Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Enable Auth Observability Metrics #509

Merged
merged 25 commits into from
May 2, 2024
Merged
Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
e74bf89
feat: Initate Metrics Trait
yash30201 Dec 14, 2023
b01646a
feat: Enable Service Api Metrics
yash30201 Dec 14, 2023
73e9ee3
feat: Enable Token Endpoint Metrics
yash30201 Dec 14, 2023
e1f1e08
fix: Remove the anit pattern
yash30201 Dec 15, 2023
fa36906
fix: Correct applyMetricHeader method name
yash30201 Dec 15, 2023
134ebdc
Merge branch 'main' into metrics-with-trait
yash30201 Dec 15, 2023
7c2b605
Finalise PR
yash30201 Dec 19, 2023
bfe2cfe
nit fix
yash30201 Dec 19, 2023
3fc4be9
fix: Nit fix on docs
yash30201 Dec 19, 2023
1c383b0
PR self review
yash30201 Dec 19, 2023
aca9108
fix: Static analysis fix and updatemetadata logic correction
yash30201 Dec 19, 2023
2640b97
Self review:
yash30201 Dec 19, 2023
7a4b456
Merge branch 'main' into metrics-with-trait
bshaffer Dec 28, 2023
0293833
PR Iteration
yash30201 Jan 3, 2024
06b368f
Fix the service api usage metrics logic
yash30201 Jan 4, 2024
fce1cea
Update documentation
yash30201 Jan 4, 2024
43c525a
Remove directory separator usage
yash30201 Jan 4, 2024
661c3ba
Merge branch 'main' into metrics-with-trait
yash30201 Jan 4, 2024
d9ffad8
Merge branch 'main' into metrics-with-trait
yash30201 Jan 5, 2024
c70ff2e
Nit fix
yash30201 Jan 5, 2024
d4cc704
iteration
yash30201 Apr 30, 2024
8f7a74a
Merge branch 'main' into metrics-with-trait
bshaffer Apr 30, 2024
e71c48e
Update static reference
yash30201 Apr 30, 2024
16e0b72
Apply suggestions from code review
bshaffer May 2, 2024
1cf34d6
Merge branch 'main' into metrics-with-trait
bshaffer May 2, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions src/Credentials/ExternalAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
use Google\Auth\GetQuotaProjectInterface;
use Google\Auth\HttpHandler\HttpClientCache;
use Google\Auth\HttpHandler\HttpHandlerFactory;
use Google\Auth\MetricsTrait;
use Google\Auth\OAuth2;
use Google\Auth\UpdateMetadataInterface;
use Google\Auth\UpdateMetadataTrait;
Expand All @@ -34,6 +35,7 @@
class ExternalAccountCredentials implements FetchAuthTokenInterface, UpdateMetadataInterface, GetQuotaProjectInterface
{
use UpdateMetadataTrait;
use MetricsTrait;
yash30201 marked this conversation as resolved.
Show resolved Hide resolved

private const EXTERNAL_ACCOUNT_TYPE = 'external_account';

Expand Down
41 changes: 37 additions & 4 deletions src/Credentials/GCECredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,13 @@ class GCECredentials extends CredentialsLoader implements
*/
protected $lastReceivedToken;

/**
* Used in observability metric headers
*
* @var string
*/
protected $credType = 'cred-type/mds';

/**
* @var string|null
*/
Expand Down Expand Up @@ -308,6 +315,20 @@ private static function getProjectIdUri()
return $base . self::PROJECT_ID_URI_PATH;
}

/**
* @return array<mixed>
*/
private static function getMdsPingHeader()
{
return [
self::$metricsHeaderKey => [sprintf(
'gl-php/%s auth/%s auth-request-type/mds',
PHP_VERSION,
self::getVersion()
)]
];
}

/**
* The full uri for accessing the default universe domain.
*
Expand Down Expand Up @@ -359,7 +380,7 @@ public static function onGce(callable $httpHandler = null)
new Request(
'GET',
$checkUri,
[self::FLAVOR_HEADER => 'Google']
[self::FLAVOR_HEADER => 'Google'] + self::getMdsPingHeader()
),
['timeout' => self::COMPUTE_PING_CONNECTION_TIMEOUT_S]
);
Expand Down Expand Up @@ -421,7 +442,16 @@ public function fetchAuthToken(callable $httpHandler = null)
return []; // return an empty array with no access token
}

$response = $this->getFromMetadata($httpHandler, $this->tokenUri);
$isAccessTokenRequest = true;
if (!is_null($this->targetAudience)) {
$isAccessTokenRequest = false;
}

$metricsHeader = $this->applyMetricsHeader(
[],
$this->getTokenEndpointMetricsHeaderValue($isAccessTokenRequest)
);
$response = $this->getFromMetadata($httpHandler, $this->tokenUri, $metricsHeader);

if ($this->targetAudience) {
return ['id_token' => $response];
Expand Down Expand Up @@ -581,15 +611,18 @@ public function getUniverseDomain(callable $httpHandler = null): string
*
* @param callable $httpHandler An HTTP Handler to deliver PSR7 requests.
* @param string $uri The metadata URI.
* @param array<mixed> $metricsHeader [optional] If present, add these headers to the token
* endpoint request.
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
*
* @return string
*/
private function getFromMetadata(callable $httpHandler, $uri)
private function getFromMetadata(callable $httpHandler, $uri, array $metricsHeader = [])
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
{
$resp = $httpHandler(
new Request(
'GET',
$uri,
[self::FLAVOR_HEADER => 'Google']
[self::FLAVOR_HEADER => 'Google'] + $metricsHeader
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
)
);

Expand Down
15 changes: 14 additions & 1 deletion src/Credentials/ImpersonatedServiceAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,13 @@ class ImpersonatedServiceAccountCredentials extends CredentialsLoader implements
*/
protected $sourceCredentials;

/**
* Used in observability metric headers
*
* @var string
*/
protected $credType = 'cred-type/imp';

/**
* Instantiate an instance of ImpersonatedServiceAccountCredentials from a credentials file that
* has be created with the --impersonated-service-account flag.
Expand Down Expand Up @@ -121,7 +128,13 @@ public function getClientName(callable $unusedHttpHandler = null)
*/
public function fetchAuthToken(callable $httpHandler = null)
{
return $this->sourceCredentials->fetchAuthToken($httpHandler);
// We don't support id token endpoint requests as of now for Impersonated Cred
$isAccessTokenRequest = true;
$metricsHeader = $this->applyMetricsHeader(
[],
$this->getTokenEndpointMetricsHeaderValue($isAccessTokenRequest)
);
return $this->sourceCredentials->fetchAuthToken($httpHandler, $metricsHeader);
}

/**
Expand Down
18 changes: 17 additions & 1 deletion src/Credentials/ServiceAccountCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,13 @@ class ServiceAccountCredentials extends CredentialsLoader implements
*/
protected $projectId;

/**
* Used in observability metric headers
*
* @var string
*/
protected $credType = 'cred-type/sa';

/**
* @var array<mixed>|null
*/
Expand Down Expand Up @@ -206,7 +213,16 @@ public function fetchAuthToken(callable $httpHandler = null)

return $accessToken;
}
return $this->auth->fetchAuthToken($httpHandler);
$isAccessTokenRequest = true;
if (isset($this->auth->getAdditionalClaims()['target_audience'])) {
$isAccessTokenRequest = false;
}
bshaffer marked this conversation as resolved.
Show resolved Hide resolved

$metricsHeader = $this->applyMetricsHeader(
[],
$this->getTokenEndpointMetricsHeaderValue($isAccessTokenRequest)
);
return $this->auth->fetchAuthToken($httpHandler, $metricsHeader);
}

/**
Expand Down
7 changes: 7 additions & 0 deletions src/Credentials/ServiceAccountJwtAccessCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,13 @@ class ServiceAccountJwtAccessCredentials extends CredentialsLoader implements
*/
protected $quotaProject;

/**
* Used in observability metric headers
*
* @var string
*/
protected $credType = 'cred-type/jwt';

/**
* @var string
*/
Expand Down
25 changes: 23 additions & 2 deletions src/Credentials/UserRefreshCredentials.php
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,13 @@ class UserRefreshCredentials extends CredentialsLoader implements GetQuotaProjec
*/
protected $quotaProject;

/**
* Used in observability metric headers
*
* @var string
*/
protected $credType = 'cred-type/u';

/**
* Create a new UserRefreshCredentials.
*
Expand Down Expand Up @@ -98,6 +105,10 @@ public function __construct(

/**
* @param callable $httpHandler
* @param array<mixed> $metricsHeader [optional] Metrics headers to be inserted
* into the token endpoint request present.
* This could be passed from ImersonatedServiceAccountCredentials as it uses
* UserRefreshCredentials as source credentials.
*
* @return array<mixed> {
* A set of auth related metadata, containing the following
Expand All @@ -109,9 +120,19 @@ public function __construct(
* @type string $id_token
* }
*/
public function fetchAuthToken(callable $httpHandler = null)
public function fetchAuthToken(callable $httpHandler = null, array $metricsHeader = [])
{
return $this->auth->fetchAuthToken($httpHandler);
// ImersonatedServiceAccountCredentials will propagate it's own header value, hence
// we'll pass them if present, else create headers for UserCred and pass along.
if (empty($metricsHeader)) {
// We don't support id token endpoint requests as of now for User Cred
$isAccessTokenRequest = true;
$metricsHeader = $this->applyMetricsHeader(
[],
$this->getTokenEndpointMetricsHeaderValue($isAccessTokenRequest)
);
}
return $this->auth->fetchAuthToken($httpHandler, $metricsHeader);
}

/**
Expand Down
1 change: 1 addition & 0 deletions src/CredentialsLoader.php
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ abstract class CredentialsLoader implements
FetchAuthTokenInterface,
UpdateMetadataInterface
{
use MetricsTrait;
use UpdateMetadataTrait;

const TOKEN_CREDENTIAL_URI = 'https://oauth2.googleapis.com/token';
Expand Down
120 changes: 120 additions & 0 deletions src/MetricsTrait.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
<?php
/*
* Copyright 2023 Google Inc.
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

namespace Google\Auth;

/**
* Trait containing helper methods required for enabling
* observability metrics in the library.
*
* @internal
*/
trait MetricsTrait
{
/**
* @var string The version of the auth library php.
*/
private static $version;

/**
* @var string The header key for the observability metrics.
*/
protected static $metricsHeaderKey = 'x-goog-api-client';

/**
* @var array<string, string> The request type header values
* for the observability metrics.
*/
private static $requestType = [
'accessToken' => 'auth-request-type/at',
'idToken' => 'auth-request-type/it',
];

/**
* @var array<string, string> The credential type headervalues
* for the observability metrics.
*/
private static $credTypes = [
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
'user' => 'cred-type/u',
'sa' => 'cred-type/sa',
'jwt' => 'cred-type/jwt',
'gce' => 'cred-type/mds',
'impersonate' => 'cred-type/imp'
];

/**
* @var string The credential type for the observability metrics.
* This would be overridden by the credential class if applicable.
*/
protected $credType = '';

protected function getServiceApiMetricsHeaderValue(): string
{
if (!empty($this->credType)) {
return $this->langAndVersion() . ' ' . $this->credType;
}
return '';
}

protected function getTokenEndpointMetricsHeaderValue(bool $isAccessTokenRequest): string
{
$value = $this->langAndVersion();
$value .= ' ' . self::$requestType[($isAccessTokenRequest ? 'accessToken' : 'idToken')];

if (!empty($this->credType)) {
return $value . ' ' . $this->credType;
}

return '';
}

/**
* @param array<mixed> $metadata The metadata to update and return.
* @param string $headerValue The header value to add to the metadata for
* observability metrics.
* @return array<mixed> The updated metadata.
*/
protected function applyMetricsHeader($metadata, $headerValue)
yash30201 marked this conversation as resolved.
Show resolved Hide resolved
{
yash30201 marked this conversation as resolved.
Show resolved Hide resolved
if (empty($headerValue)) {
return $metadata;
} elseif (!isset($metadata[self::$metricsHeaderKey]) || empty($metadata[self::$metricsHeaderKey])) {
$metadata[self::$metricsHeaderKey] = [$headerValue];
} elseif (is_array($metadata[self::$metricsHeaderKey])) {
$metadata[self::$metricsHeaderKey][0] .= ' ' . $headerValue;
} else {
// It's a string instead of array
$metadata[self::$metricsHeaderKey] .= ' ' . $headerValue;
}
yash30201 marked this conversation as resolved.
Show resolved Hide resolved

return $metadata;
}

protected static function getVersion(): string
{
if (is_null(self::$version)) {
$versionFilePath = implode(DIRECTORY_SEPARATOR, [__DIR__, '..', 'VERSION']);
yash30201 marked this conversation as resolved.
Show resolved Hide resolved
self::$version = trim((string) file_get_contents($versionFilePath));
}
return self::$version;
}

private function langAndVersion(): string
{
return 'gl-php/' . PHP_VERSION . ' auth/' . self::getVersion();
}
}
12 changes: 8 additions & 4 deletions src/OAuth2.php
Original file line number Diff line number Diff line change
Expand Up @@ -572,9 +572,11 @@ public function toJwt(array $config = [])
* Generates a request for token credentials.
*
* @param callable $httpHandler callback which delivers psr7 request
* @param array<mixed> $metricsHeader [optional] Metrics headers to be inserted
* into the token endpoint request present.
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
* @return RequestInterface the authorization Url.
*/
public function generateCredentialsRequest(callable $httpHandler = null)
public function generateCredentialsRequest(callable $httpHandler = null, $metricsHeader = [])
bshaffer marked this conversation as resolved.
Show resolved Hide resolved
{
$uri = $this->getTokenCredentialUri();
if (is_null($uri)) {
Expand Down Expand Up @@ -633,7 +635,7 @@ public function generateCredentialsRequest(callable $httpHandler = null)
$headers = [
'Cache-Control' => 'no-store',
'Content-Type' => 'application/x-www-form-urlencoded',
];
] + $metricsHeader;
bshaffer marked this conversation as resolved.
Show resolved Hide resolved

return new Request(
'POST',
Expand All @@ -647,15 +649,17 @@ public function generateCredentialsRequest(callable $httpHandler = null)
* Fetches the auth tokens based on the current state.
*
* @param callable $httpHandler callback which delivers psr7 request
* @param array<mixed> $metricsHeader [optional] If present, add these headers to the token
* endpoint request.
* @return array<mixed> the response
*/
public function fetchAuthToken(callable $httpHandler = null)
public function fetchAuthToken(callable $httpHandler = null, $metricsHeader = [])
{
if (is_null($httpHandler)) {
$httpHandler = HttpHandlerFactory::build(HttpClientCache::getHttpClient());
}

$response = $httpHandler($this->generateCredentialsRequest($httpHandler));
$response = $httpHandler($this->generateCredentialsRequest($httpHandler, $metricsHeader));
$credentials = $this->parseTokenResponse($response);
$this->updateToken($credentials);
if (isset($credentials['scope'])) {
Expand Down
Loading