PMM-11040: Add security metrics with info about encryption (#599)

dliakhov · web-flow · commit 86756f925012 · 2022-12-19T16:05:23.000+02:00
* PMM-11040: Add security metrics with info about encryption
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -206,3 +206,13 @@ services:
         ports:
             - "${TEST_MONGODB_STANDALONE_PORT:-27017}:27017"
         command: mongod --port 27017  --oplogSize 16
+
+    standalone-encrypted:
+        container_name: "standalone-encrypted"
+        image: percona/percona-server-mongodb:5.0.13-11
+        ports:
+            - "${TEST_MONGODB_STANDALONE_ENCRYPTED_PORT:-27027}:27017"
+        volumes:
+            - ./docker/secret/mongodb_secrets.txt:/secret/mongodb_secrets.txt
+            - ./docker/scripts:/scripts
+        command: /scripts/run-mongodb-encrypted.sh
diff --git a/docker/scripts/run-mongodb-encrypted.sh b/docker/scripts/run-mongodb-encrypted.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# set proper permissions for secret file, otherwise mongodb won't start
+chmod 600 /secret/mongodb_secrets.txt
+mongod --port 27017  --oplogSize 16 --bind_ip_all --enableEncryption --encryptionKeyFile  /secret/mongodb_secrets.txt
diff --git a/docker/secret/mongodb_secrets.txt b/docker/secret/mongodb_secrets.txt
@@ -0,0 +1 @@
+zN94kcTrN2CC/X1L9a54/VebKctZnJ/QIO3JdzUWKdY=
diff --git a/exporter/diagnostic_data_collector.go b/exporter/diagnostic_data_collector.go
@@ -26,6 +26,12 @@ import (
 	"go.mongodb.org/mongo-driver/mongo"
 )
 
+const (
+	kmipEncryption         = "kmip"
+	vaultEncryption        = "vault"
+	localKeyFileEncryption = "localKeyFile"
+)
+
 type diagnosticDataCollector struct {
 	ctx  context.Context
 	base *baseCollector
@@ -89,6 +95,13 @@ func (d *diagnosticDataCollector) collect(ch chan<- prometheus.Metric) {
 	metrics := makeMetrics("", m, d.topologyInfo.baseLabels(), d.compatibleMode)
 	metrics = append(metrics, locksMetrics(logger, m)...)
 
+	securityMetric, err := d.getSecurityMetricFromLineOptions(client)
+	if err != nil {
+		logger.Errorf("cannot decode getCmdLineOtpions: %s", err)
+	} else if securityMetric != nil {
+		metrics = append(metrics, securityMetric)
+	}
+
 	if d.compatibleMode {
 		metrics = append(metrics, specialMetrics(d.ctx, client, m, logger)...)
 
@@ -111,5 +124,67 @@ func (d *diagnosticDataCollector) collect(ch chan<- prometheus.Metric) {
 	}
 }
 
+func (d *diagnosticDataCollector) getSecurityMetricFromLineOptions(client *mongo.Client) (prometheus.Metric, error) {
+	var cmdLineOpionsBson bson.M
+	cmdLineOptions := bson.D{{Key: "getCmdLineOpts", Value: "1"}}
+	resCmdLineOptions := client.Database("admin").RunCommand(d.ctx, cmdLineOptions)
+	if resCmdLineOptions.Err() != nil {
+		return nil, errors.Wrap(resCmdLineOptions.Err(), "cannot execute getCmdLineOpts command")
+	}
+	if err := resCmdLineOptions.Decode(&cmdLineOpionsBson); err != nil {
+		return nil, errors.Wrap(err, "cannot parse response of the getCmdLineOpts command")
+	}
+
+	if cmdLineOpionsBson == nil || cmdLineOpionsBson["parsed"] == nil {
+		return nil, errors.New("cmdlined options is empty")
+	}
+	parsedOptions, ok := cmdLineOpionsBson["parsed"].(bson.M)
+	if !ok {
+		return nil, errors.New("cannot cast parsed options to BSON")
+	}
+	securityOptions, ok := parsedOptions["security"].(bson.M)
+	if !ok {
+		return nil, nil
+	}
+
+	metric, err := d.retrieveSecurityEncryptionMetric(securityOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	return metric, nil
+}
+
+func (d *diagnosticDataCollector) retrieveSecurityEncryptionMetric(securityOptions bson.M) (prometheus.Metric, error) {
+	_, ok := securityOptions["enableEncryption"]
+	if !ok {
+		return nil, nil
+	}
+
+	var encryptionType string
+	_, ok = securityOptions["kmip"]
+	if ok {
+		encryptionType = kmipEncryption
+	}
+	_, ok = securityOptions["vault"]
+	if ok {
+		encryptionType = vaultEncryption
+	}
+	_, ok = securityOptions["encryptionKeyFile"]
+	if ok {
+		encryptionType = localKeyFileEncryption
+	}
+
+	labels := map[string]string{"type": encryptionType}
+	desc := prometheus.NewDesc("mongodb_security_encryption_enabled", "Shows that encryption is enabled",
+		nil, labels)
+	metric, err := prometheus.NewConstMetric(desc, prometheus.GaugeValue, float64(1))
+	if err != nil {
+		return nil, errors.Wrap(err, "cannot create metric mongodb_security_encryption_enabled")
+	}
+
+	return metric, nil
+}
+
 // check interface.
 var _ prometheus.Collector = (*diagnosticDataCollector)(nil)
diff --git a/exporter/encryption_info_test.go b/exporter/encryption_info_test.go
@@ -0,0 +1,67 @@
+// mongodb_exporter
+// Copyright (C) 2017 Percona LLC
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+package exporter
+
+import (
+	"context"
+	"io"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus/testutil"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/percona/mongodb_exporter/internal/tu"
+)
+
+func TestGetEncryptionInfo(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	client := tu.TestClient(ctx, tu.MongoDBStandAloneEncryptedPort, t)
+	t.Cleanup(func() {
+		err := client.Disconnect(ctx)
+		assert.NoError(t, err)
+	})
+	logger := logrus.New()
+	logger.Out = io.Discard // disable logs in tests
+
+	ti := labelsGetterMock{}
+
+	c := newDiagnosticDataCollector(ctx, client, logger, true, ti)
+
+	// The last \n at the end of this string is important
+	expected := strings.NewReader(`
+	# HELP mongodb_security_encryption_enabled Shows that encryption is enabled
+	# TYPE mongodb_security_encryption_enabled gauge
+	mongodb_security_encryption_enabled{type="localKeyFile"} 1
+	# HELP mongodb_version_info The server version
+	# TYPE mongodb_version_info gauge
+	mongodb_version_info{edition="Community",mongodb="5.0.13-11",vendor="Percona"} 1` + "\n")
+
+	filter := []string{
+		"mongodb_security_encryption_enabled",
+		"mongodb_version_info",
+	}
+
+	err := testutil.CollectAndCompare(c, expected, filter...)
+	assert.NoError(t, err)
+}
diff --git a/internal/tu/testutils.go b/internal/tu/testutils.go
@@ -50,6 +50,8 @@ const (
 	MongoDBStandAlonePort = "27017"
 	// MongoDBConfigServer1Port MongoDB config server primary Port.
 	MongoDBConfigServer1Port = "17009"
+	// MongoDBStandAloneEncryptedPort MongoDB standalone encrypted instance Port.
+	MongoDBStandAloneEncryptedPort = "27027"
 )
 
 // GetenvDefault gets a variable from the environment and returns its value or the

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+zN94kcTrN2CC/X1L9a54/VebKctZnJ/QIO3JdzUWKdY=`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ const (`
`50`	`50`	`MongoDBStandAlonePort = "27017"`
`51`	`51`	`// MongoDBConfigServer1Port MongoDB config server primary Port.`
`52`	`52`	`MongoDBConfigServer1Port = "17009"`
	`53`	`+ // MongoDBStandAloneEncryptedPort MongoDB standalone encrypted instance Port.`
	`54`	`+ MongoDBStandAloneEncryptedPort = "27027"`
`53`	`55`	`)`
`54`	`56`
`55`	`57`	`// GetenvDefault gets a variable from the environment and returns its value or the`