trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

outposts: add outpost_name label to metrics 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-09-16 10:03:31 +02:00
parent 48ad3dccda
commit a6a6b3bd06
13 changed files with 105 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
internal/outpost/ldap/bind.go
View File

@ -42,10 +42,11 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
defer func() { defer func() {
span.Finish() span.Finish()
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"type": "bind", "outpost_name": ls.ac.Outpost.Name,
"filter": "", "type": "bind",
"dn": req.BindDN, "filter": "",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Observe(float64(span.EndTime.Sub(span.StartTime))) }).Observe(float64(span.EndTime.Sub(span.StartTime)))
req.log.WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request") req.log.WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
}() }()
@ -59,10 +60,11 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
} }
req.log.WithField("request", "bind").Warning("No provider found for request") req.log.WithField("request", "bind").Warning("No provider found for request")
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": ls.ac.Outpost.Name,
"reason": "no_provider", "type": "bind",
"dn": bindDN, "reason": "no_provider",
"client": utils.GetIP(conn.RemoteAddr()), "dn": bindDN,
"client": utils.GetIP(conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil
} }

45
internal/outpost/ldap/instance_bind.go
View File

@ -51,19 +51,21 @@ func (pi *ProviderInstance) Bind(username string, req BindRequest) (ldap.LDAPRes
passed, err := fe.Execute() passed, err := fe.Execute()
if !passed { if !passed {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": pi.outpostName,
"reason": "invalid_credentials", "type": "bind",
"dn": req.BindDN, "reason": "invalid_credentials",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.LDAPResultInvalidCredentials, nil return ldap.LDAPResultInvalidCredentials, nil
} }
if err != nil { if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": pi.outpostName,
"reason": "flow_error", "type": "bind",
"dn": req.BindDN, "reason": "flow_error",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
req.log.WithError(err).Warning("failed to execute flow") req.log.WithError(err).Warning("failed to execute flow")
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil
@ -73,19 +75,21 @@ func (pi *ProviderInstance) Bind(username string, req BindRequest) (ldap.LDAPRes
if !access { if !access {
req.log.Info("Access denied for user") req.log.Info("Access denied for user")
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": pi.outpostName,
"reason": "access_denied", "type": "bind",
"dn": req.BindDN, "reason": "access_denied",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.LDAPResultInsufficientAccessRights, nil return ldap.LDAPResultInsufficientAccessRights, nil
} }
if err != nil { if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": pi.outpostName,
"reason": "access_check_fail", "type": "bind",
"dn": req.BindDN, "reason": "access_check_fail",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
req.log.WithError(err).Warning("failed to check access") req.log.WithError(err).Warning("failed to check access")
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil
@ -96,10 +100,11 @@ func (pi *ProviderInstance) Bind(username string, req BindRequest) (ldap.LDAPRes
userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute() userInfo, _, err := fe.ApiClient().CoreApi.CoreUsersMeRetrieve(context.Background()).Execute()
if err != nil { if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "bind", "outpost_name": pi.outpostName,
"reason": "user_info_fail", "type": "bind",
"dn": req.BindDN, "reason": "user_info_fail",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
req.log.WithError(err).Warning("failed to get user info") req.log.WithError(err).Warning("failed to get user info")
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil

54
internal/outpost/ldap/instance_search.go
View File

@ -36,28 +36,31 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
filterEntity, err := ldap.GetFilterObjectClass(req.Filter) filterEntity, err := ldap.GetFilterObjectClass(req.Filter)
if err != nil { if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "filter_parse_fail", "type": "search",
"dn": req.BindDN, "reason": "filter_parse_fail",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
} }
if len(req.BindDN) < 1 { if len(req.BindDN) < 1 {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "empty_bind_dn", "type": "search",
"dn": req.BindDN, "reason": "empty_bind_dn",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
} }
if !strings.HasSuffix(req.BindDN, baseDN) { if !strings.HasSuffix(req.BindDN, baseDN) {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "invalid_bind_dn", "type": "search",
"dn": req.BindDN, "reason": "invalid_bind_dn",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, pi.BaseDN) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, pi.BaseDN)
} }
@ -68,10 +71,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
if !ok { if !ok {
pi.log.Debug("User info not cached") pi.log.Debug("User info not cached")
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "user_info_not_cached", "type": "search",
"dn": req.BindDN, "reason": "user_info_not_cached",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied") return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
} }
@ -84,10 +88,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
parsedFilter, err := ldap.CompileFilter(req.Filter) parsedFilter, err := ldap.CompileFilter(req.Filter)
if err != nil { if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "filter_parse_fail", "type": "search",
"dn": req.BindDN, "reason": "filter_parse_fail",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
} }
@ -99,10 +104,11 @@ func (pi *ProviderInstance) Search(req SearchRequest) (ldap.ServerSearchResult,
switch filterEntity { switch filterEntity {
default: default:
metrics.RequestsRejected.With(prometheus.Labels{ metrics.RequestsRejected.With(prometheus.Labels{
"type": "search", "outpost_name": pi.outpostName,
"reason": "unhandled_filter_type", "type": "search",
"dn": req.BindDN, "reason": "unhandled_filter_type",
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Inc() }).Inc()
return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, req.Filter) return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: unhandled filter type: %s [%s]", filterEntity, req.Filter)
case GroupObjectClass: case GroupObjectClass:

6
internal/outpost/ldap/ldap.go
View File

@ -29,9 +29,9 @@ type ProviderInstance struct {
s *LDAPServer s *LDAPServer
log *log.Entry log *log.Entry
tlsServerName *string tlsServerName *string
cert *tls.Certificate cert *tls.Certificate
outpostName string
searchAllowedGroups []*strfmt.UUID searchAllowedGroups []*strfmt.UUID
boundUsersMutex sync.RWMutex boundUsersMutex sync.RWMutex
boundUsers map[string]UserFlags boundUsers map[string]UserFlags

4
internal/outpost/ldap/metrics/metrics.go
View File

@ -13,11 +13,11 @@ var (
Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_outpost_ldap_requests", Name: "authentik_outpost_ldap_requests",
Help: "The total number of configured providers", Help: "The total number of configured providers",
}, []string{"type", "dn", "filter", "client"}) }, []string{"outpost_name", "type", "dn", "filter", "client"})
RequestsRejected = promauto.NewCounterVec(prometheus.CounterOpts{ RequestsRejected = promauto.NewCounterVec(prometheus.CounterOpts{
Name: "authentik_outpost_ldap_requests_rejected", Name: "authentik_outpost_ldap_requests_rejected",
Help: "Total number of rejected requests", Help: "Total number of rejected requests",
}, []string{"type", "reason", "dn", "client"}) }, []string{"outpost_name", "type", "reason", "dn", "client"})
) )
func RunServer() { func RunServer() {

1
internal/outpost/ldap/api.go → internal/outpost/ldap/refresh.go
View File

@ -50,6 +50,7 @@ func (ls *LDAPServer) Refresh() error {
tlsServerName: provider.TlsServerName, tlsServerName: provider.TlsServerName,
uidStartNumber: *provider.UidStartNumber, uidStartNumber: *provider.UidStartNumber,
gidStartNumber: *provider.GidStartNumber, gidStartNumber: *provider.GidStartNumber,
outpostName: ls.ac.Outpost.Name,
} }
if provider.Certificate.Get() != nil { if provider.Certificate.Get() != nil {
kp := provider.Certificate.Get() kp := provider.Certificate.Get()

9
internal/outpost/ldap/search.go
View File

@ -46,10 +46,11 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
defer func() { defer func() {
span.Finish() span.Finish()
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"type": "search", "outpost_name": ls.ac.Outpost.Name,
"filter": req.Filter, "type": "search",
"dn": req.BindDN, "filter": req.Filter,
"client": utils.GetIP(req.conn.RemoteAddr()), "dn": req.BindDN,
"client": utils.GetIP(req.conn.RemoteAddr()),
}).Observe(float64(span.EndTime.Sub(span.StartTime))) }).Observe(float64(span.EndTime.Sub(span.StartTime)))
req.log.WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request") req.log.WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
}() }()

19
internal/outpost/proxyv2/application/application.go
View File

@ -31,6 +31,7 @@ type Application struct {
endpint OIDCEndpoint endpint OIDCEndpoint
oauthConfig oauth2.Config oauthConfig oauth2.Config
tokenVerifier *oidc.IDTokenVerifier tokenVerifier *oidc.IDTokenVerifier
outpostName string
sessions sessions.Store sessions sessions.Store
proxyConfig api.ProxyOutpostConfig proxyConfig api.ProxyOutpostConfig
@ -40,7 +41,7 @@ type Application struct {
mux *mux.Router mux *mux.Router
} }
func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore, akHost string) *Application { func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore, ak *ak.APIController) *Application {
gob.Register(Claims{}) gob.Register(Claims{})
externalHost, err := url.Parse(p.ExternalHost) externalHost, err := url.Parse(p.ExternalHost)
@ -56,7 +57,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
}) })
// Configure an OpenID Connect aware OAuth2 client. // Configure an OpenID Connect aware OAuth2 client.
endpoint := GetOIDCEndpoint(p, akHost) endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
oauth2Config := oauth2.Config{ oauth2Config := oauth2.Config{
ClientID: *p.ClientId, ClientID: *p.ClientId,
ClientSecret: *p.ClientSecret, ClientSecret: *p.ClientSecret,
@ -68,6 +69,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
a := &Application{ a := &Application{
Host: externalHost.Host, Host: externalHost.Host,
log: log.WithField("logger", "authentik.outpost.proxy.bundle").WithField("provider", p.Name), log: log.WithField("logger", "authentik.outpost.proxy.bundle").WithField("provider", p.Name),
outpostName: ak.Outpost.Name,
endpint: endpoint, endpint: endpoint,
oauthConfig: oauth2Config, oauthConfig: oauth2Config,
tokenVerifier: verifier, tokenVerifier: verifier,
@ -103,12 +105,13 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
inner.ServeHTTP(rw, r) inner.ServeHTTP(rw, r)
after := time.Since(before) after := time.Since(before)
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"type": "app", "outpost_name": a.outpostName,
"scheme": r.URL.Scheme, "type": "app",
"method": r.Method, "scheme": r.URL.Scheme,
"path": r.URL.Path, "method": r.Method,
"host": web.GetHost(r), "path": r.URL.Path,
"user": user, "host": web.GetHost(r),
"user": user,
}).Observe(float64(after)) }).Observe(float64(after))
}) })
}) })

1
internal/outpost/proxyv2/application/mode_proxy.go
View File

@ -50,6 +50,7 @@ func (a *Application) configureProxy() error {
user = claims.Email user = claims.Email
} }
metrics.UpstreamTiming.With(prometheus.Labels{ metrics.UpstreamTiming.With(prometheus.Labels{
"outpost_name": a.outpostName,
"upstream_host": u.String(), "upstream_host": u.String(),
"scheme": r.URL.Scheme, "scheme": r.URL.Scheme,
"method": r.Method, "method": r.Method,

9
internal/outpost/proxyv2/application/utils.go
View File

@ -44,15 +44,6 @@ func (a *Application) getClaims(r *http.Request) (*Claims, error) {
return &c, nil return &c, nil
} }
func contains(s []string, e string) bool {
for _, a := range s {
if a == e {
return true
}
}
return false
}
// toString Generic to string function, currently supports actual strings and integers // toString Generic to string function, currently supports actual strings and integers
func toString(in interface{}) string { func toString(in interface{}) string {
switch v := in.(type) { switch v := in.(type) {

26
internal/outpost/proxyv2/handlers.go
View File

@ -15,12 +15,13 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(204) rw.WriteHeader(204)
after := time.Since(before) after := time.Since(before)
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"method": r.Method, "outpost_name": ps.akAPI.Outpost.Name,
"schema": r.URL.Scheme, "method": r.Method,
"path": r.URL.Path, "schema": r.URL.Scheme,
"host": web.GetHost(r), "path": r.URL.Path,
"type": "ping", "host": web.GetHost(r),
"user": "", "type": "ping",
"user": "",
}).Observe(float64(after)) }).Observe(float64(after))
} }
@ -30,12 +31,13 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
http.StripPrefix("/akprox/static", staticFs).ServeHTTP(rw, r) http.StripPrefix("/akprox/static", staticFs).ServeHTTP(rw, r)
after := time.Since(before) after := time.Since(before)
metrics.Requests.With(prometheus.Labels{ metrics.Requests.With(prometheus.Labels{
"method": r.Method, "outpost_name": ps.akAPI.Outpost.Name,
"schema": r.URL.Scheme, "method": r.Method,
"path": r.URL.Path, "schema": r.URL.Scheme,
"host": web.GetHost(r), "path": r.URL.Path,
"type": "ping", "host": web.GetHost(r),
"user": "", "type": "ping",
"user": "",
}).Observe(float64(after)) }).Observe(float64(after))
} }

4
internal/outpost/proxyv2/metrics/metrics.go
View File

@ -13,11 +13,11 @@ var (
Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_outpost_proxy_requests", Name: "authentik_outpost_proxy_requests",
Help: "The total number of configured providers", Help: "The total number of configured providers",
}, []string{"method", "scheme", "path", "host", "type", "user"}) }, []string{"outpost_name", "method", "scheme", "path", "host", "type", "user"})
UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{ UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_outpost_proxy_upstream_time", Name: "authentik_outpost_proxy_upstream_time",
Help: "A summary of the duration we wait for the upstream reply", Help: "A summary of the duration we wait for the upstream reply",
}, []string{"method", "scheme", "path", "host", "upstream_host", "user"}) }, []string{"outpost_name", "method", "scheme", "path", "host", "upstream_host", "user"})
) )
func RunServer() { func RunServer() {

2
internal/outpost/proxyv2/refresh.go
View File

@ -24,7 +24,7 @@ func (ps *ProxyServer) Refresh() error {
hc := &http.Client{ hc := &http.Client{
Transport: ak.NewUserAgentTransport(constants.OutpostUserAgent()+ua, ak.NewTracingTransport(context.TODO(), ak.GetTLSTransport())), Transport: ak.NewUserAgentTransport(constants.OutpostUserAgent()+ua, ak.NewTracingTransport(context.TODO(), ak.GetTLSTransport())),
} }
a := application.NewApplication(provider, hc, ps.cryptoStore, ps.akAPI.Outpost.Config["authentik_host"].(string)) a := application.NewApplication(provider, hc, ps.cryptoStore, ps.akAPI)
apps[a.Host] = a apps[a.Host] = a
} }
ps.apps = apps ps.apps = apps