[WIP] Add metrics for OIDC

cmd/broker/filter/main.go

@@ -151,9 +151,9 @@
 	oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
 	// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
 	// the messages to the triggers' subscribers) in this binary.
-	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
+	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, reporter)
 	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
 	handler, err = filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

cmd/jobsink/main.go

@@ -117,7 +117,7 @@ func main() {
 		k8s:               kubeclient.Get(ctx),
 		lister:            jobsink.Get(ctx).Lister(),
 		withContext:       ctxFunc,
-		oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx),
+		oidcTokenVerifier: auth.NewOIDCTokenVerifier(ctx, nil),
 	}
 
 	tlsConfig, err := getServerTLSConfig(ctx)
@@ -201,7 +201,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 		audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
 
-		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
+		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w, nil)
 		if err != nil {
 			logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
 			return
@@ -382,7 +382,7 @@ func (h *Handler) handleGet(ctx context.Context, w http.ResponseWriter, r *http.
 
 		audience := auth.GetAudienceDirect(sinksv.SchemeGroupVersion.WithKind("JobSink"), ref.Namespace, ref.Name)
 
-		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w)
+		err := h.oidcTokenVerifier.VerifyJWTFromRequest(ctx, r, &audience, w, nil)
 		if err != nil {
 			logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
 			return

pkg/auth/token_verifier.go

@@ -19,6 +19,7 @@ package auth
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -28,6 +29,7 @@ import (
 	"go.uber.org/zap"
 	"k8s.io/client-go/rest"
 	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/eventing/pkg/broker/filter"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/logging"
 )
@@ -36,10 +38,16 @@ const (
 	kubernetesOIDCDiscoveryBaseURL = "https://kubernetes.default.svc"
 )
 
+var (
+	ErrNoJWTTokenFound = errors.New("no JWT token found in request")
+	ErrInvalidJWTToken = errors.New("invalid JWT token")
+)
+
 type OIDCTokenVerifier struct {
-	logger     *zap.SugaredLogger
-	restConfig *rest.Config
-	provider   *oidc.Provider
+	logger        *zap.SugaredLogger
+	restConfig    *rest.Config
+	provider      *oidc.Provider
+	statsReporter filter.StatsReporter
 }
 
 type IDToken struct {
@@ -51,10 +59,11 @@ type IDToken struct {
 	AccessTokenHash string
 }
 
-func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {
+func NewOIDCTokenVerifier(ctx context.Context, statsReporter filter.StatsReporter) *OIDCTokenVerifier {
 	tokenHandler := &OIDCTokenVerifier{
-		logger:     logging.FromContext(ctx).With("component", "oidc-token-handler"),
-		restConfig: injection.GetConfig(ctx),
+		logger:        logging.FromContext(ctx).With("component", "oidc-token-handler"),
+		restConfig:    injection.GetConfig(ctx),
+		statsReporter: statsReporter,
 	}
 
 	if err := tokenHandler.initOIDCProvider(ctx); err != nil {
@@ -152,10 +161,16 @@ func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error
 }
 
 // VerifyJWTFromRequest will verify the incoming request contains the correct JWT token
-func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
+func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter, reportArgs *filter.ReportArgs) error {
 	token := GetJWTFromHeader(r.Header)
+
 	if token == "" {
 		response.WriteHeader(http.StatusUnauthorized)
+
+		if tokenVerifier.statsReporter != nil {
+			tokenVerifier.statsReporter.ReportUnauthenticatedRequest(reportArgs)
+		}
+
 		return fmt.Errorf("no JWT token found in request")
 	}
 
@@ -166,6 +181,10 @@ func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context
 
 	if _, err := tokenVerifier.VerifyJWT(ctx, token, *audience); err != nil {
 		response.WriteHeader(http.StatusUnauthorized)
+
+		if tokenVerifier.statsReporter != nil {
+			tokenVerifier.statsReporter.ReportInvalidTokenRequest(reportArgs)
+		}
 		return fmt.Errorf("failed to verify JWT: %w", err)
 	}
 

pkg/broker/filter/filter_handler.go

@@ -40,7 +40,7 @@
 	"knative.dev/pkg/logging"
 
 	"knative.dev/eventing/pkg/apis"
 	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/utils"
 
@@ -53,7 +53,7 @@
 	"knative.dev/eventing/pkg/eventfilter/attributes"
 	"knative.dev/eventing/pkg/eventfilter/subscriptionsapi"
 	"knative.dev/eventing/pkg/eventtype"
 	"knative.dev/eventing/pkg/kncloudevents"
 	"knative.dev/eventing/pkg/reconciler/sugar/trigger/path"
 	"knative.dev/eventing/pkg/tracing"
 )
@@ -204,7 +204,15 @@
 
 		audience := FilterAudience
 
-		err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, &audience, writer)
+		reportArgs := &ReportArgs{
+			ns:          trigger.Namespace,
+			trigger:     trigger.Name,
+			broker:      trigger.Spec.Broker,
+			requestType: "filter",
+		}
+
+		err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, &audience, writer, reportArgs)
+
 		if err != nil {
 			h.logger.Warn("Error when validating the JWT token in the request", zap.Error(err))
 			return

pkg/broker/filter/filter_handler_test.go

@@ -88,15 +88,17 @@ func TestReceiver(t *testing.T) {
 		additionalReplyHeaders http.Header
 
 		// expectations
-		expectedResponseEvent       *cloudevents.Event
-		expectedResponse            *http.Response
-		expectedDispatch            bool
-		expectedStatus              int
-		expectedHeaders             http.Header
-		expectedEventCount          bool
-		expectedEventDispatchTime   bool
-		expectedEventProcessingTime bool
-		expectedResponseHeaders     http.Header
+		expectedResponseEvent        *cloudevents.Event
+		expectedResponse             *http.Response
+		expectedDispatch             bool
+		expectedStatus               int
+		expectedHeaders              http.Header
+		expectedEventCount           bool
+		expectedUnauthenticatedCount bool
+		expectedInvalidTokenCount    bool
+		expectedEventDispatchTime    bool
+		expectedEventProcessingTime  bool
+		expectedResponseHeaders      http.Header
 	}{
 		"Not POST": {
 			request:        httptest.NewRequest(http.MethodGet, validPath, nil),
@@ -438,7 +440,7 @@ func TestReceiver(t *testing.T) {
 
 			logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
 			oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
-			oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
+			oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, nil)
 
 			for _, trig := range tc.triggers {
 				// Replace the SubscriberURI to point at our fake server.
@@ -517,6 +519,12 @@ func TestReceiver(t *testing.T) {
 			if tc.expectedEventCount != reporter.eventCountReported {
 				t.Errorf("Incorrect event count reported metric. Expected %v, Actual %v", tc.expectedEventCount, reporter.eventCountReported)
 			}
+			if tc.expectedUnauthenticatedCount != reporter.unauthenticatedCountReported {
+				t.Errorf("Incorrect unauthenticated count reported metric. Expected %v, Actual %v", tc.expectedUnauthenticatedCount, reporter.unauthenticatedCountReported)
+			}
+			if tc.expectedInvalidTokenCount != reporter.invalidTokenCountReported {
+				t.Errorf("Incorrect invalid token count reported metric. Expected %v, Actual %v", tc.expectedInvalidTokenCount, reporter.invalidTokenCountReported)
+			}
 			if tc.expectedEventDispatchTime != reporter.eventDispatchTimeReported {
 				t.Errorf("Incorrect event dispatch time reported metric. Expected %v, Actual %v", tc.expectedEventDispatchTime, reporter.eventDispatchTimeReported)
 			}
@@ -637,7 +645,7 @@ func TestReceiver_WithSubscriptionsAPI(t *testing.T) {
 
 			logger := zaptest.NewLogger(t, zaptest.WrapOptions(zap.AddCaller()))
 			oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
-			oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
+			oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx, nil)
 
 			// Replace the SubscriberURI to point at our fake server.
 			for _, trig := range tc.triggers {
@@ -742,16 +750,28 @@ func (r *responseWriterWithInvocationsCheck) WriteHeader(statusCode int) {
 }
 
 type mockReporter struct {
-	eventCountReported          bool
-	eventDispatchTimeReported   bool
-	eventProcessingTimeReported bool
+	eventCountReported           bool
+	unauthenticatedCountReported bool
+	invalidTokenCountReported    bool
+	eventDispatchTimeReported    bool
+	eventProcessingTimeReported  bool
 }
 
 func (r *mockReporter) ReportEventCount(args *ReportArgs, responseCode int) error {
 	r.eventCountReported = true
 	return nil
 }
 
+func (r *mockReporter) ReportUnauthenticatedRequest(args *ReportArgs) error {
+	r.unauthenticatedCountReported = true
+	return nil
+}
+
+func (r *mockReporter) ReportInvalidTokenRequest(args *ReportArgs) error {
+	r.invalidTokenCountReported = true
+	return nil
+}
+
 func (r *mockReporter) ReportEventDispatchTime(args *ReportArgs, responseCode int, d time.Duration) error {
 	r.eventDispatchTimeReported = true
 	return nil

pkg/broker/filter/stats_reporter.go

@@ -46,6 +46,20 @@ var (
 		stats.UnitDimensionless,
 	)
 
+	// unauthenticatedRequestsM records the number of unauthenticated requests. (Without the JWT token in the header)
+	unauthenticatedRequestsM = stats.Int64(
+		"unauthenticated_requests",
+		"Number of unauthenticated requests (No JWT token found in the header)",
+		stats.UnitDimensionless,
+	)
+
+	// invalidTokenRequestsM records the number of requests with invalid tokens.
+	invalidTokenRequestsM = stats.Int64(
+		"invalid_token_requests",
+		"Number of requests with invalid tokens",
+		stats.UnitDimensionless,
+	)
+
 	// dispatchTimeInMsecM records the time spent dispatching an event to
 	// a Trigger subscriber, in milliseconds.
 	dispatchTimeInMsecM = stats.Float64(
@@ -90,6 +104,8 @@ func init() {
 // StatsReporter defines the interface for sending filter metrics.
 type StatsReporter interface {
 	ReportEventCount(args *ReportArgs, responseCode int) error
+	ReportUnauthenticatedRequest(args *ReportArgs) error
+	ReportInvalidTokenRequest(args *ReportArgs) error
 	ReportEventDispatchTime(args *ReportArgs, responseCode int, d time.Duration) error
 	ReportEventProcessingTime(args *ReportArgs, d time.Duration) error
 }
@@ -120,6 +136,18 @@ func register() {
 			Aggregation: view.Count(),
 			TagKeys:     []tag.Key{triggerFilterTypeKey, triggerFilterRequestTypeKey, triggerFilterRequestSchemeKey, responseCodeKey, responseCodeClassKey, broker.UniqueTagKey, broker.ContainerTagKey},
 		},
+		&view.View{
+			Description: unauthenticatedRequestsM.Description(),
+			Measure:     unauthenticatedRequestsM,
+			Aggregation: view.Count(),
+			TagKeys:     []tag.Key{triggerFilterTypeKey, triggerFilterRequestTypeKey, triggerFilterRequestSchemeKey, broker.UniqueTagKey, broker.ContainerTagKey},
+		},
+		&view.View{
+			Description: invalidTokenRequestsM.Description(),
+			Measure:     invalidTokenRequestsM,
+			Aggregation: view.Count(),
+			TagKeys:     []tag.Key{triggerFilterTypeKey, triggerFilterRequestTypeKey, triggerFilterRequestSchemeKey, broker.UniqueTagKey, broker.ContainerTagKey},
+		},
 		&view.View{
 			Description: dispatchTimeInMsecM.Description(),
 			Measure:     dispatchTimeInMsecM,
@@ -150,6 +178,26 @@ func (r *reporter) ReportEventCount(args *ReportArgs, responseCode int) error {
 	return nil
 }
 
+// ReportUnauthenticatedRequest captures unauthenticated requests. (The requests that do not have JWT token in the header)
+func (r *reporter) ReportUnauthenticatedRequest(args *ReportArgs) error {
+	ctx, err := r.generateTag(args)
+	if err != nil {
+		return err
+	}
+	metrics.Record(ctx, unauthenticatedRequestsM.M(1))
+	return nil
+}
+
+// ReportInvalidTokenRequest captures requests with invalid tokens.
+func (r *reporter) ReportInvalidTokenRequest(args *ReportArgs) error {
+	ctx, err := r.generateTag(args)
+	if err != nil {
+		return err
+	}
+	metrics.Record(ctx, invalidTokenRequestsM.M(1))
+	return nil
+}
+
 // ReportEventDispatchTime captures dispatch times.
 func (r *reporter) ReportEventDispatchTime(args *ReportArgs, responseCode int, d time.Duration) error {
 	ctx, err := r.generateTag(args,