Add KMS counters per single KMS with description labels only (#305)

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: steunix <[email protected]>
Co-authored-by: Stefano Rivoir <[email protected]>

Author: Copilot

lib/const.mjs

@@ -111,3 +111,5 @@ export const METRICS_ITEMS_UPDATED = 'items_updated_total'
 export const METRICS_ITEMS_DELETED = 'items_deleted_total'
 export const METRICS_KMS_ENCRYPTIONS = 'kms_encryptions_total'
 export const METRICS_KMS_DECRYPTIONS = 'kms_decryptions_total'
+export const METRICS_KMS_ENCRYPTIONS_PER_KMS = 'kms_encryptions_per_kms_total'
+export const METRICS_KMS_DECRYPTIONS_PER_KMS = 'kms_decryptions_per_kms_total'

lib/kms/kms-google.mjs

@@ -21,15 +21,18 @@ export class KMSGoogleCloud {
   #config = {}
   kmsclient = null
   #keyname = ''
+  #description = ''
 
   /**
    * Constructor
    * @param {String} id KMS id
    * @param {String} config Configuration string
+   * @param {String} description KMS description
    */
-  constructor (id, config) {
+  constructor (id, config, description) {
     this.#kmsid = id
     this.#config = JSON.parse(config)
+    this.#description = description
   }
 
   /**
@@ -144,4 +147,12 @@ export class KMSGoogleCloud {
 
     return decrypted
   }
+
+  /**
+   * Get KMS description
+   * @returns {String} KMS description
+   */
+  getDescription () {
+    return this.#description
+  }
 }

lib/kms/kms-localfile.mjs

@@ -20,15 +20,18 @@ export class KMSLocalFile {
   #masterKeyPath = ''
   #masterKey = ''
   #type = Const.KMS_TYPE_LOCALFILE
+  #description = ''
 
   /**
    * Constructor
    * @param {String} id KMS id
    * @param {String} config Configuration string
+   * @param {String} description KMS description
    */
-  constructor (id, config) {
+  constructor (id, config, description) {
     this.#kmsid = id
     this.#masterKeyPath = JSON.parse(config).master_key_path
+    this.#description = description
   }
 
   /**
@@ -148,4 +151,12 @@ export class KMSLocalFile {
 
     return decrypted
   }
+
+  /**
+   * Get KMS description
+   * @returns {String} KMS description
+   */
+  getDescription () {
+    return this.#description
+  }
 }

lib/kms/kms-nodek.mjs

@@ -16,15 +16,18 @@ export class KMSNoDEK {
   #kmsid = ''
   #masterKey = ''
   #type = Const.KMS_TYPE_NODEK
+  #description = ''
 
   /**
    * Constructor
    * @param {String} id KMS id
    * @param {String} config Configuration string
+   * @param {String} description KMS description
    */
-  constructor (id, config) {
+  constructor (id, config, description) {
     this.#kmsid = id
     this.#masterKey = Config.get().master_key
+    this.#description = description
   }
 
   /**
@@ -104,4 +107,12 @@ export class KMSNoDEK {
       encrypted: null
     }
   }
+
+  /**
+   * Get KMS description
+   * @returns {String} KMS description
+   */
+  getDescription () {
+    return this.#description
+  }
 }

lib/kms/kms.mjs

@@ -31,28 +31,30 @@ async function getKMS (kmsid) {
     if (kmsid === 'none') {
       reckms = {
         type: Const.KMS_TYPE_NODEK,
-        config: null
+        config: null,
+        description: 'No DEK'
       }
     } else {
       reckms = await DB.kms.findUnique({
         where: { id: kmsid },
         select: {
           type: true,
-          config: true
+          config: true,
+          description: true
         }
       })
     }
 
     switch (reckms.type) {
       case Const.KMS_TYPE_LOCALFILE:
-        Wallet[kmsid] = new KMSLocalFile(kmsid, reckms.config)
+        Wallet[kmsid] = new KMSLocalFile(kmsid, reckms.config, reckms.description)
         break
       case Const.KMS_TYPE_GOOGLECLOUD:
-        Wallet[kmsid] = new KMSGoogleCloud(kmsid, reckms.config)
+        Wallet[kmsid] = new KMSGoogleCloud(kmsid, reckms.config, reckms.description)
         break
       default:
         // Defaults to no DEK
-        Wallet[kmsid] = new KMSNoDEK(null, null)
+        Wallet[kmsid] = new KMSNoDEK(null, null, reckms.description)
     }
     await Wallet[kmsid].init()
     kms = Wallet[kmsid]
@@ -82,7 +84,9 @@ export async function encrypt (data, algorithm) {
   // Call KMS to encrypt
   const ret = await kms.encrypt(data, algorithm)
 
+  // Increment both global and per-KMS counters
   Metrics.counterInc(Const.METRICS_KMS_ENCRYPTIONS)
+  Metrics.counterInc(Const.METRICS_KMS_ENCRYPTIONS_PER_KMS, kms.getDescription() || 'Unknown')
   return ret
 }
 
@@ -102,6 +106,8 @@ export async function decrypt (kmsid, dek, data, iv, authTag, algorithm) {
   // Call KMS to decrypt
   const ret = await kms.decrypt(dek, data, iv, authTag, algorithm)
 
+  // Increment both global and per-KMS counters
   Metrics.counterInc(Const.METRICS_KMS_DECRYPTIONS)
+  Metrics.counterInc(Const.METRICS_KMS_DECRYPTIONS_PER_KMS, kms.getDescription() || 'Unknown')
   return ret
 }

lib/metrics.mjs

@@ -36,23 +36,64 @@ export async function output () {
  * Create a counter
  * @param {string} name Counter name
  * @param {string} help Counter help
- * @param {string} label Counter label
+ * @param {string} label Counter label (for single label use)
+ * @param {string[]} labelNames Array of label names for Prometheus labels
  */
-export function createCounter (name, help, label) {
+export function createCounter (name, help, label, labelNames) {
   if (!enabled) {
     return false
   }
-  counters[`${name}/${label || ''}`] = new PromClient.Counter({ name, help })
+  const key = `${name}/${label || ''}`
+  if (labelNames && labelNames.length > 0) {
+    counters[key] = new PromClient.Counter({ name, help, labelNames })
+  } else if (label && label.length > 0) {
+    // Support for single label
+    counters[key] = new PromClient.Counter({ name, help, labelNames: [label] })
+  } else {
+    counters[key] = new PromClient.Counter({ name, help })
+  }
 }
 
 /**
  * Increments counter
  * @param {string} name Counter name
- * @param {string} label Counter label
+ * @param {string} label Counter label value (for single label counters)
  */
 export function counterInc (name, label) {
   if (!enabled) {
     return false
   }
-  counters[`${name}/${label || ''}`].inc()
+
+  // First, try to find a counter with no label (old style)
+  let key = `${name}/`
+  let counter = counters[key]
+
+  if (!counter) {
+    // Look for counters with single labels
+    for (const counterKey in counters) {
+      if (counterKey.startsWith(`${name}/`) && counterKey !== `${name}/`) {
+        counter = counters[counterKey]
+        key = counterKey
+        break
+      }
+    }
+  }
+
+  if (!counter) {
+    return false
+  }
+
+  if (label && label.length > 0) {
+    // Support for single label value
+    const labelName = key.split('/')[1] // Extract label name from key
+    if (labelName) {
+      const labelObject = {}
+      labelObject[labelName] = label
+      counter.inc(labelObject)
+    } else {
+      counter.inc()
+    }
+  } else {
+    counter.inc()
+  }
 }

passweaver-api.mjs

@@ -131,6 +131,8 @@ if (cfg?.enable_metrics) {
   Metrics.createCounter(Const.METRICS_ITEMS_READ, 'Read items')
   Metrics.createCounter(Const.METRICS_KMS_ENCRYPTIONS, 'Encryptions')
   Metrics.createCounter(Const.METRICS_KMS_DECRYPTIONS, 'Decryptions')
+  Metrics.createCounter(Const.METRICS_KMS_ENCRYPTIONS_PER_KMS, 'Encryptions per KMS', 'kms_description')
+  Metrics.createCounter(Const.METRICS_KMS_DECRYPTIONS_PER_KMS, 'Decryptions per KMS', 'kms_description')
 }
 
 // HTTP(S) server start

test/kms-metrics.spec.cjs

@@ -0,0 +1,33 @@
+/* global describe, it, assert */
+require('./common.cjs')
+
+// Test for the new per-KMS metrics functionality
+describe('KMS Per-KMS Metrics', function () {
+  it('Should create labeled counters for per-KMS metrics', async () => {
+    // This test verifies that the metrics module can create and use labeled counters
+    // for per-KMS tracking without requiring the full application setup
+
+    const { init, createCounter, counterInc, output } = await import('../lib/metrics.mjs')
+    const { METRICS_KMS_ENCRYPTIONS_PER_KMS, METRICS_KMS_DECRYPTIONS_PER_KMS } = await import('../lib/const.mjs')
+
+    // Initialize metrics
+    init()
+
+    // Create the per-KMS counters with single label
+    createCounter(METRICS_KMS_ENCRYPTIONS_PER_KMS, 'Encryptions per KMS', 'kms_description')
+    createCounter(METRICS_KMS_DECRYPTIONS_PER_KMS, 'Decryptions per KMS', 'kms_description')
+
+    // Increment counters with different KMS descriptions
+    counterInc(METRICS_KMS_ENCRYPTIONS_PER_KMS, 'Test Local File KMS')
+    counterInc(METRICS_KMS_DECRYPTIONS_PER_KMS, 'Test Google Cloud KMS')
+
+    // Get metrics output
+    const metricsOutput = await output()
+
+    // Verify the metrics exist and have the correct labels
+    assert.match(metricsOutput, /kms_encryptions_per_kms_total/, 'Per-KMS encryption metric should exist')
+    assert.match(metricsOutput, /kms_decryptions_per_kms_total/, 'Per-KMS decryption metric should exist')
+    assert.match(metricsOutput, /kms_description="Test Local File KMS"/, 'Should have kms_description label for local file')
+    assert.match(metricsOutput, /kms_description="Test Google Cloud KMS"/, 'Should have kms_description label for google cloud')
+  })
+})

test/metrics.spec.cjs

@@ -11,4 +11,15 @@ describe('Metrics', function () {
     assert.strictEqual(res1.status, 200)
     assert.match(res1.text, /.+/)
   })
+
+  it('Check per-KMS metrics are included', async () => {
+    const res1 = await agent
+      .get(`${global.host}/api/v1/metrics`)
+      .catch(v => v)
+
+    assert.strictEqual(res1.status, 200)
+    // Check that the new per-KMS metrics are included in the output
+    assert.match(res1.text, /kms_encryptions_per_kms_total/)
+    assert.match(res1.text, /kms_decryptions_per_kms_total/)
+  })
 })