lockbox_middleware 1.6.2 → 1.6.4

data/README.rdoc

@@ -38,20 +38,31 @@ to protect with LockBox.
 
 Here's an example lockbox.yml:
 
+  common: &COMMON
+    protected_paths:
+      - ^/api/
   production: 
+    <<: *COMMON
     base_uri: http://lockbox.foo.org
   development: 
+    <<: *COMMON
     base_uri: http://localhost:3001
   cucumber: 
+    <<: *COMMON
     base_uri: http://localhost:3001
   test: 
+    <<: *COMMON
     base_uri: http://localhost:3001
-  all:
-    protect_paths: 
-      - ^/api/
 
-The 'all' section of the yaml file is a LockBox-specific shortcut so you can DRY up your protected path definitions.
-Settings in more specific environments will override those in the 'all' section.
+== Graphite Integration
+
+The lockbox-middleware gem supports sending runtime metrics to Graphite (http://graphite.wikidot.com/) via statsd-client.
+This is off by default, but can be turned on by adding the keys 'statsd_host', 'statsd_port', and 'graphite_prefix' to
+your lockbox.yml file.  For example:
+
+  statsd_host:      statsd.example.com
+  statsd_port:      8125
+  graphite_prefix:  my.app.lockbox_middleware
 
 == Server Installation
 
@@ -81,6 +92,7 @@ Github: http://github.com/dnclabs/lockbox/tree/master
 - Chris Gill
 - Brian Cardarella
 - Wes Morgan
+- Dave Steinberg
 
 Copyright 2010 Democratic National Committee,
-All Rights Reserved.
+All Rights Reserved.

data/lib/lockbox_middleware.rb

@@ -2,6 +2,7 @@ require 'rubygems'
 require 'httpotato'
 require 'lockbox_cache'
 require 'hmac_request'
+require 'statsd'
 
 class LockBox
   include HTTPotato
@@ -37,10 +38,11 @@ class LockBox
   def initialize(app)
     @app = app
     @cache = LockBoxCache::Cache.new
+    @graphite = setup_graphite
   end
 
   def call(env)
-    dup.call!(env)
+    time_it("call") { dup.call!(env) }
   end
 
   def cache_string_for_key(api_key)
@@ -61,20 +63,25 @@ class LockBox
     if protected_path
         request = HmacRequest.new_from_rack_env(env)
         if !request['key'].nil?
+          auth_type = 'key'
           auth = auth_via_key(request['key'], request)
         else
+          auth_type = 'hmac'
           auth = auth_via_hmac(request)
         end
 
         if auth[:authorized]
+          record_it("#{auth_type}.authorized")
           app_response = @app.call(env)
           return [app_response[0], app_response[1].merge(auth[:headers]), app_response[2]]
         else
+          record_it("#{auth_type}.denied")
           message = "Access Denied"
           return [401, {'Content-Type' => 'text/plain', 'Content-Length' => "#{message.length}"}, [message]]
         end
     else
       #pass everything else straight through to app
+      record_it("unprotected")
       return @app.call(env)
     end
   end
@@ -83,7 +90,11 @@ class LockBox
     cached_auth = check_key_cache(api_key)
     # currently we don't cache forward headers
     return {:authorized => cached_auth, :headers => {}} if cached_auth
-    auth_response = self.class.get("/authentication/#{api_key}", {:headers => request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
+
+    auth_response = time_it("key.http_request") { 
+      self.class.get("/authentication/#{api_key}", {:headers => request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
+    }
+
     authorized = (auth_response.code == 200)
     cache_key_response_if_allowed(api_key, auth_response) if authorized
     {:authorized => authorized, :headers => response_headers(auth_response)}
@@ -92,7 +103,11 @@ class LockBox
   def auth_via_hmac(hmac_request)
     cached_auth = check_hmac_cache(hmac_request)
     return {:authorized => cached_auth, :headers => {}} if cached_auth
-    auth_response = self.class.get("/authentication/hmac", {:headers => hmac_request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
+
+    auth_response = time_it("hmac.http_request") {
+      self.class.get("/authentication/hmac", {:headers => hmac_request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
+    }
+
     authorized = (auth_response.code == 200)
     cache_hmac_response_if_allowed(hmac_request, auth_response) if authorized
     {:authorized => authorized, :headers => response_headers(auth_response)}
@@ -113,7 +128,9 @@ class LockBox
     end
     caching_allowed = (cache_max_age > 0 && cache_public)
     expiration = Time.at(Time.now.to_i + cache_max_age)
-    @cache.write(cache_string_for_key(api_key), expiration.to_i) if caching_allowed
+    if caching_allowed
+      time_it("key.cache_write") { @cache.write(cache_string_for_key(api_key), expiration.to_i) }
+    end
   end
 
   def cache_hmac_response_if_allowed(hmac_request, auth_response)
@@ -131,7 +148,7 @@ class LockBox
     expiration = Time.at(Time.now.to_i + cache_max_age)
     if caching_allowed
       api_key = auth_response.headers['X-LockBox-API-Key']
-      @cache.write(cache_string_for_hmac(hmac_request.hmac_id), [api_key, expiration.to_i])
+      time_it("hmac.cache_write") { @cache.write(cache_string_for_hmac(hmac_request.hmac_id), [api_key, expiration.to_i]) }
     end
   end
 
@@ -144,13 +161,15 @@ class LockBox
   end
 
   def check_key_cache(api_key)
-    expiration = @cache.read(cache_string_for_key(api_key))
+    expiration = time_it("key.cache_read") { @cache.read(cache_string_for_key(api_key)) }
     return nil if expiration.nil?
     expiration = Time.at(expiration)
     if expiration <= Time.now
+      record_it("key.cache_expired")
       @cache.delete(cache_string_for_key(api_key))
       nil
     else
+      record_it("key.cache_hit")
       true
     end
   end
@@ -158,18 +177,51 @@ class LockBox
   def check_hmac_cache(hmac_request)
     hmac_id, hmac_hash = hmac_request.hmac_id, hmac_request.hmac_hash
     return nil if hmac_id.nil? || hmac_hash.nil?
-    cached_val = @cache.read(cache_string_for_hmac(hmac_id))  
+    cached_val = time_it("hmac.cache_read") { @cache.read(cache_string_for_hmac(hmac_id)) }
     return nil if cached_val.nil?
     key, expiration = cached_val
     expiration = Time.at(expiration)
     if expiration <= Time.now
+      record_it("hmac.cache_expired")
       @cache.delete(cache_string_for_hmac(hmac_id))
       nil
     else
       #as long as the request is signed correctly, no need to contact the lockbox server to verify
       #just see if the request is signed properly and let it through if it is
-      return true if hmac_request.hmac_auth({hmac_id => key}) == key
-      return nil
+      if hmac_request.hmac_auth({hmac_id => key}) == key
+        record_it("hmac.cache_hit")
+        return true
+      else
+        return nil
+      end
+    end
+  end
+
+  def graphite_path
+    self.class.config["graphite_path"]
+  end
+  def setup_graphite
+    return nil unless ( self.class.config.has_key?("statsd_host") && 
+                        self.class.config.has_key?("statsd_port") && 
+                        self.class.config.has_key?("graphite_path") )
+    Statsd.host = self.class.config["statsd_host"]
+    Statsd.port = self.class.config["statsd_port"]
+    Statsd
+  end
+
+  def record_it(data_path)
+    Statsd.increment("#{graphite_path}.#{data_path}") if @graphite
+  end
+
+  def time_it(data_path)
+    start_ts = Time.now
+    rv = yield
+
+    if @graphite
+      #puts "Calling #timing with #{graphite_path}.#{data_path}"
+      Statsd.timing( "#{graphite_path}.#{data_path}", (Time.now - start_ts) * 1000 )
     end
+
+    rv
   end
 end

data/spec/lib/lockbox_middleware_spec.rb

@@ -136,6 +136,7 @@ describe 'LockBox' do
         env = Rack::MockRequest.env_for "/api/some_controller/some_action?key=123456"
         app.call(env)[1].should include('Content-Type')
       end
+
     end
     
     it "should cache lockbox responses for max-age when Cache-Control allows it" do
@@ -375,4 +376,44 @@ describe 'LockBox' do
     end    
   end
 
+  context "logging to statsd / graphite" do
+    before(:each) do
+      @graphite_path = "foo.bar"
+      safely_edit_config_file({:statsd_host => "localhost", :statsd_port => 8125, :graphite_path => @graphite_path})
+
+      @max_age = 3600
+      successful_response = mock("MockResponse")
+      successful_response.stubs(:code).returns(200)
+      successful_response.stubs(:headers).returns({'Cache-Control' => "public,max-age=#{@max_age},must-revalidate"})
+      LockBox.stubs(:get).with("/authentication/123456", any_parameters).returns(successful_response)
+      bad_response = mock("MockResponse")
+      bad_response.stubs(:code).returns(401)
+      bad_response.stubs(:headers).returns({'Cache-Control' => 'public,no-cache'})
+      LockBox.stubs(:get).with("/authentication/blah", any_parameters).returns(bad_response)
+
+      Statsd.stubs(:timing)
+      Statsd.stubs(:increment)
+    end
+    
+    after :each do
+      if @tmp_config_file && @config_file
+        FileUtils.mv(@tmp_config_file, @config_file)
+      end
+    end
+
+    it "should record timing data for the overall request" do
+      get "/api/some_controller/some_action?key=123456"
+      Statsd.should have_received( :timing ).with("#{@graphite_path}.call", anything)
+    end
+
+    it "should record a successful authorization" do
+      get "/api/some_controller/some_action?key=123456"
+      Statsd.should have_received( :increment ).with("#{@graphite_path}.key.authorized", anything)
+    end
+
+    it "should record denied requests" do
+      get "/api/some_controller/some_action?key=blah"
+      Statsd.should have_received( :increment ).with("#{@graphite_path}.key.denied", anything)
+    end
+  end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: lockbox_middleware
 version: !ruby/object:Gem::Version 
-  hash: 11
+  hash: 7
   prerelease: 
   segments: 
   - 1
   - 6
-  - 2
-  version: 1.6.2
+  - 4
+  version: 1.6.4
 platform: ruby
 authors: 
 - Chris Gill
@@ -64,6 +64,20 @@ dependencies:
         version: "0"
   type: :runtime
   version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: statsd-client
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id004
 description: Rack middleware for the LockBox centralized API authorization service. Brought to you by the DNC Innovation Lab.
 email: innovationlab@dnc.org
 executables: []
@@ -115,7 +129,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.6.0
+rubygems_version: 1.6.1
 signing_key: 
 specification_version: 3
 summary: Rack middleware for the LockBox centralized API authorization service.