
Commit 5fa4744

feat: add issuer_url to oidc service metrics (#18864)
To aid with debugging, distinct from `publisher`, so we can continue to group by publisher (type) and issuer_url - distinct issuers. Resolves #18863 Signed-off-by: Mike Fiedler <[email protected]>
1 parent 310954b commit 5fa4744


2 files changed

+29
-20
lines changed


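--- a/tests/unit/oidc/test_services.py
+++ b/tests/unit/oidc/test_services.py
@@ -103,7 +103,7 @@ def test_verify_jwt_signature_get_key_for_token_fails(self, metrics, monkeypatch
 service = services.OIDCPublisherService(
 session=pretend.stub(),
 publisher="fakepublisher",
-issuer_url=pretend.stub(),
+issuer_url="https://none",
 audience="fakeaudience",
 cache_url=pretend.stub(),
 metrics=metrics,
@@ -123,7 +123,7 @@ def test_verify_jwt_signature_get_key_for_token_fails(self, metrics, monkeypatch
 assert service.metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.verify_jwt_signature.malformed_jwt",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 )
 ]
 assert services.sentry_sdk.capture_message.calls == []
@@ -133,7 +133,7 @@ def test_verify_jwt_signature_fails(self, metrics, monkeypatch, exc):
 service = services.OIDCPublisherService(
 session=pretend.stub(),
 publisher="fakepublisher",
-issuer_url=pretend.stub(),
+issuer_url="https://none",
 audience="fakeaudience",
 cache_url=pretend.stub(),
 metrics=metrics,
@@ -156,7 +156,7 @@ def test_verify_jwt_signature_fails(self, metrics, monkeypatch, exc):
 assert service.metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.verify_jwt_signature.invalid_signature",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 )
 ]
 
@@ -171,7 +171,7 @@ def test_find_publisher(self, metrics, monkeypatch):
 service = services.OIDCPublisherService(
 session=pretend.stub(),
 publisher="fakepublisher",
-issuer_url=pretend.stub(),
+issuer_url="https://none",
 audience="fakeaudience",
 cache_url=pretend.stub(),
 metrics=metrics,
@@ -189,19 +189,19 @@ def test_find_publisher(self, metrics, monkeypatch):
 assert service.metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.find_publisher.attempt",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 pretend.call(
 "warehouse.oidc.find_publisher.ok",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 ]
 
 def test_find_publisher_issuer_lookup_fails(self, metrics, monkeypatch):
 service = services.OIDCPublisherService(
 session=pretend.stub(),
 publisher="fakepublisher",
-issuer_url=pretend.stub(),
+issuer_url="https://none",
 audience="fakeaudience",
 cache_url=pretend.stub(),
 metrics=metrics,
@@ -218,19 +218,19 @@ def test_find_publisher_issuer_lookup_fails(self, metrics, monkeypatch):
 assert service.metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.find_publisher.attempt",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 pretend.call(
 "warehouse.oidc.find_publisher.publisher_not_found",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 ]
 
 def test_find_publisher_verify_claims_fails(self, metrics, monkeypatch):
 service = services.OIDCPublisherService(
 session=pretend.stub(),
 publisher="fakepublisher",
-issuer_url=pretend.stub(),
+issuer_url="https://none",
 audience="fakeaudience",
 cache_url=pretend.stub(),
 metrics=metrics,
@@ -252,11 +252,11 @@ def test_find_publisher_verify_claims_fails(self, metrics, monkeypatch):
 assert service.metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.find_publisher.attempt",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 pretend.call(
 "warehouse.oidc.find_publisher.publisher_not_found",
-tags=["publisher:fakepublisher"],
+tags=["publisher:fakepublisher", "issuer_url:https://none"],
 ),
 ]
 assert publisher.verify_claims.calls == [pretend.call(claims, service)]
@@ -354,7 +354,8 @@ def test_refresh_keyset_timeout(self, metrics, monkeypatch, mockredis):
 assert keys == keyset
 assert metrics.increment.calls == [
 pretend.call(
-"warehouse.oidc.refresh_keyset.timeout", tags=["publisher:example"]
+"warehouse.oidc.refresh_keyset.timeout",
+tags=["publisher:example", "issuer_url:https://example.com"],
 )
 ]
 
@@ -669,7 +670,11 @@ def test_get_key_refresh_fails(self, metrics, monkeypatch):
 assert metrics.increment.calls == [
 pretend.call(
 "warehouse.oidc.get_key.error",
-tags=["publisher:example", "key_id:fake-key-id"],
+tags=[
+"publisher:example",
+"key_id:fake-key-id",
+"issuer_url:https://example.com",
+],
 )
 ]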
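Review bot: The literal `"https://none"` now appears in five `OIDCPublisherService(...)` constructions and again inside eight expected `"issuer_url:https://none"` tag strings, so the fixture value and the expected tags have to be edited together in thirteen places. A module-level constant such as `ISSUER_URL = "https://none"`, with the expectations written as `f"issuer_url:{ISSUER_URL}"`, would tie the two sides together. The `refresh_keyset.timeout` and `get_key.error` expectations use `https://example.com`, which is set up outside these hunks, so that pairing cannot be checked from here.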

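--- a/warehouse/oidc/services.py
+++ b/warehouse/oidc/services.py
@@ -164,7 +164,7 @@ def _refresh_keyset(self) -> dict[str, dict]:
 if timeout:
 self.metrics.increment(
 "warehouse.oidc.refresh_keyset.timeout",
-tags=[f"publisher:{self.publisher}"],
+tags=[f"publisher:{self.publisher}", f"issuer_url:{self.issuer_url}"],
 )
 return keys
 
@@ -235,7 +235,11 @@ def _get_key(self, key_id: str) -> jwt.PyJWK | None:
 if key_id not in keyset:
 self.metrics.increment(
 "warehouse.oidc.get_key.error",
-tags=[f"publisher:{self.publisher}", f"key_id:{key_id}"],
+tags=[
+f"publisher:{self.publisher}",
+f"key_id:{key_id}",
+f"issuer_url:{self.issuer_url}",
+],
 )
 return None
 return jwt.PyJWK(keyset[key_id])
@@ -280,7 +284,7 @@ def verify_jwt_signature(self, unverified_token: str) -> SignedClaims | None:
 # with missing components.
 self.metrics.increment(
 "warehouse.oidc.verify_jwt_signature.malformed_jwt",
-tags=[f"publisher:{self.publisher}"],
+tags=[f"publisher:{self.publisher}", f"issuer_url:{self.issuer_url}"],
 )
 return None
 
@@ -315,7 +319,7 @@ def verify_jwt_signature(self, unverified_token: str) -> SignedClaims | None:
 except Exception as e:
 self.metrics.increment(
 "warehouse.oidc.verify_jwt_signature.invalid_signature",
-tags=[f"publisher:{self.publisher}"],
+tags=[f"publisher:{self.publisher}", f"issuer_url:{self.issuer_url}"],
 )
 if not isinstance(e, jwt.PyJWTError):
 with sentry_sdk.new_scope() as scope:
@@ -330,7 +334,7 @@ def find_publisher(
 self, signed_claims: SignedClaims, *, pending: bool = False
 ) -> OIDCPublisher | PendingOIDCPublisher:
 """Returns a publisher for the given claims, or raises an error."""
-metrics_tags = [f"publisher:{self.publisher}"]
+metrics_tags = [f"publisher:{self.publisher}", f"issuer_url:{self.issuer_url}"]
 self.metrics.increment(
 "warehouse.oidc.find_publisher.attempt",
 tags=metrics_tags,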
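Review bot: In `_get_key`, the `warehouse.oidc.get_key.error` tag list still carries the raw `key_id` next to the new `issuer_url`, and the two values are not equally bounded. `issuer_url` is passed to the service constructor (the tests in this commit supply it as a keyword argument), so its cardinality follows the set of configured issuers, whereas `key_id` reaches this branch exactly when it is absent from the keyset; if it is read from the header of the unverified token, which these hunks do not show, the tag value is caller-controlled and unbounded, and it inflates metric cardinality. Now that `issuer_url` identifies the source, consider emitting `tags=[f"publisher:{self.publisher}", f"issuer_url:{self.issuer_url}"],` here as in the other call sites and recording `key_id` in a log line or Sentry scope instead. The same two-element list is rebuilt in `_refresh_keyset`, twice in `verify_jwt_signature` and in `find_publisher`; one shared helper or attribute would keep the call sites in step. All of these function bodies start and end outside the hunks.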
