#3663: add Prometheus metrics to crypto storage engine (#3786)

Author: reinkrul

crypto/crypto.go

@@ -27,6 +27,7 @@ import (
 	"github.com/nuts-foundation/nuts-node/crypto/storage/azure"
 	"github.com/nuts-foundation/nuts-node/storage"
 	"github.com/nuts-foundation/nuts-node/storage/orm"
+	"github.com/prometheus/client_golang/prometheus"
 	"gorm.io/gorm"
 	"path"
 	"time"
@@ -65,6 +66,7 @@ func DefaultCryptoConfig() Config {
 }
 
 var _ KeyStore = (*Crypto)(nil)
+var _ core.Runnable = (*Crypto)(nil)
 
 // Crypto holds references to storage and needed config
 type Crypto struct {
@@ -74,6 +76,22 @@ type Crypto struct {
 	storage storage.Engine
 }
 
+func (client *Crypto) Start() error {
+	for _, collector := range client.backend.(*spi.PrometheusWrapper).Collectors() {
+		if err := prometheus.Register(collector); err != nil && !errors.Is(err, prometheus.AlreadyRegisteredError{}) {
+			return fmt.Errorf("register metric: %w", err)
+		}
+	}
+	return nil
+}
+
+func (client *Crypto) Shutdown() error {
+	for _, collector := range client.backend.(*spi.PrometheusWrapper).Collectors() {
+		_ = prometheus.Unregister(collector)
+	}
+	return nil
+}
+
 func (client *Crypto) CheckHealth() map[string]core.Health {
 	return client.backend.CheckHealth()
 }
@@ -94,49 +112,28 @@ func (client *Crypto) Config() interface{} {
 	return &client.config
 }
 
-func (client *Crypto) setupFSBackend(config core.ServerConfig) error {
+func (client *Crypto) setupFSBackend(config core.ServerConfig) (spi.Storage, error) {
 	log.Logger().Info("Setting up FileSystem backend for storage of private key material. " +
 		"Discouraged for production use unless backups and encryption is properly set up. Consider using the Hashicorp Vault backend.")
 	fsPath := path.Join(config.Datadir, "crypto")
-	fsBackend, err := fs.NewFileSystemBackend(fsPath)
-	if err != nil {
-		return err
-	}
-	client.backend = spi.NewValidatedKIDBackendWrapper(fsBackend, spi.KidPattern)
-	return nil
+	return fs.NewFileSystemBackend(fsPath)
 }
 
-func (client *Crypto) setupStorageAPIBackend() error {
+func (client *Crypto) setupStorageAPIBackend() (spi.Storage, error) {
 	log.Logger().Debug("Setting up StorageAPI backend for storage of private key material.")
 	log.Logger().Warn("External key storage backend is deprecated and will be removed in the future.")
-	apiBackend, err := external.NewAPIClient(client.config.External)
-	if err != nil {
-		return fmt.Errorf("unable to set up external crypto API client: %w", err)
-	}
-	client.backend = spi.NewValidatedKIDBackendWrapper(apiBackend, spi.KidPattern)
-	return nil
+	return external.NewAPIClient(client.config.External)
 }
 
-func (client *Crypto) setupVaultBackend(_ core.ServerConfig) error {
+func (client *Crypto) setupVaultBackend(_ core.ServerConfig) (spi.Storage, error) {
 	log.Logger().Debug("Setting up Vault backend for storage of private key material. " +
 		"This feature is experimental and may change in the future.")
-	vaultBackend, err := vault.NewVaultKVStorage(client.config.Vault)
-	if err != nil {
-		return err
-	}
-
-	client.backend = spi.NewValidatedKIDBackendWrapper(vaultBackend, spi.KidPattern)
-	return nil
+	return vault.NewVaultKVStorage(client.config.Vault)
 }
 
-func (client *Crypto) setupAzureKeyVaultBackend(_ core.ServerConfig) error {
+func (client *Crypto) setupAzureKeyVaultBackend(_ core.ServerConfig) (spi.Storage, error) {
 	log.Logger().Debug("Setting up Azure Key Vault backend for storage of private key material.")
-	azureBackend, err := azure.New(client.config.AzureKeyVault)
-	if err != nil {
-		return err
-	}
-	client.backend = spi.NewValidatedKIDBackendWrapper(azureBackend, spi.KidPattern)
-	return nil
+	return azure.New(client.config.AzureKeyVault)
 }
 
 // List returns the KIDs of the private keys that are present in the key store.
@@ -163,24 +160,33 @@ func (client *Crypto) List(ctx context.Context) []string {
 func (client *Crypto) Configure(config core.ServerConfig) error {
 	client.db = client.storage.GetSQLDatabase()
 
+	var backend spi.Storage
+	var err error
 	switch client.config.Storage {
 	case fs.StorageType:
-		return client.setupFSBackend(config)
+		backend, err = client.setupFSBackend(config)
 	case vault.StorageType:
-		return client.setupVaultBackend(config)
+		backend, err = client.setupVaultBackend(config)
 	case azure.StorageType:
-		return client.setupAzureKeyVaultBackend(config)
+		backend, err = client.setupAzureKeyVaultBackend(config)
 	case external.StorageType:
-		return client.setupStorageAPIBackend()
+		backend, err = client.setupStorageAPIBackend()
 	case "":
 		if config.Strictmode {
 			return errors.New("backend must be explicitly set in strict mode")
 		}
 		// default to file system and run this setup again
-		return client.setupFSBackend(config)
+		backend, err = client.setupFSBackend(config)
 	default:
 		return fmt.Errorf("invalid config for crypto.storage. Available options are: vaultkv, fs, %s(experimental)", external.StorageType)
 	}
+	if err != nil {
+		return fmt.Errorf("could not setup crypto backend (type=%s): %w", client.config.Storage, err)
+	}
+
+	metricsWrapper := spi.NewPrometheusWrapper(spi.NewValidatedKIDBackendWrapper(backend, spi.KidPattern))
+	client.backend = metricsWrapper
+	return nil
 }
 
 func (client *Crypto) Migrate() error {

crypto/crypto_test.go

@@ -20,11 +20,13 @@ package crypto
 
 import (
 	"context"
+	"crypto"
 	"github.com/nuts-foundation/nuts-node/audit"
 	"github.com/nuts-foundation/nuts-node/crypto/storage/fs"
 	"github.com/nuts-foundation/nuts-node/crypto/storage/spi"
 	"github.com/nuts-foundation/nuts-node/storage"
 	"github.com/nuts-foundation/nuts-node/storage/orm"
+	"github.com/nuts-foundation/nuts-node/test"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
 	"net/http"
@@ -191,16 +193,20 @@ func TestCrypto_Resolve(t *testing.T) {
 func TestCrypto_setupBackend(t *testing.T) {
 	directory := io.TestDirectory(t)
 	cfg := *core.NewServerConfig()
+	cfg.Strictmode = false
 	cfg.Datadir = directory
 
 	t.Run("backends should be wrapped", func(t *testing.T) {
-
+		client := createCrypto(t)
+		err := client.Configure(cfg)
+		require.NoError(t, err)
 		t.Run("ok - fs backend is wrapped", func(t *testing.T) {
-			client := createCrypto(t)
-			err := client.setupFSBackend(cfg)
-			require.NoError(t, err)
 			storageType := reflect.TypeOf(client.backend).String()
-			assert.Equal(t, "spi.wrapper", storageType)
+			assert.Equal(t, "*spi.PrometheusWrapper", storageType)
+		})
+		t.Run("backend is wrapped in validating wrapper", func(t *testing.T) {
+			err := client.backend.SavePrivateKey(context.Background(), "../not-allowed", nil)
+			assert.EqualError(t, err, "invalid key ID: ../not-allowed")
 		})
 
 		t.Run("ok - vault backend is wrapped", func(t *testing.T) {
@@ -211,10 +217,10 @@ func TestCrypto_setupBackend(t *testing.T) {
 			defer s.Close()
 			client := createCrypto(t)
 			client.config.Vault.Address = s.URL
-			err := client.setupVaultBackend(cfg)
+			err := client.Configure(cfg)
 			require.NoError(t, err)
 			storageType := reflect.TypeOf(client.backend).String()
-			assert.Equal(t, "spi.wrapper", storageType)
+			assert.Equal(t, "*spi.PrometheusWrapper", storageType)
 		})
 	})
 }
@@ -266,3 +272,28 @@ func createCrypto(t *testing.T) *Crypto {
 	}
 	return &c
 }
+
+func TestCrypto_StartAndShutdown(t *testing.T) {
+	t.Run("metrics", func(t *testing.T) {
+		storageEngine := storage.NewTestStorageEngine(t)
+		instance := NewCryptoInstance(storageEngine)
+		err := instance.Configure(core.TestServerConfig(func(config *core.ServerConfig) {
+			config.Strictmode = false
+		}))
+		require.NoError(t, err)
+		err = instance.Start()
+		require.NoError(t, err)
+
+		// Generate some metrics
+		_, _, err = instance.New(audit.TestContext(), func(key crypto.PublicKey) (string, error) {
+			return "hello", nil
+		})
+		require.NoError(t, err)
+
+		stats := test.PrometheusStats(t)
+		assert.Contains(t, stats, "crypto_storage_op_duration_seconds_count{op=\"new_private_key\"} 1")
+
+		err = instance.Shutdown()
+		assert.NoError(t, err)
+	})
+}

crypto/storage/spi/wrapper.go

@@ -23,76 +23,156 @@ import (
 	"crypto"
 	"fmt"
 	"github.com/nuts-foundation/nuts-node/core"
+	"github.com/prometheus/client_golang/prometheus"
 	"regexp"
+	"time"
 )
 
 // wrapper wraps a Storage backend and checks the validity of the kid on each of the relevant functions before
 // forwarding the call to the wrapped backend.
-type wrapper struct {
+type validationWrapper struct {
 	kidPattern     *regexp.Regexp
 	wrappedBackend Storage
 }
 
-func (w wrapper) Name() string {
+func (w validationWrapper) Name() string {
 	return w.wrappedBackend.Name()
 }
 
-func (w wrapper) CheckHealth() map[string]core.Health {
+func (w validationWrapper) CheckHealth() map[string]core.Health {
 	return w.wrappedBackend.CheckHealth()
 }
 
 // NewValidatedKIDBackendWrapper creates a new wrapper for storage backends.
 // Every call to the backend which takes a kid as param, gets the kid validated against the provided kidPattern.
 func NewValidatedKIDBackendWrapper(backend Storage, kidPattern *regexp.Regexp) Storage {
-	return wrapper{
+	return validationWrapper{
 		kidPattern:     kidPattern,
 		wrappedBackend: backend,
 	}
 }
 
-func (w wrapper) validateKID(kid string) error {
+func (w validationWrapper) validateKID(kid string) error {
 	if !w.kidPattern.MatchString(kid) {
 		return fmt.Errorf("invalid key ID: %s", kid)
 	}
 	return nil
 }
 
-func (w wrapper) GetPrivateKey(ctx context.Context, keyName string, version string) (crypto.Signer, error) {
+func (w validationWrapper) GetPrivateKey(ctx context.Context, keyName string, version string) (crypto.Signer, error) {
 	if err := w.validateKID(keyName); err != nil {
 		return nil, err
 	}
 	return w.wrappedBackend.GetPrivateKey(ctx, keyName, version)
 }
 
-func (w wrapper) PrivateKeyExists(ctx context.Context, keyName string, version string) (bool, error) {
+func (w validationWrapper) PrivateKeyExists(ctx context.Context, keyName string, version string) (bool, error) {
 	if err := w.validateKID(keyName); err != nil {
 		return false, err
 	}
 	return w.wrappedBackend.PrivateKeyExists(ctx, keyName, version)
 }
 
-func (w wrapper) SavePrivateKey(ctx context.Context, kid string, key crypto.PrivateKey) error {
+func (w validationWrapper) SavePrivateKey(ctx context.Context, kid string, key crypto.PrivateKey) error {
 	if err := w.validateKID(kid); err != nil {
 		return err
 	}
 	return w.wrappedBackend.SavePrivateKey(ctx, kid, key)
 }
 
-func (w wrapper) DeletePrivateKey(ctx context.Context, keyName string) error {
+func (w validationWrapper) DeletePrivateKey(ctx context.Context, keyName string) error {
 	if err := w.validateKID(keyName); err != nil {
 		return err
 	}
 	return w.wrappedBackend.DeletePrivateKey(ctx, keyName)
 }
 
-func (w wrapper) ListPrivateKeys(ctx context.Context) []KeyNameVersion {
+func (w validationWrapper) ListPrivateKeys(ctx context.Context) []KeyNameVersion {
 	return w.wrappedBackend.ListPrivateKeys(ctx)
 }
 
-func (w wrapper) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
+func (w validationWrapper) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
 	publicKey, version, err := w.wrappedBackend.NewPrivateKey(ctx, keyName)
 	if err != nil {
 		return nil, "", err
 	}
 	return publicKey, version, err
 }
+
+func NewPrometheusWrapper(backend Storage) *PrometheusWrapper {
+	return &PrometheusWrapper{
+		wrappedBackend: backend,
+		opDurationMetric: prometheus.NewHistogramVec(prometheus.HistogramOpts{
+			Name:    "crypto_storage_op_duration_seconds",
+			Help:    "Duration of crypto storage operations in seconds (experimental, may be removed without notice)",
+			Buckets: []float64{0.01, 0.05, 0.1, .5, 1, 2},
+		}, []string{"op"}),
+	}
+}
+
+var _ Storage = (*PrometheusWrapper)(nil)
+
+type PrometheusWrapper struct {
+	wrappedBackend   Storage
+	opDurationMetric *prometheus.HistogramVec
+}
+
+func (p PrometheusWrapper) Collectors() []prometheus.Collector {
+	return []prometheus.Collector{p.opDurationMetric}
+}
+
+func (p PrometheusWrapper) Name() string {
+	return p.wrappedBackend.Name()
+}
+
+func (p PrometheusWrapper) CheckHealth() map[string]core.Health {
+	return p.wrappedBackend.CheckHealth()
+}
+
+func (p PrometheusWrapper) NewPrivateKey(ctx context.Context, keyName string) (crypto.PublicKey, string, error) {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("new_private_key").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.NewPrivateKey(ctx, keyName)
+}
+
+func (p PrometheusWrapper) GetPrivateKey(ctx context.Context, keyName string, version string) (crypto.Signer, error) {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("get_private_key").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.GetPrivateKey(ctx, keyName, version)
+}
+
+func (p PrometheusWrapper) PrivateKeyExists(ctx context.Context, keyName string, version string) (bool, error) {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("private_key_exists").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.PrivateKeyExists(ctx, keyName, version)
+}
+
+func (p PrometheusWrapper) SavePrivateKey(ctx context.Context, keyname string, key crypto.PrivateKey) error {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("save_private_key").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.SavePrivateKey(ctx, keyname, key)
+}
+
+func (p PrometheusWrapper) ListPrivateKeys(ctx context.Context) []KeyNameVersion {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("list_private_keys").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.ListPrivateKeys(ctx)
+}
+
+func (p PrometheusWrapper) DeletePrivateKey(ctx context.Context, keyName string) error {
+	start := time.Now()
+	defer func() {
+		p.opDurationMetric.WithLabelValues("delete_private_key").Observe(time.Since(start).Seconds())
+	}()
+	return p.wrappedBackend.DeletePrivateKey(ctx, keyName)
+}