Skip to content

Change ASB usage data collection method to prevent elevated privileges #5535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mikeminutillo wants to merge 1 commit into
base: collect-more-data-cloud
Choose a base branch
from
+26 −85
Open

Change ASB usage data collection method to prevent elevated privileges #5535

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/Directory.Packages.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
<PackageVersion Include="Autofac" Version="9.1.0" />
<PackageVersion Include="AWSSDK.CloudWatch" Version="4.0.10.5" />
<PackageVersion Include="Azure.Identity" Version="1.21.0" />
<PackageVersion Include="Azure.Monitor.Query.Metrics" Version="1.0.0" />
<PackageVersion Include="Azure.ResourceManager.Monitor" Version="1.3.1" />
<PackageVersion Include="Azure.ResourceManager.ServiceBus" Version="1.1.0" />
<PackageVersion Include="ByteSize" Version="2.1.2" />
<PackageVersion Include="Caliburn.Micro" Version="5.0.258" />
Expand Down
107 changes: 24 additions & 83 deletions src/ServiceControl.Transports.ASBS/AzureQuery.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ namespace ServiceControl.Transports.ASBS;
using Azure.Core;
using Azure.Core.Pipeline;
using Azure.Identity;
using Azure.Monitor.Query.Metrics;
using Azure.Monitor.Query.Metrics.Models;
using Azure.ResourceManager;
using Azure.ResourceManager.Monitor;
using Azure.ResourceManager.Monitor.Models;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.ServiceBus;
using BrokerThroughput;
Expand All @@ -34,8 +34,6 @@ public class AzureQuery(ILogger<AzureQuery> logger, TimeProvider timeProvider, T
TokenCredential? credential;
ResourceIdentifier? resourceId;
ArmEnvironment armEnvironment;
MetricsClientAudience metricsClientAudience;
MetricsClient? metricsClient;

protected override void InitializeCore(ReadOnlyDictionary<string, string> settings)
{
Expand Down Expand Up @@ -108,7 +106,7 @@ protected override void InitializeCore(ReadOnlyDictionary<string, string> settin
Diagnostics.AppendLine("Client secret set");
}

(armEnvironment, metricsClientAudience) = GetEnvironment();
armEnvironment = GetEnvironment();

if (managementUrl == null)
{
Expand Down Expand Up @@ -147,26 +145,26 @@ protected override void InitializeCore(ReadOnlyDictionary<string, string> settin

return;

(ArmEnvironment armEnvironment, MetricsClientAudience metricsClientAudience) GetEnvironment()
ArmEnvironment GetEnvironment()
{
if (managementUrlParsed == null || managementUrlParsed == ArmEnvironment.AzurePublicCloud.Endpoint)
{
return (ArmEnvironment.AzurePublicCloud, MetricsClientAudience.AzurePublicCloud);
return ArmEnvironment.AzurePublicCloud;
}

if (managementUrlParsed == ArmEnvironment.AzureChina.Endpoint)
{
return (ArmEnvironment.AzureChina, MetricsClientAudience.AzureChina);
return ArmEnvironment.AzureChina;
}

if (managementUrlParsed == ArmEnvironment.AzureGermany.Endpoint)
{
return (ArmEnvironment.AzureGermany, MetricsClientAudience.AzurePublicCloud);
return ArmEnvironment.AzureGermany;
}

if (managementUrlParsed == ArmEnvironment.AzureGovernment.Endpoint)
{
return (ArmEnvironment.AzureGovernment, MetricsClientAudience.AzureGovernment);
return ArmEnvironment.AzureGovernment;
}

string options = string.Join(", ",
Expand All @@ -176,7 +174,7 @@ protected override void InitializeCore(ReadOnlyDictionary<string, string> settin
}.Select(environment => $"\"{environment.Endpoint}\""));
InitialiseErrors.Add($"Management url configuration is invalid, available options are {options}");

return (ArmEnvironment.AzurePublicCloud, MetricsClientAudience.AzurePublicCloud);
return ArmEnvironment.AzurePublicCloud;
}
}

Expand Down Expand Up @@ -241,85 +239,28 @@ public override async IAsyncEnumerable<QueueThroughput> GetThroughputPerDay(IBro
}
}

async Task<MetricsClient> InitializeMetricsClient(CancellationToken cancellationToken = default)
{
if (resourceId is null || armClient is null || credential is null)
{
throw new InvalidOperationException("AzureQuery has not been initialized correctly.");
}

var serviceBusNamespaceResource = await armClient
.GetServiceBusNamespaceResource(resourceId).GetAsync(cancellationToken)
?? throw new Exception($"Could not find an Azure Service Bus namespace with resource Id: \"{resourceId}\"");

// Determine the region of the namespace
var regionName = serviceBusNamespaceResource.Value.Data.Location.Name;

// Build the regional Azure Monitor Metrics endpoint from the audience
var metricsEndpoint = BuildMetricsEndpoint(metricsClientAudience, regionName);

// CreateNewOnMetadataUpdateAttribute the MetricsClient for this namespace
return new MetricsClient(
metricsEndpoint,
credential!,
new MetricsClientOptions
{
Audience = metricsClientAudience,
Transport = new HttpClientTransport(
new HttpClient(new SocketsHttpHandler
{
PooledConnectionIdleTimeout = TimeSpan.FromMinutes(2)
}))
});
}

static Uri BuildMetricsEndpoint(MetricsClientAudience audience, string regionName)
{
var region = regionName.ToLowerInvariant();
var builder = new UriBuilder(audience.ToString());
builder.Host = $"{region}.{builder.Host}";
return builder.Uri;
}

async Task<IReadOnlyList<MetricValue>> GetMetrics(string queueName, DateOnly startTime, DateOnly endTime,
async Task<IReadOnlyList<MonitorMetricValue>> GetMetrics(string queueName, DateOnly startTime, DateOnly endTime,
CancellationToken cancellationToken = default)
{
metricsClient ??= await InitializeMetricsClient(cancellationToken);

var response = await metricsClient.QueryResourcesAsync(
[resourceId!],
[CompleteMessageMetricName],
MicrosoftServicebusNamespacesMetricsNamespace,
new MetricsQueryResourcesOptions
{
Filter = $"EntityName eq '{queueName}'",
TimeRange = new MetricsQueryTimeRange(startTime.ToDateTime(TimeOnly.MinValue, DateTimeKind.Utc), endTime.ToDateTime(TimeOnly.MaxValue, DateTimeKind.Utc)),
Granularity = TimeSpan.FromDays(1)
},
cancellationToken);

var metricQueryResult = response.Value.Values.SingleOrDefault(mr => mr.Namespace == MicrosoftServicebusNamespacesMetricsNamespace);

if (metricQueryResult is null)
var options = new ArmResourceGetMonitorMetricsOptions()
{
throw new Exception($"No metrics query results returned for {MicrosoftServicebusNamespacesMetricsNamespace}");
}
Metricnames = CompleteMessageMetricName,
Timespan = $"{startTime:o}/{endTime:o}",
Filter = $"EntityName eq '{queueName}'",
Interval = TimeSpan.FromDays(1),
Metricnamespace = MicrosoftServicebusNamespacesMetricsNamespace
};

var metricResult = metricQueryResult.GetMetricByName(CompleteMessageMetricName);

if (metricResult.Error.Message is not null)
await foreach (var metric in armClient.GetMonitorMetricsAsync(resourceId, options, cancellationToken))
{
throw new Exception($"Metrics query result for '{metricResult.Name}' failed: {metricResult.Error.Message}");
}

var timeSeries = metricResult.TimeSeries.SingleOrDefault();

if (timeSeries is null)
{
throw new Exception($"Metrics query result for '{metricResult.Name}' contained no time series");
foreach (var timeSeries in metric.Timeseries)
{
return timeSeries.Data;

@PhilBastian PhilBastian Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this doesn't seem right? only returning the first timeseries data for the first metric?

@mikeminutillo mikeminutillo Jun 16, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll check but I believe there is only one metric, with one timeseries in it.

}
}

return timeSeries.Values.AsReadOnly();
// TODO: Better error handling

@PhilBastian PhilBastian Jun 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO

throw new Exception("No data returned from metrics query");
}

public override async IAsyncEnumerable<IBrokerQueue> GetQueueNames(
Expand Down
2 changes: 1 addition & 1 deletion src/ServiceControl.Transports.ASBS/ServiceControl.Transports.ASBS.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@

<ItemGroup>
<PackageReference Include="Azure.Identity" />
<PackageReference Include="Azure.Monitor.Query.Metrics" />
<PackageReference Include="Azure.ResourceManager.ServiceBus" />
<PackageReference Include="Azure.ResourceManager.Monitor" />
<PackageReference Include="DnsClient" />
<PackageReference Include="NServiceBus.CustomChecks" />
<PackageReference Include="NServiceBus.Transport.AzureServiceBus" />
Expand Down
Loading