feat: improved tracing for authorizers (#1079)

ory · Mar 15, 2023 · b3aa0c3 · b3aa0c3
1 parent 12bdbe6
commit b3aa0c3
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 8 deletions.
diff --git a/driver/configuration/provider_koanf_public_test.go b/driver/configuration/provider_koanf_public_test.go
@@ -323,7 +323,8 @@ func TestKoanfProvider(t *testing.T) {
 		})
 
 		t.Run("authorizer=keto_engine_acp_ory", func(t *testing.T) {
-			a := authz.NewAuthorizerKetoEngineACPORY(p)
+			l := logrusx.New("", "")
+			a := authz.NewAuthorizerKetoEngineACPORY(p, otelx.NewNoop(l, p.TracingConfig()))
 			assert.True(t, p.AuthorizerIsEnabled(a.GetID()))
 			require.NoError(t, a.Validate(nil))
 

diff --git a/driver/registry_memory.go b/driver/registry_memory.go
@@ -380,7 +380,7 @@ func (r *RegistryMemory) prepareAuthz() {
 		interim := []authz.Authorizer{
 			authz.NewAuthorizerAllow(r.c),
 			authz.NewAuthorizerDeny(r.c),
-			authz.NewAuthorizerKetoEngineACPORY(r.c),
+			authz.NewAuthorizerKetoEngineACPORY(r.c, r),
 			authz.NewAuthorizerRemote(r.c, r),
 			authz.NewAuthorizerRemoteJSON(r.c, r),
 		}

diff --git a/pipeline/authz/keto_engine_acp_ory.go b/pipeline/authz/keto_engine_acp_ory.go
@@ -14,13 +14,15 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-retryablehttp"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/pipeline"
 	"github.com/ory/oathkeeper/pipeline/authn"
 	"github.com/ory/oathkeeper/x"
 
 	"github.com/ory/x/httpx"
+	"github.com/ory/x/otelx"
 	"github.com/ory/x/urlx"
 
 	"github.com/pkg/errors"
@@ -55,22 +57,25 @@ type AuthorizerKetoEngineACPORY struct {
 	client         *retryablehttp.Client
 	contextCreator authorizerKetoWardenContext
 	t              *template.Template
+	tracer         trace.Tracer
 }
 
-func NewAuthorizerKetoEngineACPORY(c configuration.Provider) *AuthorizerKetoEngineACPORY {
+func NewAuthorizerKetoEngineACPORY(c configuration.Provider, d interface{ Tracer() trace.Tracer }) *AuthorizerKetoEngineACPORY {
 	return &AuthorizerKetoEngineACPORY{
 		c: c,
 		client: httpx.NewResilientClient(
 			httpx.ResilientClientWithMaxRetryWait(100*time.Millisecond),
 			httpx.ResilientClientWithMaxRetry(5),
+			httpx.ResilientClientWithTracer(d.Tracer()),
 		),
 		contextCreator: func(r *http.Request) map[string]interface{} {
 			return map[string]interface{}{
 				"remoteIpAddress": realip.RealIP(r),
 				"requestedAt":     time.Now().UTC(),
 			}
 		},
-		t: x.NewTemplate("keto_engine_acp_ory"),
+		t:      x.NewTemplate("keto_engine_acp_ory"),
+		tracer: d.Tracer(),
 	}
 }
 
@@ -91,7 +96,11 @@ func (a *AuthorizerKetoEngineACPORY) WithContextCreator(f authorizerKetoWardenCo
 	a.contextCreator = f
 }
 
-func (a *AuthorizerKetoEngineACPORY) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthorizerKetoEngineACPORY) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) (err error) {
+	ctx, span := a.tracer.Start(r.Context(), "authz.keto_engine_acp_ory")
+	defer otelx.End(span, &err)
+	r = r.WithContext(ctx)
+
 	cf, err := a.Config(config)
 	if err != nil {
 		return err

diff --git a/pipeline/authz/keto_engine_acp_ory_test.go b/pipeline/authz/keto_engine_acp_ory_test.go
@@ -47,6 +47,7 @@ func TestAuthorizerKetoWarden(t *testing.T) {
 		expectErr bool
 	}{
 		{
+			r:         &http.Request{},
 			expectErr: true,
 		},
 		{

diff --git a/pipeline/authz/remote.go b/pipeline/authz/remote.go
@@ -15,6 +15,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/ory/x/httpx"
+	"github.com/ory/x/otelx"
 
 	"go.opentelemetry.io/otel/trace"
 
@@ -44,14 +45,16 @@ type AuthorizerRemote struct {
 
 	client *http.Client
 	t      *template.Template
+	tracer trace.Tracer
 }
 
 // NewAuthorizerRemote creates a new AuthorizerRemote.
 func NewAuthorizerRemote(c configuration.Provider, d interface{ Tracer() trace.Tracer }) *AuthorizerRemote {
 	return &AuthorizerRemote{
 		c:      c,
-		client: httpx.NewResilientClient().StandardClient(),
+		client: httpx.NewResilientClient(httpx.ResilientClientWithTracer(d.Tracer())).StandardClient(),
 		t:      x.NewTemplate("remote"),
+		tracer: d.Tracer(),
 	}
 }
 
@@ -61,7 +64,11 @@ func (a *AuthorizerRemote) GetID() string {
 }
 
 // Authorize implements the Authorizer interface.
-func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, rl pipeline.Rule) error {
+func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, rl pipeline.Rule) (err error) {
+	ctx, span := a.tracer.Start(r.Context(), "authz.remote")
+	defer otelx.End(span, &err)
+	r = r.WithContext(ctx)
+
 	c, err := a.Config(config)
 	if err != nil {
 		return err
@@ -174,6 +181,7 @@ func (a *AuthorizerRemote) Config(config json.RawMessage) (*AuthorizerRemoteConf
 	a.client = httpx.NewResilientClient(
 		httpx.ResilientClientWithMaxRetryWait(maxWait),
 		httpx.ResilientClientWithConnectionTimeout(timeout),
+		httpx.ResilientClientWithTracer(a.tracer),
 	).StandardClient()
 
 	return &c, nil

diff --git a/pipeline/authz/remote_json.go b/pipeline/authz/remote_json.go
@@ -15,6 +15,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/ory/x/httpx"
+	"github.com/ory/x/otelx"
 
 	"go.opentelemetry.io/otel/trace"
 
@@ -49,6 +50,7 @@ type AuthorizerRemoteJSON struct {
 
 	client *http.Client
 	t      *template.Template
+	tracer trace.Tracer
 }
 
 // NewAuthorizerRemoteJSON creates a new AuthorizerRemoteJSON.
@@ -57,6 +59,7 @@ func NewAuthorizerRemoteJSON(c configuration.Provider, d interface{ Tracer() tra
 		c:      c,
 		client: httpx.NewResilientClient(httpx.ResilientClientWithTracer(d.Tracer())).StandardClient(),
 		t:      x.NewTemplate("remote_json"),
+		tracer: d.Tracer(),
 	}
 }
 
@@ -66,7 +69,11 @@ func (a *AuthorizerRemoteJSON) GetID() string {
 }
 
 // Authorize implements the Authorizer interface.
-func (a *AuthorizerRemoteJSON) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthorizerRemoteJSON) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) (err error) {
+	ctx, span := a.tracer.Start(r.Context(), "authz.remote_json")
+	defer otelx.End(span, &err)
+	r = r.WithContext(ctx)
+
 	c, err := a.Config(config)
 	if err != nil {
 		return err
@@ -157,6 +164,7 @@ func (a *AuthorizerRemoteJSON) Config(config json.RawMessage) (*AuthorizerRemote
 	a.client = httpx.NewResilientClient(
 		httpx.ResilientClientWithMaxRetryWait(maxWait),
 		httpx.ResilientClientWithConnectionTimeout(timeout),
+		httpx.ResilientClientWithTracer(a.tracer),
 	).StandardClient()
 
 	return &c, nil