2.4.15rc10: metrics refactoring and extension

Signed-off-by: Hans Zandbelt <hans.zandbelt@openidc.com>

ChangeLog

@@ -1,3 +1,7 @@
+12/18/2023
+- metrics refactoring and extension
+- bump to 2.4.15rc10
+
 12/15/2023
 - add (and fix) more metrics, including provider requests, authorization and cache
 - bump to 2.4.15rc9

auth_openidc.conf

@@ -1013,20 +1013,25 @@
 
 # Specify metrics that you wish to collect and keep in shared memory for retrieval.
 # Supported metrics classes are:
-#   authtype: the authentication handler type split out per AuthType: openid-connect, oauth20, auth-openidc
-#   authn: authentication request generation and response processing
-#   authz: authorization errors
-#   requests: requests to the provider endpoints (metadata retrieval, token request, refresh requests and userinfo requests)
-#   session: existing session handling
-#   cache: cache read/write/errors
-#   redirect_uri: requests to the redirect_uri
-#   content: requests to the content handler, split out per types of request (info, metrics, jwks, etc.)
+#   authtype        Request counter, overall and per AuthType: openid-connect, oauth20 and auth-openidc.
+#   authn           Authentication request creation and response processing.
+#   authz           Authorization errors per OIDCUnAuthzAction (per Require statement, not overall).
+#   require.claim   Match/failure count of Require claim directives (per Require statement, not overall).
+#   requests        Requests to the provider endpoints: metadata retrieval, token request, refresh requests and userinfo requests.
+#   session         Existing session processing.
+#   cache           Cache read/write timings and errors.
+#   redirect_uri    Requests to the Redirect URI, per type.
+#   content         Requests to the content handler, per type of request: info, metrics, jwks, etc.
 # When not defined no metrics will be recorded.
-#OIDCMetricsData [ authtype | authn | authz | requests | session | cache | redirect_uri | content ]+
+#OIDCMetricsData [ authtype | authn | authz | require.claim | requests | session | cache | redirect_uri | content ]+
 
 # Specify the path where metrics are published and can be consumed.
-# The "format=<format>" parameter can be passed to specify the format of the data.
-# The default is "prometheus", "json" is also supported.
+# The format parameter can be passed to specify the format in which the collected data is returned.
+#   format=prometheus  Prometheus text-based exporter
+#   format=json        (non-standard) JSON with descriptions and names
+#   format=status      short text based status message "OK" plus optional counter (&vhost=<vhost>&counter=<name>)
+#   format=internal    internal terse JSON for debugging purposes
+# The default is "prometheus".
 # Protect protect this path (e.g. Require host localhost) or serve it on an internal co-located vhost/port.
 # When not defined, no metrics will be published on the enclosing vhost.
 #OIDCMetricsPublish <path>

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.15rc9],[hans.zandbelt@openidc.com])
+AC_INIT([mod_auth_openidc],[2.4.15rc10],[hans.zandbelt@openidc.com])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

src/authz.c

@@ -44,6 +44,8 @@
  */
 
 #include "mod_auth_openidc.h"
+
+#include "metrics.h"
 #include "pcre_subst.h"
 
 static apr_byte_t oidc_authz_match_value(request_rec *r, const char *spec_c, const json_t *val, const char *key) {
@@ -308,10 +310,10 @@ int oidc_authz_worker22(request_rec *r, json_t *claims, const require_line *cons
 		token = ap_getword_white(r->pool, &requirement);
 
 		/* see if we've got anything meant for us */
-		if (apr_strnatcasecmp(token, OIDC_REQUIRE_CLAIM_NAME) == 0) {
+		if (_oidc_strnatcasecmp(token, OIDC_REQUIRE_CLAIM_NAME) == 0) {
 			match_claim_fn = oidc_authz_match_claim;
 #ifdef USE_LIBJQ
-		} else if (apr_strnatcasecmp(token, OIDC_REQUIRE_CLAIMS_EXPR_NAME) == 0) {
+		} else if (_oidc_strnatcasecmp(token, OIDC_REQUIRE_CLAIMS_EXPR_NAME) == 0) {
 			match_claim_fn = oidc_authz_match_claims_expr;
 #endif
 		} else {
@@ -381,6 +383,7 @@ int oidc_authz_worker22(request_rec *r, json_t *claims, const require_line *cons
 authz_status oidc_authz_worker24(request_rec *r, json_t *claims, const char *require_args,
 				 const void *parsed_require_args, oidc_authz_match_claim_fn_type match_claim_fn) {
 
+	oidc_cfg *cfg = ap_get_module_config(r->server->module_config, &auth_openidc_module);
 	int count_oauth_claims = 0;
 	const char *t, *w, *err = NULL;
 	const ap_expr_info_t *expr = parsed_require_args;
@@ -413,6 +416,8 @@ authz_status oidc_authz_worker24(request_rec *r, json_t *claims, const char *req
 		/* see if we can match any of out input claims against this Require'd value */
 		if (match_claim_fn(r, w, claims) == TRUE) {
 
+			OIDC_METRICS_COUNTER_INC_SPEC(r, cfg, OM_AUTHZ_MATCH_REQUIRE_CLAIM, require_args);
+
 			oidc_debug(r, "require claim/expr '%s' matched", w);
 			return AUTHZ_GRANTED;
 		}
@@ -423,6 +428,8 @@ authz_status oidc_authz_worker24(request_rec *r, json_t *claims, const char *req
 		oidc_warn(r, "'require claim/expr' missing specification(s) in configuration, denying");
 	}
 
+	OIDC_METRICS_COUNTER_INC_SPEC(r, cfg, OM_AUTHZ_ERROR_REQUIRE_CLAIM, require_args);
+
 	oidc_debug(r, "could not match require claim expression '%s'", require_args);
 	oidc_authz_error_add(r, require_args);
 

src/config.c

@@ -2760,6 +2760,7 @@ void oidc_register_hooks(apr_pool_t *pool) {
 	oidc_pre_config_init();
 	ap_hook_post_config(oidc_post_config, NULL, NULL, APR_HOOK_LAST);
 	ap_hook_child_init(oidc_child_init, NULL, NULL, APR_HOOK_MIDDLE);
+	ap_hook_fixups(oidc_fixups, NULL, NULL, APR_HOOK_MIDDLE);
 	static const char *const proxySucc[] = {"mod_proxy.c", NULL};
 	ap_hook_handler(oidc_content_handler, NULL, proxySucc, APR_HOOK_FIRST);
 	ap_hook_insert_filter(oidc_filter_in_insert_filter, NULL, NULL, APR_HOOK_MIDDLE);

src/const.h

@@ -69,6 +69,7 @@
 
 #define _oidc_strlen(s) (s ? strlen(s) : 0)
 #define _oidc_strcmp(a, b) ((a && b) ? apr_strnatcmp(a, b) : -1)
+#define _oidc_strnatcasecmp(a, b) ((a && b) ? apr_strnatcasecmp(a, b) : -1)
 #define _oidc_strncmp(a, b, size) ((a && b) ? strncmp(a, b, size) : -1)
 
 #define _oidc_str_to_int(s) (s ? (int)strtol(s, NULL, 10) : 0)