Add duration/count metrics to PKI issue and revoke flows (#13889)

* Add duration/count metrics to PKI issue and revoke flows * docs, changelog * tidy * last tidy * remove err * Update callsites * Simple returns * Handle the fact that test cases don't have namespaces * Add mount point to the request * fmt * Handle empty mount point, and add it to unit tests * improvement * Turns out sign-verbatim is tricky, it can take a role but doesn't have to * Get around the field schema problem
2025-11-02 03:27:54 +00:00 · 2022-02-08 10:37:40 -06:00
parent f267c3ad74
commit 5e66ff9a27
6 changed files with 152 additions and 81 deletions
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -2,14 +2,24 @@ package pki

 import (
 	"context"
+	"fmt"
 	"strings"
 	"sync"
 	"time"

+	"github.com/armon/go-metrics"
+	"github.com/hashicorp/vault/helper/metricsutil"
+	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 )

+const (
+	noRole       = 0
+	roleOptional = 1
+	roleRequired = 2
+)
+
 // Factory creates a new backend implementing the logical.Backend interface
 func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
 	b := Backend(conf)
@@ -106,7 +116,10 @@ type backend struct {
 	tidyStatus     *tidyStatus
 }

-type tidyStatusState int
+type (
+	tidyStatusState int
+	roleOperation   func(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry) (*logical.Response, error)
+)

 const (
 	tidyStatusInactive tidyStatusState = iota
@@ -137,3 +150,60 @@ The PKI backend dynamically generates X509 server and client certificates.
 After mounting this backend, configure the CA using the "pem_bundle" endpoint within
 the "config/" path.
 `
+
+func metricsKey(req *logical.Request, extra ...string) []string {
+	if req == nil || req.MountPoint == "" {
+		return extra
+	}
+	key := make([]string, len(extra)+1)
+	key[0] = req.MountPoint[:len(req.MountPoint)-1]
+	copy(key[1:], extra)
+	return key
+}
+
+func (b *backend) metricsWrap(callType string, roleMode int, ofunc roleOperation) framework.OperationFunc {
+	return func(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+		key := metricsKey(req, callType)
+		var role *roleEntry
+		var labels []metrics.Label
+		var err error
+
+		var roleName string
+		switch roleMode {
+		case roleRequired:
+			roleName = data.Get("role").(string)
+		case roleOptional:
+			r, ok := data.GetOk("role")
+			if ok {
+				roleName = r.(string)
+			}
+		}
+		if roleMode > noRole {
+			// Get the role
+			role, err = b.getRole(ctx, req.Storage, roleName)
+			if err != nil {
+				return nil, err
+			}
+			if role == nil && roleMode == roleRequired {
+				return logical.ErrorResponse(fmt.Sprintf("unknown role: %s", roleName)), nil
+			}
+			labels = []metrics.Label{{"role", roleName}}
+		}
+
+		ns, err := namespace.FromContext(ctx)
+		if err == nil {
+			labels = append(labels, metricsutil.NamespaceLabel(ns))
+		}
+
+		start := time.Now()
+		defer metrics.MeasureSinceWithLabels(key, start, labels)
+		resp, err := ofunc(ctx, req, data, role)
+
+		if err != nil || resp.IsError() {
+			metrics.IncrCounterWithLabels(append(key, "failure"), 1.0, labels)
+		} else {
+			metrics.IncrCounterWithLabels(key, 1.0, labels)
+		}
+		return resp, err
+	}
+}