diff --git a/hsm/manager_hsm.go b/hsm/manager_hsm.go index 870fc10ab4..75badb1cc5 100644 --- a/hsm/manager_hsm.go +++ b/hsm/manager_hsm.go @@ -34,6 +34,8 @@ import ( "github.com/go-jose/go-jose/v3" "github.com/go-jose/go-jose/v3/cryptosigner" "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" ) const tracingComponent = "github.com/ory/hydra/hsm" @@ -58,23 +60,21 @@ func NewKeyManager(hsm Context, config *config.DefaultProvider) *KeyManager { } } -func (m *KeyManager) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GenerateAndPersistKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - "alg": alg, - "use": use, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m *KeyManager) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GenerateAndPersistKeySet", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid), + attribute.String("alg", alg), + attribute.String("use", use))) + defer otelx.End(span, &err) m.Lock() defer m.Unlock() set = m.prefixKeySet(set) - err := m.deleteExistingKeySet(set) + err = m.deleteExistingKeySet(set) if err != nil { return nil, err } 
@@ -119,14 +119,10 @@ func (m *KeyManager) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg } } -func (m *KeyManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKey") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m *KeyManager) GetKey(ctx context.Context, set, kid string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKey", + trace.WithAttributes(attribute.String("set", set), attribute.String("kid", kid))) + defer otelx.End(span, &err) m.RLock() defer m.RUnlock() @@ -150,13 +146,9 @@ func (m *KeyManager) GetKey(ctx context.Context, set, kid string) (*jose.JSONWeb return createKeySet(keyPair, id, alg, use) } -func (m *KeyManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m *KeyManager) GetKeySet(ctx context.Context, set string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.GetKeySet", trace.WithAttributes(attribute.String("set", set))) + otelx.End(span, &err) m.RLock() defer m.RUnlock() 
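Review bot: In `GetKeySet` the new line `otelx.End(span, &err)` is not deferred, so the span is ended before `m.RLock()` and before any work runs, while `err` is still nil — the span records near-zero duration, never records the error, and any child span started from the returned `ctx` hangs off an already-ended parent. The line should read `defer otelx.End(span, &err)`, as `GetKey` in the hunk above and every other method in this file now does. The same omission appears in `ManagerStrategy.AddKeySet` in jwk/manager_strategy.go (hunk `@@ -28,72 +30,52 @@`), where the span is likewise ended before `m.softwareKeyManager.AddKeySet` is called. GetKeySet's body continues outside the hunk.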
@@ -186,14 +178,12 @@ func (m *KeyManager) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKe }, nil } -func (m *KeyManager) DeleteKey(ctx context.Context, set, kid string) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKey") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m *KeyManager) DeleteKey(ctx context.Context, set, kid string) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid))) + defer otelx.End(span, &err) m.Lock() defer m.Unlock() @@ -216,13 +206,9 @@ func (m *KeyManager) DeleteKey(ctx context.Context, set, kid string) error { return nil } -func (m *KeyManager) DeleteKeySet(ctx context.Context, set string) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m *KeyManager) DeleteKeySet(ctx context.Context, set string) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "hsm.DeleteKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) m.Lock() defer m.Unlock() diff --git a/jwk/manager_strategy.go b/jwk/manager_strategy.go index c4da634f46..2519ba3d15 100644 --- a/jwk/manager_strategy.go +++ b/jwk/manager_strategy.go @@ -9,6 +9,8 @@ import ( "github.com/go-jose/go-jose/v3" "github.com/pkg/errors" "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" "github.com/ory/hydra/v2/x" "github.com/ory/x/otelx" 
@@ -28,72 +30,52 @@ func NewManagerStrategy(hardwareKeyManager Manager, softwareKeyManager Manager) } } -func (m ManagerStrategy) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GenerateAndPersistKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - "alg": alg, - "use": use, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GenerateAndPersistKeySet", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid), + attribute.String("alg", alg), + attribute.String("use", use))) + defer otelx.End(span, &err) return m.hardwareKeyManager.GenerateAndPersistKeySet(ctx, set, kid, alg, use) } -func (m ManagerStrategy) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.AddKey") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.AddKey", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) return m.softwareKeyManager.AddKey(ctx, set, key) } -func (m ManagerStrategy) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.AddKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) 
+func (m ManagerStrategy) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.AddKeySet", trace.WithAttributes(attribute.String("set", set))) + otelx.End(span, &err) return m.softwareKeyManager.AddKeySet(ctx, set, keys) } -func (m ManagerStrategy) UpdateKey(ctx context.Context, set string, key *jose.JSONWebKey) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.UpdateKey") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) UpdateKey(ctx context.Context, set string, key *jose.JSONWebKey) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.UpdateKey", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) return m.softwareKeyManager.UpdateKey(ctx, set, key) } -func (m ManagerStrategy) UpdateKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.UpdateKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) UpdateKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.UpdateKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) return m.softwareKeyManager.UpdateKeySet(ctx, set, keys) } -func (m ManagerStrategy) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GetKey") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) 
+func (m ManagerStrategy) GetKey(ctx context.Context, set, kid string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GetKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid))) + defer otelx.End(span, &err) keySet, err := m.hardwareKeyManager.GetKey(ctx, set, kid) if err != nil && !errors.Is(err, x.ErrNotFound) { @@ -105,13 +87,9 @@ func (m ManagerStrategy) GetKey(ctx context.Context, set, kid string) (*jose.JSO } } -func (m ManagerStrategy) GetKeySet(ctx context.Context, set string) (*jose.JSONWebKeySet, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GetKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) GetKeySet(ctx context.Context, set string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.GetKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) keySet, err := m.hardwareKeyManager.GetKeySet(ctx, set) if err != nil && !errors.Is(err, x.ErrNotFound) { 
@@ -123,16 +101,14 @@ func (m ManagerStrategy) GetKeySet(ctx context.Context, set string) (*jose.JSONW } } -func (m ManagerStrategy) DeleteKey(ctx context.Context, set, kid string) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.DeleteKey") - defer span.End() - attrs := map[string]string{ - "set": set, - "kid": kid, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) DeleteKey(ctx context.Context, set, kid string) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.DeleteKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid))) + defer otelx.End(span, &err) - err := m.hardwareKeyManager.DeleteKey(ctx, set, kid) + err = m.hardwareKeyManager.DeleteKey(ctx, set, kid) if err != nil && !errors.Is(err, x.ErrNotFound) { return err } else if errors.Is(err, x.ErrNotFound) { @@ -142,15 +118,11 @@ func (m ManagerStrategy) DeleteKey(ctx context.Context, set, kid string) error { } } -func (m ManagerStrategy) DeleteKeySet(ctx context.Context, set string) error { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.DeleteKeySet") - defer span.End() - attrs := map[string]string{ - "set": set, - } - span.SetAttributes(otelx.StringAttrs(attrs)...) +func (m ManagerStrategy) DeleteKeySet(ctx context.Context, set string) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "jwk.DeleteKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) - err := m.hardwareKeyManager.DeleteKeySet(ctx, set) + err = m.hardwareKeyManager.DeleteKeySet(ctx, set) if err != nil && !errors.Is(err, x.ErrNotFound) { return err } else if errors.Is(err, x.ErrNotFound) { diff --git a/persistence/sql/persister_consent.go b/persistence/sql/persister_consent.go index b5669260ba..0b4582c3f4 100644 --- a/persistence/sql/persister_consent.go 
+++ b/persistence/sql/persister_consent.go @@ -13,6 +13,8 @@ import ( "github.com/gobuffalo/pop/v6" "github.com/gofrs/uuid" "github.com/pkg/errors" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" "github.com/ory/fosite" "github.com/ory/hydra/v2/client" @@ -28,16 +30,16 @@ import ( var _ consent.Manager = &Persister{} -func (p *Persister) RevokeSubjectConsentSession(ctx context.Context, user string) error { +func (p *Persister) RevokeSubjectConsentSession(ctx context.Context, user string) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeSubjectConsentSession") - defer span.End() + defer otelx.End(span, &err) return p.Transaction(ctx, p.revokeConsentSession("consent_challenge_id IS NOT NULL AND subject = ?", user)) } -func (p *Persister) RevokeSubjectClientConsentSession(ctx context.Context, user, client string) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeSubjectClientConsentSession") - defer span.End() +func (p *Persister) RevokeSubjectClientConsentSession(ctx context.Context, user, client string) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeSubjectClientConsentSession", trace.WithAttributes(attribute.String("client", client))) + defer otelx.End(span, &err) return p.Transaction(ctx, p.revokeConsentSession("consent_challenge_id IS NOT NULL AND subject = ? AND client_id = ?", user, client)) } 
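Review bot: `RevokeSubjectConsentSession` and the rest of this file now call `otelx.End`, but the import hunk above adds only `go.opentelemetry.io/otel/attribute` and `go.opentelemetry.io/otel/trace`; if `github.com/ory/x/otelx` is not already imported further down that block (not visible here) the file will not build. The persister_jwk.go hunk in this same commit does add that import explicitly, which suggests it is worth confirming for this file too.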
@@ -95,11 +97,11 @@ func (p *Persister) revokeConsentSession(whereStmt string, whereArgs ...interfac } } -func (p *Persister) RevokeSubjectLoginSession(ctx context.Context, subject string) error { +func (p *Persister) RevokeSubjectLoginSession(ctx context.Context, subject string) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RevokeSubjectLoginSession") - defer span.End() + defer otelx.End(span, &err) - err := p.QueryWithNetwork(ctx).Where("subject = ?", subject).Delete(&flow.LoginSession{}) + err = p.QueryWithNetwork(ctx).Where("subject = ?", subject).Delete(&flow.LoginSession{}) if err != nil { return sqlcon.HandleError(err) } @@ -114,9 +116,9 @@ func (p *Persister) RevokeSubjectLoginSession(ctx context.Context, subject strin return nil } -func (p *Persister) CreateForcedObfuscatedLoginSession(ctx context.Context, session *consent.ForcedObfuscatedLoginSession) error { +func (p *Persister) CreateForcedObfuscatedLoginSession(ctx context.Context, session *consent.ForcedObfuscatedLoginSession) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateForcedObfuscatedLoginSession") - defer span.End() + defer otelx.End(span, &err) return p.Transaction(ctx, func(ctx context.Context, c *pop.Connection) error { nid := p.NetworkID(ctx) 
@@ -139,9 +141,9 @@ func (p *Persister) CreateForcedObfuscatedLoginSession(ctx context.Context, sess }) } -func (p *Persister) GetForcedObfuscatedLoginSession(ctx context.Context, client, obfuscated string) (*consent.ForcedObfuscatedLoginSession, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetForcedObfuscatedLoginSession") - defer span.End() +func (p *Persister) GetForcedObfuscatedLoginSession(ctx context.Context, client, obfuscated string) (_ *consent.ForcedObfuscatedLoginSession, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetForcedObfuscatedLoginSession", trace.WithAttributes(attribute.String("client", client))) + defer otelx.End(span, &err) var s consent.ForcedObfuscatedLoginSession @@ -162,9 +164,9 @@ func (p *Persister) GetForcedObfuscatedLoginSession(ctx context.Context, client, // CreateConsentRequest configures fields that are introduced or changed in the // consent request. It doesn't touch fields that would be copied from the login // request. -func (p *Persister) CreateConsentRequest(ctx context.Context, f *flow.Flow, req *flow.OAuth2ConsentRequest) error { +func (p *Persister) CreateConsentRequest(ctx context.Context, f *flow.Flow, req *flow.OAuth2ConsentRequest) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateConsentRequest") - defer span.End() + defer otelx.End(span, &err) if f == nil { return errorsx.WithStack(x.ErrNotFound.WithDebug("Flow is nil")) 
@@ -181,9 +183,9 @@ func (p *Persister) CreateConsentRequest(ctx context.Context, f *flow.Flow, req return nil } -func (p *Persister) GetFlowByConsentChallenge(ctx context.Context, challenge string) (*flow.Flow, error) { +func (p *Persister) GetFlowByConsentChallenge(ctx context.Context, challenge string) (_ *flow.Flow, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetFlowByConsentChallenge") - defer span.End() + defer otelx.End(span, &err) // challenge contains the flow. f, err := flowctx.Decode[flow.Flow](ctx, p.r.FlowCipher(), challenge, flowctx.AsConsentChallenge) @@ -200,9 +202,9 @@ func (p *Persister) GetFlowByConsentChallenge(ctx context.Context, challenge str return f, nil } -func (p *Persister) GetConsentRequest(ctx context.Context, challenge string) (*flow.OAuth2ConsentRequest, error) { +func (p *Persister) GetConsentRequest(ctx context.Context, challenge string) (_ *flow.OAuth2ConsentRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetConsentRequest") - defer span.End() + defer otelx.End(span, &err) f, err := p.GetFlowByConsentChallenge(ctx, challenge) if err != nil { @@ -218,9 +220,9 @@ func (p *Persister) GetConsentRequest(ctx context.Context, challenge string) (*f return f.GetConsentRequest(), nil } -func (p *Persister) CreateLoginRequest(ctx context.Context, req *flow.LoginRequest) (*flow.Flow, error) { +func (p *Persister) CreateLoginRequest(ctx context.Context, req *flow.LoginRequest) (_ *flow.Flow, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateLoginRequest") - defer span.End() + defer otelx.End(span, &err) f := flow.NewFlow(req) nid := p.NetworkID(ctx) 
@@ -232,9 +234,9 @@ func (p *Persister) CreateLoginRequest(ctx context.Context, req *flow.LoginReque return f, nil } -func (p *Persister) GetFlow(ctx context.Context, loginChallenge string) (*flow.Flow, error) { +func (p *Persister) GetFlow(ctx context.Context, loginChallenge string) (_ *flow.Flow, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetFlow") - defer span.End() + defer otelx.End(span, &err) var f flow.Flow if err := p.QueryWithNetwork(ctx).Where("login_challenge = ?", loginChallenge).First(&f); err != nil { @@ -246,9 +248,9 @@ func (p *Persister) GetFlow(ctx context.Context, loginChallenge string) (*flow.F return &f, nil } -func (p *Persister) GetLoginRequest(ctx context.Context, loginChallenge string) (*flow.LoginRequest, error) { +func (p *Persister) GetLoginRequest(ctx context.Context, loginChallenge string) (_ *flow.LoginRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetLoginRequest") - defer span.End() + defer otelx.End(span, &err) f, err := flowctx.Decode[flow.Flow](ctx, p.r.FlowCipher(), loginChallenge, flowctx.AsLoginChallenge) if err != nil { @@ -268,9 +270,9 @@ func (p *Persister) GetLoginRequest(ctx context.Context, loginChallenge string) return lr, nil } -func (p *Persister) HandleConsentRequest(ctx context.Context, f *flow.Flow, r *flow.AcceptOAuth2ConsentRequest) (*flow.OAuth2ConsentRequest, error) { +func (p *Persister) HandleConsentRequest(ctx context.Context, f *flow.Flow, r *flow.AcceptOAuth2ConsentRequest) (_ *flow.OAuth2ConsentRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.HandleConsentRequest") - defer span.End() + defer otelx.End(span, &err) if f == nil { return nil, errorsx.WithStack(fosite.ErrInvalidRequest.WithDebug("Flow was nil")) 
@@ -288,9 +290,9 @@ func (p *Persister) HandleConsentRequest(ctx context.Context, f *flow.Flow, r *f return f.GetConsentRequest(), nil } -func (p *Persister) VerifyAndInvalidateConsentRequest(ctx context.Context, verifier string) (*flow.AcceptOAuth2ConsentRequest, error) { +func (p *Persister) VerifyAndInvalidateConsentRequest(ctx context.Context, verifier string) (_ *flow.AcceptOAuth2ConsentRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.VerifyAndInvalidateConsentRequest") - defer span.End() + defer otelx.End(span, &err) f, err := flowctx.Decode[flow.Flow](ctx, p.r.FlowCipher(), verifier, flowctx.AsConsentVerifier) if err != nil { @@ -317,7 +319,7 @@ func (p *Persister) VerifyAndInvalidateConsentRequest(ctx context.Context, verif func (p *Persister) HandleLoginRequest(ctx context.Context, f *flow.Flow, challenge string, r *flow.HandledLoginRequest) (lr *flow.LoginRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.HandleLoginRequest") - defer span.End() + defer otelx.End(span, &err) if f == nil { return nil, errorsx.WithStack(fosite.ErrInvalidRequest.WithDebug("Flow was nil")) @@ -334,9 +336,9 @@ func (p *Persister) HandleLoginRequest(ctx context.Context, f *flow.Flow, challe return p.GetLoginRequest(ctx, challenge) } -func (p *Persister) VerifyAndInvalidateLoginRequest(ctx context.Context, verifier string) (*flow.HandledLoginRequest, error) { +func (p *Persister) VerifyAndInvalidateLoginRequest(ctx context.Context, verifier string) (_ *flow.HandledLoginRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.VerifyAndInvalidateLoginRequest") - defer span.End() + defer otelx.End(span, &err) f, err := flowctx.Decode[flow.Flow](ctx, p.r.FlowCipher(), verifier, flowctx.AsLoginVerifier) if err != nil { 
@@ -354,9 +356,9 @@ func (p *Persister) VerifyAndInvalidateLoginRequest(ctx context.Context, verifie return &d, nil } -func (p *Persister) GetRememberedLoginSession(ctx context.Context, loginSessionFromCookie *flow.LoginSession, id string) (*flow.LoginSession, error) { +func (p *Persister) GetRememberedLoginSession(ctx context.Context, loginSessionFromCookie *flow.LoginSession, id string) (_ *flow.LoginSession, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetRememberedLoginSession") - defer span.End() + defer otelx.End(span, &err) if s := loginSessionFromCookie; s != nil && s.NID == p.NetworkID(ctx) && s.ID == id && s.Remember { return s, nil @@ -374,9 +376,9 @@ func (p *Persister) GetRememberedLoginSession(ctx context.Context, loginSessionF } // ConfirmLoginSession creates or updates the login session. The NID will be set to the network ID of the context. -func (p *Persister) ConfirmLoginSession(ctx context.Context, loginSession *flow.LoginSession) error { +func (p *Persister) ConfirmLoginSession(ctx context.Context, loginSession *flow.LoginSession) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ConfirmLoginSession") - defer span.End() + defer otelx.End(span, &err) loginSession.NID = p.NetworkID(ctx) loginSession.AuthenticatedAt = sqlxx.NullTime(time.Time(loginSession.AuthenticatedAt).Truncate(time.Second)) @@ -386,7 +388,7 @@ func (p *Persister) ConfirmLoginSession(ctx context.Context, loginSession *flow. return p.mySQLConfirmLoginSession(ctx, loginSession) } - err := p.Connection(ctx).Transaction(func(tx *pop.Connection) error { + err = p.Connection(ctx).Transaction(func(tx *pop.Connection) error { res, err := tx.TX.NamedExec(` INSERT INTO hydra_oauth2_authentication_session (id, nid, authenticated_at, subject, remember, identity_provider_session_id) VALUES (:id, :nid, :authenticated_at, :subject, :remember, :identity_provider_session_id) 
@@ -417,9 +419,9 @@ WHERE hydra_oauth2_authentication_session.id = :id AND hydra_oauth2_authenticati return nil } -func (p *Persister) CreateLoginSession(ctx context.Context, session *flow.LoginSession) error { +func (p *Persister) CreateLoginSession(ctx context.Context, session *flow.LoginSession) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateLoginSession") - defer span.End() + defer otelx.End(span, &err) nid := p.NetworkID(ctx) if nid == uuid.Nil { @@ -487,7 +489,7 @@ WHERE id = ? AND nid = ?`, func (p *Persister) FindGrantedAndRememberedConsentRequests(ctx context.Context, client, subject string) (rs []flow.AcceptOAuth2ConsentRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FindGrantedAndRememberedConsentRequests") - defer span.End() + defer otelx.End(span, &err) var f flow.Flow if err = p.Connection(ctx). @@ -514,9 +516,10 @@ nid = ?`, flow.FlowStateConsentUsed, flow.FlowStateConsentUnused, return p.filterExpiredConsentRequests(ctx, []flow.AcceptOAuth2ConsentRequest{*f.GetHandledConsentRequest()}) } -func (p *Persister) FindSubjectsGrantedConsentRequests(ctx context.Context, subject string, limit, offset int) ([]flow.AcceptOAuth2ConsentRequest, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FindSubjectsGrantedConsentRequests") - defer span.End() +func (p *Persister) FindSubjectsGrantedConsentRequests(ctx context.Context, subject string, limit, offset int) (_ []flow.AcceptOAuth2ConsentRequest, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FindSubjectsGrantedConsentRequests", + trace.WithAttributes(attribute.Int("limit", limit), attribute.Int("offset", offset))) + defer otelx.End(span, &err) var fs []flow.Flow c := p.Connection(ctx) 
@@ -548,9 +551,10 @@ nid = ?`, flow.FlowStateConsentUsed, flow.FlowStateConsentUnused, return p.filterExpiredConsentRequests(ctx, rs) } -func (p *Persister) FindSubjectsSessionGrantedConsentRequests(ctx context.Context, subject, sid string, limit, offset int) ([]flow.AcceptOAuth2ConsentRequest, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FindSubjectsSessionGrantedConsentRequests") - defer span.End() +func (p *Persister) FindSubjectsSessionGrantedConsentRequests(ctx context.Context, subject, sid string, limit, offset int) (_ []flow.AcceptOAuth2ConsentRequest, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FindSubjectsSessionGrantedConsentRequests", + trace.WithAttributes(attribute.String("sid", sid), attribute.Int("limit", limit), attribute.Int("offset", offset))) + defer otelx.End(span, &err) var fs []flow.Flow c := p.Connection(ctx) @@ -583,11 +587,14 @@ nid = ?`, flow.FlowStateConsentUsed, flow.FlowStateConsentUnused, return p.filterExpiredConsentRequests(ctx, rs) } -func (p *Persister) CountSubjectsGrantedConsentRequests(ctx context.Context, subject string) (int, error) { +func (p *Persister) CountSubjectsGrantedConsentRequests(ctx context.Context, subject string) (n int, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CountSubjectsGrantedConsentRequests") - defer span.End() + defer otelx.End(span, &err) + defer func() { + span.SetAttributes(attribute.Int("count", n)) + }() - n, err := p.Connection(ctx). + n, err = p.Connection(ctx). Where( strings.TrimSpace(fmt.Sprintf(` (state = %d OR state = %d) AND 
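Review bot: `FindSubjectsSessionGrantedConsentRequests` now exports the login session identifier as a span attribute via `attribute.String("sid", sid)`, and `listUserAuthenticatedClients` in hunk `@@ -618,24 +625,25 @@` does the same. No hunk in this commit records `subject`, `user`, challenge or verifier values, and a session id belongs in that same category: trace backends are typically readable by more people and retained longer than the database, and the sid is what back-channel and front-channel logout flows are keyed on. Drop the attribute, or record only a non-reversible derivative of it if correlation across spans is needed; the `limit`/`offset` attributes in this and the previous hunk carry no such concern.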
@@ -601,9 +608,9 @@ nid = ?`, flow.FlowStateConsentUsed, flow.FlowStateConsentUnused, return n, sqlcon.HandleError(err) } -func (p *Persister) filterExpiredConsentRequests(ctx context.Context, requests []flow.AcceptOAuth2ConsentRequest) ([]flow.AcceptOAuth2ConsentRequest, error) { +func (p *Persister) filterExpiredConsentRequests(ctx context.Context, requests []flow.AcceptOAuth2ConsentRequest) (_ []flow.AcceptOAuth2ConsentRequest, err error) { _, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.filterExpiredConsentRequests") - defer span.End() + defer otelx.End(span, &err) var result []flow.AcceptOAuth2ConsentRequest for _, v := range requests { 
@@ -618,24 +625,25 @@ func (p *Persister) filterExpiredConsentRequests(ctx context.Context, requests [ return result, nil } -func (p *Persister) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) { +func (p *Persister) ListUserAuthenticatedClientsWithFrontChannelLogout(ctx context.Context, subject, sid string) (_ []client.Client, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ListUserAuthenticatedClientsWithFrontChannelLogout") - defer span.End() + defer otelx.End(span, &err) return p.listUserAuthenticatedClients(ctx, subject, sid, "front") } -func (p *Persister) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) ([]client.Client, error) { +func (p *Persister) ListUserAuthenticatedClientsWithBackChannelLogout(ctx context.Context, subject, sid string) (_ []client.Client, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.ListUserAuthenticatedClientsWithBackChannelLogout") - defer span.End() + defer otelx.End(span, &err) + return p.listUserAuthenticatedClients(ctx, subject, sid, "back") } -func (p *Persister) listUserAuthenticatedClients(ctx context.Context, subject, sid, channel string) ([]client.Client, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.listUserAuthenticatedClients") - defer span.End() +func (p *Persister) listUserAuthenticatedClients(ctx context.Context, subject, sid, channel string) (cs []client.Client, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.listUserAuthenticatedClients", + trace.WithAttributes(attribute.String("sid", sid))) + defer otelx.End(span, &err) - var cs []client.Client if err := p.Connection(ctx).RawQuery( /* #nosec G201 - channel can either be "front" or "back" */ fmt.Sprintf(` 
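Review bot: `ListUserAuthenticatedClientsWithBackChannelLogout` gains a blank line between `defer otelx.End(span, &err)` and its `return`, which its front-channel sibling directly above does not have; the two should be formatted alike, so drop the added blank line. In `listUserAuthenticatedClients` the removed `var cs []client.Client` is replaced by the named result `cs`, and the `if err := p.Connection(ctx).RawQuery(` that follows shadows the named `err` — that is harmless only as long as every path inside that block returns its error explicitly, which cannot be checked here because the body continues outside the hunk.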
@@ -662,16 +670,16 @@ WHERE return cs, nil } -func (p *Persister) CreateLogoutRequest(ctx context.Context, request *flow.LogoutRequest) error { +func (p *Persister) CreateLogoutRequest(ctx context.Context, request *flow.LogoutRequest) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateLogoutRequest") - defer span.End() + defer otelx.End(span, &err) return errorsx.WithStack(p.CreateWithNetwork(ctx, request)) } -func (p *Persister) AcceptLogoutRequest(ctx context.Context, challenge string) (*flow.LogoutRequest, error) { +func (p *Persister) AcceptLogoutRequest(ctx context.Context, challenge string) (_ *flow.LogoutRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AcceptLogoutRequest") - defer span.End() + defer otelx.End(span, &err) if err := p.Connection(ctx).RawQuery("UPDATE hydra_oauth2_logout_request SET accepted=true, rejected=false WHERE challenge=? AND nid = ?", challenge, p.NetworkID(ctx)).Exec(); err != nil { return nil, sqlcon.HandleError(err) @@ -680,9 +688,9 @@ func (p *Persister) AcceptLogoutRequest(ctx context.Context, challenge string) ( return p.GetLogoutRequest(ctx, challenge) } -func (p *Persister) RejectLogoutRequest(ctx context.Context, challenge string) error { +func (p *Persister) RejectLogoutRequest(ctx context.Context, challenge string) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.RejectLogoutRequest") - defer span.End() + defer otelx.End(span, &err) count, err := p.Connection(ctx). RawQuery("UPDATE hydra_oauth2_logout_request SET rejected=true, accepted=false WHERE challenge=? AND nid = ?", challenge, p.NetworkID(ctx)). 
@@ -694,17 +702,17 @@ func (p *Persister) RejectLogoutRequest(ctx context.Context, challenge string) e } } -func (p *Persister) GetLogoutRequest(ctx context.Context, challenge string) (*flow.LogoutRequest, error) { +func (p *Persister) GetLogoutRequest(ctx context.Context, challenge string) (_ *flow.LogoutRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetLogoutRequest") - defer span.End() + defer otelx.End(span, &err) var lr flow.LogoutRequest return &lr, sqlcon.HandleError(p.QueryWithNetwork(ctx).Where("challenge = ? AND rejected = FALSE", challenge).First(&lr)) } -func (p *Persister) VerifyAndInvalidateLogoutRequest(ctx context.Context, verifier string) (*flow.LogoutRequest, error) { +func (p *Persister) VerifyAndInvalidateLogoutRequest(ctx context.Context, verifier string) (_ *flow.LogoutRequest, err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.VerifyAndInvalidateLogoutRequest") - defer span.End() + defer otelx.End(span, &err) var lr flow.LogoutRequest if count, err := p.Connection(ctx).RawQuery(` @@ -722,7 +730,7 @@ WHERE nid = ? return nil, sqlcon.HandleError(err) } - err := sqlcon.HandleError(p.QueryWithNetwork(ctx).Where("verifier = ?", verifier).First(&lr)) + err = sqlcon.HandleError(p.QueryWithNetwork(ctx).Where("verifier = ?", verifier).First(&lr)) if err != nil { return nil, err } @@ -730,9 +738,9 @@ WHERE nid = ? return &lr, nil } -func (p *Persister) FlushInactiveLoginConsentRequests(ctx context.Context, notAfter time.Time, limit int, batchSize int) error { +func (p *Persister) FlushInactiveLoginConsentRequests(ctx context.Context, notAfter time.Time, limit int, batchSize int) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.FlushInactiveLoginConsentRequests") - defer span.End() + defer otelx.End(span, &err) /* #nosec G201 table is static */ var f flow.Flow 
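Review bot: `GetLogoutRequest` still returns `&lr` together with whatever `sqlcon.HandleError` produced, so a caller that mishandles the error receives a zero-value `*flow.LogoutRequest` that looks like a real record; `AcceptLogoutRequest` propagates exactly that pair. The new named results make the fix signature-neutral: `if err = sqlcon.HandleError(p.QueryWithNetwork(ctx).Where("challenge = ? AND rejected = FALSE", challenge).First(&lr)); err != nil { return nil, err }` followed by `return &lr, nil`, which is the shape `VerifyAndInvalidateLogoutRequest` already uses.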
diff --git a/persistence/sql/persister_jwk.go b/persistence/sql/persister_jwk.go index ee5a82a748..27a6e184a2 100644 --- a/persistence/sql/persister_jwk.go +++ b/persistence/sql/persister_jwk.go @@ -9,8 +9,11 @@ import ( "github.com/go-jose/go-jose/v3" "github.com/gobuffalo/pop/v6" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" "github.com/ory/x/errorsx" + "github.com/ory/x/otelx" "github.com/pkg/errors" @@ -20,9 +23,13 @@ import ( var _ jwk.Manager = &Persister{} -func (p *Persister) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (*jose.JSONWebKeySet, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GenerateAndPersistKeySet") - defer span.End() +func (p *Persister) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, use string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GenerateAndPersistKeySet", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid), + attribute.String("alg", alg))) + defer otelx.End(span, &err) keys, err := jwk.GenerateJWK(ctx, jose.SignatureAlgorithm(alg), kid, use) if err != nil { @@ -37,9 +44,13 @@ func (p *Persister) GenerateAndPersistKeySet(ctx context.Context, set, kid, alg, return keys, nil } -func (p *Persister) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AddKey") - defer span.End() +func (p *Persister) AddKey(ctx context.Context, set string, key *jose.JSONWebKey) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AddKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", key.KeyID))) + + defer otelx.End(span, &err) out, err := json.Marshal(key) if err != nil { 
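Review bot: the span in `GenerateAndPersistKeySet` records `set`, `kid` and `alg` but not `use`, although the method takes it and passes it to `jwk.GenerateJWK`, where it decides whether the key is for signing or encryption; add `attribute.String("use", use)` to the `trace.WithAttributes` list so the attributes match the signature. None of the attributes carry key material, which is the right boundary — the `keys` value returned by `jwk.GenerateJWK` must stay out of the span. Minor: `AddKey` has a stray blank line between `Start` and `defer otelx.End(span, &err)` that the other methods do not.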
@@ -59,9 +70,9 @@ func (p *Persister) AddKey(ctx context.Context, set string, key *jose.JSONWebKey })) } -func (p *Persister) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AddKeySet") - defer span.End() +func (p *Persister) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.AddKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) return p.Transaction(ctx, func(ctx context.Context, c *pop.Connection) error { for _, key := range keys.Keys { @@ -89,9 +100,12 @@ func (p *Persister) AddKeySet(ctx context.Context, set string, keys *jose.JSONWe } // UpdateKey updates or creates the key. -func (p *Persister) UpdateKey(ctx context.Context, set string, key *jose.JSONWebKey) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateKey") - defer span.End() +func (p *Persister) UpdateKey(ctx context.Context, set string, key *jose.JSONWebKey) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", key.KeyID))) + defer otelx.End(span, &err) return p.Transaction(ctx, func(ctx context.Context, c *pop.Connection) error { if err := p.DeleteKey(ctx, set, key.KeyID); err != nil { 
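Review bot: `UpdateKey` now dereferences `key.KeyID` while building the span attributes, before `p.Transaction` runs, so a nil `key` panics at the top of the method rather than inside the transaction callback where `key.KeyID` was previously first read; `AddKey` in this file has the same change. Whether any caller can pass nil is not visible here, but a guard ahead of `Start` is cheap: `if key == nil { return errors.New("jwk: key must not be nil") }` (`errors` is already imported in this file). The transaction body after `p.DeleteKey` continues outside the hunk.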
@@ -105,9 +119,9 @@ func (p *Persister) UpdateKey(ctx context.Context, set string, key *jose.JSONWeb } // UpdateKeySet updates or creates the key set. -func (p *Persister) UpdateKeySet(ctx context.Context, set string, keySet *jose.JSONWebKeySet) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateKeySet") - defer span.End() +func (p *Persister) UpdateKeySet(ctx context.Context, set string, keySet *jose.JSONWebKeySet) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) return p.Transaction(ctx, func(ctx context.Context, c *pop.Connection) error { if err := p.DeleteKeySet(ctx, set); err != nil { @@ -120,9 +134,12 @@ func (p *Persister) UpdateKeySet(ctx context.Context, set string, keySet *jose.J }) } -func (p *Persister) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebKeySet, error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetKey") - defer span.End() +func (p *Persister) GetKey(ctx context.Context, set, kid string) (_ *jose.JSONWebKeySet, err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid))) + defer otelx.End(span, &err) var j jwk.SQLData if err := p.QueryWithNetwork(ctx). @@ -148,8 +165,8 @@ func (p *Persister) GetKey(ctx context.Context, set, kid string) (*jose.JSONWebK } func (p *Persister) GetKeySet(ctx context.Context, set string) (keys *jose.JSONWebKeySet, err error) { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetKeySet") - defer span.End() + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) var js jwk.SQLDataRows if err := p.QueryWithNetwork(ctx). 
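Review bot: `GetKey` records `set` and `kid` verbatim, and these are caller-supplied identifiers (presumably the admin API's path segments); as far as I recall the OpenTelemetry Go SDK imposes no attribute value length limit unless the tracer provider is configured with one, so an oversized identifier is shipped to the exporter as-is. Nothing to change in this hunk if the HTTP layer already bounds them; otherwise the fix belongs on the provider (span limits with an attribute value length limit) rather than truncating in each persister method. The `QueryWithNetwork` call that follows continues outside the hunk.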
@@ -162,18 +179,21 @@ func (p *Persister) GetKeySet(ctx context.Context, set string) (keys *jose.JSONW return js.ToJWK(ctx, p.r) } -func (p *Persister) DeleteKey(ctx context.Context, set, kid string) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteKey") - defer span.End() +func (p *Persister) DeleteKey(ctx context.Context, set, kid string) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteKey", + trace.WithAttributes( + attribute.String("set", set), + attribute.String("kid", kid))) + defer otelx.End(span, &err) - err := p.QueryWithNetwork(ctx).Where("sid=? AND kid=?", set, kid).Delete(&jwk.SQLData{}) + err = p.QueryWithNetwork(ctx).Where("sid=? AND kid=?", set, kid).Delete(&jwk.SQLData{}) return sqlcon.HandleError(err) } -func (p *Persister) DeleteKeySet(ctx context.Context, set string) error { - ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteKeySet") - defer span.End() +func (p *Persister) DeleteKeySet(ctx context.Context, set string) (err error) { + ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.DeleteKeySet", trace.WithAttributes(attribute.String("set", set))) + defer otelx.End(span, &err) - err := p.QueryWithNetwork(ctx).Where("sid=?", set).Delete(&jwk.SQLData{}) + err = p.QueryWithNetwork(ctx).Where("sid=?", set).Delete(&jwk.SQLData{}) return sqlcon.HandleError(err) } diff --git a/x/hasher.go b/x/hasher.go index 835fa146fe..34d3502312 100644 --- a/x/hasher.go +++ b/x/hasher.go @@ -8,8 +8,11 @@ import ( "github.com/ory/fosite" "github.com/ory/x/hasherx" + "github.com/ory/x/otelx" "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" "github.com/ory/x/errorsx" ) 
@@ -51,11 +54,14 @@ func NewHasher(c config) *Hasher { } } -func (b *Hasher) Hash(ctx context.Context, data []byte) ([]byte, error) { - ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "x.hasher.Hash") - defer span.End() +func (b *Hasher) Hash(ctx context.Context, data []byte) (_ []byte, err error) { + h := b.c.GetHasherAlgorithm(ctx) - switch b.c.GetHasherAlgorithm(ctx) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "x.hasher.Hash", + trace.WithAttributes(attribute.Stringer("algorithm", h))) + defer otelx.End(span, &err) + + switch h { case HashAlgorithmBCrypt: return b.bcrypt.Generate(ctx, data) case HashAlgorithmPBKDF2: @@ -65,9 +71,9 @@ func (b *Hasher) Hash(ctx context.Context, data []byte) ([]byte, error) { } } -func (b *Hasher) Compare(ctx context.Context, hash, data []byte) error { - _, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "x.hasher.Compare") - defer span.End() +func (b *Hasher) Compare(ctx context.Context, hash, data []byte) (err error) { + ctx, span := otel.GetTracerProvider().Tracer(tracingComponent).Start(ctx, "x.hasher.Compare") + defer otelx.End(span, &err) if err := hasherx.Compare(ctx, data, hash); err != nil { return errorsx.WithStack(err)
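Review bot: `Hash` has no doc comment, and the new span makes its contract worth stating: the algorithm is read from configuration on every call via `b.c.GetHasherAlgorithm(ctx)` and recorded on the span, while `data` (presumably a client secret) is never attached. Suggested: `// Hash derives a hash of data with the algorithm configured at call time (bcrypt or PBKDF2); only the algorithm name is recorded on the span, never the input.` The remaining cases of the switch run past the end of the hunk.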