Add TLS statistics to vespalib and expose as metrics via storageserver

Also add functionality for extracting "notAfter" expiration time from
current certificate, which may later be added as an expiry metric.

2 files changed, 46 insertions, 8 deletions

diff --git a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
index 245368b6a7b..5dc85bc567f 100644
--- a/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
+++ b/vespalib/src/tests/net/tls/auto_reloading_tls_crypto_engine/auto_reloading_tls_crypto_engine_test.cpp
@@ -2,6 +2,7 @@
 
 #include <vespa/vespalib/io/fileutil.h>
 #include <vespa/vespalib/net/tls/auto_reloading_tls_crypto_engine.h>
+#include <vespa/vespalib/net/tls/statistics.h>
 #include <vespa/vespalib/net/tls/transport_security_options.h>
 #include <vespa/vespalib/net/tls/transport_security_options_reading.h>
 #include <vespa/vespalib/net/tls/impl/openssl_tls_context_impl.h>
@@ -106,17 +107,11 @@ struct Fixture {
     }
 
     vespalib::string current_cert_chain() const {
-        auto impl = engine->acquire_current_engine();
-        // Leaks implementation details galore, but it's not very likely that we'll use
-        // anything but OpenSSL (or compatible APIs) in practice...
-        auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context());
-        return ctx_impl.transport_security_options().cert_chain_pem();
+        return engine->acquire_current_engine()->tls_context()->transport_security_options().cert_chain_pem();
     }
 
     AuthorizationMode current_authorization_mode() const {
-        auto impl = engine->acquire_current_engine();
-        auto& ctx_impl = dynamic_cast<const impl::OpenSslTlsContextImpl&>(*impl->tls_context());
-        return ctx_impl.authorization_mode();
+        return engine->acquire_current_engine()->tls_context()->authorization_mode();
     }
 };
 
@@ -143,4 +138,15 @@ TEST_FF("Authorization mode is propagated to engine", Fixture(50ms, Authorizatio
     EXPECT_EQUAL(AuthorizationMode::LogOnly, f1.current_authorization_mode());
 }
 
+TEST_FF("Config reload failure increments failure statistic", Fixture(50ms), TimeBomb(60)) {
+    auto before = ConfigStatistics::get().snapshot();
+
+    write_file("test_cert.pem.tmp", "Broken file oh no :(");
+    rename("test_cert.pem.tmp", "test_cert.pem", false, false);
+
+    while (ConfigStatistics::get().snapshot().subtract(before).failed_config_reloads == 0) {
+        std::this_thread::sleep_for(10ms);
+    }
+}
+
 TEST_MAIN() { TEST_RUN_ALL(); }
diff --git a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
index 69e0d44147e..f70c5670bc9 100644
--- a/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
+++ b/vespalib/src/tests/net/tls/openssl_impl/openssl_impl_test.cpp
@@ -4,6 +4,7 @@
 #include <vespa/vespalib/data/smart_buffer.h>
 #include <vespa/vespalib/net/tls/authorization_mode.h>
 #include <vespa/vespalib/net/tls/crypto_codec.h>
+#include <vespa/vespalib/net/tls/statistics.h>
 #include <vespa/vespalib/net/tls/tls_context.h>
 #include <vespa/vespalib/net/tls/transport_security_options.h>
 #include <vespa/vespalib/net/tls/impl/openssl_crypto_codec_impl.h>
@@ -619,6 +620,37 @@ TEST_F("Disabled insecure authorization mode ignores verification result", CertF
     EXPECT_TRUE(f.handshake());
 }
 
+TEST_F("Failure statistics are incremented on authorization failures", CertFixture) {
+    reset_peers_with_server_authz_mode(f, AuthorizationMode::Enforce);
+    auto server_before = ConnectionStatistics::get(true).snapshot();
+    auto client_before = ConnectionStatistics::get(false).snapshot();
+    EXPECT_FALSE(f.handshake());
+    auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+    auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+    EXPECT_EQUAL(1u, server_stats.invalid_peer_credentials);
+    EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+    EXPECT_EQUAL(1u, server_stats.failed_tls_handshakes);
+    EXPECT_EQUAL(0u, server_stats.tls_connections);
+    EXPECT_EQUAL(0u, client_stats.tls_connections);
+}
+
+TEST_F("Success statistics are incremented on OK authorization", CertFixture) {
+    reset_peers_with_server_authz_mode(f, AuthorizationMode::Disable);
+    auto server_before = ConnectionStatistics::get(true).snapshot();
+    auto client_before = ConnectionStatistics::get(false).snapshot();
+    EXPECT_TRUE(f.handshake());
+    auto server_stats = ConnectionStatistics::get(true).snapshot().subtract(server_before);
+    auto client_stats = ConnectionStatistics::get(false).snapshot().subtract(client_before);
+
+    EXPECT_EQUAL(0u, server_stats.invalid_peer_credentials);
+    EXPECT_EQUAL(0u, client_stats.invalid_peer_credentials);
+    EXPECT_EQUAL(0u, server_stats.failed_tls_handshakes);
+    EXPECT_EQUAL(0u, client_stats.failed_tls_handshakes);
+    EXPECT_EQUAL(1u, server_stats.tls_connections);
+    EXPECT_EQUAL(1u, client_stats.tls_connections);
+}
+
 // TODO we can't test embedded nulls since the OpenSSL v3 extension APIs
 // take in null terminated strings as arguments... :I