feat: add register_auth error metric with reasons (#76)

dhruvjain99 · dhruvjain99 · web-flow · commit 7a40c0864f66 · 2025-07-02T22:46:06.000+05:30
* feat: add register_auth error metric with reasons

* fix: runner with deprecated ubuntu20 image

* fix: job failed as it couldn't find otp23

* fix: fmt

* fix: dialyzer and test errors

* fix: unwanted changes due to failing GH CI

---------

Co-authored-by: dhruvjain99 &lt;dhruv.jain@gojek.com&gt;
diff --git a/apps/vmq_enhanced_auth/rebar.config b/apps/vmq_enhanced_auth/rebar.config
@@ -1,4 +1,11 @@
 %%-*- mode: erlang -*-
 {deps, [
+    {lager, "3.8.0"},
     {jwerl, {git, "https://github.com/G-Corp/jwerl.git", {tag, "1.1.0"}}}
 ]}.
+
+{erl_opts, [
+    {parse_transform, lager_transform},
+    warnings_as_errors,
+    debug_info
+]}.
diff --git a/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.app.src b/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.app.src
@@ -6,13 +6,15 @@
         kernel,
         stdlib,
         clique,
-        jwerl
+        jwerl,
+        lager
     ]},
     {mod, {vmq_enhanced_auth_app, []}},
     {env, [
         {file, "priv/test.acl"},
         {interval, 10},
         {vmq_config_enabled, true},
+        {vmq_metrics_mfa, {vmq_enhanced_auth_metrics, metrics, []}},
         {vmq_plugin_hooks, [
             {vmq_enhanced_auth, change_config, 1, [internal]},
             {vmq_enhanced_auth, auth_on_publish, 6, []},
diff --git a/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.erl b/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.erl
@@ -42,6 +42,7 @@
 -import(vmq_topic, [words/1, match/2]).
 
 -include_lib("vmq_server/src/vmq_server.hrl").
+-include_lib("vmq_enhanced_auth/src/vmq_enhanced_auth.hrl").
 
 -define(TABLES, [
     vmq_enhanced_auth_acl_read_pattern,
@@ -173,7 +174,7 @@ auth_on_register(
     %%      - {mountpoint, NewMountPoint::string}
     %%      - {clean_session, NewCleanSession::boolean}
     %% 4. return {error, invalid_credentials} -> CONNACK_CREDENTIALS is sent
-    %% 5. return {error, whatever} -> CONNACK_AUTH is sent
+    %% 5. return {error, Error} -> CONNACK_AUTH is sent
 
     %% we return 'ok'
     D = is_auth_on_register_disabled(),
@@ -183,9 +184,12 @@ auth_on_register(
         true ->
             {Result, Claims} = verify(Password, ?SecretKey),
             if
-                Result =:= ok -> check_rid(Claims, UserName);
+                Result =:= ok ->
+                    check_rid(Claims, UserName);
                 %else block
-                true -> {error, invalid_signature}
+                true ->
+                    vmq_enhanced_auth_metrics:incr({?REGISTER_AUTH_ERROR, ?INVALID_SIGNATURE}),
+                    {error, ?INVALID_SIGNATURE}
             end
     end.
 
@@ -593,12 +597,16 @@ check_rid(Claims, UserName) ->
     case maps:find(rid, Claims) of
         {ok, Value} ->
             if
-                Value =:= UserName -> ok;
+                Value =:= UserName ->
+                    ok;
                 %else block
-                true -> error
+                true ->
+                    vmq_enhanced_auth_metrics:incr({?REGISTER_AUTH_ERROR, ?USERNAME_RID_MISMATCH}),
+                    {error, ?USERNAME_RID_MISMATCH}
             end;
         error ->
-            error
+            vmq_enhanced_auth_metrics:incr({?REGISTER_AUTH_ERROR, ?MISSING_RID}),
+            {error, ?MISSING_RID}
     end.
 
 -ifdef(TEST).
diff --git a/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.hrl b/apps/vmq_enhanced_auth/src/vmq_enhanced_auth.hrl
@@ -0,0 +1,4 @@
+-define(REGISTER_AUTH_ERROR, register_auth_error).
+-define(INVALID_SIGNATURE, invalid_signature).
+-define(USERNAME_RID_MISMATCH, username_rid_mismatch).
+-define(MISSING_RID, missing_rid).
diff --git a/apps/vmq_enhanced_auth/src/vmq_enhanced_auth_metrics.erl b/apps/vmq_enhanced_auth/src/vmq_enhanced_auth_metrics.erl
@@ -0,0 +1,222 @@
+%% Copyright Gojek
+
+-module(vmq_enhanced_auth_metrics).
+
+-behaviour(gen_server).
+
+%% API
+-export([
+    start_link/0,
+    metrics/0,
+    incr/1,
+    incr/2
+]).
+
+%% gen_server callbacks
+-export([
+    init/1,
+    handle_call/3,
+    handle_cast/2,
+    handle_info/2,
+    terminate/2,
+    code_change/3
+]).
+
+-define(SERVER, ?MODULE).
+
+-include_lib("vmq_enhanced_auth/src/vmq_enhanced_auth.hrl").
+
+-record(state, {}).
+-record(metric_def, {
+    type :: atom(),
+    labels :: [metric_label()],
+    id :: metric_id(),
+    name :: atom(),
+    description :: undefined | binary()
+}).
+
+-type metric_def() :: #metric_def{}.
+-type metric_val() :: {Id :: metric_id(), Val :: any()}.
+-type metric_label() :: {atom(), string()}.
+-type metric_id() ::
+    atom()
+    | {atom(), non_neg_integer() | atom()}
+    | {atom(), atom(), atom()}
+    | [{atom(), [{atom(), any()}]}].
+
+%%%===================================================================
+%%% API
+%%%===================================================================
+
+-spec start_link() -> 'ignore' | {'error', _} | {'ok', pid()}.
+start_link() ->
+    gen_server:start_link({local, ?SERVER}, ?MODULE, [], []).
+
+-spec metrics() -> [{metric_def(), non_neg_integer()}].
+metrics() ->
+    MetricDefs = metrics_defs(),
+    MetricValues = metric_values(),
+
+    %% Create id->metric def map
+    IdDef = lists:foldl(
+        fun(#metric_def{id = Id} = MD, Acc) ->
+            maps:put(Id, MD, Acc)
+        end,
+        #{},
+        MetricDefs
+    ),
+
+    %% Merge metrics definitions with values and filter based on labels.
+    Metrics = lists:filtermap(
+        fun({Id, Val}) ->
+            case maps:find(Id, IdDef) of
+                {ok, #metric_def{
+                    type = Type, id = Id, name = Name, labels = GotLabels, description = Description
+                }} ->
+                    {true, {Type, GotLabels, Id, Name, Description, Val}};
+                error ->
+                    %% this could happen if metric definitions does
+                    %% not correspond to the ids returned with the
+                    %% metrics values.
+                    lager:warning("unknown metrics id: ~p", [Id]),
+                    false
+            end
+        end,
+        MetricValues
+    ),
+    Metrics.
+
+-spec incr(any()) -> 'ok'.
+incr(Entry) ->
+    incr_item(Entry, 1).
+
+-spec incr(any(), non_neg_integer()) -> 'ok'.
+incr(Entry, N) ->
+    incr_item(Entry, N).
+
+%%%===================================================================
+%%% gen_server callbacks
+%%%===================================================================
+
+-spec init(_) -> {ok, #state{}}.
+init([]) ->
+    AllEntries = [Id || #metric_def{id = Id} <- metrics_defs()],
+    NumEntries = length(AllEntries),
+    %% Sanity check where it is checked that there is a one-to-one
+    %% mapping between atomics indexes and metrics identifiers by 1)
+    %% checking that all metric identifiers have an atomics index and
+    %% 2) that there are as many indexes as there are metrics and 3)
+    %% that there are no index duplicates.
+    Idxs = lists:map(fun(Id) -> met2idx(Id) end, AllEntries),
+    NumEntries = length(lists:sort(Idxs)),
+    NumEntries = length(lists:usort(Idxs)),
+
+    %% only alloc a new atomics array if one doesn't already exist!
+    case catch persistent_term:get(?MODULE) of
+        {'EXIT', {badarg, _}} ->
+            %% allocate twice the number of entries to make it possible to add
+            %% new metrics during a hot code upgrade.
+            ARef = atomics:new(2 * NumEntries, [{signed, false}]),
+            persistent_term:put(?MODULE, ARef);
+        _ExistingRef ->
+            ok
+    end,
+    {ok, #state{}}.
+
+handle_call(_Request, _From, State) ->
+    Reply = ok,
+    {reply, Reply, State}.
+
+handle_cast(_Msg, State) ->
+    {noreply, State}.
+
+handle_info(_Info, State) ->
+    {noreply, State}.
+
+terminate(_Reason, _State) ->
+    ok.
+
+code_change(_OldVsn, State, _Extra) ->
+    {ok, State}.
+
+%%%===================================================================
+%%% Internal functions
+%%%===================================================================
+
+%% don't do the update
+incr_item(_, 0) ->
+    ok;
+incr_item(Entry, Val) when Val > 0 ->
+    ARef =
+        case get(vmq_enhanced_auth_atomics_ref) of
+            undefined ->
+                Ref = persistent_term:get(?MODULE),
+                put(vmq_enhanced_auth_atomics_ref, Ref),
+                Ref;
+            Ref ->
+                Ref
+        end,
+    atomics:add(ARef, met2idx(Entry), Val).
+
+-spec metric_values() -> [metric_val()].
+metric_values() ->
+    lists:map(
+        fun(#metric_def{id = Id}) ->
+            try counter_val(Id) of
+                Value -> {Id, Value}
+            catch
+                _:_ -> {Id, 0}
+            end
+        end,
+        metrics_defs()
+    ).
+
+-spec metrics_defs() -> [metric_def()].
+metrics_defs() ->
+    [
+        m(
+            counter,
+            [
+                {reason, atom_to_list(?INVALID_SIGNATURE)}
+            ],
+            {?REGISTER_AUTH_ERROR, ?INVALID_SIGNATURE},
+            ?REGISTER_AUTH_ERROR,
+            <<"The number of times the auth_on_register hook returned error due to invalid_signature.">>
+        ),
+        m(
+            counter,
+            [
+                {reason, atom_to_list(?MISSING_RID)}
+            ],
+            {?REGISTER_AUTH_ERROR, ?MISSING_RID},
+            ?REGISTER_AUTH_ERROR,
+            <<"The number of times the auth_on_register hook returned error due to missing_rid.">>
+        ),
+        m(
+            counter,
+            [
+                {reason, atom_to_list(?USERNAME_RID_MISMATCH)}
+            ],
+            {?REGISTER_AUTH_ERROR, ?USERNAME_RID_MISMATCH},
+            ?REGISTER_AUTH_ERROR,
+            <<"The number of times the auth_on_register hook returned error due to username_rid_mismatch.">>
+        )
+    ].
+
+-spec m(atom(), [metric_label()], metric_id(), atom(), 'undefined' | binary()) -> metric_def().
+m(Type, Labels, UniqueId, Name, Description) ->
+    #metric_def{
+        type = Type,
+        labels = Labels,
+        id = UniqueId,
+        name = Name,
+        description = Description
+    }.
+
+counter_val(Entry) ->
+    ARef = persistent_term:get(?MODULE),
+    atomics:get(ARef, met2idx(Entry)).
+
+met2idx({?REGISTER_AUTH_ERROR, ?INVALID_SIGNATURE}) -> 1;
+met2idx({?REGISTER_AUTH_ERROR, ?USERNAME_RID_MISMATCH}) -> 2;
+met2idx({?REGISTER_AUTH_ERROR, ?MISSING_RID}) -> 3.
diff --git a/apps/vmq_enhanced_auth/src/vmq_enhanced_auth_sup.erl b/apps/vmq_enhanced_auth/src/vmq_enhanced_auth_sup.erl
@@ -37,4 +37,7 @@ start_link() ->
 %% ===================================================================
 
 init([]) ->
-    {ok, {{one_for_one, 5, 10}, [?CHILD(vmq_enhanced_auth_reloader, worker)]}}.
+    {ok,
+        {{one_for_one, 5, 10}, [
+            ?CHILD(vmq_enhanced_auth_reloader, worker), ?CHILD(vmq_enhanced_auth_metrics, worker)
+        ]}}.
diff --git a/apps/vmq_enhanced_auth/test/vmq_enhanced_auth_SUITE.erl b/apps/vmq_enhanced_auth/test/vmq_enhanced_auth_SUITE.erl
@@ -1,5 +1,7 @@
 -module(vmq_enhanced_auth_SUITE).
 
+-include_lib("vmq_enhanced_auth/src/vmq_enhanced_auth.hrl").
+
 %% API
 -export([
   init_per_suite/1,
@@ -28,6 +30,7 @@ all() ->
 
 init_per_suite(_Config) ->
   cover:start(),
+  vmq_enhanced_auth_metrics:start_link(),
   _Config.
 
 end_per_suite(_Config) ->
@@ -55,7 +58,7 @@ auth_on_register_rid_absent_test(_) ->
 
   %When rid is not present in claims
   Password = jwerl:sign([{norid, <<"username">>}], hs256, <<"test-key">>),
-  error = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, "username", Password, false),
+  {error, ?MISSING_RID} = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, "username", Password, false),
   application:unset_env(vmq_enhanced_auth, secret_key),
   application:unset_env(vmq_enhanced_auth, enable_jwt_auth).
 
@@ -65,7 +68,7 @@ auth_on_register_rid_different_test(_) ->
 
   %When rid in claims is different from username
   Password = jwerl:sign([{rid, <<"different_username">>}], hs256, <<"test-key">>),
-  error = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, <<"username">>, Password, false),
+  {error, ?USERNAME_RID_MISMATCH} = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, <<"username">>, Password, false),
   application:unset_env(vmq_enhanced_auth, secret_key),
   application:unset_env(vmq_enhanced_auth, enable_jwt_auth).
 
@@ -74,7 +77,7 @@ auth_on_register_unparsable_token_test(_) ->
   ok = application:set_env(vmq_enhanced_auth, enable_jwt_auth, true),
 
   %When password is not jwt from username
-  {error, invalid_signature} = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, <<"username">>, <<"Password">>, false),
+  {error, ?INVALID_SIGNATURE} = vmq_enhanced_auth:auth_on_register({"",""}, {"",""}, <<"username">>, <<"Password">>, false),
   application:unset_env(vmq_enhanced_auth, secret_key),
   application:unset_env(vmq_enhanced_auth, enable_jwt_auth).
 
