feat: add tracing interceptors to login and oidc (#764)

* add tracing interceptors to login and oidc

* add some tracing spans

* trace login calls

* add some spans

* add some spans (change password)

* add some more tracing in oauth/oidc

* revert org exists

* Merge branch 'master' into http-tracing

# Conflicts:
#	internal/api/oidc/auth_request.go
#	internal/api/oidc/client.go
#	internal/auth/repository/eventsourcing/eventstore/auth_request.go
#	internal/auth/repository/eventsourcing/eventstore/user.go
#	internal/authz/repository/eventsourcing/eventstore/token_verifier.go
#	internal/authz/repository/eventsourcing/view/token.go
#	internal/user/repository/eventsourcing/eventstore.go

internal/api/authz/authorization.go

@@ -7,14 +7,18 @@ import (
 	"strings"
 
 	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
 )
 
 const (
 	authenticated = "authenticated"
 )
 
-func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (context.Context, error) {
-	ctx, err := VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier, method)
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (_ context.Context, err error) {
+	ctx, span := tracing.NewServerInterceptorSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	ctx, err = VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier, method)
 	if err != nil {
 		return nil, err
 	}
@@ -29,7 +33,9 @@ func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID s
 		return nil, err
 	}
 
+	ctx, userPermissionSpan := tracing.NewNamedSpan(ctx, "checkUserPermissions")
 	err = checkUserPermissions(req, perms, requiredAuthOption)
+	userPermissionSpan.EndWithError(err)
 	if err != nil {
 		return nil, err
 	}

internal/api/authz/context.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/api/grpc"
 	http_util "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
 )
 
 type key int
@@ -36,6 +37,9 @@ type Grant struct {
 }
 
 func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ context.Context, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
 	if orgID != "" {
 		err = t.ExistsOrg(ctx, orgID)
 		if err != nil {

internal/api/authz/permissions.go

@@ -4,9 +4,13 @@ import (
 	"context"
 
 	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
 )
 
-func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (context.Context, []string, error) {
+func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (_ context.Context, _ []string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
 	ctxData := GetCtxData(ctx)
 	if ctxData.IsZero() {
 		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")

internal/api/authz/token.go

@@ -6,6 +6,7 @@ import (
 	"sync"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/tracing"
 )
 
 const (
@@ -62,7 +63,10 @@ func prefixFromMethod(method string) (string, bool) {
 	return parts[1], true
 }
 
-func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (string, error) {
+func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (_ string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
 	prefix, ok := prefixFromMethod(method)
 	if !ok {
 		return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-GRD2Q", "Errors.Internal")
@@ -71,7 +75,6 @@ func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (
 	if !ok {
 		return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-G2qrh", "Errors.Internal")
 	}
-	var err error
 	c := app.(*client)
 	if c.id != "" {
 		return c.id, nil
@@ -84,15 +87,22 @@ func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (
 	return c.id, nil
 }
 
-func (v *TokenVerifier) ResolveGrant(ctx context.Context) (*Grant, error) {
+func (v *TokenVerifier) ResolveGrant(ctx context.Context) (_ *Grant, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
 	return v.authZRepo.ResolveGrants(ctx)
 }
 
-func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (string, []string, error) {
+func (v *TokenVerifier) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (_ string, _ []string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
 	return v.authZRepo.ProjectIDAndOriginsByClientID(ctx, clientID)
 }
 
-func (v *TokenVerifier) ExistsOrg(ctx context.Context, orgID string) error {
+func (v *TokenVerifier) ExistsOrg(ctx context.Context, orgID string) (err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
 	return v.authZRepo.ExistsOrg(ctx, orgID)
 }
 
@@ -102,6 +112,9 @@ func (v *TokenVerifier) CheckAuthMethod(method string) (Option, bool) {
 }
 
 func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID, prefLang string, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
 	parts := strings.Split(token, BearerPrefix)
 	if len(parts) != 2 {
 		return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")