feat: tracing for oauth2_introspection authenticator

ory · Aug 30, 2023 · b7267ad · b7267ad
1 parent 3853322
commit b7267ad
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 13 deletions.
diff --git a/driver/configuration/provider_koanf_public_test.go b/driver/configuration/provider_koanf_public_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/x/configx"
 	"github.com/ory/x/logrusx"
@@ -285,7 +286,7 @@ func TestKoanfProvider(t *testing.T) {
 		})
 
 		t.Run("authenticator=oauth2_introspection", func(t *testing.T) {
-			a := authn.NewAuthenticatorOAuth2Introspection(p, logger)
+			a := authn.NewAuthenticatorOAuth2Introspection(p, logger, trace.NewNoopTracerProvider())
 			assert.True(t, p.AuthenticatorIsEnabled(a.GetID()))
 			require.NoError(t, a.Validate(nil))
 
@@ -433,7 +434,7 @@ func TestAuthenticatorOAuth2TokenIntrospectionPreAuthorization(t *testing.T) {
 		{enabled: true, id: "a", secret: "b", turl: "https://some-url", err: false},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
-			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""))
+			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""), trace.NewNoopTracerProvider())
 
 			config, _, err := a.Config(json.RawMessage(fmt.Sprintf(`{
 	"pre_authorization": {

diff --git a/driver/registry_memory.go b/driver/registry_memory.go
@@ -362,7 +362,7 @@ func (r *RegistryMemory) prepareAuthn() {
 			authn.NewAuthenticatorJWT(r.c, r),
 			authn.NewAuthenticatorNoOp(r.c),
 			authn.NewAuthenticatorOAuth2ClientCredentials(r.c, r.Logger()),
-			authn.NewAuthenticatorOAuth2Introspection(r.c, r.Logger()),
+			authn.NewAuthenticatorOAuth2Introspection(r.c, r.Logger(), r.trc.Provider()),
 			authn.NewAuthenticatorUnauthorized(r.c),
 		}
 

diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -17,6 +17,7 @@ import (
 	"github.com/dgraph-io/ristretto"
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/oauth2/clientcredentials"
 
 	"github.com/ory/fosite"
@@ -26,6 +27,7 @@ import (
 	"github.com/ory/oathkeeper/x/header"
 	"github.com/ory/x/httpx"
 	"github.com/ory/x/logrusx"
+	"github.com/ory/x/otelx"
 	"github.com/ory/x/stringslice"
 )
 
@@ -72,10 +74,11 @@ type AuthenticatorOAuth2Introspection struct {
 	tokenCache *ristretto.Cache
 	cacheTTL   *time.Duration
 	logger     *logrusx.Logger
+	provider   trace.TracerProvider
 }
 
-func NewAuthenticatorOAuth2Introspection(c configuration.Provider, logger *logrusx.Logger) *AuthenticatorOAuth2Introspection {
-	return &AuthenticatorOAuth2Introspection{c: c, logger: logger, clientMap: make(map[string]*http.Client)}
+func NewAuthenticatorOAuth2Introspection(c configuration.Provider, l *logrusx.Logger, p trace.TracerProvider) *AuthenticatorOAuth2Introspection {
+	return &AuthenticatorOAuth2Introspection{c: c, logger: l, provider: p, clientMap: make(map[string]*http.Client)}
 }
 
 func (a *AuthenticatorOAuth2Introspection) GetID() string {
@@ -171,7 +174,12 @@ func (a *AuthenticatorOAuth2Introspection) tokenToCache(config *AuthenticatorOAu
 	}
 }
 
-func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session *AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session *AuthenticationSession, config json.RawMessage, _ pipeline.Rule) (err error) {
+	tp := trace.SpanFromContext(r.Context()).TracerProvider()
+	ctx, span := tp.Tracer("oauthkeeper/pipeline/authn").Start(r.Context(), "authn.oauth2_introspection")
+	defer otelx.End(span, &err)
+	r = r.WithContext(ctx)
+
 	cf, client, err := a.Config(config)
 	if err != nil {
 		return err
@@ -195,7 +203,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 			body.Add("scope", strings.Join(cf.Scopes, " "))
 		}
 
-		introspectReq, err := http.NewRequest(http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
+		introspectReq, err := http.NewRequestWithContext(ctx, http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
 		if err != nil {
 			return errors.WithStack(err)
 		}
@@ -210,7 +218,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 			introspectReq.Header.Set(header.XForwardedHost, r.Host)
 		}
 
-		resp, err := client.Do(introspectReq.WithContext(r.Context()))
+		resp, err := client.Do(introspectReq)
 		if err != nil {
 			return errors.WithStack(err)
 		}
@@ -348,7 +356,7 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 			httpx.ResilientClientWithMaxRetryWait(maxWait),
 			httpx.ResilientClientWithConnectionTimeout(timeout),
 		).StandardClient()
-		client.Transport = otelhttp.NewTransport(rt)
+		client.Transport = otelhttp.NewTransport(rt, otelhttp.WithTracerProvider(a.provider))
 		a.mu.Lock()
 		a.clientMap[clientKey] = client
 		a.mu.Unlock()

diff --git a/pipeline/authn/authenticator_oauth2_introspection_cache_test.go b/pipeline/authn/authenticator_oauth2_introspection_cache_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/fosite"
 	"github.com/ory/oathkeeper/driver/configuration"
@@ -30,7 +31,7 @@ func TestCache(t *testing.T) {
 		}))
 	require.NoError(t, err)
 
-	a := NewAuthenticatorOAuth2Introspection(c, logger)
+	a := NewAuthenticatorOAuth2Introspection(c, logger, trace.NewNoopTracerProvider())
 	assert.Equal(t, "oauth2_introspection", a.GetID())
 
 	config, _, err := a.Config(nil)

diff --git a/pipeline/authn/authenticator_oauth2_introspection_test.go b/pipeline/authn/authenticator_oauth2_introspection_test.go
@@ -12,16 +12,17 @@ import (
 	"testing"
 	"time"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/ory/x/assertx"
 	"github.com/ory/x/configx"
+	"github.com/ory/x/logrusx"
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tidwall/sjson"
 
-	"github.com/ory/x/logrusx"
-
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/internal"
 	. "github.com/ory/oathkeeper/pipeline/authn"
@@ -791,7 +792,7 @@ func TestAuthenticatorOAuth2Introspection(t *testing.T) {
 
 	t.Run("method=config", func(t *testing.T) {
 		logger := logrusx.New("test", "1")
-		authenticator := NewAuthenticatorOAuth2Introspection(conf, logger)
+		authenticator := NewAuthenticatorOAuth2Introspection(conf, logger, trace.NewNoopTracerProvider())
 
 		noPreauthConfig := []byte(`{ "introspection_url":"http://localhost/oauth2/token" }`)
 		preAuthConfigOne := []byte(`{ "introspection_url":"http://localhost/oauth2/token","pre_authorization":{"token_url":"http://localhost/oauth2/token","client_id":"some_id","client_secret":"some_secret","enabled":true} }`)