reworked dep injection

authority/authorize.go

@@ -286,16 +286,16 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 // extra extension cannot be found, authorize the renewal by default.
 //
 // TODO(mariano): should we authorize by default?
-func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) error {
+func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) (provisioner.Interface, error) {
 	serial := cert.SerialNumber.String()
 	var opts = []interface{}{errs.WithKeyVal("serialNumber", serial)}
 
 	isRevoked, err := a.IsRevoked(serial)
 	if err != nil {
-		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
 	if isRevoked {
-		return errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
+		return nil, errs.Unauthorized("authority.authorizeRenew: certificate has been revoked", opts...)
 	}
 	p, err := a.LoadProvisionerByCertificate(cert)
 	if err != nil {
@@ -305,13 +305,13 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
 		// returns the noop provisioner if this happens, and it allows
 		// certificate renewals.
 		if p, ok = a.provisioners.LoadByCertificate(cert); !ok {
-			return errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
+			return nil, errs.Unauthorized("authority.authorizeRenew: provisioner not found", opts...)
 		}
 	}
 	if err := p.AuthorizeRenew(ctx, cert); err != nil {
-		return errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
+		return nil, errs.Wrap(http.StatusInternalServerError, err, "authority.authorizeRenew", opts...)
 	}
-	return nil
+	return p, nil
 }
 
 // authorizeSSHCertificate returns an error if the given certificate is revoked.

authority/authorize_test.go

@@ -876,7 +876,7 @@ func TestAuthority_authorizeRenew(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			tc := genTestCase(t)
 
-			err := tc.auth.authorizeRenew(context.Background(), tc.cert)
+			_, err := tc.auth.authorizeRenew(context.Background(), tc.cert)
 			if err != nil {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError

authority/config/config.go

@@ -328,6 +328,12 @@ func (c *Config) Validate() error {
 		return errors.Errorf("invalid address %s", c.Address)
 	}
 
+	if addr := c.MetricsAddr; addr != "" {
+		if _, _, err := net.SplitHostPort(addr); err != nil {
+			return errors.Errorf("invalid metrics address %s", c.Address)
+		}
+	}
+
 	if c.TLS == nil {
 		c.TLS = &DefaultTLSOptions
 	} else {

authority/meter.go

@@ -2,9 +2,15 @@ package authority
 
 // Meter wraps the set of defined callbacks for metrics gatherers.
 type Meter interface {
-	// X509Signatures is called whenever a X509 CSR is signed.
-	X509Signatures(provisioner string)
+	// X509Signed is called whenever a X509 CSR is signed.
+	X509Signed(provisioner string)
 
-	// SSHSignatures is called whenever a SSH CSR is issued.
-	SSHSignatures(provisioner string)
+	// X509Renewed is called whenever a X509 certificate is renewed.
+	X509Renewed(provisioner string)
+
+	// SSHSigned is called whenever a SSH CSR is signed.
+	SSHSigned(provisioner string)
+
+	// SSHRenewedf is called whenever a SSH certificate is renewed.
+	SSHRenewed(provisioner string)
 }

authority/ssh.go

@@ -301,7 +301,7 @@ func (a *Authority) SignSSH(_ context.Context, key ssh.PublicKey, opts provision
 	}
 
 	if h := a.meter; h != nil {
-		h.SSHSignatures(prov.GetName())
+		h.SSHSigned(prov.GetName())
 	}
 
 	return cert, nil
@@ -374,6 +374,8 @@ func (a *Authority) RenewSSH(ctx context.Context, oldCert *ssh.Certificate) (*ss
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "renewSSH: error storing certificate in db")
 	}
 
+	// TODO(@azazeal): SSH renew trigger
+
 	return cert, nil
 }
 

authority/tls.go

@@ -290,7 +290,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 	}
 
 	if h := a.meter; h != nil {
-		h.X509Signatures(prov.GetName())
+		h.X509Signed(prov.GetName())
 	}
 
 	return fullchain, nil
@@ -347,7 +347,8 @@ func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate,
 	}
 
 	// Check step provisioner extensions
-	if err := a.authorizeRenew(ctx, oldCert); err != nil {
+	prov, err := a.authorizeRenew(ctx, oldCert)
+	if err != nil {
 		return nil, errs.StatusCodeError(http.StatusInternalServerError, err, opts...)
 	}
 
@@ -450,6 +451,10 @@ func (a *Authority) RenewContext(ctx context.Context, oldCert *x509.Certificate,
 		}
 	}
 
+	if h := a.meter; h != nil {
+		h.X509Renewed(prov.GetName())
+	}
+
 	return fullchain, nil
 }
 

ca/ca.go

@@ -47,7 +47,6 @@ type options struct {
 	sshHostPassword []byte
 	sshUserPassword []byte
 	database        db.AuthDB
-	metricsAddr     string
 }
 
 func (o *options) apply(opts []Option) {
@@ -120,13 +119,6 @@ func WithQuiet(quiet bool) Option {
 	}
 }
 
-// WithMetricsAddr sets the address on which the metrics server will bind one.
-func WithMetricsAddr(addr string) Option {
-	return func(o *options) {
-		o.metricsAddr = addr
-	}
-}
-
 // CA is the type used to build the complete certificate authority. It builds
 // the HTTP server, set ups the middlewares and the HTTP handlers.
 type CA struct {
@@ -499,7 +491,6 @@ func (ca *CA) Reload() error {
 		WithQuiet(ca.opts.quiet),
 		WithConfigFile(ca.opts.configFile),
 		WithDatabase(ca.auth.GetDatabase()),
-		WithMetricsAddr(ca.opts.metricsAddr),
 	)
 	if err != nil {
 		logContinue("Reload failed because the CA with new configuration could not be initialized.")

commands/app.go

@@ -244,7 +244,7 @@ To get a linked authority token:
 		}
 	}
 
-	caOpts := []ca.Option{
+	srv, err := ca.New(cfg,
 		ca.WithConfigFile(configFile),
 		ca.WithPassword(password),
 		ca.WithSSHHostPassword(sshHostPassword),
@@ -252,12 +252,7 @@ To get a linked authority token:
 		ca.WithIssuerPassword(issuerPassword),
 		ca.WithLinkedCAToken(token),
 		ca.WithQuiet(quiet),
-	}
-	if addr := cfg.MetricsAddr; addr != "" {
-		caOpts = append(caOpts, ca.WithMetricsAddr(addr))
-	}
-
-	srv, err := ca.New(cfg, caOpts...)
+	)
 	if err != nil {
 		fatal(err)
 	}

internal/metrix/meter.go

@@ -9,64 +9,34 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
 
+// New initializes and returns a new [Meter].
 func New() (m *Meter) {
-	m = new(Meter)
-
-	m.signatures.ssh = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Namespace: "step_ca",
-			Subsystem: "ssh",
-			Name:      "signatures_total",
-			Help:      "Number of SSH CSRs signed",
+	m = &Meter{
+		x509: signatures{
+			signed: newCounterVec("x509", "signed_total", "Number of X509 CSRs signed",
+				"provisioner",
+			),
+			renewed: newCounterVec("x509", "renewed_total", "Number of X509 certificates renewed",
+				"provisioner",
+			),
 		},
-		[]string{
-			"provider",
+		ssh: signatures{
+			signed: newCounterVec("ssh", "signed_total", "Number of SSH CSRs signed",
+				"provisioner",
+			),
+			renewed: newCounterVec("ssh", "renewed_total", "Number of SSH certificates renewed",
+				"provisioner",
+			),
 		},
-	)
-
-	m.renewals.ssh = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Namespace: "step_ca",
-			Subsystem: "ssh",
-			Name:      "renewals_total",
-			Help:      "Number of SSH renewals",
-		},
-		[]string{
-			"provider",
-		},
-	)
-
-	m.signatures.x509 = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Namespace: "step_ca",
-			Subsystem: "x509",
-			Name:      "signatures_total",
-			Help:      "Number of X509 CSRs signed",
-		},
-		[]string{
-			"provider",
-		},
-	)
-
-	m.renewals.x509 = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Namespace: "step_ca",
-			Subsystem: "x509",
-			Name:      "renewals_total",
-			Help:      "Number of X509 renewals",
-		},
-		[]string{
-			"provider",
-		},
-	)
+	}
 
 	reg := prometheus.NewRegistry()
 
 	reg.MustRegister(
-		m.signatures.ssh,
-		m.signatures.x509,
-		m.renewals.ssh,
-		m.renewals.x509,
+		m.x509.renewed,
+		m.x509.signed,
+		m.ssh.signed,
+		m.ssh.renewed,
 	)
 
 	h := promhttp.HandlerFor(reg, promhttp.HandlerOpts{
@@ -86,23 +56,40 @@ func New() (m *Meter) {
 type Meter struct {
 	http.Handler
 
-	signatures struct {
-		x509 *prometheus.CounterVec // X509 CSRs signed
-		ssh  *prometheus.CounterVec // SSH CSRs signed
-	}
+	x509 signatures
+	ssh  signatures
+}
 
-	renewals struct {
-		x509 *prometheus.CounterVec // X509 renewals
-		ssh  *prometheus.CounterVec // SSH renewals
-	}
+type signatures struct {
+	signed  *prometheus.CounterVec
+	renewed *prometheus.CounterVec
+}
+
+// X509Signed implements [authority.Meter] for [Meter].
+func (m *Meter) X509Signed(provisioner string) {
+	m.x509.signed.WithLabelValues(provisioner).Inc()
+}
+
+// X509Renewed implements [authority.Meter] for [Meter].
+func (m *Meter) X509Renewed(provisioner string) {
+	m.x509.renewed.WithLabelValues(provisioner).Inc()
+}
+
+// SSHSigned implements [authority.Meter] for [Meter].
+func (m *Meter) SSHSigned(provisioner string) {
+	m.ssh.signed.WithLabelValues(provisioner).Inc()
 }
 
-// X509Signatures implements [authority.Meter] for [Meter].
-func (m *Meter) X509Signatures(provisioner string) {
-	m.signatures.x509.WithLabelValues(provisioner).Inc()
+// SSHRenewed implements [authority.Meter] for [Meter].
+func (m *Meter) SSHRenewed(provisioner string) {
+	m.ssh.renewed.WithLabelValues(provisioner).Inc()
 }
 
-// SSHSignatures implements [authority.Meter] for [Meter].
-func (m *Meter) SSHSignatures(provisioner string) {
-	m.signatures.ssh.WithLabelValues(provisioner).Inc()
+func newCounterVec(subsystem, name, help string, labels ...string) *prometheus.CounterVec {
+	return prometheus.NewCounterVec(prometheus.CounterOpts{
+		Namespace: "step_ca",
+		Subsystem: subsystem,
+		Name:      name,
+		Help:      help,
+	}, labels)
 }