Basic auth: add metrics

Signed-off-by: Julien Pivotto <[email protected]>

Author: Julien Pivotto

go.mod

@@ -5,6 +5,7 @@ go 1.14
 require (
 	github.com/go-kit/kit v0.10.0
 	github.com/pkg/errors v0.9.1
+	github.com/prometheus/client_golang v1.7.1
 	github.com/prometheus/common v0.15.0
 	golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6

https/tls_config.go

@@ -26,6 +26,7 @@ import (
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
 	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus"
 	config_util "github.com/prometheus/common/config"
 	"gopkg.in/yaml.v2"
 )
@@ -176,18 +177,18 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
 
 // Listen starts the server on the given address. Based on the file
 // tlsConfigPath, TLS or basic auth could be enabled.
-func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
+func Listen(server *http.Server, tlsConfigPath string, logger log.Logger, r prometheus.Registerer) error {
 	listener, err := net.Listen("tcp", server.Addr)
 	if err != nil {
 		return err
 	}
 	defer listener.Close()
-	return Serve(listener, server, tlsConfigPath, logger)
+	return Serve(listener, server, tlsConfigPath, logger, r)
 }
 
 // Server starts the server on the given listener. Based on the file
 // tlsConfigPath, TLS or basic auth could be enabled.
-func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error {
+func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger, r prometheus.Registerer) error {
 	if tlsConfigPath == "" {
 		level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
 		return server.Serve(l)
@@ -202,11 +203,13 @@ func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log
 	if server.Handler != nil {
 		handler = server.Handler
 	}
-	server.Handler = &userAuthRoundtrip{
+	urt := &userAuthRoundtrip{
 		tlsConfigPath: tlsConfigPath,
 		logger:        logger,
 		handler:       handler,
 	}
+	urt.instrument(r)
+	server.Handler = urt
 
 	c, err := getConfig(tlsConfigPath)
 	if err != nil {

https/tls_config_test.go

@@ -319,7 +319,7 @@ func TestConfigReloading(t *testing.T) {
 				recordConnectionError(errors.New("Panic starting server"))
 			}
 		}()
-		err := Listen(server, badYAMLPath, testlogger)
+		err := Listen(server, badYAMLPath, testlogger, nil)
 		recordConnectionError(err)
 	}()
 
@@ -391,7 +391,7 @@ func (test *TestInputs) Test(t *testing.T) {
 				recordConnectionError(errors.New("Panic starting server"))
 			}
 		}()
-		err := Listen(server, test.YAMLConfigPath, testlogger)
+		err := Listen(server, test.YAMLConfigPath, testlogger, nil)
 		recordConnectionError(err)
 	}()
 

https/users.go

@@ -17,6 +17,7 @@ import (
 	"net/http"
 
 	"github.com/go-kit/kit/log"
+	"github.com/prometheus/client_golang/prometheus"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -37,14 +38,30 @@ func validateUsers(configPath string) error {
 }
 
 type userAuthRoundtrip struct {
-	tlsConfigPath string
-	handler       http.Handler
-	logger        log.Logger
+	tlsConfigPath   string
+	handler         http.Handler
+	logger          log.Logger
+	failuresCounter prometheus.Counter
+}
+
+func (u *userAuthRoundtrip) instrument(r prometheus.Registerer) {
+	u.failuresCounter = prometheus.NewCounter(
+		prometheus.CounterOpts{
+			Namespace: "prometheus_toolkit",
+			Subsystem: "https",
+			Name:      "request_basic_authentication_failures_total",
+			Help:      "Total number of requests rejected by basic authentication because of wrong username, password, or configuration.",
+		},
+	)
+	if r != nil {
+		r.MustRegister(u.failuresCounter)
+	}
 }
 
 func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	c, err := getConfig(u.tlsConfigPath)
 	if err != nil {
+		u.failuresCounter.Inc()
 		u.logger.Log("msg", "Unable to parse configuration", "err", err)
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return
@@ -65,6 +82,7 @@ func (u *userAuthRoundtrip) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	u.failuresCounter.Inc()
 	w.Header().Set("WWW-Authenticate", "Basic")
 	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 }