diff --git a/driver/configuration/provider_koanf_public_test.go b/driver/configuration/provider_koanf_public_test.go
index c6ace84a60..6961791df2 100644
--- a/driver/configuration/provider_koanf_public_test.go
+++ b/driver/configuration/provider_koanf_public_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/rs/cors"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/x/configx"
 	"github.com/ory/x/logrusx"
@@ -285,7 +286,7 @@ func TestKoanfProvider(t *testing.T) {
 	})
 
 	t.Run("authenticator=oauth2_introspection", func(t *testing.T) {
-		a := authn.NewAuthenticatorOAuth2Introspection(p, logger)
+		a := authn.NewAuthenticatorOAuth2Introspection(p, logger, trace.NewNoopTracerProvider())
 		assert.True(t, p.AuthenticatorIsEnabled(a.GetID()))
 		require.NoError(t, a.Validate(nil))
 
@@ -433,7 +434,7 @@ func TestAuthenticatorOAuth2TokenIntrospectionPreAuthorization(t *testing.T) {
 		{enabled: true, id: "a", secret: "b", turl: "https://some-url", err: false},
 	} {
 		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
-			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""))
+			a := authn.NewAuthenticatorOAuth2Introspection(p, logrusx.New("", ""), trace.NewNoopTracerProvider())
 
 			config, _, err := a.Config(json.RawMessage(fmt.Sprintf(`{
 				"pre_authorization": {
diff --git a/driver/registry_memory.go b/driver/registry_memory.go
index 0e42462aa6..bcf3d57200 100644
--- a/driver/registry_memory.go
+++ b/driver/registry_memory.go
@@ -362,7 +362,7 @@ func (r *RegistryMemory) prepareAuthn() {
 		authn.NewAuthenticatorJWT(r.c, r),
 		authn.NewAuthenticatorNoOp(r.c),
 		authn.NewAuthenticatorOAuth2ClientCredentials(r.c, r.Logger()),
-		authn.NewAuthenticatorOAuth2Introspection(r.c, r.Logger()),
+		authn.NewAuthenticatorOAuth2Introspection(r.c, r.Logger(), r.trc.Provider()),
 		authn.NewAuthenticatorUnauthorized(r.c),
 	}
 
diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
index 8f3a5b8ed9..d0551ba416 100644
--- a/pipeline/authn/authenticator_oauth2_introspection.go
+++ b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -17,6 +17,7 @@ import (
 	"github.com/dgraph-io/ristretto"
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/oauth2/clientcredentials"
 
 	"github.com/ory/fosite"
@@ -26,6 +27,7 @@ import (
 	"github.com/ory/oathkeeper/x/header"
 	"github.com/ory/x/httpx"
 	"github.com/ory/x/logrusx"
+	"github.com/ory/x/otelx"
 	"github.com/ory/x/stringslice"
 )
 
@@ -72,10 +74,11 @@ type AuthenticatorOAuth2Introspection struct {
 	tokenCache *ristretto.Cache
 	cacheTTL *time.Duration
 	logger *logrusx.Logger
+	provider trace.TracerProvider
 }
 
-func NewAuthenticatorOAuth2Introspection(c configuration.Provider, logger *logrusx.Logger) *AuthenticatorOAuth2Introspection {
-	return &AuthenticatorOAuth2Introspection{c: c, logger: logger, clientMap: make(map[string]*http.Client)}
+func NewAuthenticatorOAuth2Introspection(c configuration.Provider, l *logrusx.Logger, p trace.TracerProvider) *AuthenticatorOAuth2Introspection {
+	return &AuthenticatorOAuth2Introspection{c: c, logger: l, provider: p, clientMap: make(map[string]*http.Client)}
 }
 
 func (a *AuthenticatorOAuth2Introspection) GetID() string {
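Review bot: `NewAuthenticatorOAuth2Introspection` now stores `p` unchecked, and the later hunk hands `a.provider` to `otelhttp.WithTracerProvider` when the introspection client is built; whether otelhttp tolerates a nil provider depends on the contrib version pinned in go.mod, so a caller that passes nil may only fail on the first introspection request rather than at construction. A guard before the return, `if p == nil { p = trace.NewNoopTracerProvider() }`, makes the constructor total and keeps opting out of tracing cheap. The new struct field also lacks a comment; `// provider is the TracerProvider used for the authn span and the outbound introspection client's transport` would record why it is held here instead of read from the global.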
@@ -171,7 +174,12 @@ func (a *AuthenticatorOAuth2Introspection) tokenToCache(config *AuthenticatorOAu
 	}
 }
 
-func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session *AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session *AuthenticationSession, config json.RawMessage, _ pipeline.Rule) (err error) {
+	tp := trace.SpanFromContext(r.Context()).TracerProvider()
+	ctx, span := tp.Tracer("oauthkeeper/pipeline/authn").Start(r.Context(), "authn.oauth2_introspection")
+	defer otelx.End(span, &err)
+	r = r.WithContext(ctx)
+
 	cf, client, err := a.Config(config)
 	if err != nil {
 		return err
@@ -195,7 +203,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 		body.Add("scope", strings.Join(cf.Scopes, " "))
 	}
 
-	introspectReq, err := http.NewRequest(http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
+	introspectReq, err := http.NewRequestWithContext(ctx, http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -210,7 +218,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 		introspectReq.Header.Set(header.XForwardedHost, r.Host)
 	}
 
-	resp, err := client.Do(introspectReq.WithContext(r.Context()))
+	resp, err := client.Do(introspectReq)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -348,7 +356,7 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 		httpx.ResilientClientWithMaxRetryWait(maxWait),
 		httpx.ResilientClientWithConnectionTimeout(timeout),
 	).StandardClient()
-	client.Transport = otelhttp.NewTransport(rt, otelhttp.WithTracerProvider(a.provider))
+	client.Transport = otelhttp.NewTransport(rt, otelhttp.WithTracerProvider(a.provider))
 	a.mu.Lock()
 	a.clientMap[clientKey] = client
 	a.mu.Unlock()
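Review bot: The span on the second added line is created from `trace.SpanFromContext(r.Context()).TracerProvider()` rather than the `a.provider` this commit injects, so a request that reaches the authenticator without a parent span (inbound side not instrumented, or a test driving `Authenticate` with a plain request) resolves to the noop provider and no `authn.oauth2_introspection` span is emitted, while the introspection client's transport in the last hunk is wired to `a.provider` — the two halves of one call can report to different providers. I would start it from the injected one, `ctx, span := a.provider.Tracer("oathkeeper/pipeline/authn").Start(r.Context(), "authn.oauth2_introspection")`, which also corrects the `oauthkeeper` misspelling in the instrumentation-scope name that backends use to filter these spans. Separately, `defer otelx.End(span, &err)` only records errors assigned to the named result; any `err :=` inside a nested block of the remainder of Authenticate shadows it and the span would close without the error, so the rest of the body deserves a pass. Authenticate and Config both extend outside these hunks.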
diff --git a/pipeline/authn/authenticator_oauth2_introspection_cache_test.go b/pipeline/authn/authenticator_oauth2_introspection_cache_test.go
index b0c600580e..49b1dced37 100644
--- a/pipeline/authn/authenticator_oauth2_introspection_cache_test.go
+++ b/pipeline/authn/authenticator_oauth2_introspection_cache_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/fosite"
 	"github.com/ory/oathkeeper/driver/configuration"
@@ -30,7 +31,7 @@ func TestCache(t *testing.T) {
 	}))
 	require.NoError(t, err)
 
-	a := NewAuthenticatorOAuth2Introspection(c, logger)
+	a := NewAuthenticatorOAuth2Introspection(c, logger, trace.NewNoopTracerProvider())
 	assert.Equal(t, "oauth2_introspection", a.GetID())
 
 	config, _, err := a.Config(nil)
diff --git a/pipeline/authn/authenticator_oauth2_introspection_test.go b/pipeline/authn/authenticator_oauth2_introspection_test.go
index 5695a0d4e2..a88104f25e 100644
--- a/pipeline/authn/authenticator_oauth2_introspection_test.go
+++ b/pipeline/authn/authenticator_oauth2_introspection_test.go
@@ -12,16 +12,17 @@ import (
 	"testing"
 	"time"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/ory/x/assertx"
 	"github.com/ory/x/configx"
+	"github.com/ory/x/logrusx"
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tidwall/sjson"
 
-	"github.com/ory/x/logrusx"
-
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/internal"
 	. "github.com/ory/oathkeeper/pipeline/authn"
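Review bot: The rewritten import block in authenticator_oauth2_introspection_test.go places `go.opentelemetry.io/otel/trace` in a group of its own above the `github.com/ory/x` imports and moves `logrusx` into that group, a layout that differs from the other four files in this commit, where `trace` simply joins the third-party group, and that `goimports`/`gci` would not produce. I would drop the separate group and keep `"go.opentelemetry.io/otel/trace"` alongside `httprouter`, `assert`, `require` and `sjson`, leaving the ory/x group as it was with `logrusx` added.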
@@ -791,7 +792,7 @@ func TestAuthenticatorOAuth2Introspection(t *testing.T) {
 	t.Run("method=config", func(t *testing.T) {
 		logger := logrusx.New("test", "1")
-		authenticator := NewAuthenticatorOAuth2Introspection(conf, logger)
+		authenticator := NewAuthenticatorOAuth2Introspection(conf, logger, trace.NewNoopTracerProvider())
 		noPreauthConfig := []byte(`{ "introspection_url":"http://localhost/oauth2/token" }`)
 		preAuthConfigOne := []byte(`{ "introspection_url":"http://localhost/oauth2/token","pre_authorization":{"token_url":"http://localhost/oauth2/token","client_id":"some_id","client_secret":"some_secret","enabled":true} }`)