
authorJacob Vosmaer <jacob@gitlab.com>2019-10-21 23:48:10 +0300
committerPaul Okstad <pokstad@gitlab.com>2019-10-21 23:48:10 +0300
commite790dc9f28edaeb57e82560529b46e533725f0fb (patch)
tree6f9ffbe788ed4cc1a90aa6ef6d6cd3cbbccb0b1a
parent58572ba20bf16604be65a3c425db63757ac5894f (diff)
Count v2 auth error return paths
-rw-r--r--auth/token.go33
-rw-r--r--changelogs/unreleased/jv-count-hmac-errors.yml5
2 files changed, 35 insertions, 3 deletions
diff --git a/auth/token.go b/auth/token.go
index 6eb62e6d9..9355750aa 100644
--- a/auth/token.go
+++ b/auth/token.go
@@ -12,6 +12,7 @@ import (
"time"
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
+ "github.com/prometheus/client_golang/prometheus"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
@@ -23,8 +24,20 @@ const (
var (
errUnauthenticated = status.Errorf(codes.Unauthenticated, "authentication required")
errDenied = status.Errorf(codes.PermissionDenied, "permission denied")
+
+ authErrors = prometheus.NewCounterVec(
+ prometheus.CounterOpts{
+ Name: "gitaly_authentication_errors_total",
+ Help: "Counts of of Gitaly request authentication errors",
+ },
+ []string{"version", "error"},
+ )
)
+func init() {
+ prometheus.MustRegister(authErrors)
+}
+
// AuthInfo contains the authentication information coming from a request
type AuthInfo struct {
Version string
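Review bot: The Help text of the new `authErrors` counter has a doubled word, `Counts of of Gitaly request authentication errors`; it should read `Counts of Gitaly request authentication errors`. The `error` label value comes from whatever string is passed to countV2Error, so a comment on the declaration should pin the contract that keeps this safe: `// Label values must remain a small fixed set of literals chosen in this file; never derive them from request data, or metric cardinality becomes attacker-controlled.` As the title says, only the v2 path is instrumented here, so the `version` label will presumably only ever carry "v2" until the v1 path gets the same treatment.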
@@ -56,7 +69,7 @@ func CheckToken(ctx context.Context, secret string, targetTime time.Time) error
return nil
}
case "v2":
- if hmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThreshold) {
+ if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThreshold) {
return nil
}
}
@@ -93,14 +106,18 @@ func ExtractAuthInfo(ctx context.Context) (*AuthInfo, error) {
return &AuthInfo{Version: version, SignedMessage: decodedSig, Message: msg}, nil
}
-func hmacInfoValid(message string, signedMessage, secret []byte, targetTime time.Time, timestampThreshold time.Duration) bool {
+func countV2Error(message string) { authErrors.WithLabelValues("v2", message).Inc() }
+
+func v2HmacInfoValid(message string, signedMessage, secret []byte, targetTime time.Time, timestampThreshold time.Duration) bool {
expectedHMAC := hmacSign(secret, message)
if !hmac.Equal(signedMessage, expectedHMAC) {
+ countV2Error("wrong hmac signature")
return false
}
timestamp, err := strconv.ParseInt(message, 10, 64)
if err != nil {
+ countV2Error("cannot parse timestamp")
return false
}
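Review bot: v2HmacInfoValid and countV2Error are undocumented, and the one property a maintainer must not break here is check ordering: the constant-time `hmac.Equal` comparison runs before the timestamp is parsed, so the "cannot parse timestamp" and time-window counters can only be incremented by a caller already holding a valid signature, and an unauthenticated client can only ever drive the "wrong hmac signature" series. I would add above the function: `// v2HmacInfoValid verifies the HMAC over message before inspecting the timestamp it carries. Keep the hmac.Equal check first: only correctly signed requests should reach the timestamp branches and their counters.` The function's body continues past the end of this hunk.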
@@ -108,7 +125,17 @@ func hmacInfoValid(message string, signedMessage, secret []byte, targetTime time
lowerBound := targetTime.Add(-timestampThreshold)
upperBound := targetTime.Add(timestampThreshold)
- return issuedAt.After(lowerBound) && issuedAt.Before(upperBound)
+ if issuedAt.Before(lowerBound) {
+ countV2Error("timestamp too old")
+ return false
+ }
+
+ if issuedAt.After(upperBound) {
+ countV2Error("timestamp too new")
+ return false
+ }
+
+ return true
}
func hmacSign(secret []byte, message string) []byte {
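Review bot: The rewrite of the range check changes which timestamps are accepted at the edges, which a counting-only change should not do. The removed `issuedAt.After(lowerBound) && issuedAt.Before(upperBound)` rejected a timestamp equal to either bound, whereas the new `issuedAt.Before(lowerBound)` / `issuedAt.After(upperBound)` guards let exactly-equal values through; with second-granularity timestamps that widens the window by one second on each side, assuming issuedAt is built from the parsed seconds value, which is outside this hunk. To keep the original semantics, negate the old conditions instead: `if !issuedAt.After(lowerBound) {` for the too-old branch and `if !issuedAt.Before(upperBound) {` for the too-new branch. The enclosing v2HmacInfoValid starts before this hunk.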
diff --git a/changelogs/unreleased/jv-count-hmac-errors.yml b/changelogs/unreleased/jv-count-hmac-errors.yml
new file mode 100644
index 000000000..59968b324
--- /dev/null
+++ b/changelogs/unreleased/jv-count-hmac-errors.yml
@@ -0,0 +1,5 @@
+---
+title: Count v2 auth error return paths
+merge_request: 1568
+author:
+type: other