Add metrics for tracking when instance key renewal succeeds and fails, as well as when instance key *lookup* fails

2017-11-10 15:46:09 -05:00 · 2017-11-10 15:46:09 -05:00 · bbdf9e074c
commit bbdf9e074c
parent a927ce3e0f
10 changed files with 61 additions and 24 deletions
--- a/util/metrics/metricqueue.py
+++ b/util/metrics/metricqueue.py
@ -102,6 +102,18 @@ class MetricQueue(object):
    self.org_count = prom.create_gauge('org_count', 'Number of Organizations')
    self.robot_count = prom.create_gauge('robot_count', 'Number of robot accounts')

+    self.instance_key_renewal_success = prom.create_counter('instance_key_renewal_success',
+                                                            'Instance Key Renewal Success Count',
+                                                            labelnames=['key_id'])
+
+    self.instance_key_renewal_failure = prom.create_counter('instance_key_renewal_failure',
+                                                            'Instance Key Renewal Failure Count',
+                                                            labelnames=['key_id'])
+
+    self.invalid_instance_key_count = prom.create_counter('invalid_registry_instance_key_count',
+                                                          'Invalid registry instance key count',
+                                                          labelnames=['key_id'])
+
    # Deprecated: Define an in-memory queue for reporting metrics to CloudWatch or another
    # provider.
    self._queue = None
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@ -22,7 +22,7 @@ class InvalidBearerTokenException(Exception):
  pass


-def decode_bearer_header(bearer_header, instance_keys, config):
+def decode_bearer_header(bearer_header, instance_keys, config, metric_queue=None):
  """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
      a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
      raises an InvalidBearerTokenException with the reason for failure.
@ -34,10 +34,10 @@ def decode_bearer_header(bearer_header, instance_keys, config):

  encoded_jwt = match.group(1)
  logger.debug('encoded JWT: %s', encoded_jwt)
-  return decode_bearer_token(encoded_jwt, instance_keys, config)
+  return decode_bearer_token(encoded_jwt, instance_keys, config, metric_queue=metric_queue)


-def decode_bearer_token(bearer_token, instance_keys, config):
+def decode_bearer_token(bearer_token, instance_keys, config, metric_queue=None):
  """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
      encoded JWT and returns the decoded and validated JWT. On any error, raises an
      InvalidBearerTokenException with the reason for failure.
@ -52,6 +52,9 @@ def decode_bearer_token(bearer_token, instance_keys, config):
  # Find the matching public key.
  public_key = instance_keys.get_service_key_public_key(kid)
  if public_key is None:
+    if metric_queue is not None:
+      metric_queue.invalid_instance_key_count.Inc(labelvalues=[kid])
+
    logger.error('Could not find requested service key %s with encoded JWT: %s', kid, bearer_token)
    raise InvalidBearerTokenException('Unknown service key')