@@ -252,10 +252,10 @@ def decrypt_token(self, username, token):
252252 version < self .minimum_token_version ):
253253 raise TokenValidationError ('Unacceptable token version.' )
254254 if self .stats :
255- self .stats .incr ('token_version_{0}' . format ( version ) )
256- self .stats .incr (f'cache_key.from. { _from } ' )
257- self .stats .incr (f'cache_key.to. { self .to_auth_context } ' )
258- self .stats .incr (f'cache_key.user_type. { user_type } ' )
255+ self .stats .incr ('token_version_{version}' )
256+ self .stats .incr (f'cache_key_from_ { _from } ' )
257+ self .stats .incr (f'cache_key_to_ { self .to_auth_context } ' )
258+ self .stats .incr (f'cache_key_user_type_ { user_type } ' )
259259 try :
260260 token_key = '{0}{1}{2}{3}' .format (
261261 hashlib .sha256 (ensure_bytes (token )).hexdigest (),
@@ -267,10 +267,10 @@ def decrypt_token(self, username, token):
267267 raise TokenValidationError ('Authentication error.' )
268268 if token_key not in self .TOKENS :
269269 if self .stats :
270- self .stats .incr ('token_cache.miss ' )
271- self .stats .gauge ('token_cache.size_at_miss ' , len (self .TOKENS ))
270+ self .stats .incr ('token_cache_miss ' )
271+ self .stats .gauge ('token_cache_size_at_miss ' , len (self .TOKENS ))
272272 if len (self .TOKENS ) >= self .token_cache_size :
273- self .stats .incr ('token_cache.eviction ' )
273+ self .stats .incr ('token_cache_eviction ' )
274274
275275 try :
276276 token = base64 .b64decode (token )
@@ -295,25 +295,27 @@ def decrypt_token(self, username, token):
295295 # Decrypt doesn't take KeyId as an argument. We need to verify
296296 # the correct key was used to do the decryption.
297297 # Annoyingly, the KeyId from the data is actually an arn.
298- key_arn = data ['KeyId' ]
299- if user_type == 'service' :
300- if not self ._valid_service_auth_key (key_arn ):
301- raise TokenValidationError (
302- 'Authentication error (wrong KMS key).'
303- )
304- elif user_type == 'user' :
305- if not self ._valid_user_auth_key (key_arn ):
306- raise TokenValidationError (
307- 'Authentication error (wrong KMS key).'
308- )
309- else :
310- raise TokenValidationError (
311- 'Authentication error. Unsupported user_type.'
312- )
313- plaintext = data ['Plaintext' ]
314- payload = json .loads (plaintext )
315- key_alias = self ._get_key_alias_from_cache (key_arn )
316- ret = {'payload' : payload , 'key_alias' : key_alias }
298+ if self .stats :
299+ with self .stats .timer ('kms_decrypt_token_post_validation' ):
300+ key_arn = data ['KeyId' ]
301+ if user_type == 'service' :
302+ if not self ._valid_service_auth_key (key_arn ):
303+ raise TokenValidationError (
304+ 'Authentication error (wrong KMS key).'
305+ )
306+ elif user_type == 'user' :
307+ if not self ._valid_user_auth_key (key_arn ):
308+ raise TokenValidationError (
309+ 'Authentication error (wrong KMS key).'
310+ )
311+ else :
312+ raise TokenValidationError (
313+ 'Authentication error. Unsupported user_type.'
314+ )
315+ plaintext = data ['Plaintext' ]
316+ payload = json .loads (plaintext )
317+ key_alias = self ._get_key_alias_from_cache (key_arn )
318+ ret = {'payload' : payload , 'key_alias' : key_alias }
317319 except TokenValidationError :
318320 raise
319321 except (ConnectionError , EndpointConnectionError ):
@@ -330,40 +332,42 @@ def decrypt_token(self, username, token):
330332 )
331333 else :
332334 if self .stats :
333- self .stats .incr ('token_cache.hit ' )
335+ self .stats .incr ('token_cache_hit ' )
334336 ret = self .TOKENS [token_key ]
335337 now = datetime .datetime .utcnow ()
336- try :
337- not_before = datetime .datetime .strptime (
338- ret ['payload' ]['not_before' ],
339- TIME_FORMAT
340- )
341- not_after = datetime .datetime .strptime (
342- ret ['payload' ]['not_after' ],
343- TIME_FORMAT
344- )
345- except Exception :
346- logging .exception (
347- 'Failed to get not_before and not_after from token payload.'
348- )
349- raise TokenValidationError (
350- 'Authentication error. Missing validity.'
351- )
352- delta = (not_after - not_before ).seconds / 60
353- if delta > self .auth_token_max_lifetime :
354- logging .warning ('Token used which exceeds max token lifetime.' )
355- raise TokenValidationError (
356- 'Authentication error. Token lifetime exceeded.'
357- )
358- if (now < not_before ) or (now > not_after ):
359- logging .warning ('Invalid time validity for token.' )
360- raise TokenValidationError (
361- 'Authentication error. Invalid time validity for token.'
362- )
363338 if self .stats :
364- self .stats .incr ('token_cache.set' )
365- self .stats .gauge ('token_cache.size_at_set' , len (self .TOKENS ))
366- self .TOKENS [token_key ] = ret
339+ with self .stats .timer ('kms_decrypt_token_final_validation' ):
340+ try :
341+ not_before = datetime .datetime .strptime (
342+ ret ['payload' ]['not_before' ],
343+ TIME_FORMAT
344+ )
345+ not_after = datetime .datetime .strptime (
346+ ret ['payload' ]['not_after' ],
347+ TIME_FORMAT
348+ )
349+ except Exception :
350+ logging .exception (
351+ 'Failed to get not_before and not_after from token payload.' # noqa: E501
352+ )
353+ raise TokenValidationError (
354+ 'Authentication error. Missing validity.'
355+ )
356+ delta = (not_after - not_before ).seconds / 60
357+ if delta > self .auth_token_max_lifetime :
358+ logging .warning ('Token used which exceeds max token lifetime.' ) # noqa: E501
359+ raise TokenValidationError (
360+ 'Authentication error. Token lifetime exceeded.'
361+ )
362+ if (now < not_before ) or (now > not_after ):
363+ logging .warning ('Invalid time validity for token.' )
364+ raise TokenValidationError (
365+ 'Authentication error. Invalid time validity for token.'
366+ )
367+ if self .stats :
368+ self .stats .incr ('token_cache_set' )
369+ self .stats .gauge ('token_cache_size_at_set' , len (self .TOKENS )) # noqa: E501
370+ self .TOKENS [token_key ] = ret
367371 return self .TOKENS [token_key ]
368372
369373
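Review bot: The time-validity check (new lines 340–366: parsing `not_before`/`not_after`, the max-lifetime test and the `now` window) now appears to sit under `if self.stats:` / `with self.stats.timer(...)`, so with no stats client configured a token served from `self.TOKENS` is returned without its expiry ever being re-checked, and on a cache miss the same gating of the KMS key-ownership block (new lines 298–318) leaves `ret` unassigned; indentation is lost in this rendering, but the diff matched the pre-existing `if self.stats:` as unchanged context above the moved validation lines, which is consistent only with that nesting. Authentication checks must not depend on telemetry being enabled: keep both validation blocks unconditional and make only the timer optional, e.g. `timer = self.stats.timer('kms_decrypt_token_final_validation') if self.stats else contextlib.nullcontext()` followed by `with timer:` (needs `import contextlib`), with the same shape for `'kms_decrypt_token_post_validation'`; the inner `if self.stats:` at new line 367 then remains as the guard for `incr`/`gauge` only. Also, in the first hunk new line 255 `self.stats.incr('token_version_{version}')` lost the `f` prefix when converted from `.format(version)`, so every token increments one literal `token_version_{version}` counter instead of a per-version one. decrypt_token begins before the first hunk and its exception handling continues between hunks.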