[NOJIRA] Validation metrics support + return issuer from validator (#71)

Author: imrekel

go.mod

@@ -12,6 +12,7 @@ require (
 )
 
 require (
+	github.com/DataDog/datadog-go/v5 v5.8.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -20,6 +21,8 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
+	go.uber.org/multierr v1.10.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect

go.sum

@@ -1,11 +1,16 @@
+github.com/DataDog/datadog-go/v5 v5.8.1 h1:+GOES5W9zpKlhwHptZVW2C0NLVf7ilr7pHkDcbNvpIc=
+github.com/DataDog/datadog-go/v5 v5.8.1/go.mod h1:K9kcYBlxkcPP8tvvjZZKs/m1edNAUFzBbdpTUKfCsuw=
+github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/bitrise-io/go-auth0 v0.0.0-20250924051602-0e08ce7ce456 h1:3LESTMNySlRrTjn0aZhmDIy1xmzf0uOgX5DU9jYXc7s=
 github.com/bitrise-io/go-auth0 v0.0.0-20250924051602-0e08ce7ce456/go.mod h1:Lre6GilgdYuCkd8hOSUjTQn28Ar8Y6IZH8W/+RyVvLs=
 github.com/bitrise-io/go-auth0 v0.0.0-20250924125910-31ce4e32c32b h1:lypuksW0qioSYLhxlsgk/AS4vsHF05EKE9KejzpVcG4=
 github.com/bitrise-io/go-auth0 v0.0.0-20250924125910-31ce4e32c32b/go.mod h1:Lre6GilgdYuCkd8hOSUjTQn28Ar8Y6IZH8W/+RyVvLs=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
 github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/labstack/echo v3.3.10+incompatible h1:pGRcYk231ExFAyoAjAfD85kQzRJCRI8bbnE7CX5OEgg=
@@ -21,27 +26,65 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=
 github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
+go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
+go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
 golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
 golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

metrics/datadog.go

@@ -0,0 +1,78 @@
+package metrics
+
+import (
+	"fmt"
+
+	"github.com/DataDog/datadog-go/v5/statsd"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+)
+
+const unknownIssuerId = "unknown"
+
+type DatadogMetrics struct {
+	rawClient statsd.ClientInterface
+	logger    Logger
+}
+
+// nolint: govet
+type DatadogConfig struct {
+	StatsdHost     string `env:"STATSD_HOST,default=datadog"`
+	StatsdPort     string `env:"STATSD_PORT,default=8125"`
+	MetricsEnabled bool   `env:"METRICS_ENABLED,default=true"`
+}
+
+type Logger interface {
+	Errorw(msg string, keysAndValues ...interface{})
+}
+
+func NewDatadogMetrics(cfg DatadogConfig, logger Logger) (*DatadogMetrics, error) {
+	if !cfg.MetricsEnabled {
+		return &DatadogMetrics{
+			rawClient: &statsd.NoOpClient{},
+			logger:    logger,
+		}, nil
+	}
+
+	c, err := statsd.New(fmt.Sprintf("%s:%s", cfg.StatsdHost, cfg.StatsdPort))
+	if err != nil {
+		return &DatadogMetrics{}, errors.Wrap(err, "create statsd client failed")
+	}
+
+	return &DatadogMetrics{
+		rawClient: c,
+		logger:    logger,
+	}, nil
+}
+
+func (dm *DatadogMetrics) IncrRaw(name string, tags []string, rate float64) {
+	if name == "" {
+		dm.logger.Errorw("metric name is empty")
+
+		return
+	}
+
+	if err := dm.rawClient.Incr(name, tags, rate); err != nil {
+		dm.logger.Errorw("failed to increment raw metric", zap.String("metric", name), zap.Error(err))
+	}
+}
+
+func (dm *DatadogMetrics) IncrAuthValidationSucceededMetric(issuer string) {
+	if issuer == "" {
+		issuer = unknownIssuerId
+	}
+
+	dm.IncrRaw("bitrise.jwt_auth.validation_succeeded", []string{"iss:" + issuer}, 1)
+}
+
+func (dm *DatadogMetrics) IncrAuthValidationFailedMetric(issuer string) {
+	if issuer == "" {
+		issuer = unknownIssuerId
+	}
+
+	dm.IncrRaw("bitrise.jwt_auth.validation_failed", []string{"iss:" + issuer}, 1)
+}
+
+func (dm *DatadogMetrics) Close() error {
+	return dm.rawClient.Close()
+}

service/mocks/jwtvalidatorrepository_mock.go

@@ -14,9 +14,12 @@ import (
 //
 // The request must contain a valid JWT in the Authorization header ("Authorization: Bearer <token>")
 // The validator is selected based on the "iss" claim in the JWT
+//go:generate moq -out mocks/jwtvalidatorrepository_mock.go -pkg service_test . JwtValidatorRepository
 type JwtValidatorRepository interface {
-	GetJwtValidatorForRequest(r *http.Request) (Validator, error)
-	GetJwtValidatorForRawToken(rawJwt string) (Validator, error)
+	// GetJwtValidatorForRequest returns the JWT validator and its issuer for the given request
+	GetJwtValidatorForRequest(r *http.Request) (Validator, string, error)
+	// GetJwtValidatorForRawToken returns the JWT validator and its issuer for the given raw JWT
+	GetJwtValidatorForRawToken(rawJwt string) (Validator, string, error)
 }
 
 // DefaultJwtValidatorRepository ...
@@ -32,28 +35,28 @@ func NewJwtValidatorRepository(jwtValidators map[string]Validator) JwtValidatorR
 }
 
 // GetJwtValidatorForRequest ...
-func (vr *DefaultJwtValidatorRepository) GetJwtValidatorForRequest(r *http.Request) (Validator, error) {
+func (vr *DefaultJwtValidatorRepository) GetJwtValidatorForRequest(r *http.Request) (Validator, string, error) {
 	rawJwt := strings.Split(strings.TrimSpace(r.Header.Get("Authorization")), "Bearer ")
 	if len(rawJwt) != 2 {
-		return nil, errors.New("failed to read JWT from header")
+		return nil, "", errors.New("failed to read JWT from header")
 	}
 
 	return vr.GetJwtValidatorForRawToken(rawJwt[1])
 }
 
 // GetJwtValidatorForRawToken ...
-func (vr *DefaultJwtValidatorRepository) GetJwtValidatorForRawToken(rawJwt string) (Validator, error) {
+func (vr *DefaultJwtValidatorRepository) GetJwtValidatorForRawToken(rawJwt string) (Validator, string, error) {
 	iss, err := vr.getIssuerFromRawJWT(rawJwt)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get issuer form the JWT")
+		return nil, "", errors.Wrap(err, "failed to get issuer form the JWT")
 	}
 
 	validator := vr.JwtValidators[iss]
 	if validator == nil {
-		return nil, fmt.Errorf("there is no JWT validator for issuer: %s", iss)
+		return nil, iss, fmt.Errorf("there is no JWT validator for issuer: %s", iss)
 	}
 
-	return validator, nil
+	return validator, iss, nil
 }
 
 func (vr *DefaultJwtValidatorRepository) getIssuerFromRawJWT(rawJwt string) (string, error) {

service/validator_repository.go

@@ -27,9 +27,9 @@ func Test_GetJwtValidatorForRawToken_GivenMatchingValidatorExists_ReturnsValidat
 		tokenIssuerServiceIssuer: tokenIssuerServiceValidator,
 	})
 
-	v, err := vr.GetJwtValidatorForRawToken(mocks.RawMockToken)
+	v, iss, err := vr.GetJwtValidatorForRawToken(mocks.RawMockToken)
 	assert.NoError(t, err)
-
+	assert.Equal(t, tokenIssuerServiceIssuer, iss)
 	assert.Equal(t, tokenIssuerServiceValidator, v)
 }
 
@@ -49,9 +49,9 @@ func Test_GetJwtValidatorForRequest_GivenMatchingValidatorExists_ReturnsValidato
 	assert.NoError(t, err)
 	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", mocks.RawMockToken))
 
-	v, err := vr.GetJwtValidatorForRequest(request)
+	v, iss, err := vr.GetJwtValidatorForRequest(request)
 	assert.NoError(t, err)
-
+	assert.Equal(t, tokenIssuerServiceIssuer, iss)
 	assert.Equal(t, tokenIssuerServiceValidator, v)
 }
 
@@ -67,7 +67,7 @@ func Test_GetJwtValidatorForRequest_GivenNoMatchingValidatorExists_ReturnsError(
 	assert.NoError(t, err)
 	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", mocks.RawMockToken))
 
-	_, err = vr.GetJwtValidatorForRequest(request)
+	_, _, err = vr.GetJwtValidatorForRequest(request)
 	assert.EqualError(t, err, "there is no JWT validator for issuer: https://token-issuer.bitrise.io/auth/realms/bitrise-services")
 }
 
@@ -83,6 +83,6 @@ func Test_GetJwtValidatorForRequest_GivenInvalidAuthorizationHeader_ReturnsError
 	assert.NoError(t, err)
 	request.Header.Add("Authorization", "InvalidHeader")
 
-	_, err = vr.GetJwtValidatorForRequest(request)
+	_, _, err = vr.GetJwtValidatorForRequest(request)
 	assert.EqualError(t, err, "failed to read JWT from header")
 }