Basic auth: add metrics
Signed-off-by: Julien Pivotto <[email protected]>
roidelapluie committed Dec 27, 2020
1 parent 880ae69 commit 2c33506
Showing 4 changed files with 31 additions and 9 deletions.
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -5,6 +5,7 @@ go 1.14
require (
github.com/go-kit/kit v0.10.0
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.7.1
github.com/prometheus/common v0.15.0
golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9
gopkg.in/alecthomas/kingpin.v2 v2.2.6
11 changes: 7 additions & 4 deletions https/tls_config.go
Expand Up @@ -26,6 +26,7 @@ import (
"github.com/go-kit/kit/log"
"github.com/go-kit/kit/log/level"
"github.com/pkg/errors"
"github.com/prometheus/client_golang/prometheus"
config_util "github.com/prometheus/common/config"
"gopkg.in/yaml.v2"
)
Expand Down Expand Up @@ -176,18 +177,18 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {

// Listen starts the server on the given address. Based on the file
// tlsConfigPath, TLS or basic auth could be enabled.
func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
func Listen(server *http.Server, tlsConfigPath string, logger log.Logger, r prometheus.Registerer) error {
listener, err := net.Listen("tcp", server.Addr)
if err != nil {
return err
}
defer listener.Close()
return Serve(listener, server, tlsConfigPath, logger)
return Serve(listener, server, tlsConfigPath, logger, r)
}

// Server starts the server on the given listener. Based on the file
// tlsConfigPath, TLS or basic auth could be enabled.
func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error {
func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger, r prometheus.Registerer) error {
if tlsConfigPath == "" {
level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
return server.Serve(l)
Expand All @@ -202,11 +203,13 @@ func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log
if server.Handler != nil {
handler = server.Handler
}
server.Handler = &userAuthRoundtrip{
urt := &userAuthRoundtrip{
tlsConfigPath: tlsConfigPath,
logger: logger,
handler: handler,
}
urt.instrument(r)
server.Handler = urt

c, err := getConfig(tlsConfigPath)
if err != nil {
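Review bot: The doc comments on `Listen` and `Serve` say nothing about the new `r` parameter, yet a caller has to know that nil is accepted (see `instrument` in https/users.go) and that `Serve` returns before `urt.instrument(r)` when `tlsConfigPath` is empty, so the failure counter is never registered in that mode. I would add to both comments a line such as `// r, if non-nil, receives the basic-auth failure counter; it is unused when tlsConfigPath is empty.` The comment on `Serve` also opens with `Server`, where Go doc convention expects the function name `Serve`. Both functions are exported, so the extra parameter breaks existing callers at compile time and deserves a changelog entry. `Serve`'s body continues outside the hunk.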
4 changes: 2 additions & 2 deletions https/tls_config_test.go
Expand Up @@ -319,7 +319,7 @@ func TestConfigReloading(t *testing.T) {
recordConnectionError(errors.New("Panic starting server"))
}
}()
err := Listen(server, badYAMLPath, testlogger)
err := Listen(server, badYAMLPath, testlogger, nil)
recordConnectionError(err)
}()

Expand Down Expand Up @@ -391,7 +391,7 @@ func (test *TestInputs) Test(t *testing.T) {
recordConnectionError(errors.New("Panic starting server"))
}
}()
err := Listen(server, test.YAMLConfigPath, testlogger)
err := Listen(server, test.YAMLConfigPath, testlogger, nil)
recordConnectionError(err)
}()

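Review bot: Both updated call sites pass `nil` as the registerer, so no test on this page exercises the registration branch in `instrument` or the increments in `ServeHTTP`. A case that passes `prometheus.NewRegistry()`, sends one request with wrong credentials, and checks the gathered value of `prometheus_toolkit_https_request_basic_authentication_failures_total` would pin the behaviour the metric exists for. Both enclosing functions start and end outside the hunks.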
24 changes: 21 additions & 3 deletions https/users.go
Expand Up @@ -17,6 +17,7 @@ import (
"net/http"

"github.com/go-kit/kit/log"
"github.com/prometheus/client_golang/prometheus"
"golang.org/x/crypto/bcrypt"
)

Expand All @@ -37,14 +38,30 @@ func validateUsers(configPath string) error {
}

type userAuthRoundtrip struct {
tlsConfigPath string
handler http.Handler
logger log.Logger
tlsConfigPath string
handler http.Handler
logger log.Logger
failuresCounter prometheus.Counter
}

func (u *userAuthRoundtrip) instrument(r prometheus.Registerer) {
u.failuresCounter = prometheus.NewCounter(
prometheus.CounterOpts{
Namespace: "prometheus_toolkit",
Subsystem: "https",
Name: "request_basic_authentication_failures_total",
Help: "Total number of requests rejected by basic authentication because of wrong username, password, or configuration.",
},
)
if r != nil {
r.MustRegister(u.failuresCounter)
}
}

func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
c, err := getConfig(u.tlsConfigPath)
if err != nil {
u.failuresCounter.Inc()
u.logger.Log("msg", "Unable to parse configuration", "err", err)
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
Expand All @@ -65,6 +82,7 @@ func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
}

u.failuresCounter.Inc()
w.Header().Set("WWW-Authenticate", "Basic")
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}
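Review bot: `r.MustRegister(u.failuresCounter)` in `instrument` panics when a collector with the same name is already registered, and `Serve` creates a fresh counter on every call. A process that calls `Serve` twice with the same registerer, for example for two listen addresses, would therefore panic on the second call. Registering with `r.Register` and reusing the existing collector on `prometheus.AlreadyRegisteredError` avoids that, as sketched below. Separately, the counter is also incremented on the configuration-parse path that answers 500, so an alert built on it cannot tell password guessing from a broken config file; a label or a second counter would separate the two.

```go
func (u *userAuthRoundtrip) instrument(r prometheus.Registerer) {
	// … unchanged: u.failuresCounter = prometheus.NewCounter(...) …
	if r == nil {
		return
	}
	if err := r.Register(u.failuresCounter); err != nil {
		are, ok := err.(prometheus.AlreadyRegisteredError)
		if !ok {
			panic(err)
		}
		// Reuse the counter registered by an earlier Serve call.
		if c, ok := are.ExistingCollector.(prometheus.Counter); ok {
			u.failuresCounter = c
		}
	}
}
```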
