add metrics/observability capability OIDCMetricsData/OIDCMetricsPublish

bump to 2.4.15rc8 Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Dec 14, 2023 · ad677c6 · ad677c6
1 parent 82ad435
commit ad677c6
Show file tree

Hide file tree

Showing 9 changed files with 1,027 additions and 34 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+12/14/2023
+- add metrics collection capability, configured with OIDCMetricsData and retrieved through OIDCMetricsPublish
+- bump to 2.4.15rc8
+
 11/30/2023
 - fix SSL server certificate validation when revoking tokens
   apply `OIDCSSLValidateServer` setting rather than `OIDCOAuthSSLValidateServer` in `oidc_revoke_tokens`

diff --git a/Makefile.am b/Makefile.am
@@ -7,6 +7,7 @@ libauth_openidc_la_SOURCES = \
 	src/cache/file.c \
 	src/cache/shm.c \
 	src/cache/common.c \
+	src/metrics.c \
 	src/oauth.c \
 	src/proto.c \
 	src/config.c \
@@ -56,6 +57,7 @@ noinst_HEADERS = \
 	src/const.h \
 	src/jose.h \
 	src/parse.h \
+	src/metrics.h \
 	src/cache/cache.h \
 	src/pcre_subst.h
 

diff --git a/auth_openidc.conf b/auth_openidc.conf
@@ -1011,6 +1011,23 @@
 # When not defined the session hook will not return any data but a HTTP 404
 #OIDCInfoHook [iat|access_token|access_token_expires|id_token|id_token_hint|userinfo|refresh_token|exp|timeout|remote_user|session]+
 
+# Specify metrics that you wish to collect and keep in shared memory for retrieval.
+# Supported metrics classes are:
+#   authtype: the authentication handler type split out per AuthType: openid-connect, oauth20, auth-openidc
+#   redirect_uri: requests to the redirect_uri
+#   authn: authentication request generation and response processing
+#   session: existing session handling
+#   content: requests to the content handler, split out per types of request (info, metrics, jwks, etc.)
+# When not defined no metrics will be recorded.
+#OIDCMetricsData [ authtype | redirect_uri | authn | session | content ]+
+
+# Specify the path where metrics are published and can be consumed.
+# The "format=<format>" parameter can be passed to specify the format of the data.
+# The default is "prometheus", "json" is also supported.
+# Protect protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port.
+# When not defined, no metrics will be published on the enclosing vhost.
+#OIDCMetricsPublish <path>
+
 # Specify claims that should be removed from the userinfo and/or id_token before storing them in the session.
 # Note that OIDCBlackListedClaims takes precedence over OIDCWhiteListedClaims
 # When not defined no claims are blacklisted and all claims are stored except when OIDCWhiteListedClaims is used.

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc7],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.15rc8],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/config.c b/src/config.c
@@ -41,7 +41,12 @@
  * @Author: Hans Zandbelt - [email protected]
  */
 
+// clang-format off
+
 #include "mod_auth_openidc.h"
+#include "metrics.h"
+
+// clang-format on
 
 #include <curl/curl.h>
 
@@ -1124,6 +1129,14 @@ static const char *oidc_set_info_hook_data(cmd_parms *cmd, void *m, const char *
 	return OIDC_CONFIG_DIR_RV(cmd, rv);
 }
 
+static const char *oidc_set_metrics_hook_data(cmd_parms *cmd, void *m, const char *arg) {
+	oidc_cfg *cfg = (oidc_cfg *)ap_get_module_config(cmd->server->module_config, &auth_openidc_module);
+	if (cfg->metrics_hook_data == NULL)
+		cfg->metrics_hook_data = apr_hash_make(cmd->pool);
+	apr_hash_set(cfg->metrics_hook_data, arg, APR_HASH_KEY_STRING, arg);
+	return NULL;
+}
+
 static const char *oidc_set_filtered_claims(cmd_parms *cmd, void *m, const char *arg) {
 	oidc_cfg *cfg = (oidc_cfg *)ap_get_module_config(cmd->server->module_config, &auth_openidc_module);
 	int offset = (int)(long)cmd->info;
@@ -1642,6 +1655,9 @@ void *oidc_create_server_config(apr_pool_t *pool, server_rec *svr) {
 	c->provider_metadata_refresh_interval = OIDC_DEFAULT_PROVIDER_METADATA_REFRESH_INTERVAL;
 
 	c->info_hook_data = NULL;
+	c->metrics_hook_data = NULL;
+	c->metrics_path = NULL;
+
 	c->black_listed_claims = NULL;
 	c->white_listed_claims = NULL;
 	c->filter_claims_expr = NULL;
@@ -1888,6 +1904,9 @@ void *oidc_merge_server_config(apr_pool_t *pool, void *BASE, void *ADD) {
 		: base->provider_metadata_refresh_interval;
 
 	c->info_hook_data = add->info_hook_data != NULL ? add->info_hook_data : base->info_hook_data;
+	c->metrics_hook_data = add->metrics_hook_data != NULL ? add->metrics_hook_data : base->metrics_hook_data;
+	c->metrics_path = add->metrics_path != NULL ? add->metrics_path : base->metrics_path;
+
 	c->black_listed_claims =
 	    add->black_listed_claims != NULL ? add->black_listed_claims : base->black_listed_claims;
 	c->white_listed_claims =
@@ -2439,6 +2458,11 @@ static apr_status_t oidc_cleanup_child(void *data) {
 				oidc_serror(sp, "oidc_cache_mutex_destroy on refresh mutex failed");
 			}
 		}
+		if (cfg->metrics_hook_data != NULL) {
+			if (oidc_metrics_cache_cleanup(sp) != APR_SUCCESS) {
+				oidc_serror(sp, "oidc_metrics_cache_cleanup failed");
+			}
+		}
 		sp = sp->next;
 	}
 
@@ -2548,6 +2572,10 @@ static int oidc_post_config(apr_pool_t *pool, apr_pool_t *p1, apr_pool_t *p2, se
 			if (oidc_cache_mutex_post_config(sp, cfg->refresh_mutex, "refresh") != TRUE)
 				return HTTP_INTERNAL_SERVER_ERROR;
 		}
+		if (cfg->metrics_hook_data != NULL) {
+			if (oidc_metrics_cache_post_config(s) != TRUE)
+				return HTTP_INTERNAL_SERVER_ERROR;
+		}
 		sp = sp->next;
 	}
 
@@ -2617,6 +2645,11 @@ static void oidc_child_init(apr_pool_t *p, server_rec *s) {
 				oidc_serror(sp, "oidc_cache_mutex_child_init on refresh mutex failed");
 			}
 		}
+		if (cfg->metrics_hook_data != NULL) {
+			if (oidc_metrics_cache_child_init(p, s) != APR_SUCCESS) {
+				oidc_serror(sp, "oidc_metrics_cache_child_init failed");
+			}
+		}
 		sp = sp->next;
 	}
 	apr_pool_cleanup_register(p, s, oidc_cleanup_child, apr_pool_cleanup_null);
@@ -3365,6 +3398,16 @@ const command_rec oidc_config_cmds[] = {
 				(void *)APR_OFFSETOF(oidc_cfg, info_hook_data),
 				RSRC_CONF,
 				"The data that will be returned from the info hook."),
+		AP_INIT_ITERATE(OIDCMetricsData,
+				oidc_set_metrics_hook_data,
+				(void *)APR_OFFSETOF(oidc_cfg, metrics_hook_data),
+				RSRC_CONF,
+				"The data that will be returned from the metrics hook."),
+		AP_INIT_TAKE1(OIDCMetricsPublish,
+				oidc_set_string_slot,
+				(void *)APR_OFFSETOF(oidc_cfg, metrics_path),
+				RSRC_CONF,
+				"Define the URL where the metrics will be published (e.g.: /metrics)"),
 		AP_INIT_ITERATE(OIDCBlackListedClaims,
 				oidc_set_filtered_claims,
 				(void *) APR_OFFSETOF(oidc_cfg, black_listed_claims),