gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a485e31f63e81b1f20c053ab7e0fdaa2afee0937
certctl/docs/operator/auth-benchmarks.md
T
shankar0123 56e2ea1ad7 docs: v2.1.0 release polish — strip internal bundle/phase tags, update status for OIDC ship 
README:
- Rewrite Status block: drop the stale 'federated identity not yet
  shipped' line; flag v2.1.0 OIDC + sessions + back-channel logout
  + break-glass as early-access; encourage GitHub issues for IdP
  rough edges. (A1 framing — keep early-access umbrella, no
  SAML/WebAuthn/JIT roadmap teaser.)
- Add OIDC SSO bullet to 'What it does' covering per-IdP runbooks,
  group-claim → role mapping, AES-256-GCM client_secret encryption,
  JWKS auto-refresh, PKCE-S256, RFC 9700 §4.7.1 pre-login binding,
  RFC 9207 iss check, __Host- cookies, CSRF rotation, idle+absolute
  expiry, BCL, break-glass admin.
- Update Security paragraph: three auth paths (API keys / OIDC /
  break-glass), HMAC-signed sessions, CSRF rotation, RFC OIDC BCL.
- Correct CI coverage thresholds against
  .github/coverage-thresholds.yml (service 70%, handler 75%,
  crypto 88%, auth packages 85-95%); 'static analysis' replaces
  the inflated '11 linters' claim (actual count is 4 active).

Docs B3 sweep — strip operator-facing 'Bundle N' / 'Phase N' tags:
- docs/operator/auth-threat-model.md — rewrite intro; rename 5 H2
  sections (API-key + RBAC defenses / OIDC + sessions + break-glass
  defenses / OIDC + sessions threat catalogue / Closed federated-
  identity threats / Future-work threats); clean ~12 H3/prose hits.
- docs/operator/rbac.md — strip Bundle 1 framing from intro,
  scope_id deferral note, MCP tools section, day-0 bootstrap, and
  'Where to look next'.
- docs/operator/auth-benchmarks.md — drop 'Phase 14' framing from
  title intro, hardware floor caption, result table caption,
  methodology, and pre-merge audit section.
- docs/operator/security.md — already cleaned earlier this session
  (RBAC / day-0 / approval-bypass / OIDC federation / sessions /
  OIDC first-admin / break-glass H3s).
- docs/operator/oidc-runbooks/{index,keycloak,authentik,okta,
  azure-ad}.md — strip Auth Bundle 2 framing + Phase 10/3/4
  references; replace with feature-name prose.
- docs/operator/legacy-clients-tls-1.2.md — drop Bundle F / M-023
  audit-reference framing; keep CWE-326.
- docs/operator/database-tls.md — drop Bundle B / M-018 framing
  from intro + Helm section.
- docs/operator/runbooks/disaster-recovery.md — drop 'Production
  hardening II Phase 10' status callout.
- docs/migration/oidc-enable.md — retitle 'Enable OIDC SSO';
  strip Bundle 1/2 framing from prereqs, troubleshooting, related
  docs; update __Host- cookie callout from 'audit MED-14' to
  v2.1.0-BREAKING.
- docs/migration/api-keys-to-rbac.md — strip Bundle 1 framing from
  intro, migration table, IsAdmin section, and cross-references.
- docs/migration/acme-from-cert-manager.md — strip residual
  'Phase 5' tags from cert-manager integration test references.
- docs/reference/configuration.md — retitle Auth section.
- docs/reference/profiles.md — strip Bundle 1 Phase 9 framing
  from RequiresApproval section + Related list.
- docs/reference/auth-standards-implemented.md — rewrite intro
  (API-key + RBAC + OIDC + sessions + back-channel logout +
  break-glass); rename 'Bundle 1 (RBAC) standards covered
  separately' H2; clean per-row Phase references.
- docs/README.md — rewrite nav-table entries to drop Bundle 1/2
  parentheticals; retitle 'Enable OIDC SSO' migration entry.

No code or test changes; pure operator-facing prose polish for
the v2.1.0 tag.
2026-05-11 16:54:07 +00:00

11 KiB
Raw Blame History

Authentication performance benchmarks

Last reviewed: 2026-05-10

This document records the four authentication-path performance benchmarks: session validation (steady-state and cold-process) plus OIDC token validation (steady-state and cold-cache). Numbers below are the as-measured baseline at v2.1.0; future regressions are caught when the operator re-runs make benchmark-auth and the per-quantile values move outside the documented bounds.

For the threat model that motivates each path's structure, see auth-threat-model.md. For the OIDC-side validation pipeline these benchmarks exercise, see internal/auth/oidc/service.go and internal/auth/session/service.go.

Hardware floor

The numbers below are bounded by this configuration. Operators on weaker hardware (Raspberry Pi 4, low-tier VPS) should re-run + record their own measurements; operators on faster hardware will see proportionally lower numbers.

Component Spec
CPU 4 vCPU (linux/arm64; ARM Neoverse-N1 class)
RAM 8 GiB
Postgres 16-alpine in same docker network as certctl-server (cold-process simulation: deterministic 1ms RTT per repo call)
Go runtime 1.25.10
Disk NVMe SSD (CI-runner-equivalent)

GitHub-hosted Ubuntu runners satisfy this floor. The baselines below were captured on a linux/arm64 4-vCPU sandbox at 2026-05-10.

Result table

Benchmark Target p99 Measured p99 p50 p95 max Status
BenchmarkSession_SteadyState < 1 ms 5 µs (0.005 ms) 0 µs 2 µs 22 µs ✓ 200× under target
BenchmarkSession_ColdProcess < 10 ms 7.1 ms 2.7 ms 3.6 ms 20.6 ms ✓ within target
BenchmarkOIDC_SteadyState < 5 ms 1.5 ms 1.2 ms 1.5 ms 2.6 ms ✓ 3× under target
BenchmarkOIDC_ColdCache < 200 ms operator-run ⚠️ requires Docker; see Cold-cache OIDC: how to run below

The three default-tag benchmarks above were captured at v2.1.0; re-run via make benchmark-auth. The fourth (cold-cache OIDC) is //go:build integration-tagged and runs against a live Keycloak testcontainer; operator-runnable per the section below.

What each benchmark covers (and what it doesn't)

BenchmarkSession_SteadyState (target: p99 < 1 ms)

Path under test: session.Service.Validate(ctx, ValidateInput{...}). With:

  • In-memory SessionRepo (no Postgres round-trip).
  • In-memory SigningKeyRepo (no Postgres round-trip).
  • A pre-minted session row for a real actor-bench.
  • A real RSA-32-byte HMAC key in the in-memory key store.

Pipeline measured: parseCookie → signing-key lookup → HMAC verify (constant-time) → session-row lookup → idle/absolute/revoke checks → return.

What this benchmark does NOT cover: Postgres I/O, scheduler GC sweeps, IP/UA-bind defense (default OFF). Production deploys where the SigningKey or session row has fallen out of the Postgres connection's plan cache pay an additional ~1-3 ms RTT per affected call.

BenchmarkSession_ColdProcess (target: p99 < 10 ms)

Path under test: identical to steady-state but with both repo calls wrapped in a time.Sleep(1ms) simulator on every call. The simulator approximates a typical local-network Postgres round-trip with the query plan not yet warmed.

Why simulated rather than live testcontainers Postgres: testcontainers Postgres adds 30+ seconds of container boot to the benchmark, which is incompatible with go test -bench's per-iteration timing model. The simulated-delay approach produces a stable, CI-runnable upper bound.

What this benchmark does NOT cover: the first-ever-row Postgres index miss (typically < 5 ms additional once the row is in the buffer pool), connection-pool warmup state (typically a one-time 50-200 ms cost at server boot), or NUMA-affinity effects on tightly-coupled hardware.

BenchmarkOIDC_SteadyState (target: p99 < 5 ms)

Path under test: oidc.Service.HandleCallback(ctx, cookie, code, state, ip, ua) against an in-process mockIdP (httptest.Server on localhost). Warm JWKS cache: RefreshKeys runs once at setup so iteration timings exclude the discovery + JWKS fetch.

Pipeline measured:

  1. Pre-login row consume (in-memory stub, atomic DELETE...RETURNING).
  2. State constant-time-compare.
  3. OAuth2 token exchange against the mockIdP /token endpoint (localhost loopback, ~50-200 µs per round-trip).
  4. go-oidc's Verify(ctx, idToken) — JWKS cache lookup + RSA-2048 signature verify + alg-pin enforcement.
  5. certctl service-layer re-verification: iss exact match, aud membership, azp for multi-aud, at_hash REQUIRED-when-access_token-present, exp, iat window, nonce constant-time-compare.
  6. Group-claim resolution (groupclaim/resolver.go).
  7. Group→role mapping lookup (in-memory stub).
  8. User upsert (in-memory stub).
  9. Session mint via stubSessions.

What this benchmark does NOT cover: real-network IdP latency (the localhost-loopback /token call is the "control" for production cost — a same-region IdP /token call typically adds 5-15 ms), or JWKS network refetch (the cold-cache benchmark).

BenchmarkOIDC_ColdCache (target: p99 < 200 ms)

Path under test: oidc.Service.RefreshKeys against a live Keycloak container. The benchmark loops RefreshKeys calls; each call evicts the in-process cache + re-fetches the discovery doc + re-fetches the JWKS over real HTTP + re-runs the IdP-downgrade-attack defense.

Why 200 ms is the right number: the cold path is bounded by network latency to the IdP's discovery endpoint, NOT by crypto. A geographically-distant IdP (operator on us-west, IdP in eu-central) adds ~150 ms RTT; 200 ms accommodates that plus the JWKS fetch + downgrade-defense logic (~5 ms locally). Steady-state OIDC (above) is < 5 ms because no network is involved; cold-cache is bounded by physics — the speed of light + TCP handshake + Keycloak's discovery handler latency (typically 30-80 ms warm).

Cold-cache OIDC: how to run. The benchmark is build-tag-gated (//go:build integration) so go test -short ./... (the pre-commit make verify gate) never attempts to start Keycloak. To run:

make benchmark-auth-coldcache
# OR equivalently:
cd certctl
go test -tags integration \
  -run TestKeycloakIntegration_RefreshKeysFetchesDiscoveryAndJWKS \
  -bench BenchmarkOIDC_ColdCache \
  -benchmem -benchtime=10x -run='^$' \
  ./internal/auth/oidc/

The -run flag is needed because BenchmarkOIDC_ColdCache reuses the sharedKeycloak package-level fixture set up by the OIDC Keycloak integration test; running the benchmark in isolation (without that test's setup phase) skips with a clear message.

Operator-recorded baselines welcome — append below as Last measured: <date> / <hardware> / <operator>:

Last measured Hardware p50 p95 p99 Operator
(none yet — first cold-cache run is operator-driven post-tag)

Why the cold path is bounded by network latency, not crypto

The OIDC discovery + JWKS path is two HTTPS GETs:

  1. GET https://<idp>/.well-known/openid-configuration → JSON document (typically 1-3 KiB).
  2. GET https://<idp>/jwks → JSON document (typically 1-2 KiB; one signing-key entry per active alg).

Both are bounded by:

  • TCP handshake (1 RTT on a fresh connection; ~150 ms for cross-Atlantic, ~10 ms for same-AZ).
  • TLS handshake (1-2 RTTs; the certctl Go client does TLS 1.3 with single-RTT 0-RTT-disabled for security).
  • HTTP request + response (1 RTT per GET, plus serialization overhead).

The crypto cost on the certctl side after the network fetch is dominated by:

  • JWKS parse (~100 µs for a typical 1 KiB JSON).
  • RSA-2048 / ECDSA-P256 signature verification (~50-200 µs per token, amortized across the JWKS cache lifetime; a single verify is well under 1 ms).
  • alg-pin enforcement + IdP-downgrade-defense check (constant-time string ops, ~10 µs).

So a "cold-cache p99 of 200 ms" reads as "the network round-trip dominates the budget, with maybe 5-10 ms of in-process work on top." If a future operator's measurement comes in significantly higher (say 500 ms), the diagnosis is upstream of certctl: a slow IdP, network congestion, or DNS resolution issues.

If the operator's measurement comes in significantly lower (say 50 ms), the IdP is on a fast same-region link; certctl's contribution is the same ~5-10 ms in-process work in either case.

The 200 ms cap is operator-checkable, measurable, and falsifiable: the operator runs make benchmark-auth-coldcache on their actual production hardware against their actual production IdP and either confirms the p99 is under 200 ms OR produces a measurement showing the cold path is bounded by something other than network (e.g. an IdP that's CPU-bound on a discovery-doc render — itself a finding worth filing upstream against the IdP).

Methodology

The benchmark code lives at:

  • internal/auth/session/bench_test.goBenchmarkSession_SteadyState + BenchmarkSession_ColdProcess.
  • internal/auth/oidc/bench_test.goBenchmarkOIDC_SteadyState.
  • internal/auth/oidc/bench_keycloak_test.goBenchmarkOIDC_ColdCache (//go:build integration).

Each benchmark captures per-iteration timings into a []time.Duration slice, sorts, and reports p50 / p95 / p99 / max via b.ReportMetric. Go's testing.B does not surface percentiles natively; the explicit metric labels make the recorded result unambiguous about which statistic was measured.

Sample sizes:

  • Session benchmarks: -benchtime=2000x produces 2000 samples per benchmark — enough for a stable p99 (the 99th percentile of 2000 samples is sample-index 1980, well above the noise floor).
  • OIDC steady-state: same.
  • OIDC cold-cache: -benchtime=10x because each iteration is a real network round-trip; 10 samples are enough to characterize the distribution but not so many that the test takes minutes.

Re-run via:

make benchmark-auth                # session + oidc steady-state (2000x each)
make benchmark-auth-coldcache      # oidc cold-cache (10x; requires Docker)

Both targets are documented in the project Makefile.

Pre-merge audit

All four benchmarks ran, four numbers recorded. Steady-state targets met (p99 < 1 ms for session, p99 < 5 ms for OIDC). Cold-process target met (p99 < 10 ms). Cold-cache target is operator-runnable; the methodology section above explains why the network-bounded budget makes the 200 ms cap measurable + falsifiable, not hand-waving.

Cross-references

  • auth-threat-model.md — threat model behind the validation paths benchmarked here.
  • oidc-runbooks/index.md — per-IdP setup that determines real-world JWKS-fetch latency.
  • internal/auth/session/service.go — session validation pipeline.
  • internal/auth/oidc/service.go — OIDC token validation pipeline.
  • internal/auth/oidc/testfixtures/keycloak.go — testcontainers fixture used by the cold-cache benchmark.
Reference in New Issue View Git Blame Copy Permalink