-
Notifications
You must be signed in to change notification settings - Fork 351
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add jwtMetrics filter that parses JWT token and increments a set of counters, see documentation for details. Signed-off-by: Alexander Yastrebov <[email protected]>
- Loading branch information
1 parent
36f8db4
commit 6a235e0
Showing
5 changed files
with
322 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
package auth | ||
|
||
import ( | ||
"fmt" | ||
"regexp" | ||
"slices" | ||
"strings" | ||
|
||
"github.com/ghodss/yaml" | ||
"github.com/zalando/skipper/filters" | ||
"github.com/zalando/skipper/jwt" | ||
) | ||
|
||
type ( | ||
jwtMetricsSpec struct{} | ||
|
||
jwtMetricsFilter struct { | ||
Issuers []string `json:"issuers,omitempty"` | ||
} | ||
) | ||
|
||
func NewJwtMetrics() filters.Spec { | ||
return &jwtMetricsSpec{} | ||
} | ||
|
||
func (s *jwtMetricsSpec) Name() string { | ||
return filters.JwtMetricsName | ||
} | ||
|
||
func (s *jwtMetricsSpec) CreateFilter(args []interface{}) (filters.Filter, error) { | ||
f := &jwtMetricsFilter{} | ||
|
||
if len(args) == 1 { | ||
if config, ok := args[0].(string); !ok { | ||
return nil, fmt.Errorf("requires single string argument") | ||
} else if err := yaml.Unmarshal([]byte(config), f); err != nil { | ||
return nil, fmt.Errorf("failed to parse configuration") | ||
} | ||
} else if len(args) > 1 { | ||
return nil, fmt.Errorf("requires single string argument") | ||
} | ||
|
||
return f, nil | ||
} | ||
|
||
func (f *jwtMetricsFilter) Request(ctx filters.FilterContext) {} | ||
|
||
func (f *jwtMetricsFilter) Response(ctx filters.FilterContext) { | ||
response := ctx.Response() | ||
|
||
if response.StatusCode >= 400 && response.StatusCode < 500 { | ||
return // ignore invalid requests | ||
} | ||
|
||
request := ctx.Request() | ||
|
||
metrics := ctx.Metrics() | ||
metricsPrefix := fmt.Sprintf("%s.%s.%d.", request.Method, escapeMetricKeySegment(request.Host), response.StatusCode) | ||
|
||
ahead := request.Header.Get("Authorization") | ||
if ahead == "" { | ||
metrics.IncCounter(metricsPrefix + "missing-token") | ||
return | ||
} | ||
|
||
tv := strings.TrimPrefix(ahead, "Bearer ") | ||
if tv == ahead { | ||
metrics.IncCounter(metricsPrefix + "invalid-token-type") | ||
return | ||
} | ||
|
||
if len(f.Issuers) > 0 { | ||
token, err := jwt.Parse(tv) | ||
if err != nil { | ||
metrics.IncCounter(metricsPrefix + "invalid-token") | ||
return | ||
} | ||
|
||
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1 | ||
if issuer, ok := token.Claims["iss"].(string); !ok { | ||
metrics.IncCounter(metricsPrefix + "missing-issuer") | ||
} else if !slices.Contains(f.Issuers, issuer) { | ||
metrics.IncCounter(metricsPrefix + "invalid-issuer") | ||
} | ||
} | ||
} | ||
|
||
var escapeMetricKeySegmentPattern = regexp.MustCompile("[^a-zA-Z0-9_]") | ||
|
||
func escapeMetricKeySegment(s string) string { | ||
return escapeMetricKeySegmentPattern.ReplaceAllLiteralString(s, "_") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,200 @@ | ||
package auth_test | ||
|
||
import ( | ||
"encoding/base64" | ||
"encoding/json" | ||
"net/http" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
"github.com/zalando/skipper/eskip" | ||
"github.com/zalando/skipper/filters/auth" | ||
"github.com/zalando/skipper/filters/filtertest" | ||
"github.com/zalando/skipper/metrics/metricstest" | ||
) | ||
|
||
func TestJwtMetrics(t *testing.T) { | ||
spec := auth.NewJwtMetrics() | ||
|
||
for _, tc := range []struct { | ||
name string | ||
def string | ||
request *http.Request | ||
response *http.Response | ||
expected map[string]int64 | ||
}{ | ||
{ | ||
name: "ignores 401 response", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test"}, | ||
response: &http.Response{StatusCode: http.StatusUnauthorized}, | ||
expected: map[string]int64{}, | ||
}, | ||
{ | ||
name: "ignores 403 response", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test"}, | ||
response: &http.Response{StatusCode: http.StatusForbidden}, | ||
expected: map[string]int64{}, | ||
}, | ||
{ | ||
name: "ignores 404 response", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test"}, | ||
response: &http.Response{StatusCode: http.StatusNotFound}, | ||
expected: map[string]int64{}, | ||
}, | ||
{ | ||
name: "missing-token", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test"}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{ | ||
"GET.foo_test.200.missing-token": 1, | ||
}, | ||
}, | ||
{ | ||
name: "invalid-token-type", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{"Basic foobarbaz"}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{ | ||
"GET.foo_test.200.invalid-token-type": 1, | ||
}, | ||
}, | ||
{ | ||
name: "invalid-token", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{"Bearer invalid-token"}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{ | ||
"GET.foo_test.200.invalid-token": 1, | ||
}, | ||
}, | ||
{ | ||
name: "missing-issuer", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{ | ||
"Bearer header." + marshalBase64JSON(t, map[string]any{"sub": "baz"}) + ".signature", | ||
}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{ | ||
"GET.foo_test.200.missing-issuer": 1, | ||
}, | ||
}, | ||
{ | ||
name: "invalid-issuer", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{ | ||
"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "baz"}) + ".signature", | ||
}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{ | ||
"GET.foo_test.200.invalid-issuer": 1, | ||
}, | ||
}, | ||
{ | ||
name: "no invalid-issuer for empty issuers", | ||
def: `jwtMetrics()`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{ | ||
"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "baz"}) + ".signature", | ||
}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{}, | ||
}, | ||
{ | ||
name: "no invalid-issuer when matches first", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{ | ||
"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "foo"}) + ".signature", | ||
}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{}, | ||
}, | ||
{ | ||
name: "no invalid-issuer when matches second", | ||
def: `jwtMetrics("{issuers: [foo, bar]}")`, | ||
request: &http.Request{Method: "GET", Host: "foo.test", | ||
Header: http.Header{"Authorization": []string{ | ||
"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "bar"}) + ".signature", | ||
}}, | ||
}, | ||
response: &http.Response{StatusCode: http.StatusOK}, | ||
expected: map[string]int64{}, | ||
}, | ||
} { | ||
t.Run(tc.name, func(t *testing.T) { | ||
args := eskip.MustParseFilters(tc.def)[0].Args | ||
|
||
filter, err := spec.CreateFilter(args) | ||
require.NoError(t, err) | ||
|
||
metrics := &metricstest.MockMetrics{} | ||
ctx := &filtertest.Context{ | ||
FRequest: tc.request, | ||
FMetrics: metrics, | ||
} | ||
filter.Request(ctx) | ||
ctx.FResponse = tc.response | ||
filter.Response(ctx) | ||
|
||
metrics.WithCounters(func(counters map[string]int64) { | ||
assert.Equal(t, tc.expected, counters) | ||
}) | ||
}) | ||
} | ||
} | ||
|
||
func TestJwtMetricsArgs(t *testing.T) { | ||
spec := auth.NewJwtMetrics() | ||
|
||
t.Run("valid", func(t *testing.T) { | ||
for _, def := range []string{ | ||
`jwtMetrics()`, | ||
`jwtMetrics("{issuers: [foo, bar]}")`, | ||
} { | ||
t.Run(def, func(t *testing.T) { | ||
args := eskip.MustParseFilters(def)[0].Args | ||
|
||
_, err := spec.CreateFilter(args) | ||
assert.NoError(t, err) | ||
}) | ||
} | ||
}) | ||
|
||
t.Run("invalid", func(t *testing.T) { | ||
for _, def := range []string{ | ||
`jwtMetrics("iss")`, | ||
`jwtMetrics(1)`, | ||
`jwtMetrics("iss", 1)`, | ||
} { | ||
t.Run(def, func(t *testing.T) { | ||
args := eskip.MustParseFilters(def)[0].Args | ||
|
||
_, err := spec.CreateFilter(args) | ||
assert.Error(t, err) | ||
}) | ||
} | ||
}) | ||
} | ||
|
||
func marshalBase64JSON(t *testing.T, v any) string { | ||
d, err := json.Marshal(v) | ||
if err != nil { | ||
t.Fatalf("failed to marshal json: %v, %v", v, err) | ||
} | ||
return base64.RawURLEncoding.EncodeToString(d) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters