feat(instrumentation-tls): wrap tls.connect API

examples/network/client.js

@@ -0,0 +1,51 @@
+'use strict';
+
+const { diag, DiagConsoleLogger, DiagLogLevel } = require('@opentelemetry/api');
+const { NodeTracerProvider } = require('@opentelemetry/node');
+const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
+const { NetInstrumentation } = require('@opentelemetry/instrumentation-net');
+const { DnsInstrumentation } = require('@opentelemetry/instrumentation-dns');
+const { registerInstrumentations } = require('@opentelemetry/instrumentation');
+const { SimpleSpanProcessor, ConsoleSpanExporter } = require('@opentelemetry/tracing');
+const { JaegerExporter } = require('@opentelemetry/exporter-jaeger');
+
+const provider = new NodeTracerProvider();
+
+provider.addSpanProcessor(new SimpleSpanProcessor(new JaegerExporter({
+  serviceName: 'http-client',
+})));
+
+provider.addSpanProcessor(new SimpleSpanProcessor(new ConsoleSpanExporter()));
+
+provider.register();
+
+diag.setLogger(new DiagConsoleLogger(), DiagLogLevel.ALL);
+
+registerInstrumentations({
+  instrumentations: [
+    new NetInstrumentation(),
+    new HttpInstrumentation(),
+    new DnsInstrumentation({
+      // Avoid dns lookup loop with http zipkin calls
+      ignoreHostnames: ['localhost'],
+    }),
+  ],
+  tracerProvider: provider,
+});
+
+require('net');
+require('dns');
+const https = require('https');
+const http = require('http');
+
+http.get('http://opentelemetry.io/', () => {}).on('error', (e) => {
+  console.error(e);
+});
+
+https.get('https://opentelemetry.io/', () => {}).on('error', (e) => {
+  console.error(e);
+});
+
+https.get('https://opentelemetry.io/', { ca: [] }, () => {}).on('error', (e) => {
+  console.error(e);
+});

examples/network/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "tls-example",
+  "private": true,
+  "version": "0.15.0",
+  "description": "Example of NET & TLS integration with OpenTelemetry",
+  "main": "index.js",
+  "scripts": {
+    "zipkin:client": "cross-env EXPORTER=zipkin node ./client.js",
+    "jaeger:client": "cross-env EXPORTER=jaeger node ./client.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://[email protected]/open-telemetry/opentelemetry-js-contrib.git"
+  },
+  "keywords": [
+    "opentelemetry",
+    "net",
+    "tls",
+    "tracing"
+  ],
+  "engines": {
+    "node": ">=8.5.0"
+  },
+  "author": "OpenTelemetry Authors",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/open-telemetry/opentelemetry-js-contrib/issues"
+  },
+  "dependencies": {
+    "@opentelemetry/api": "^0.18.1",
+    "@opentelemetry/exporter-jaeger": "^0.18.2",
+    "@opentelemetry/exporter-zipkin": "^0.18.2",
+    "@opentelemetry/instrumentation": "^0.18.2",
+    "@opentelemetry/instrumentation-net": "file:../../plugins/node/opentelemetry-instrumentation-net",
+    "@opentelemetry/instrumentation-http": "^0.19.0",
+    "@opentelemetry/instrumentation-dns": "^0.15.0",
+    "@opentelemetry/node": "^0.18.2",
+    "@opentelemetry/tracing": "^0.18.2"
+  },
+  "homepage": "https://github.com/open-telemetry/opentelemetry-js-contrib#readme",
+  "devDependencies": {
+    "cross-env": "^6.0.3"
+  }
+}

plugins/node/opentelemetry-instrumentation-net/src/net.ts

@@ -26,10 +26,11 @@ import {
   SemanticAttributes,
   NetTransportValues,
 } from '@opentelemetry/semantic-conventions';
-import { Net, NormalizedOptions, SocketEvent } from './types';
+import { Net, NormalizedOptions, SocketEvent, TLSAttributes } from './types';
 import { getNormalizedArgs, IPC_TRANSPORT } from './utils';
 import { VERSION } from './version';
 import { Socket } from 'net';
+import { TLSSocket } from 'tls';
 
 export class NetInstrumentation extends InstrumentationBase<Net> {
   constructor(protected _config: InstrumentationConfig = {}) {
@@ -69,11 +70,10 @@ export class NetInstrumentation extends InstrumentationBase<Net> {
       return function patchedConnect(this: Socket, ...args: unknown[]) {
         const options = getNormalizedArgs(args);
 
-        const span = options
-          ? options.path
-            ? plugin._startIpcSpan(options, this)
-            : plugin._startTcpSpan(options, this)
-          : plugin._startGenericSpan(this);
+        const span =
+          this instanceof TLSSocket
+            ? plugin._startTLSSpan(options, this)
+            : plugin._startSpan(options, this);
 
         return safeExecuteInTheMiddle(
           () => original.apply(this, args),
@@ -92,6 +92,61 @@ export class NetInstrumentation extends InstrumentationBase<Net> {
     };
   }
 
+  private _startSpan(
+    options: NormalizedOptions | undefined | null,
+    socket: Socket
+  ) {
+    if (!options) {
+      return this._startGenericSpan(socket);
+    }
+    if (options.path) {
+      return this._startIpcSpan(options, socket);
+    }
+    return this._startTcpSpan(options, socket);
+  }
+
+  private _startTLSSpan(
+    options: NormalizedOptions | undefined | null,
+    socket: TLSSocket
+  ) {
+    const tlsSpan = this.tracer.startSpan('tls.connect');
+
+    const netSpan = this._startSpan(options, socket);
+
+    /* if we use once and tls.connect() uses a callback this is never executed */
+    socket.prependOnceListener(SocketEvent.SECURE_CONNECT, () => {
+      const peerCertificate = socket.getPeerCertificate(true);
+      const cipher = socket.getCipher();
+      const protocol = socket.getProtocol();
+      const attributes = {
+        [TLSAttributes.PROTOCOL]: String(protocol),
+        [TLSAttributes.AUTHORIZED]: String(socket.authorized),
+        [TLSAttributes.CIPHER_NAME]: cipher.name,
+        [TLSAttributes.CIPHER_VERSION]: cipher.version,
+        [TLSAttributes.CERTIFICATE_FINGERPRINT]: peerCertificate.fingerprint,
+        [TLSAttributes.CERTIFICATE_SERIAL_NUMBER]: peerCertificate.serialNumber,
+        [TLSAttributes.CERTIFICATE_VALID_FROM]: peerCertificate.valid_from,
+        [TLSAttributes.CERTIFICATE_VALID_TO]: peerCertificate.valid_to,
+        [TLSAttributes.ALPN_PROTOCOL]: '',
+      };
+      if (socket.alpnProtocol) {
+        attributes[TLSAttributes.ALPN_PROTOCOL] = socket.alpnProtocol;
+      }
+
+      tlsSpan.setAttributes(attributes);
+      tlsSpan.end();
+    });
+    socket.once(SocketEvent.ERROR, (e: Error) => {
+      tlsSpan.setStatus({
+        code: SpanStatusCode.ERROR,
+        message: e.message,
+      });
+      tlsSpan.end();
+    });
+
+    return netSpan;
+  }
+
   /* It might still be useful to pick up errors due to invalid connect arguments. */
   private _startGenericSpan(socket: Socket) {
     const span = this.tracer.startSpan('connect');

plugins/node/opentelemetry-instrumentation-net/src/types.ts

@@ -28,4 +28,17 @@ export enum SocketEvent {
   CLOSE = 'close',
   CONNECT = 'connect',
   ERROR = 'error',
+  SECURE_CONNECT = 'secureConnect',
+}
+
+export enum TLSAttributes {
+  PROTOCOL = 'tls.protocol',
+  AUTHORIZED = 'tls.authorized',
+  CIPHER_NAME = 'tls.cipher.name',
+  CIPHER_VERSION = 'tls.cipher.version',
+  CERTIFICATE_FINGERPRINT = 'tls.certificate.fingerprint',
+  CERTIFICATE_SERIAL_NUMBER = 'tls.certificate.serialNumber',
+  CERTIFICATE_VALID_FROM = 'tls.certificate.validFrom',
+  CERTIFICATE_VALID_TO = 'tls.certificate.validTo',
+  ALPN_PROTOCOL = 'tls.alpnProtocol',
 }

plugins/node/opentelemetry-instrumentation-net/test/connect.test.ts

@@ -23,9 +23,20 @@ import { SemanticAttributes } from '@opentelemetry/semantic-conventions';
 import { NodeTracerProvider } from '@opentelemetry/node';
 import * as net from 'net';
 import * as assert from 'assert';
+import * as tls from 'tls';
 import { NetInstrumentation } from '../src/net';
 import { SocketEvent } from '../src/types';
-import { assertIpcSpan, assertTcpSpan, IPC_PATH, HOST, PORT } from './utils';
+import {
+  assertIpcSpan,
+  assertTcpSpan,
+  assertTLSSpan,
+  IPC_PATH,
+  HOST,
+  PORT,
+  TLS_SERVER_CERT,
+  TLS_SERVER_KEY,
+  TLS_PORT,
+} from './utils';
 
 const memoryExporter = new InMemorySpanExporter();
 const provider = new NodeTracerProvider();
@@ -38,11 +49,22 @@ function getSpan() {
   return span;
 }
 
+function getTLSSpans() {
+  const spans = memoryExporter.getFinishedSpans();
+  assert.strictEqual(spans.length, 2);
+  const [netSpan, tlsSpan] = spans;
+  return {
+    netSpan,
+    tlsSpan,
+  };
+}
+
 describe('NetInstrumentation', () => {
   let instrumentation: NetInstrumentation;
   let socket: net.Socket;
   let tcpServer: net.Server;
   let ipcServer: net.Server;
+  let tlsServer: tls.Server;
 
   before(() => {
     instrumentation = new NetInstrumentation();
@@ -60,6 +82,15 @@ describe('NetInstrumentation', () => {
     ipcServer.listen(IPC_PATH, done);
   });
 
+  before(done => {
+    tlsServer = tls.createServer({
+      cert: TLS_SERVER_CERT,
+      key: TLS_SERVER_KEY,
+    });
+
+    tlsServer.listen(TLS_PORT, done);
+  });
+
   beforeEach(() => {
     socket = new net.Socket();
   });
@@ -73,6 +104,7 @@ describe('NetInstrumentation', () => {
     instrumentation.disable();
     tcpServer.close();
     ipcServer.close();
+    tlsServer.close();
   });
 
   describe('successful net.connect produces a span', () => {
@@ -162,6 +194,67 @@ describe('NetInstrumentation', () => {
     });
   });
 
+  describe('successful tls.connect produces a span', () => {
+    it('should produce a span with "onSecure" callback', done => {
+      const tlsSocket = tls.connect(
+        TLS_PORT,
+        HOST,
+        {
+          ca: [TLS_SERVER_CERT],
+          checkServerIdentity: () => {
+            return undefined;
+          },
+        },
+        () => {
+          assertTLSSpan(getTLSSpans(), tlsSocket);
+          done();
+          // This needs to be here to make sure that mocha can close cleanly.
+          tlsSocket.destroy();
+        }
+      );
+    });
+
+    it('should produce a span without "onSecure" callback', done => {
+      socket = tls.connect(TLS_PORT, HOST, {
+        ca: [TLS_SERVER_CERT],
+        checkServerIdentity: () => {
+          return undefined;
+        },
+      });
+      tlsServer.on('connection', c => {
+        c.end();
+      });
+      socket.on('end', () => {
+        assertTLSSpan(getTLSSpans(), socket);
+        done();
+      });
+    });
+
+    it('should produce an error span when certificate is not trusted', done => {
+      socket = tls.connect(
+        TLS_PORT,
+        HOST,
+        {
+          ca: [],
+          checkServerIdentity: () => {
+            return undefined;
+          },
+        },
+        () => {
+          assertTLSSpan(getTLSSpans(), socket);
+          done();
+        }
+      );
+      socket.on('error', error => {
+        const { tlsSpan } = getTLSSpans();
+        // assertTcpSpan(netSpan, tlsSocket, TLS_PORT)
+        assert.strictEqual(tlsSpan.status.message, 'self signed certificate');
+        assert.strictEqual(tlsSpan.status.code, SpanStatusCode.ERROR);
+        done();
+      });
+    });
+  });
+
   describe('invalid input', () => {
     it('should produce an error span when connect throws', done => {
       assert.throws(() => {
@@ -195,6 +288,7 @@ describe('NetInstrumentation', () => {
         SocketEvent.CLOSE,
         SocketEvent.CONNECT,
         SocketEvent.ERROR,
+        SocketEvent.SECURE_CONNECT,
       ]) {
         assert.equal(events.has(event), false);
       }
@@ -226,5 +320,22 @@ describe('NetInstrumentation', () => {
         });
       });
     });
+
+    it('should clean up listeners for tls.connect', done => {
+      tls.connect(
+        TLS_PORT,
+        HOST,
+        {
+          ca: [TLS_SERVER_CERT],
+          checkServerIdentity: () => {
+            return undefined;
+          },
+        },
+        () => {
+          assertNoDanglingListeners();
+          done();
+        }
+      );
+    });
   });
 });