scitokens
diff --git a/‎CMakeLists.txt‎
Lines changed: 8 additions & 1 deletion b/‎CMakeLists.txt‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎src/scitokens.cpp‎
Lines changed: 39 additions & 5 deletions b/‎src/scitokens.cpp‎
Lines changed: 39 additions & 5 deletions
diff --git a/‎src/scitokens.h‎
Lines changed: 21 additions & 0 deletions b/‎src/scitokens.h‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎src/scitokens_internal.cpp‎
Lines changed: 115 additions & 98 deletions b/‎src/scitokens_internal.cpp‎
Lines changed: 115 additions & 98 deletions
@@ -44,7 +44,7 @@ pkg_check_modules(SQLITE REQUIRED sqlite3)
 
 endif()
 
-add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp)
+add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp src/scitokens_monitoring.cpp)
 target_compile_features(SciTokens PUBLIC cxx_std_11) # Use at least C++11 for building and when linking to scitokens
 target_include_directories(SciTokens PUBLIC ${JWT_CPP_INCLUDES} "${PROJECT_SOURCE_DIR}/src" PRIVATE ${CURL_INCLUDE_DIRS} ${OPENSSL_INCLUDE_DIRS} ${LIBCRYPTO_INCLUDE_DIRS} ${SQLITE_INCLUDE_DIRS}  ${UUID_INCLUDE_DIRS})
 
@@ -75,10 +75,17 @@ target_link_libraries(scitokens-list-access SciTokens)
 add_executable(scitokens-create src/create.cpp)
 target_link_libraries(scitokens-create SciTokens)
 
+
 add_executable(scitokens-generate-jwks src/generate_jwks.cpp)
 target_include_directories(scitokens-generate-jwks PRIVATE ${OPENSSL_INCLUDE_DIRS} ${LIBCRYPTO_INCLUDE_DIRS})
 target_link_libraries(scitokens-generate-jwks ${OPENSSL_LIBRARIES} ${LIBCRYPTO_LIBRARIES})
 
+add_executable(scitokens-test-monitoring src/test_monitoring.cpp)
+target_link_libraries(scitokens-test-monitoring SciTokens)
+
+add_executable(scitokens-test-monitoring-comprehensive src/test_monitoring_comprehensive.cpp)
+target_link_libraries(scitokens-test-monitoring-comprehensive SciTokens)
+
 get_directory_property(TARGETS BUILDSYSTEM_TARGETS)
 install(
   TARGETS ${TARGETS} 
 
@@ -246,10 +246,12 @@ int scitoken_get_expiration(const SciToken token, long long *expiry,
             // Float value - convert to integer (truncate)
             // Float value - convert to integer using std::floor().
             // This ensures expiration is not extended by fractional seconds.
-            result = static_cast<long long>(std::floor(claim_value.get<double>()));
+            result =
+                static_cast<long long>(std::floor(claim_value.get<double>()));
         } else {
             if (err_msg) {
-                *err_msg = strdup("'exp' claim must be a number (integer or float)");
+                *err_msg =
+                    strdup("'exp' claim must be a number (integer or float)");
             }
             return -1;
         }
@@ -1080,9 +1082,9 @@ int scitoken_config_set_str(const char *key, const char *value,
             return -1;
         }
     } else if (_key == "tls.ca_file") {
-       configurer::Configuration::set_tls_ca_file(value ? std::string(value) : "");
-    }
-    else {
+        configurer::Configuration::set_tls_ca_file(value ? std::string(value)
+                                                         : "");
+    } else {
         if (err_msg) {
             *err_msg = strdup("Key not recognized.");
         }
@@ -1114,3 +1116,35 @@ int scitoken_config_get_str(const char *key, char **output, char **err_msg) {
     }
     return 0;
 }
+
+int scitoken_get_monitoring_json(char **json_out, char **err_msg) {
+    if (!json_out) {
+        if (err_msg) {
+            *err_msg = strdup("JSON output pointer may not be null.");
+        }
+        return -1;
+    }
+    try {
+        std::string json =
+            scitokens::internal::MonitoringStats::instance().get_json();
+        *json_out = strdup(json.c_str());
+    } catch (std::exception &exc) {
+        if (err_msg) {
+            *err_msg = strdup(exc.what());
+        }
+        return -1;
+    }
+    return 0;
+}
+
+int scitoken_reset_monitoring_stats(char **err_msg) {
+    try {
+        scitokens::internal::MonitoringStats::instance().reset();
+    } catch (std::exception &exc) {
+        if (err_msg) {
+            *err_msg = strdup(exc.what());
+        }
+        return -1;
+    }
+    return 0;
+}
@@ -329,6 +329,27 @@ int scitoken_config_set_str(const char *key, const char *value, char **err_msg);
  */
 int scitoken_config_get_str(const char *key, char **output, char **err_msg);
 
+/**
+ * Get monitoring statistics as a JSON string.
+ * Returns a JSON object containing per-issuer validation statistics including:
+ * - successful_validations: count of successful token validations
+ * - unsuccessful_validations: count of failed token validations
+ * - expired_tokens: count of expired tokens encountered
+ * - total_validation_time_s: total validation time in seconds
+ * - failed_issuer_lookups: count of failed issuer lookups (limited to prevent
+ * DDoS)
+ *
+ * The returned string must be freed by the caller using free().
+ * Returns 0 on success, nonzero on failure.
+ */
+int scitoken_get_monitoring_json(char **json_out, char **err_msg);
+
+/**
+ * Reset all monitoring statistics.
+ * Returns 0 on success, nonzero on failure.
+ */
+int scitoken_reset_monitoring_stats(char **err_msg);
+
 #ifdef __cplusplus
 }
 #endif
@@ -652,116 +652,133 @@ SciToken::deserialize_continue(std::unique_ptr<SciTokenAsyncStatus> status) {
 std::unique_ptr<AsyncStatus>
 Validator::get_public_keys_from_web(const std::string &issuer,
                                     unsigned timeout) {
-    std::string openid_metadata, oauth_metadata;
-    get_metadata_endpoint(issuer, openid_metadata, oauth_metadata);
-
-    std::unique_ptr<AsyncStatus> status(new AsyncStatus());
-    status->m_oauth_metadata_url = oauth_metadata;
-    status->m_cget.reset(new internal::SimpleCurlGet(1024 * 1024, timeout));
-    auto cget_status = status->m_cget->perform_start(openid_metadata);
-    status->m_continue_fetch = true;
-    if (!cget_status.m_done) {
-        return status;
-    }
-    return get_public_keys_from_web_continue(std::move(status));
+    try {
+        std::string openid_metadata, oauth_metadata;
+        get_metadata_endpoint(issuer, openid_metadata, oauth_metadata);
+
+        std::unique_ptr<AsyncStatus> status(new AsyncStatus());
+        status->m_oauth_metadata_url = oauth_metadata;
+        status->m_cget.reset(new internal::SimpleCurlGet(1024 * 1024, timeout));
+        auto cget_status = status->m_cget->perform_start(openid_metadata);
+        status->m_continue_fetch = true;
+        if (!cget_status.m_done) {
+            return status;
+        }
+        return get_public_keys_from_web_continue(std::move(status));
+    } catch (const CurlException &e) {
+        // Rethrow CURL errors during issuer key fetch as IssuerLookupException
+        throw IssuerLookupException(e.what());
+    }
 }
 
 std::unique_ptr<AsyncStatus> Validator::get_public_keys_from_web_continue(
     std::unique_ptr<AsyncStatus> status) {
-    char *buffer;
-    size_t len;
+    try {
+        char *buffer;
+        size_t len;
 
-    switch (status->m_state) {
+        switch (status->m_state) {
 
-    case AsyncStatus::DOWNLOAD_METADATA: {
-        auto cget_status = status->m_cget->perform_continue();
-        if (!cget_status.m_done) {
-            return std::move(status);
-        }
-        if (cget_status.m_status_code != 200) {
-            if (status->m_oauth_fallback) {
-                throw CurlException("Failed to retrieve metadata provider "
-                                    "information for issuer.");
-            } else {
-                status->m_oauth_fallback = true;
-                status->m_cget.reset(new internal::SimpleCurlGet());
-                cget_status =
-                    status->m_cget->perform_start(status->m_oauth_metadata_url);
-                if (!cget_status.m_done) {
-                    return std::move(status);
+        case AsyncStatus::DOWNLOAD_METADATA: {
+            auto cget_status = status->m_cget->perform_continue();
+            if (!cget_status.m_done) {
+                return std::move(status);
+            }
+            if (cget_status.m_status_code != 200) {
+                if (status->m_oauth_fallback) {
+                    throw IssuerLookupException(
+                        "Failed to retrieve metadata provider "
+                        "information for issuer.");
+                } else {
+                    status->m_oauth_fallback = true;
+                    status->m_cget.reset(new internal::SimpleCurlGet());
+                    cget_status = status->m_cget->perform_start(
+                        status->m_oauth_metadata_url);
+                    if (!cget_status.m_done) {
+                        return std::move(status);
+                    }
+                    return get_public_keys_from_web_continue(std::move(status));
                 }
-                return get_public_keys_from_web_continue(std::move(status));
             }
+            status->m_cget->get_data(buffer, len);
+            std::string metadata(buffer, len);
+            picojson::value json_obj;
+            auto err = picojson::parse(json_obj, metadata);
+            if (!err.empty()) {
+                throw JsonException("JSON parse failure when downloading from "
+                                    "the metadata URL " +
+                                    status->m_cget->get_url() + ": " + err);
+            }
+            if (!json_obj.is<picojson::object>()) {
+                throw JsonException("Metadata resource " +
+                                    status->m_cget->get_url() +
+                                    " contains "
+                                    "improperly-formatted JSON.");
+            }
+            auto top_obj = json_obj.get<picojson::object>();
+            auto iter = top_obj.find("jwks_uri");
+            if (iter == top_obj.end() || (!iter->second.is<std::string>())) {
+                throw JsonException("Metadata resource " +
+                                    status->m_cget->get_url() +
+                                    " is missing 'jwks_uri' string value");
+            }
+            auto jwks_uri = iter->second.get<std::string>();
+            status->m_has_metadata = true;
+            status->m_state = AsyncStatus::DOWNLOAD_PUBLIC_KEY;
+            status->m_cget.reset(new internal::SimpleCurlGet());
+            status->m_cget->perform_start(jwks_uri);
+            // This should also fall through the next state
         }
-        status->m_cget->get_data(buffer, len);
-        std::string metadata(buffer, len);
-        picojson::value json_obj;
-        auto err = picojson::parse(json_obj, metadata);
-        if (!err.empty()) {
-            throw JsonException(
-                "JSON parse failure when downloading from the metadata URL " +
-                status->m_cget->get_url() + ": " + err);
-        }
-        if (!json_obj.is<picojson::object>()) {
-            throw JsonException("Metadata resource " +
-                                status->m_cget->get_url() +
-                                " contains "
-                                "improperly-formatted JSON.");
-        }
-        auto top_obj = json_obj.get<picojson::object>();
-        auto iter = top_obj.find("jwks_uri");
-        if (iter == top_obj.end() || (!iter->second.is<std::string>())) {
-            throw JsonException("Metadata resource " +
-                                status->m_cget->get_url() +
-                                " is missing 'jwks_uri' string value");
-        }
-        auto jwks_uri = iter->second.get<std::string>();
-        status->m_has_metadata = true;
-        status->m_state = AsyncStatus::DOWNLOAD_PUBLIC_KEY;
-        status->m_cget.reset(new internal::SimpleCurlGet());
-        status->m_cget->perform_start(jwks_uri);
-        // This should also fall through the next state
-    }
 
-    case AsyncStatus::DOWNLOAD_PUBLIC_KEY: {
-        auto cget_status = status->m_cget->perform_continue();
-        if (!cget_status.m_done) {
-            return std::move(status);
-        }
-        if (cget_status.m_status_code != 200) {
-            throw CurlException("Failed to retrieve the issuer's key set");
-        }
+        case AsyncStatus::DOWNLOAD_PUBLIC_KEY: {
+            auto cget_status = status->m_cget->perform_continue();
+            if (!cget_status.m_done) {
+                return std::move(status);
+            }
+            if (cget_status.m_status_code != 200) {
+                throw IssuerLookupException(
+                    "Failed to retrieve the issuer's key set");
+            }
 
-        status->m_cget->get_data(buffer, len);
-        auto metadata = std::string(buffer, len);
-        picojson::value json_obj;
-        auto err = picojson::parse(json_obj, metadata);
-        if (!err.empty()) {
-            throw JsonException("JSON parse failure when downloading from the "
-                                " public key URL " +
-                                status->m_cget->get_url() + ": " + err);
+            status->m_cget->get_data(buffer, len);
+            auto metadata = std::string(buffer, len);
+            picojson::value json_obj;
+            auto err = picojson::parse(json_obj, metadata);
+            if (!err.empty()) {
+                throw JsonException(
+                    "JSON parse failure when downloading from the "
+                    " public key URL " +
+                    status->m_cget->get_url() + ": " + err);
+            }
+            status->m_cget.reset();
+
+            auto now = std::time(NULL);
+            // TODO: take expiration time from the cache-control header in the
+            // response.
+
+            int next_update_delta =
+                configurer::Configuration::get_next_update_delta();
+            int expiry_delta = configurer::Configuration::get_expiry_delta();
+            status->m_next_update = now + next_update_delta;
+            status->m_expires = now + expiry_delta;
+            status->m_keys = json_obj;
+            status->m_continue_fetch = false;
+            status->m_done = true;
+            status->m_state = AsyncStatus::DONE;
         }
-        status->m_cget.reset();
-
-        auto now = std::time(NULL);
-        // TODO: take expiration time from the cache-control header in the
-        // response.
-
-        int next_update_delta =
-            configurer::Configuration::get_next_update_delta();
-        int expiry_delta = configurer::Configuration::get_expiry_delta();
-        status->m_next_update = now + next_update_delta;
-        status->m_expires = now + expiry_delta;
-        status->m_keys = json_obj;
-        status->m_continue_fetch = false;
-        status->m_done = true;
-        status->m_state = AsyncStatus::DONE;
-    }
-    case AsyncStatus::DONE:
-        status->m_done = true;
-
-    } // Switch
-    return std::move(status);
+        case AsyncStatus::DONE:
+            status->m_done = true;
+
+        } // Switch
+        return std::move(status);
+    } catch (const CurlException &e) {
+        // Rethrow CURL errors during issuer key fetch as IssuerLookupException
+        // (unless it's already an IssuerLookupException)
+        if (dynamic_cast<const IssuerLookupException *>(&e)) {
+            throw;
+        }
+        throw IssuerLookupException(e.what());
+    }
 }
 
 std::string Validator::get_jwks(const std::string &issuer) {