Add failed issuer lookup tracking and comprehensive test

Copilot · bbockelm · Copilot · commit 2d07f0295670 · 2025-12-08T22:50:29.000Z
Co-authored-by: bbockelm &lt;1093447+bbockelm@users.noreply.github.com&gt;
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -78,6 +78,9 @@ target_link_libraries(scitokens-create SciTokens)
 add_executable(scitokens-test-monitoring src/test_monitoring.cpp)
 target_link_libraries(scitokens-test-monitoring SciTokens)
 
+add_executable(scitokens-test-monitoring-comprehensive src/test_monitoring_comprehensive.cpp)
+target_link_libraries(scitokens-test-monitoring-comprehensive SciTokens)
+
 get_directory_property(TARGETS BUILDSYSTEM_TARGETS)
 install(
   TARGETS ${TARGETS} 
diff --git a/src/scitokens_internal.h b/src/scitokens_internal.h
@@ -502,8 +502,17 @@ class Validator {
                 auto duration = std::chrono::duration_cast<std::chrono::nanoseconds>(
                     end_time - start_time);
                 
-                // Check if this is an expiration error
                 std::string error_msg = e.what();
+                
+                // Check if this is a failed issuer lookup (network/DNS errors)
+                if (error_msg.find("resolve") != std::string::npos ||
+                    error_msg.find("host") != std::string::npos ||
+                    error_msg.find("network") != std::string::npos ||
+                    error_msg.find("Failed to retrieve") != std::string::npos) {
+                    internal::MonitoringStats::instance().record_failed_issuer_lookup(issuer);
+                }
+                
+                // Check if this is an expiration error
                 if (error_msg.find("exp") != std::string::npos ||
                     error_msg.find("expir") != std::string::npos) {
                     internal::MonitoringStats::instance().record_expired_token(issuer);
@@ -517,9 +526,48 @@ class Validator {
     }
 
     void verify(const jwt::decoded_jwt<jwt::traits::kazuho_picojson> &jwt) {
-        auto result = verify_async(jwt);
-        while (!result->m_done) {
-            result = verify_async_continue(std::move(result));
+        std::string issuer;
+        auto start_time = std::chrono::steady_clock::now();
+        bool has_issuer = false;
+        
+        try {
+            // Try to extract issuer for monitoring
+            if (jwt.has_payload_claim("iss")) {
+                issuer = jwt.get_issuer();
+                has_issuer = true;
+            }
+            
+            auto result = verify_async(jwt);
+            while (!result->m_done) {
+                result = verify_async_continue(std::move(result));
+            }
+        } catch (const std::exception &e) {
+            // Record failure if we have an issuer
+            if (has_issuer) {
+                auto end_time = std::chrono::steady_clock::now();
+                auto duration = std::chrono::duration_cast<std::chrono::nanoseconds>(
+                    end_time - start_time);
+                
+                std::string error_msg = e.what();
+                
+                // Check if this is a failed issuer lookup (network/DNS errors)
+                if (error_msg.find("resolve") != std::string::npos ||
+                    error_msg.find("host") != std::string::npos ||
+                    error_msg.find("network") != std::string::npos ||
+                    error_msg.find("Failed to retrieve") != std::string::npos) {
+                    internal::MonitoringStats::instance().record_failed_issuer_lookup(issuer);
+                }
+                
+                // Check if this is an expiration error
+                if (error_msg.find("exp") != std::string::npos ||
+                    error_msg.find("expir") != std::string::npos) {
+                    internal::MonitoringStats::instance().record_expired_token(issuer);
+                }
+                
+                internal::MonitoringStats::instance().record_validation_failure(
+                    issuer, duration.count());
+            }
+            throw;
         }
     }
 
diff --git a/src/test_monitoring_comprehensive.cpp b/src/test_monitoring_comprehensive.cpp
@@ -0,0 +1,102 @@
+#include "scitokens.h"
+#include <iostream>
+#include <string>
+#include <cstring>
+
+// Helper function to print monitoring JSON
+void print_monitoring_stats(const std::string &label) {
+    char *json_out = nullptr;
+    char *err_msg = nullptr;
+    
+    int result = scitoken_get_monitoring_json(&json_out, &err_msg);
+    if (result != 0) {
+        std::cerr << "Error getting monitoring JSON: "
+                  << (err_msg ? err_msg : "unknown error") << std::endl;
+        if (err_msg)
+            free(err_msg);
+        return;
+    }
+    
+    std::cout << "\n=== " << label << " ===" << std::endl;
+    std::cout << json_out << std::endl;
+    free(json_out);
+}
+
+int main() {
+    char *err_msg = nullptr;
+    
+    // Reset monitoring stats at start
+    scitoken_reset_monitoring_stats(&err_msg);
+    
+    std::cout << "Testing Monitoring API with Token Validation\n";
+    std::cout << "=============================================\n";
+    
+    // Test 1: Initial state
+    print_monitoring_stats("Initial State (should be empty)");
+    
+    // Test 2: Failed validation - expired token from demo.scitokens.org
+    // This token is from the test.cpp and is expired
+    std::cout << "\n--- Test 1: Validating an expired token ---\n";
+    std::string expired_token =
+        "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1yczI1NiJ9."
+        "eyJpc3MiOiJodHRwczovL2RlbW8uc2NpdG9rZW5zLm9yZyIsImV4cCI6MTU0NjM5MjAwOS"
+        "wiaWF0IjoxNTQ2MzkxNDA5LCJuYmYiOjE1NDYzOTE0MDksImp0aSI6ImFkYTk2MjdiLWEx"
+        "MGYtNGMyYS05Nzc2LTE4ZThkN2JmN2M4NSJ9.cNMG5zI2-JHh7l_"
+        "PUPUAxom5Vi6Q3akKmv6q57CoVKHtxZAZRc47Uoix_"
+        "AH3Xzr42qohr2FPamRTxUMsfZjrAFDJ_4JhJ-kKjJ3cRXXF-"
+        "gj7lbniCDGOBuPXeMsVmeED15nauZ3XKXUHTGLEsg5O6RjS7sGKM_"
+        "e9YiYvcTvWXcdkrkxZ2dPPU-R3IxdK6PtE9OB2XOk85H670OAJT3qimKm8Dk_"
+        "Ri6DEEty1Su_"
+        "1Tov3ac5B19iZkbhhVPMVP0cRolR9UNLhMxQAsbgEmArQOcs046AOzqQz6osOkdYOrVVO7"
+        "lO2owUyMol94mB_39y1M8jcf5WNq3ukMMIzMCAPwA";
+    
+    SciToken token = nullptr;
+    int result = scitoken_deserialize(expired_token.c_str(), &token, nullptr, &err_msg);
+    if (result != 0) {
+        std::cout << "Token deserialization/validation failed (expected): " 
+                  << (err_msg ? err_msg : "unknown error") << std::endl;
+        if (err_msg) {
+            free(err_msg);
+            err_msg = nullptr;
+        }
+    } else {
+        std::cout << "Token was valid (unexpected)" << std::endl;
+        scitoken_destroy(token);
+    }
+    
+    print_monitoring_stats("After Expired Token Validation");
+    
+    // Test 3: Invalid issuer (should not create unbounded entries)
+    std::cout << "\n--- Test 2: Testing DDoS protection with multiple invalid issuers ---\n";
+    
+    // Try to create many tokens with different invalid issuers
+    // The monitoring system should limit tracking to MAX_FAILED_ISSUERS (100)
+    for (int i = 0; i < 150; i++) {
+        // These are malformed tokens that will fail early
+        std::string fake_token = "invalid.token." + std::to_string(i);
+        SciToken temp_token = nullptr;
+        scitoken_deserialize(fake_token.c_str(), &temp_token, nullptr, &err_msg);
+        if (err_msg) {
+            free(err_msg);
+            err_msg = nullptr;
+        }
+    }
+    
+    print_monitoring_stats("After Multiple Invalid Token Attempts");
+    
+    // Test 4: Reset stats
+    std::cout << "\n--- Test 3: Testing reset functionality ---\n";
+    result = scitoken_reset_monitoring_stats(&err_msg);
+    if (result != 0) {
+        std::cerr << "Error resetting stats: "
+                  << (err_msg ? err_msg : "unknown error") << std::endl;
+        if (err_msg)
+            free(err_msg);
+        return 1;
+    }
+    
+    print_monitoring_stats("After Reset");
+    
+    std::cout << "\n=== All monitoring API tests completed successfully ===\n";
+    return 0;
+}
