Add new metrics as requested by some customers
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a follow-up PR.
parent
7fc4aa7afd
commit
4b926ae189
7 changed files with 57 additions and 21 deletions
|
@ -12,7 +12,7 @@ from flask_principal import identity_changed, Identity
|
|||
|
||||
import scopes
|
||||
|
||||
from app import app, authentication
|
||||
from app import app, authentication, metric_queue
|
||||
from auth_context import (set_authenticated_user, set_validated_token, set_grant_context,
|
||||
set_validated_oauth_token)
|
||||
from data import model
|
||||
|
@ -52,14 +52,17 @@ def _validate_and_apply_oauth_token(token):
|
|||
validated = model.oauth.validate_access_token(token)
|
||||
if not validated:
|
||||
logger.warning('OAuth access token could not be validated: %s', token)
|
||||
metric_queue.authentication_count.Inc(labelvalues=['oauth', False])
|
||||
raise InvalidToken('OAuth access token could not be validated: {token}'.format(token=token))
|
||||
elif validated.expires_at <= datetime.utcnow():
|
||||
logger.info('OAuth access with an expired token: %s', token)
|
||||
metric_queue.authentication_count.Inc(labelvalues=['oauth', False])
|
||||
raise ExpiredToken('OAuth access token has expired: {token}'.format(token=token))
|
||||
|
||||
# Don't allow disabled users to login.
|
||||
if not validated.authorized_user.enabled:
|
||||
return None
|
||||
metric_queue.authentication_count.Inc(labelvalues=['oauth', False])
|
||||
return False
|
||||
|
||||
# We have a valid token
|
||||
scope_set = scopes.scopes_from_scope_string(validated.scope)
|
||||
|
@ -71,6 +74,8 @@ def _validate_and_apply_oauth_token(token):
|
|||
|
||||
new_identity = QuayDeferredPermissionUser.for_user(validated.authorized_user, scope_set)
|
||||
identity_changed.send(app, identity=new_identity)
|
||||
metric_queue.authentication_count.Inc(labelvalues=['oauth', True])
|
||||
return True
|
||||
|
||||
|
||||
def _parse_basic_auth_header(auth):
|
||||
|
@ -105,14 +110,16 @@ def _process_basic_auth(auth):
|
|||
logger.debug('Successfully validated token: %s', credentials[1])
|
||||
set_validated_token(token)
|
||||
identity_changed.send(app, identity=Identity(token.code, 'token'))
|
||||
return
|
||||
metric_queue.authentication_count.Inc(labelvalues=['token', True])
|
||||
return True
|
||||
|
||||
except model.DataModelException:
|
||||
logger.debug('Invalid token: %s', credentials[1])
|
||||
metric_queue.authentication_count.Inc(labelvalues=['token', False])
|
||||
|
||||
elif credentials[0] == '$oauthtoken':
|
||||
oauth_token = credentials[1]
|
||||
_validate_and_apply_oauth_token(oauth_token)
|
||||
return _validate_and_apply_oauth_token(oauth_token)
|
||||
|
||||
elif '+' in credentials[0]:
|
||||
logger.debug('Trying robot auth with credentials %s', str(credentials))
|
||||
|
@ -124,9 +131,11 @@ def _process_basic_auth(auth):
|
|||
|
||||
deferred_robot = QuayDeferredPermissionUser.for_user(robot)
|
||||
identity_changed.send(app, identity=deferred_robot)
|
||||
return
|
||||
metric_queue.authentication_count.Inc(labelvalues=['robot', True])
|
||||
return True
|
||||
except model.InvalidRobotException:
|
||||
logger.debug('Invalid robot or password for robot: %s', credentials[0])
|
||||
metric_queue.authentication_count.Inc(labelvalues=['robot', False])
|
||||
|
||||
else:
|
||||
(authenticated, _) = authentication.verify_and_link_user(credentials[0], credentials[1],
|
||||
|
@ -137,10 +146,14 @@ def _process_basic_auth(auth):
|
|||
|
||||
new_identity = QuayDeferredPermissionUser.for_user(authenticated)
|
||||
identity_changed.send(app, identity=new_identity)
|
||||
return
|
||||
metric_queue.authentication_count.Inc(labelvalues=['user', True])
|
||||
return True
|
||||
else:
|
||||
metric_queue.authentication_count.Inc(labelvalues=['user', False])
|
||||
|
||||
# We weren't able to authenticate via basic auth.
|
||||
logger.debug('Basic auth present but could not be validated.')
|
||||
return False
|
||||
|
||||
|
||||
def has_basic_auth(username):
|
||||
|
@ -175,11 +188,11 @@ def _process_signed_grant(auth):
|
|||
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
||||
logger.debug('Not a token: %s', auth)
|
||||
return
|
||||
return False
|
||||
|
||||
if not normalized[1].startswith(SIGNATURE_PREFIX):
|
||||
logger.debug('Not a signed grant token: %s', auth)
|
||||
return
|
||||
return False
|
||||
|
||||
encrypted = normalized[1][len(SIGNATURE_PREFIX):]
|
||||
ser = SecureCookieSessionInterface().get_signing_serializer(app)
|
||||
|
@ -188,6 +201,7 @@ def _process_signed_grant(auth):
|
|||
token_data = ser.loads(encrypted, max_age=app.config['SIGNED_GRANT_EXPIRATION_SEC'])
|
||||
except BadSignature:
|
||||
logger.warning('Signed grant could not be validated: %s', encrypted)
|
||||
metric_queue.authentication_count.Inc(labelvalues=['signed', False])
|
||||
abort(401, message='Signed grant could not be validated: %(auth)s', issue='invalid-auth-token',
|
||||
auth=auth)
|
||||
|
||||
|
@ -203,6 +217,8 @@ def _process_signed_grant(auth):
|
|||
|
||||
loaded_identity.provides.update(token_data['grants'])
|
||||
identity_changed.send(app, identity=loaded_identity)
|
||||
metric_queue.authentication_count.Inc(labelvalues=['signed', True])
|
||||
return True
|
||||
|
||||
|
||||
def process_oauth(func):
|
||||
|
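Review bot: The log calls that sit beside the new `authentication_count` increments write the credential itself: `logger.warning('OAuth access token could not be validated: %s', token)`, `logger.debug('Successfully validated token: %s', credentials[1])`, and `logger.debug('Trying robot auth with credentials %s', str(credentials))` in `_process_basic_auth`, which includes the robot password. Now that the counter records each outcome by kind, the secret adds nothing to the log line, and a still-valid token in the logs is usable by anyone who can read them. I would drop the value, e.g. `logger.warning('OAuth access token could not be validated')`, and do the same for the expired-token, invalid-token and signed-grant messages. The `InvalidToken`/`ExpiredToken` messages and the `abort(401, ...)` call also embed the token or the raw header; whether those strings reach the response or an error tracker is not visible here, so that is worth checking. All three functions start or end outside the hunks shown.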
|