Add monitoring API infrastructure and basic test

Copilot · bbockelm · Copilot · commit 95d91daf8f92 · 2025-12-08T22:46:06.000Z
Co-authored-by: bbockelm &lt;1093447+bbockelm@users.noreply.github.com&gt;
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -44,7 +44,7 @@ pkg_check_modules(SQLITE REQUIRED sqlite3)
 
 endif()
 
-add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp)
+add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp src/scitokens_monitoring.cpp)
 target_compile_features(SciTokens PUBLIC cxx_std_11) # Use at least C++11 for building and when linking to scitokens
 target_include_directories(SciTokens PUBLIC ${JWT_CPP_INCLUDES} "${PROJECT_SOURCE_DIR}/src" PRIVATE ${CURL_INCLUDE_DIRS} ${OPENSSL_INCLUDE_DIRS} ${LIBCRYPTO_INCLUDE_DIRS} ${SQLITE_INCLUDE_DIRS}  ${UUID_INCLUDE_DIRS})
 
@@ -75,6 +75,9 @@ target_link_libraries(scitokens-list-access SciTokens)
 add_executable(scitokens-create src/create.cpp)
 target_link_libraries(scitokens-create SciTokens)
 
+add_executable(scitokens-test-monitoring src/test_monitoring.cpp)
+target_link_libraries(scitokens-test-monitoring SciTokens)
+
 get_directory_property(TARGETS BUILDSYSTEM_TARGETS)
 install(
   TARGETS ${TARGETS} 
diff --git a/src/scitokens.cpp b/src/scitokens.cpp
@@ -1114,3 +1114,35 @@ int scitoken_config_get_str(const char *key, char **output, char **err_msg) {
     }
     return 0;
 }
+
+int scitoken_get_monitoring_json(char **json_out, char **err_msg) {
+    if (!json_out) {
+        if (err_msg) {
+            *err_msg = strdup("JSON output pointer may not be null.");
+        }
+        return -1;
+    }
+    try {
+        std::string json =
+            scitokens::internal::MonitoringStats::instance().get_json();
+        *json_out = strdup(json.c_str());
+    } catch (std::exception &exc) {
+        if (err_msg) {
+            *err_msg = strdup(exc.what());
+        }
+        return -1;
+    }
+    return 0;
+}
+
+int scitoken_reset_monitoring_stats(char **err_msg) {
+    try {
+        scitokens::internal::MonitoringStats::instance().reset();
+    } catch (std::exception &exc) {
+        if (err_msg) {
+            *err_msg = strdup(exc.what());
+        }
+        return -1;
+    }
+    return 0;
+}
diff --git a/src/scitokens.h b/src/scitokens.h
@@ -329,6 +329,26 @@ int scitoken_config_set_str(const char *key, const char *value, char **err_msg);
  */
 int scitoken_config_get_str(const char *key, char **output, char **err_msg);
 
+/**
+ * Get monitoring statistics as a JSON string.
+ * Returns a JSON object containing per-issuer validation statistics including:
+ * - successful_validations: count of successful token validations
+ * - unsuccessful_validations: count of failed token validations
+ * - expired_tokens: count of expired tokens encountered
+ * - average_validation_time_ms: average validation time in milliseconds
+ * - failed_issuer_lookups: count of failed issuer lookups (limited to prevent DDoS)
+ *
+ * The returned string must be freed by the caller using free().
+ * Returns 0 on success, nonzero on failure.
+ */
+int scitoken_get_monitoring_json(char **json_out, char **err_msg);
+
+/**
+ * Reset all monitoring statistics.
+ * Returns 0 on success, nonzero on failure.
+ */
+int scitoken_reset_monitoring_stats(char **err_msg);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/scitokens_internal.h b/src/scitokens_internal.h
@@ -3,6 +3,7 @@
 #include <mutex>
 #include <sstream>
 #include <unordered_map>
+#include <chrono>
 
 #include <atomic>
 #include <curl/curl.h>
@@ -65,6 +66,9 @@ namespace scitokens {
 
 namespace internal {
 
+// Forward declaration
+class MonitoringStats;
+
 class SimpleCurlGet {
 
     int m_maxbytes{1048576};
@@ -110,6 +114,54 @@ class SimpleCurlGet {
                              void *userp);
 };
 
+/**
+ * Statistics for monitoring token validation per issuer.
+ */
+struct IssuerStats {
+    std::atomic<uint64_t> successful_validations{0};
+    std::atomic<uint64_t> unsuccessful_validations{0};
+    std::atomic<uint64_t> expired_tokens{0};
+    std::atomic<uint64_t> total_time_ns{0}; // Total time in nanoseconds
+    std::atomic<uint64_t> validation_count{0}; // For computing average
+};
+
+/**
+ * Monitoring statistics singleton.
+ * Tracks per-issuer validation statistics and protects against
+ * resource exhaustion from invalid issuers.
+ */
+class MonitoringStats {
+  public:
+    static MonitoringStats &instance();
+
+    void record_validation_start(const std::string &issuer);
+    void record_validation_success(const std::string &issuer,
+                                    uint64_t duration_ns);
+    void record_validation_failure(const std::string &issuer,
+                                    uint64_t duration_ns);
+    void record_expired_token(const std::string &issuer);
+    void record_failed_issuer_lookup(const std::string &issuer);
+
+    std::string get_json() const;
+    void reset();
+
+  private:
+    MonitoringStats() = default;
+    ~MonitoringStats() = default;
+    MonitoringStats(const MonitoringStats &) = delete;
+    MonitoringStats &operator=(const MonitoringStats &) = delete;
+
+    // Limit the number of failed issuer entries to prevent DDoS
+    static constexpr size_t MAX_FAILED_ISSUERS = 100;
+
+    mutable std::mutex m_mutex;
+    std::unordered_map<std::string, IssuerStats> m_issuer_stats;
+    std::unordered_map<std::string, std::atomic<uint64_t>> m_failed_issuer_lookups;
+
+    std::string sanitize_issuer_for_json(const std::string &issuer) const;
+    void prune_failed_issuers();
+};
+
 } // namespace internal
 
 class UnsupportedKeyException : public std::runtime_error {
@@ -226,6 +278,8 @@ class AsyncStatus {
     std::string m_jwt_string;
     std::string m_public_pem;
     std::string m_algorithm;
+    std::chrono::steady_clock::time_point m_start_time;
+    bool m_monitoring_started{false};
 
     struct timeval get_timeout_val(time_t expiry_time) const {
         auto now = time(NULL);
@@ -418,17 +472,47 @@ class Validator {
     }
 
     void verify(const SciToken &scitoken, time_t expiry_time) {
-        auto result = verify_async(scitoken);
-        while (!result->m_done) {
-            auto timeout_val = result->get_timeout_val(expiry_time);
-            select(result->get_max_fd() + 1, result->get_read_fd_set(),
-                   result->get_write_fd_set(), result->get_exc_fd_set(),
-                   &timeout_val);
-            if (time(NULL) >= expiry_time) {
-                throw CurlException("Timeout when loading the OIDC metadata.");
+        std::string issuer;
+        auto start_time = std::chrono::steady_clock::now();
+        bool has_issuer = false;
+        
+        try {
+            // Try to extract issuer for monitoring
+            if (scitoken.m_decoded && scitoken.m_decoded->has_payload_claim("iss")) {
+                issuer = scitoken.m_decoded->get_issuer();
+                has_issuer = true;
             }
+            
+            auto result = verify_async(scitoken);
+            while (!result->m_done) {
+                auto timeout_val = result->get_timeout_val(expiry_time);
+                select(result->get_max_fd() + 1, result->get_read_fd_set(),
+                       result->get_write_fd_set(), result->get_exc_fd_set(),
+                       &timeout_val);
+                if (time(NULL) >= expiry_time) {
+                    throw CurlException("Timeout when loading the OIDC metadata.");
+                }
 
-            result = verify_async_continue(std::move(result));
+                result = verify_async_continue(std::move(result));
+            }
+        } catch (const std::exception &e) {
+            // Record failure if we have an issuer
+            if (has_issuer) {
+                auto end_time = std::chrono::steady_clock::now();
+                auto duration = std::chrono::duration_cast<std::chrono::nanoseconds>(
+                    end_time - start_time);
+                
+                // Check if this is an expiration error
+                std::string error_msg = e.what();
+                if (error_msg.find("exp") != std::string::npos ||
+                    error_msg.find("expir") != std::string::npos) {
+                    internal::MonitoringStats::instance().record_expired_token(issuer);
+                }
+                
+                internal::MonitoringStats::instance().record_validation_failure(
+                    issuer, duration.count());
+            }
+            throw;
         }
     }
 
@@ -514,6 +598,9 @@ class Validator {
         status->m_jwt_string = jwt.get_token();
         status->m_public_pem = public_pem;
         status->m_algorithm = algorithm;
+        // Start monitoring timing
+        status->m_start_time = std::chrono::steady_clock::now();
+        status->m_monitoring_started = true;
 
         return verify_async_continue(std::move(status));
     }
@@ -677,6 +764,16 @@ class Validator {
                     }
                 }
         }
+        
+        // Record successful validation
+        if (status->m_monitoring_started) {
+            auto end_time = std::chrono::steady_clock::now();
+            auto duration = std::chrono::duration_cast<std::chrono::nanoseconds>(
+                end_time - status->m_start_time);
+            internal::MonitoringStats::instance().record_validation_success(
+                status->m_issuer, duration.count());
+        }
+        
         std::unique_ptr<AsyncStatus> result(new AsyncStatus());
         result->m_done = true;
         return result;
diff --git a/src/scitokens_monitoring.cpp b/src/scitokens_monitoring.cpp
diff --git a/src/test_monitoring.cpp b/src/test_monitoring.cpp
