Refactor Prometheus timing metrics across multiple modules

The commit introduces a more efficient approach to handling Prometheus timers across several modules. A new function, `PrometheusTimer`, has been created in `statistics.go` that manages the creation and usage of Prometheus Timers. This function has been utilized across various modules to replace redundant and repetitive code. This change improves code maintainability and promotes a DRY (Don't Repeat Yourself) approach.

Signed-off-by: Christian Roessner <[email protected]>

Author: Christian Roessner

server/backend/ldap.go

@@ -22,7 +22,6 @@ import (
 	"github.com/croessner/nauthilus/server/util"
 	"github.com/go-kit/log/level"
 	"github.com/go-ldap/ldap/v3"
-	"github.com/prometheus/client_golang/prometheus"
 	"github.com/segmentio/ksuid"
 	"github.com/yuin/gopher-lua"
 )
@@ -58,7 +57,7 @@ type LDAPConnection struct {
 	// essential when multiple goroutines need to access or modify the same connection concurrently.
 	Mu sync.Mutex
 
-	// Conn is the active LDAP connection. It is a pointer to an ldap.Conn object.
+	// Conn is the active LDAP connection. It is a pointer to a ldap.Conn object.
 	Conn *ldap.Conn
 }
 
@@ -1135,7 +1134,7 @@ func (l *LDAPConnection) search(ldapRequest *LDAPRequest) (result DatabaseResult
 //
 //	err: Error. If an error occurs during the search operation or modification, it will return an error, otherwise this function will return nil.
 //
-// Note: This operation is destructive. It modifies the LDAP directory. Therefore, it should be used judiciously and you should make sure that ldapRequest contains correct values.
+// Note: This operation is destructive. It modifies the LDAP directory. Therefore, it should be used judiciously, and you should make sure that ldapRequest contains correct values.
 func (l *LDAPConnection) modifyAdd(ldapRequest *LDAPRequest) (err error) {
 	var (
 		assertOk           bool
@@ -1270,10 +1269,10 @@ func (l *LDAPPool) processLookupModifyAddRequest(index int, ldapRequest *LDAPReq
 // It sets the connection state to global.LDAPStateFree.
 // It unlocks the connection.
 func (l *LDAPPool) proccessLookupRequest(index int, ldapRequest *LDAPRequest, ldapWaitGroup *sync.WaitGroup) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Backend", "LDAPMainWorker"))
+	stopTimer := stats.PrometheusTimer(global.PromBackend, stats.FunctionDuration.WithLabelValues(global.PromBackend, "ldap_backend_lookup_request_total"))
 
 	defer func() {
-		timer.ObserveDuration()
+		stopTimer()
 		ldapWaitGroup.Done()
 	}()
 
@@ -1381,10 +1380,10 @@ func (l *LDAPPool) processAuthBindRequest(index int, ldapAuthRequest *LDAPAuthRe
 // The function sends the LDAPReply object (which may contain the result, the raw result, or an error) to the LDAPAuthRequest channel.
 // It locks the connection's mutex, sets the connection state to LDAPStateFree, and unlocks the mutex.
 func (l *LDAPPool) processAuthRequest(index int, ldapAuthRequest *LDAPAuthRequest, ldapWaitGroup *sync.WaitGroup) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Backend", "LDAPAuthWorker"))
+	stopTimer := stats.PrometheusTimer(global.PromBackend, stats.FunctionDuration.WithLabelValues(global.PromBackend, "ldap_backend_auth_request_total"))
 
 	defer func() {
-		timer.ObserveDuration()
+		stopTimer()
 		ldapWaitGroup.Done()
 	}()
 

server/backend/lua.go

@@ -10,11 +10,9 @@ import (
 	"github.com/croessner/nauthilus/server/global"
 	"github.com/croessner/nauthilus/server/logging"
 	"github.com/croessner/nauthilus/server/lualib"
-	"github.com/croessner/nauthilus/server/stats"
 	"github.com/croessner/nauthilus/server/util"
 	"github.com/gin-gonic/gin"
 	"github.com/go-kit/log/level"
-	"github.com/prometheus/client_golang/prometheus"
 	"github.com/spf13/viper"
 	lua "github.com/yuin/gopher-lua"
 )
@@ -231,10 +229,6 @@ func setLuaRequestParameters(luaRequest *LuaRequest, request *lua.LTable) (luaCo
 //
 //	err := executeAndHandleError(compiledScript, luaCommand, luaRequest, L, request, nret, logs)
 func executeAndHandleError(compiledScript *lua.FunctionProto, luaCommand string, luaRequest *LuaRequest, L *lua.LState, request *lua.LTable, nret int, logs *lualib.CustomLogKeyValue) (err error) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Backend", "executeLua"))
-
-	defer timer.ObserveDuration()
-
 	if err = lualib.PackagePath(L); err != nil {
 		processError(err, luaRequest, logs)
 	}

server/config/file.go

@@ -908,6 +908,34 @@ func (f *File) validateSecrets() error {
 	return nil
 }
 
+// validatePrometheusLabels is a method on the File struct that validates the Prometheus labels used in the server's Prometheus timer configuration.
+// If the Prometheus timer is enabled, it checks that each label is one of the predefined constants:
+// - global.PromAction
+// - global.PromAccount
+// - global.PromBackend
+// - global.PromBruteForce
+// - global.PromFeature
+// - global.PromFilter
+// - global.PromPostAction
+// - global.PromRequest
+// - global.PromStoreTOTP
+// If any label is unknown, it returns an error with a message indicating the unknown label.
+// If the Prometheus timer is not enabled, it returns nil.
+func (f *File) validatePrometheusLabels() error {
+	if f.Server.PrometheusTimer.Enabled {
+		for _, label := range f.Server.PrometheusTimer.Labels {
+			switch label {
+			case global.PromAction, global.PromAccount, global.PromBackend, global.PromBruteForce, global.PromFeature, global.PromFilter, global.PromPostAction, global.PromRequest, global.PromStoreTOTP:
+				continue
+			}
+
+			return fmt.Errorf("the prometheus_timer::label name '%s' is unknown", label)
+		}
+	}
+
+	return nil
+}
+
 // LDAPHavePoolOnly is a method on the File struct.
 // It checks if the LDAP field and LDAP.Config field are not nil,
 // and returns the value of LDAP.Config.PoolOnly.
@@ -1269,6 +1297,7 @@ func (f *File) validate() (err error) {
 		f.validateRedisSentinels,
 		f.validateRedisDatabaseNumber,
 		f.validateRedisPoolSize,
+		f.validatePrometheusLabels,
 
 		// Without errors, but fixing things
 		f.validateInstanceName,

server/config/server.go

@@ -5,21 +5,22 @@ import (
 )
 
 type ServerSection struct {
-	Address             string      `mapstructure:"address"`
-	HAproxyV2           bool        `mapstructure:"haproxy_v2"`
-	TLS                 TLS         `mapstructure:"tls"`
-	BasicAuth           BasicAuth   `mapstructure:"basic_auth"`
-	InstanceName        string      `mapstructure:"instance_name"`
-	Log                 Log         `maptostructure:"log"`
-	Backends            []*Backend  `mapstructure:"backends"`
-	Features            []*Feature  `mapstructure:"features"`
-	BruteForceProtocols []*Protocol `mapstructure:"brute_force_protocols"`
-	HydraAdminUrl       string      `mapstructure:"ory_hydra_admin_url"`
-	DNS                 DNS         `mapstructure:"dns"`
-	Insights            Insights    `mapstructure:"insights"`
-	Redis               Redis       `mapstructure:"redis"`
-	MasterUser          MasterUser  `mapstructure:"master_user"`
-	Frontend            Frontend    `mapstructure:"frontend"`
+	Address             string          `mapstructure:"address"`
+	HAproxyV2           bool            `mapstructure:"haproxy_v2"`
+	TLS                 TLS             `mapstructure:"tls"`
+	BasicAuth           BasicAuth       `mapstructure:"basic_auth"`
+	InstanceName        string          `mapstructure:"instance_name"`
+	Log                 Log             `maptostructure:"log"`
+	Backends            []*Backend      `mapstructure:"backends"`
+	Features            []*Feature      `mapstructure:"features"`
+	BruteForceProtocols []*Protocol     `mapstructure:"brute_force_protocols"`
+	HydraAdminUrl       string          `mapstructure:"ory_hydra_admin_url"`
+	DNS                 DNS             `mapstructure:"dns"`
+	Insights            Insights        `mapstructure:"insights"`
+	Redis               Redis           `mapstructure:"redis"`
+	MasterUser          MasterUser      `mapstructure:"master_user"`
+	Frontend            Frontend        `mapstructure:"frontend"`
+	PrometheusTimer     PrometheusTimer `mapstructure:"prometheus_timer"`
 }
 
 type TLS struct {
@@ -101,3 +102,8 @@ type Frontend struct {
 	CookieStoreAuthKey string `mapstructure:"cookie_store_auth_key"`
 	CookieStoreEncKey  string `mapstructure:"cookie_store_encryption_key"`
 }
+
+type PrometheusTimer struct {
+	Enabled bool     `mapstructure:"enabled"`
+	Labels  []string `mapstructure:"labels"`
+}

server/core/auth.go

@@ -31,7 +31,6 @@ import (
 	"github.com/go-kit/log/level"
 	"github.com/go-webauthn/webauthn/webauthn"
 	openapi "github.com/ory/hydra-client-go/v2"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 // ClaimHandler represents a claim handler struct.
@@ -1135,9 +1134,9 @@ func (a *Authentication) handleFeatures(ctx *gin.Context) (authResult global.Aut
 			return
 		}
 
-		timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Action", luaActionName))
+		stopTimer := stats.PrometheusTimer(global.PromAction, stats.FunctionDuration.WithLabelValues(global.PromAction, luaActionName))
 
-		defer timer.ObserveDuration()
+		defer stopTimer()
 
 		finished := make(chan action.Done)
 
@@ -1261,9 +1260,9 @@ func (a *Authentication) postLuaAction(passDBResult *PassDBResult) {
 	}
 
 	go func() {
-		timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("PostAction", "postLuaAction"))
+		stopTimer := stats.PrometheusTimer(global.PromPostAction, stats.FunctionDuration.WithLabelValues(global.PromPostAction, "lua_post_action_request_total"))
 
-		defer timer.ObserveDuration()
+		defer stopTimer()
 
 		finished := make(chan action.Done)
 
@@ -1617,9 +1616,9 @@ func (a *Authentication) filterLua(passDBResult *PassDBResult, ctx *gin.Context)
 		return global.AuthResultFail
 	}
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Filter", "filterLua"))
+	stopTimer := stats.PrometheusTimer(global.PromFilter, stats.FunctionDuration.WithLabelValues(global.PromFilter, "lua_filter_request_total"))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	BackendServers.mu.RLock()
 

server/core/bruteforce.go

@@ -21,7 +21,6 @@ import (
 	"github.com/croessner/nauthilus/server/util"
 	"github.com/dspinhirne/netaddr-go"
 	"github.com/go-kit/log/level"
-	"github.com/prometheus/client_golang/prometheus"
 	"github.com/redis/go-redis/v9"
 )
 
@@ -594,9 +593,9 @@ func (a *Authentication) checkBruteForce() (blockClientIP bool) {
 		network          *net.IPNet
 	)
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("BruteForce", "checkBruteForce"))
+	stopTimer := stats.PrometheusTimer(global.PromBruteForce, stats.FunctionDuration.WithLabelValues(global.PromBruteForce, "check_brute_force_request_total"))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	if config.LoadableConfig.BruteForce == nil {
 		return false

server/core/cache.go

@@ -6,7 +6,6 @@ import (
 	"github.com/croessner/nauthilus/server/global"
 	"github.com/croessner/nauthilus/server/stats"
 	"github.com/croessner/nauthilus/server/util"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 // cachePassDB implements the redis password database backend.
@@ -16,9 +15,9 @@ func cachePassDB(auth *Authentication) (passDBResult *PassDBResult, err error) {
 		ppc         *backend.PositivePasswordCache
 	)
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Authentication", "cachePassDB"))
+	stopTimer := stats.PrometheusTimer(global.PromBackend, stats.FunctionDuration.WithLabelValues(global.PromBackend, "cache_backend_request_total"))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	passDBResult = &PassDBResult{}
 

server/core/features.go

@@ -16,14 +16,13 @@ import (
 	"github.com/croessner/nauthilus/server/util"
 	"github.com/gin-gonic/gin"
 	"github.com/go-kit/log/level"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 // featureLua runs Lua scripts and returns a trigger result.
 func (a *Authentication) featureLua(ctx *gin.Context) (triggered bool, abortFeatures bool, err error) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Feature", global.FeatureLua))
+	stopTimer := stats.PrometheusTimer(global.PromFeature, stats.FunctionDuration.WithLabelValues(global.PromFeature, global.FeatureLua))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	if !(a.ClientIP == global.Localhost4 || a.ClientIP == global.Localhost6 || a.ClientIP == "") {
 		featureRequest := feature.Request{
@@ -91,9 +90,9 @@ func (a *Authentication) featureLua(ctx *gin.Context) (triggered bool, abortFeat
 
 // featureTLSEncryption checks, if the remote client connection was secured.
 func (a *Authentication) featureTLSEncryption() (triggered bool) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Feature", global.FeatureTLSEncryption))
+	stopTimer := stats.PrometheusTimer(global.PromFeature, stats.FunctionDuration.WithLabelValues(global.PromFeature, global.FeatureTLSEncryption))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	if !(a.ClientIP == global.Localhost4 || a.ClientIP == global.Localhost6 || a.ClientIP == "") {
 		if a.XSSL == global.NotAvailable {
@@ -125,9 +124,9 @@ func (a *Authentication) featureTLSEncryption() (triggered bool) {
 // featureRelayDomains triggers if a user sent an email address as a login name and the domain component does not
 // match the list of known domains.
 func (a *Authentication) featureRelayDomains() (triggered bool) {
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Feature", global.FeatureRelayDomains))
+	stopTimer := stats.PrometheusTimer(global.PromFeature, stats.FunctionDuration.WithLabelValues(global.PromFeature, global.FeatureRelayDomains))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	if config.LoadableConfig.RelayDomains == nil {
 		return
@@ -171,9 +170,9 @@ func (a *Authentication) featureRBLs(ctx *gin.Context) (triggered bool, err erro
 		totalRBLScore int
 	)
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Feature", global.FeatureRBL))
+	stopTimer := stats.PrometheusTimer(global.PromFeature, stats.FunctionDuration.WithLabelValues(global.PromFeature, global.FeatureRBL))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	if config.LoadableConfig.RBLs == nil {
 		return

server/core/http.go

@@ -464,10 +464,14 @@ func setupHTTPServer(router *gin.Engine) *http.Server {
 // This middleware function should be used in the setup of routing to collect metrics for each HTTP request.
 func prometheusMiddleware() gin.HandlerFunc {
 	return func(ctx *gin.Context) {
+		var timer *prometheus.Timer
+
+		stopTimer := stats.PrometheusTimer(global.PromRequest, stats.FunctionDuration.WithLabelValues(global.PromRequest, "request_total"))
 		path := ctx.FullPath()
 
-		timer := prometheus.NewTimer(stats.HttpResponseTimeSecondsHist.WithLabelValues(path))
-		timer2 := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Request", "prometheusMiddleware"))
+		if config.LoadableConfig.Server.PrometheusTimer.Enabled {
+			timer = prometheus.NewTimer(stats.HttpResponseTimeSecondsHist.WithLabelValues(path))
+		}
 
 		ctx.Next()
 
@@ -490,8 +494,11 @@ func prometheusMiddleware() gin.HandlerFunc {
 			stats.RedisStaleConns.With(prometheus.Labels{"type": handleType}).Set(float64(redisStats.StaleConns))
 		}
 
-		timer.ObserveDuration()
-		timer2.ObserveDuration()
+		if config.LoadableConfig.Server.PrometheusTimer.Enabled {
+			timer.ObserveDuration()
+		}
+
+		stopTimer()
 	}
 }
 

server/core/ldap.go

@@ -15,7 +15,6 @@ import (
 	"github.com/go-kit/log/level"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/prometheus/client_golang/prometheus"
 )
 
 // handleMasterUserMode handles the master user mode functionality for authentication.
@@ -266,9 +265,9 @@ func ldapAccountDB(auth *Authentication) (accounts AccountList, err error) {
 		protocol     *config.LDAPSearchProtocol
 	)
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("Account", "ldapAccountDB"))
+	stopTimer := stats.PrometheusTimer(global.PromAccount, stats.FunctionDuration.WithLabelValues(global.PromAccount, "ldap_account_request_total"))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	ldapReplyChan := make(chan *backend.LDAPReply)
 
@@ -356,9 +355,9 @@ func ldapAddTOTPSecret(auth *Authentication, totp *TOTPSecret) (err error) {
 		ldapError   *ldap.Error
 	)
 
-	timer := prometheus.NewTimer(stats.FunctionDuration.WithLabelValues("StoreTOTP", "ldapAddTOTPSecret"))
+	stopTimer := stats.PrometheusTimer(global.PromStoreTOTP, stats.FunctionDuration.WithLabelValues(global.PromStoreTOTP, "ldap_store_totp_request_total"))
 
-	defer timer.ObserveDuration()
+	defer stopTimer()
 
 	ldapReplyChan := make(chan *backend.LDAPReply)