From 3527d1bb4128662e5aafd92ec98c6c0b629f5e3e Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Wed, 15 Feb 2023 17:34:46 +0100
Subject: Add metrics for capability checks
---
 .../yahoo/security/tls/ConnectionAuthContext.java | 3 ++
 .../java/com/yahoo/security/tls/TlsMetrics.java | 36 ++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java
(limited to 'security-utils')
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
index f231e8429ce..d7ea93955af 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/ConnectionAuthContext.java
@@ -49,6 +49,7 @@ public record ConnectionAuthContext(List peerCertificateChain,
 if (capabilityMode == DISABLE) return;
 boolean hasCapabilities = capabilities.has(requiredCapabilities);
 if (!hasCapabilities) {
+ TlsMetrics.instance().incrementCapabilitiesFailed();
 String msg = createPermissionDeniedErrorMessage(requiredCapabilities, action, resource, peer);
 if (capabilityMode == LOG_ONLY) {
 log.info(msg);
@@ -57,6 +58,8 @@ public record ConnectionAuthContext(List peerCertificateChain,
 log.fine(msg);
 throw new MissingCapabilitiesException(msg);
 }
+ } else {
+ TlsMetrics.instance().incrementCapabilitiesSucceeded();
 }
 }
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java b/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java
new file mode 100644
index 00000000000..1e9561a5b82
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TlsMetrics.java
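Review bot: The new `incrementCapabilitiesFailed()` call in the first hunk sits before the `capabilityMode` branch, so `capabilitiesFailed` also counts checks that were merely logged under `LOG_ONLY`, while the early `return` for `DISABLE` records nothing in either counter, and neither behaviour is stated anywhere. A reading of zero on both counters therefore cannot distinguish "checks disabled" from "no connections checked", which matters for anyone alerting on a rising failure count. A comment above the new increment such as `// Counted under LOG_ONLY as well; DISABLE mode records nothing in either counter` would make the semantics explicit, or a third counter for skipped checks could be added if that distinction is wanted. The enclosing method begins outside the first hunk; the `else` branch in the second hunk closes the same `if (!hasCapabilities)` block.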
@@ -0,0 +1,36 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.security.tls;
+
+import java.util.concurrent.atomic.AtomicLong;
+
+/**
+ * @author bjorncs
+ */
+public class TlsMetrics {
+ private static final TlsMetrics instance = new TlsMetrics();
+
+ private final AtomicLong capabilitiesSucceeded = new AtomicLong(0);
+ private final AtomicLong capabilitiesFailed = new AtomicLong(0);
+
+ private TlsMetrics() {}
+
+ public static TlsMetrics instance() { return instance; }
+
+ void incrementCapabilitiesSucceeded() { capabilitiesSucceeded.incrementAndGet(); }
+ void incrementCapabilitiesFailed() { capabilitiesFailed.incrementAndGet(); }
+ public Snapshot snapshot() { return new Snapshot(this); }
+
+ public record Snapshot(long capabilitiesSucceeded, long capabilitiesFailed) {
+ public static final Snapshot EMPTY = new Snapshot(0, 0);
+ private Snapshot(TlsMetrics m) { this(m.capabilitiesSucceeded.get(), m.capabilitiesFailed.get()); }
+ public Diff changesSince(Snapshot previous) { return new Diff(this, previous); }
+ }
+
+ public record Diff(long capabilitiesSucceeded, long capabilitiesFailed) {
+ private Diff(Snapshot current, Snapshot previous) {
+ this(current.capabilitiesSucceeded - previous.capabilitiesSucceeded,
+ current.capabilitiesFailed - previous.capabilitiesFailed);
+ }
+ }
+}
-- 
cgit v1.2.3
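Review bot: The class Javadoc on `TlsMetrics` carries only `@author`, so a reader cannot tell what the two counters measure, that they are process-wide via the static singleton, or that they are never reset. Suggest a summary such as `Process-wide counters for the TLS capability checks done in ConnectionAuthContext; counters only grow, use Snapshot.changesSince for interval deltas`, plus a line on `Snapshot` noting that its two fields come from separate `get()` calls and are therefore not an atomic pair under concurrent checks. The public `instance()` hands out the mutable singleton, but because the increment methods are package-private it effectively exposes only `snapshot()`, which is worth stating so nobody widens them later. If the counters are bumped per connection under load, `LongAdder` would suit a write-heavy, rarely-read counter better than `AtomicLong`, though that is a judgement call without a measurement.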