feat(posthog): Add Telemetry client Posthog (#781)

Signed-off-by: Javier Rodriguez <[email protected]>

Author: javirln

.github/workflows/release.yaml

@@ -75,6 +75,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
           COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+          POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
 
       - uses: anchore/sbom-action@c6aed38a4323b393d05372c58a74c39ae8386d02 # v0.15.6
         with:

.goreleaser.yml

@@ -28,6 +28,8 @@ builds:
     ldflags:
       - "{{ .Env.COMMON_LDFLAGS }}"
       - -X github.com/chainloop-dev/chainloop/app/cli/cmd.Version={{ .Version }}
+      - -X github.com/chainloop-dev/chainloop/app/cli/cmd.posthogAPIKey={{ .Env.POSTHOG_API_KEY }}
+      - -X github.com/chainloop-dev/chainloop/app/cli/cmd.posthogEndpoint={{ .Env.POSTHOG_ENDPOINT }}
     targets:
       - darwin_amd64
       - darwin_arm64

app/cli/Makefile

@@ -3,7 +3,11 @@ VERSION=$(shell git describe --tags --always)
 .PHONY: build
 # build
 build:
-	mkdir -p bin/ && go build -ldflags "-X github.com/chainloop-dev/chainloop/app/cli/cmd.Version=$(VERSION)" -o ./bin/chainloop ./main.go
+	mkdir -p bin/ && go build -ldflags \
+    		  "-X github.com/chainloop-dev/chainloop/app/cli/cmd.Version=$(VERSION) \
+    		  -X github.com/chainloop-dev/chainloop/app/cli/cmd.posthogAPIKey=${POSTHOG_API_KEY} \
+    		  -X github.com/chainloop-dev/chainloop/app/cli/cmd.posthogEndpoint=${POSTHOG_ENDPOINT}" \
+    		  -o ./bin/chainloop ./main.go
 
 .PHONY: test
 # test

app/cli/cmd/root.go

@@ -16,14 +16,18 @@
 package cmd
 
 import (
-	"context"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
+	"sync"
 
 	"github.com/adrg/xdg"
 	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
+	"github.com/chainloop-dev/chainloop/app/cli/internal/telemetry"
+	"github.com/chainloop-dev/chainloop/app/cli/internal/telemetry/posthog"
 	"github.com/chainloop-dev/chainloop/internal/grpcconn"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/rs/zerolog"
@@ -53,12 +57,16 @@ const (
 	userAudience         = "user-auth.chainloop"
 	//nolint:gosec
 	apiTokenAudience = "api-token-auth.chainloop"
+	// Follow the convention stated on https://consoledonottrack.com/
+	doNotTrackEnv = "DO_NOT_TRACK"
 )
 
-type AuthenticationToken struct{}
-type ParsedToken struct {
-	ID   string
-	Type string
+var telemetryWg sync.WaitGroup
+
+type parsedToken struct {
+	id        string
+	orgID     string
+	tokenType string
 }
 
 func NewRootCmd(l zerolog.Logger) *cobra.Command {
@@ -92,15 +100,28 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 
 			actionOpts = newActionOpts(logger, conn)
 
-			// For telemetry reasons we parse the token to know the type of token is being used when executing the CLI
-			// Once we have the token type we can send it to the telemetry service by injecting it on the context
-			token, err := parseToken(apiToken)
-			if err != nil {
-				logger.Debug().Err(err).Msg("parsing token for telemetry")
+			if !isTelemetryDisabled() {
+				logger.Debug().Msg("Telemetry enabled, to disable it use DO_NOT_TRACK=1")
+
+				telemetryWg.Add(1)
+				go func() {
+					defer telemetryWg.Done()
+
+					// For telemetry reasons we parse the token to know the type of token is being used when executing the CLI
+					// Once we have the token type we can send it to the telemetry service by injecting it on the context
+					token, err := parseToken(apiToken)
+					if err != nil {
+						logger.Debug().Err(err).Msg("parsing token for telemetry")
+						return
+					}
+
+					err = recordCommand(cmd, token)
+					if err != nil {
+						logger.Debug().Err(err).Msg("sending command to telemetry")
+					}
+				}()
 			}
 
-			cmd.SetContext(context.WithValue(cmd.Context(), AuthenticationToken{}, token))
-
 			return nil
 		},
 		PersistentPostRunE: func(cmd *cobra.Command, args []string) error {
@@ -143,6 +164,16 @@ func NewRootCmd(l zerolog.Logger) *cobra.Command {
 
 func init() {
 	cobra.OnInitialize(initConfigFile)
+	// Using the cobra.OnFinalize because the hooks don't work on error
+	cobra.OnFinalize(func() {
+		// In some cases the command is faster than the telemetry, in that case we wait
+		telemetryWg.Wait()
+	})
+}
+
+// isTelemetryDisabled checks if the telemetry is disabled by the user or if we are running a development version
+func isTelemetryDisabled() bool {
+	return os.Getenv(doNotTrackEnv) == "1" || os.Getenv(doNotTrackEnv) == "true" || Version == devVersion
 }
 
 func initLogger(logger zerolog.Logger) (zerolog.Logger, error) {
@@ -239,46 +270,125 @@ func loadControlplaneAuthToken(cmd *cobra.Command) (string, error) {
 // 3. API token
 // Each one of them have an associated audience claim that we use to identify the type of token. If the token is not
 // present, nor we cannot match it with one of the expected audience, return nil.
-func parseToken(token string) (*ParsedToken, error) {
+func parseToken(token string) (*parsedToken, error) {
 	if token == "" {
-		return &ParsedToken{}, nil
+		return nil, nil
 	}
 
 	// Create a parser without claims validation
 	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
 
 	// Parse the token without verification
-	parsedToken, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
+	t, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
 	if err != nil {
 		return nil, err
 	}
 
-	// Extract claims
-	claims := parsedToken.Claims.(jwt.MapClaims)
+	// Extract generic claims otherwise, we would have to parse
+	// the token again to get the claims for each type
+	claims, ok := t.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, nil
+	}
 
 	// Get the audience claim
-	if val, ok := claims["aud"]; ok && val != nil {
-		// Chainloop tokens have only one audience in an array
-		aud, ok := val.([]interface{})
-		if !ok {
-			return nil, nil
+	val, ok := claims["aud"]
+	if !ok || val == nil {
+		return nil, nil
+	}
+
+	// Ensure audience is an array of interfaces
+	// Chainloop only has one audience per token
+	aud, ok := val.([]interface{})
+	if !ok || len(aud) == 0 {
+		return nil, nil
+	}
+
+	// Initialize parsedToken
+	pToken := &parsedToken{}
+
+	// Determine the type of token based on the audience.
+	switch aud[0].(string) {
+	case apiTokenAudience:
+		pToken.tokenType = "api-token"
+		if tokenID, ok := claims["jti"].(string); ok {
+			pToken.id = tokenID
 		}
-		if len(aud) == 0 {
-			return nil, nil
+		if orgID, ok := claims["org_id"].(string); ok {
+			pToken.orgID = orgID
 		}
-
-		switch aud[0].(string) {
-		case apiTokenAudience:
-			return &ParsedToken{Type: "api-token"}, nil
-		case userAudience:
-			userID := claims["user_id"].(string)
-			return &ParsedToken{Type: "user", ID: userID}, nil
-		case robotAccountAudience:
-			return &ParsedToken{Type: "robot-account"}, nil
-		default:
-			return nil, nil
+	case userAudience:
+		pToken.tokenType = "user"
+		if userID, ok := claims["user_id"].(string); ok {
+			pToken.id = userID
+		}
+	case robotAccountAudience:
+		pToken.tokenType = "robot-account"
+		if tokenID, ok := claims["jti"].(string); ok {
+			pToken.id = tokenID
+		}
+		if orgID, ok := claims["org_id"].(string); ok {
+			pToken.orgID = orgID
 		}
+	default:
+		return nil, nil
+	}
+
+	return pToken, nil
+}
+
+var (
+	// Posthog API key and endpoint to be injected in the build process
+	posthogAPIKey   = ""
+	posthogEndpoint = ""
+)
+
+// recordCommand sends the command to the telemetry service
+func recordCommand(executedCmd *cobra.Command, authInfo *parsedToken) error {
+	telemetryClient, err := posthog.NewClient(posthogAPIKey, posthogEndpoint)
+	if err != nil {
+		logger.Debug().Err(err).Msgf("creating telemetry client: %v", err)
+	}
+
+	cmdTracker := telemetry.NewCommandTracker(telemetryClient)
+	tags := telemetry.Tags{
+		"cli_version":      Version,
+		"cp_url_hash":      hashControlPlaneURL(),
+		"chainloop_source": "cli",
+	}
+
+	// It tries to extract the token from the context and add it to the tags. If it fails, it will ignore it.
+	if authInfo != nil {
+		tags["token_type"] = authInfo.tokenType
+		tags["user_id"] = authInfo.id
+		tags["org_id"] = authInfo.orgID
+	}
+
+	if err = cmdTracker.Track(executedCmd.Context(), extractCmdLineFromCommand(executedCmd), tags); err != nil {
+		return fmt.Errorf("sending event: %w", err)
 	}
 
-	return nil, nil
+	return nil
+}
+
+// extractCmdLineFromCommand returns the full command hierarchy as a string from a cobra.Command
+func extractCmdLineFromCommand(cmd *cobra.Command) string {
+	var cmdHierarchy []string
+	currentCmd := cmd
+	// While the current command is not the root command, keep iteration.
+	// This is done to get the full hierarchy of the command and remove the root command from the hierarchy.
+	for currentCmd.Use != "chainloop" {
+		cmdHierarchy = append([]string{currentCmd.Use}, cmdHierarchy...)
+		currentCmd = currentCmd.Parent()
+	}
+
+	cmdLine := strings.Join(cmdHierarchy, " ")
+	return cmdLine
+}
+
+// hashControlPlaneURL returns a hash of the control plane URL
+func hashControlPlaneURL() string {
+	url := viper.GetString("control-plane.API")
+
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(url)))
 }

app/cli/cmd/root_test.go

@@ -25,38 +25,68 @@ func TestParseToken(t *testing.T) {
 	tests := []struct {
 		name  string
 		token string
-		want  ParsedToken
+		want  *parsedToken
 	}{
 		{
 			name:  "robot account",
-			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiI5M2QwMjI3NS04NTNjLTRhZDYtOWQ2MC04ZjU2MmIxMjNmZDIiLCJ3b3JrZmxvd19pZCI6IjM1ZTZkOGIwLWE0OGYtNDFmYS05YmU3LWQ1OTM5YjJkZGUyNiIsImlzcyI6ImNwLmNoYWlubG9vcCIsImF1ZCI6WyJhdHRlc3RhdGlvbnMuY2hhaW5sb29wIl0sImp0aSI6IjQ4YWVhMWNiLTk5MGUtNDM2OS1hOTFhLTczNTIzNzk1NjhiNSJ9.aYPAPK-AauJpxRGEapV2ejwxhyhmFej6S79Ni-xJ4Q0",
-			want: ParsedToken{
-				Type: "robot-account",
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiJkZGRiODIwMS1lYWI2LTRlNjEtOTIwMS1mMTJiNDdjMDE4OTIiLCJ3b3JrZmxvd19pZCI6ImY0NmIzMDc5LTMwOGYtNGIwNC1hYjYwLTY3NDNmOGUzMGQzMyIsImlzcyI6ImNwLmNoYWlubG9vcCIsImF1ZCI6WyJhdHRlc3RhdGlvbnMuY2hhaW5sb29wIl0sImp0aSI6IjkzODI5NDE1LTA1ODYtNDFkYS05NTJkLTkyYTRjNDk1ZWEyMCJ9.3Af2C62PiODbEknhv47j0LHLuAgWLqvTrfmIzFjwPCM",
+			want: &parsedToken{
+				id:        "93829415-0586-41da-952d-92a4c495ea20",
+				tokenType: "robot-account",
+				orgID:     "dddb8201-eab6-4e61-9201-f12b47c01892",
 			},
 		},
 		{
 			name:  "user account",
 			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiYmMwYjIxOTktY2E4NS00MmFiLWE4NTctMDQyZTljMTA5ZDQzIiwiaXNzIjoiY3AuY2hhaW5sb29wIiwiYXVkIjpbInVzZXItYXV0aC5jaGFpbmxvb3AiXSwiZXhwIjoxNzE1OTM1MjUwfQ.ounYshGtagtYQsVIzNeE0ztVYRXrmjFSpdmaTF4QvyY",
-			want: ParsedToken{
-				ID:   "bc0b2199-ca85-42ab-a857-042e9c109d43",
-				Type: "user",
+			want: &parsedToken{
+				id:        "bc0b2199-ca85-42ab-a857-042e9c109d43",
+				tokenType: "user",
 			},
 		},
 		{
 			name:  "api token",
-			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjcC5jaGFpbmxvb3AiLCJhdWQiOlsiYXBpLXRva2VuLWF1dGguY2hhaW5sb29wIl0sImp0aSI6IjE0NTQ5MzUwLTFjNGItNDdlYi05NDZkLWY2MjJhZWYyMDk0MyJ9.BPzuNxSwx10h22fJ3ocAOEIjsq9OOlk9p8fSoCwqSmM",
-			want: ParsedToken{
-				Type: "api-token",
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiJkZGRiODIwMS1lYWI2LTRlNjEtOTIwMS1mMTJiNDdjMDE4OTIiLCJpc3MiOiJjcC5jaGFpbmxvb3AiLCJhdWQiOlsiYXBpLXRva2VuLWF1dGguY2hhaW5sb29wIl0sImp0aSI6IjRiMGYwZGQ0LTQ1MzgtNDI2OS05MmE5LWFiNWIwZmNlMDI1OCJ9.yMgsoe4CcqYoNp0xtrvvSGj1Y74HeqxoxS5sw8pdnQ8",
+			want: &parsedToken{
+				id:        "4b0f0dd4-4538-4269-92a9-ab5b0fce0258",
+				tokenType: "api-token",
+				orgID:     "dddb8201-eab6-4e61-9201-f12b47c01892",
 			},
 		},
+		{
+			name:  "old api token (without orgID)",
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjcC5jaGFpbmxvb3AiLCJhdWQiOlsiYXBpLXRva2VuLWF1dGguY2hhaW5sb29wIl0sImp0aSI6ImQ0ZTBlZTVlLTk3MTMtNDFkMi05ZmVhLTBiZGIxNDAzMzA4MSJ9.IOd3JIHPwfo9ihU20kvRwLIQJcQtTvp-ajlGqlCD4Es",
+			want: &parsedToken{
+				id:        "d4e0ee5e-9713-41d2-9fea-0bdb14033081",
+				tokenType: "api-token",
+			},
+		},
+		{
+			name:  "old robot account",
+			token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiI5M2QwMjI3NS04NTNjLTRhZDYtOWQ2MC04ZjU2MmIxMjNmZDIiLCJ3b3JrZmxvd19pZCI6IjM1ZTZkOGIwLWE0OGYtNDFmYS05YmU3LWQ1OTM5YjJkZGUyNiIsImlzcyI6ImNwLmNoYWlubG9vcCIsImF1ZCI6WyJhdHRlc3RhdGlvbnMuY2hhaW5sb29wIl0sImp0aSI6ImUxZDUzOGQxLWI2MWQtNGY4MC1iZWQzLWM3MGE1NzRlOWI2NiJ9.81WltZtOno26oNydJ-YtHRwAIEmD2B4RgChhsS4yYVk",
+			want: &parsedToken{
+				id:        "e1d538d1-b61d-4f80-bed3-c70a574e9b66",
+				tokenType: "robot-account",
+				orgID:     "93d02275-853c-4ad6-9d60-8f562b123fd2",
+			},
+		},
+		{
+			name:  "totally random token",
+			token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE3MTYxOTE2ODQsImV4cCI6MTc0NzcyNzY4NCwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.5UnBivwkQCG4qWgi-gWkJ-Dsd7-A9G_EVEvswODc7Kk",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := parseToken(tt.token)
 			assert.NoError(t, err)
+			if tt.want == nil {
+				assert.Nil(t, got)
+				return
+			}
 
-			assert.Equal(t, tt.want.ID, got.ID)
-			assert.Equal(t, tt.want.Type, got.Type)
+			assert.Equal(t, tt.want.id, got.id)
+			assert.Equal(t, tt.want.tokenType, got.tokenType)
+			assert.Equal(t, tt.want.orgID, got.orgID)
 		})
 	}
 }