where this logging info would be useful but, as a general use case, omitting it would fall back to the value set at compile time via |
||
| if (rc != CURLE_OK) | ||
| { | ||
| return rc; | ||
| } | ||
|
|
||
| rc = SetCurlPtrOption(CURLOPT_DEBUGFUNCTION, | ||
| reinterpret_cast<void *>(&HttpOperation::CurlLoggerCallback)); | ||
| if (rc != CURLE_OK) | ||
| { | ||
| return rc; | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please clarify (with a comment) the intent of CURL_DEBUG, which is separate from ENABLE_CURL_LOGGING.
As I understand it, ENABLE_CURL_LOGGING is exposed in CMake, to add the new logging feature.
On top of that, CURL_DEBUG seem to be a private developer flag (not exposed in cmake), for a developper to debug the new logging feature itself, if needed.
So, ENABLE_CURL_LOGGING may be used optionally in production, but CURL_DEBUG should not be used in production.
Is this accurate ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is correct,
CURL_DEBUGis a guard that comes in handy when debugging something, where the full verbosity would be required. However, making it controllable by the user is probably not desirable as it could lead to unintentionally logging too much / sensitive information, such as request body, auth tokens, other sensitive in/out headers, etc.That said, though, if this is deemed necessary by future requirements, exposing additional logging should be as simple as "punching" a few more holes in the callback function, by simply adding the respective
if/else ifstatements outside this guarded block.So, in a way, the second use of
CURL_DEBUGis to force the developer to have to explicitly opt-in for exposing more logging info from CURL, which hopefully also makes it easy to see what information the callback function is letting out into the wild.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clarifications.
Do not change any code then, just add a comment that CURL_DEBUG is for maintainers, and should not be used in production (information leak).