From 9bad60ef6d692745fbbf98338dfb17751f47dac3 Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli
Date: Fri, 17 Feb 2023 10:22:38 +0000
Subject: Add metrics tracking failed RPC and status page capability checks
---
 fnet/src/tests/frt/rpc/invoke.cpp | 10 ++++++++++
 fnet/src/vespa/fnet/frt/require_capabilities.cpp | 2 ++
 2 files changed, 12 insertions(+) (limited to 'fnet')
diff --git a/fnet/src/tests/frt/rpc/invoke.cpp b/fnet/src/tests/frt/rpc/invoke.cpp
index 38f260dd202..e930c1252bf 100644
--- a/fnet/src/tests/frt/rpc/invoke.cpp
+++ b/fnet/src/tests/frt/rpc/invoke.cpp
@@ -2,6 +2,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -16,6 +17,7 @@
 using vespalib::SocketSpec;
 using vespalib::BenchmarkTimer;
+using vespalib::net::tls::CapabilityStatistics;
 using namespace vespalib::net::tls;
 constexpr double timeout = 60.0;
@@ -486,6 +488,7 @@ TEST_F("request allowed by access filter invokes server method as usual", Fixtur
 }
 TEST_F("capability checking filter is enforced under mTLS unless overridden by env var", Fixture()) {
+ const auto cap_stats_before = CapabilityStatistics::get().snapshot();
 MyReq req("capabilityRestricted"); // Requires content node cap set; disallowed
 f1.target().InvokeSync(req.borrow(), timeout);
 auto cap_mode = capability_enforcement_mode_from_env();
@@ -494,6 +497,9 @@ TEST_F("capability checking filter is enforced under mTLS unless overridden by e
 // Default authz rule does not give required capabilities; must fail.
 EXPECT_EQUAL(req.get().GetErrorCode(), FRTE_RPC_PERMISSION_DENIED);
 EXPECT_FALSE(f1.server_instance().restricted_method_was_invoked());
+ // Permission denied should bump capability check failure statistic
+ const auto cap_stats = CapabilityStatistics::get().snapshot().subtract(cap_stats_before);
+ EXPECT_EQUAL(cap_stats.rpc_capability_checks_failed, 1u);
 } else {
 // Either no mTLS configured (implicit full capability set) or capabilities not enforced.
 ASSERT_FALSE(req.get().IsError());
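Review bot: The `else` branch of the "capability checking filter is enforced" test asserts nothing about `rpc_capability_checks_failed`, so the path where the check fails but the request is still let through is left uncovered. The same commit bumps the counter in `FRT_RequireCapabilities::allow()` before the enforcement mode is read, so with mTLS configured and enforcement off the delta is presumably 1, while without mTLS it is presumably 0; that branch covers both and cannot tell them apart. If the two cases cannot be separated in this fixture, a comment there would at least record it: `// Counter not asserted: 1 if the check failed unenforced, 0 without mTLS`. Both this test and the one in the next hunk also compare deltas of a process-wide `CapabilityStatistics` with exact equality, which holds only while nothing else in the test binary fails a capability check between the two snapshots. The test body begins in the previous hunk and the `else` branch runs past the end of this one.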
@@ -502,11 +508,15 @@ TEST_F("capability checking filter is enforced under mTLS unless overridden by e
 }
 TEST_F("access is allowed by capability filter when peer is granted the required capability", Fixture()) {
+ const auto cap_stats_before = CapabilityStatistics::get().snapshot();
 MyReq req("capabilityAllowed"); // Requires telemetry cap set; allowed
 f1.target().InvokeSync(req.borrow(), timeout);
 // Should always be allowed, regardless of mTLS mode or capability enforcement
 ASSERT_FALSE(req.get().IsError());
 EXPECT_TRUE(f1.server_instance().restricted_method_was_invoked());
+ // Should _not_ bump capability check failure statistic
+ const auto cap_stats = CapabilityStatistics::get().snapshot().subtract(cap_stats_before);
+ EXPECT_EQUAL(cap_stats.rpc_capability_checks_failed, 0u);
 }
 TEST_F("access is allowed by capability filter when required capability set is empty", Fixture()) {
diff --git a/fnet/src/vespa/fnet/frt/require_capabilities.cpp b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
index 6996557c91e..26504d06e0f 100644
--- a/fnet/src/vespa/fnet/frt/require_capabilities.cpp
+++ b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
@@ -5,6 +5,7 @@
 #include
 #include
 #include
+#include
 #include
 LOG_SETUP(".fnet.frt.require_capabilities");
@@ -19,6 +20,7 @@ FRT_RequireCapabilities::allow(FRT_RPCRequest& req) const noexcept
 if (is_authorized) {
 return true;
 } else {
+ CapabilityStatistics::get().inc_rpc_capability_checks_failed();
 const auto mode = capability_enforcement_mode_from_env();
 if (mode == CapabilityEnforcementMode::Disable) {
 return true;
--
cgit v1.2.3
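Review bot: The increment in `FRT_RequireCapabilities::allow()` sits before `capability_enforcement_mode_from_env()` is read, so the counter also rises when the mode is `Disable` and the request is allowed, and nothing in the code says whether that is intended. If it is, which would make the metric usable as a dry-run signal before enforcement is switched on, a comment would keep an operator from reading it as a count of rejected requests: `// Counted regardless of enforcement mode: tracks failed checks, not rejected requests.` The function is declared `noexcept`, so the increment must not throw; its definition is not part of this diff, so that is worth confirming. `allow()` starts before this hunk and continues after it.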