OneIdentity
diff --git a/‎README.md‎
Lines changed: 40 additions & 0 deletions b/‎README.md‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎SafeguardDotNet.Core.sln‎
Lines changed: 7 additions & 0 deletions b/‎SafeguardDotNet.Core.sln‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎SafeguardDotNet/Event/PersistentSafeguardEventListenerBase.cs‎
Lines changed: 19 additions & 2 deletions b/‎SafeguardDotNet/Event/PersistentSafeguardEventListenerBase.cs‎
Lines changed: 19 additions & 2 deletions
diff --git a/‎SafeguardDotNet/Event/ReconnectBackoff.cs‎
Lines changed: 157 additions & 0 deletions b/‎SafeguardDotNet/Event/ReconnectBackoff.cs‎
Lines changed: 157 additions & 0 deletions
diff --git a/‎SafeguardDotNet/Properties/AssemblyInfo.cs‎
Lines changed: 5 additions & 0 deletions b/‎SafeguardDotNet/Properties/AssemblyInfo.cs‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎Samples/README.md‎
Lines changed: 31 additions & 0 deletions b/‎Samples/README.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎Samples/ServiceNowTicketValidator/app.config‎
Lines changed: 10 additions & 0 deletions b/‎Samples/ServiceNowTicketValidator/app.config‎
Lines changed: 10 additions & 0 deletions
@@ -77,6 +77,46 @@ SafeguardDotNet uses RestSharp and Json.NET to call the Safeguard API. It
 includes calls to Serilog, and if your calling application provides a sink you
 will get log information automatically.
 
+## Logging & diagnostics
+
+SafeguardDotNet emits diagnostic logs through Serilog, and surfaces appliance
+errors as `SafeguardDotNetException`. The exception carries an `HttpStatusCode`
+and a `Response` body string that contains **whatever the Safeguard appliance
+returned for the failing call** — this is intentional so that operators can
+diagnose appliance-side failures without re-running the request.
+
+Because Safeguard is a credential-management product, the SDK does **not**
+inspect, filter, or redact response bodies — they may legitimately contain
+fields named `Password`, `ApiKey`, `PrivateKey`, `SshHostKey`, `Token`,
+`AccountPassword`, and similar, and the SDK has no safe way to distinguish
+"product output the caller requested" from "metadata that happens to share a
+name". In rare authentication-failure shapes the response body can also echo
+submitted credentials (for example, the Resource Owner Password Credentials
+grant may return the submitted username, and some appliance versions echo other
+form fields in error envelopes).
+
+**If you forward `SafeguardDotNetException.Message`,
+`SafeguardDotNetException.Response`, or the rendered exception (`ex.ToString()`)
+to a log sink that is less trusted than the appliance — for example a shared
+SIEM, a cloud log aggregator, a support bundle, or a customer-visible error
+page — redact at the log layer.** Suggested patterns:
+
+- Log only `ex.HttpStatusCode` and `ex.ErrorCode` for production telemetry;
+  keep `ex.Response` in a privileged channel (local file, restricted sink) for
+  on-call diagnosis.
+- If you must forward the full response, run it through your organization's
+  log scrubber first (Serilog `Destructure.ByTransforming<>`, an
+  `IEnumerable<ILogEventEnricher>`, or a sink-side filter) with rules tuned to
+  *your* schema, not a generic substring blacklist.
+- Avoid `Log.Error(ex, "...")` patterns that capture the full exception object
+  when the sink is not under your control; prefer
+  `Log.Error("Safeguard request failed: {Status} {Code}", ex.HttpStatusCode, ex.ErrorCode)`.
+
+The SDK will not be changed to redact response bodies because substring
+matching on field names would corrupt legitimate Safeguard fields such as
+`PasswordRulesPolicyId`, `ApiKeyName`, `NewPasswordValidUntil`, etc., and
+would not actually help in the cases where redaction is needed.
+
 ## Resource Owner Password Grant Deprecation
 
 The OAuth2 Resource Owner Password Credential (ROPC) grant type — where
 
@@ -48,6 +48,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "pipeline-templates", "pipel
 		pipeline-templates\job-variables.yml = pipeline-templates\job-variables.yml
 	EndProjectSection
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNetUnitTest", "Test\SafeguardDotNetUnitTest\SafeguardDotNetUnitTest.csproj", "{1B11B367-2F76-49EE-A820-2A0A8B1721B1}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -102,6 +104,10 @@ Global
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -117,6 +123,7 @@ Global
 		{C6D34567-3456-4321-9876-345678901CDE} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{0149D659-78E3-476B-81F1-A80BDFA6F8A9} = {867EB36D-7893-444D-900D-29733E8E2636}
 		{1EB6D64D-7AFB-41DC-B11B-58934D053684} = {9249E337-656D-4970-B45C-7A077C56FA44}
+		{1B11B367-2F76-49EE-A820-2A0A8B1721B1} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {5A3B2C1D-4E6F-7A8B-9C0D-1E2F3A4B5C6D}
 
@@ -18,6 +18,7 @@ internal abstract class PersistentSafeguardEventListenerBase : ISafeguardEventLi
 
     private Task _reconnectTask;
     private CancellationTokenSource _reconnectCancel;
+    private readonly ReconnectBackoff _reconnectBackoff = new ReconnectBackoff();
 
     protected PersistentSafeguardEventListenerBase()
     {
@@ -62,13 +63,29 @@ private void PersistentReconnectAndStart()
                     _eventListener.SetEventListenerStateCallback(_eventListenerStateCallback);
                     _eventListener.Start();
                     _eventListener.SetDisconnectHandler(PersistentReconnectAndStart);
+
+                    // Reset backoff so the next disconnect starts a fresh exponential ramp.
+                    _reconnectBackoff.OnSuccess();
                     break;
                 }
                 catch (Exception ex)
                 {
-                    Log.Warning("Internal event listener connection error (see debug for more information), sleeping for 5 seconds...");
+                    // Exponential backoff + jitter so a sustained appliance
+                    // outage cannot exhaust local resources or hammer the
+                    // appliance during recovery.
+                    var delay = _reconnectBackoff.GetNextDelay();
+                    Log.Warning(
+                        "Internal event listener connection error (see debug for more information), sleeping for {DelaySeconds:F1} seconds...",
+                        delay.TotalSeconds);
                     Log.Debug(ex, "Internal event listener connection error.");
-                    Thread.Sleep(5000);
+                    try
+                    {
+                        _reconnectCancel.Token.WaitHandle.WaitOne(delay);
+                    }
+                    catch (ObjectDisposedException)
+                    {
+                        break;
+                    }
                 }
             }
         },
 
@@ -0,0 +1,157 @@
+// Copyright (c) One Identity LLC. All rights reserved.
+
+namespace OneIdentity.SafeguardDotNet.Event;
+
+using System;
+
+/// <summary>
+/// Exponential reconnect backoff with multiplicative ±25% jitter and a 60-second cap.
+/// </summary>
+/// <remarks>
+/// <para>
+/// Every persistent event listener should cap its reconnect frequency so that
+/// sustained appliance downtime or a network partition cannot turn the reconnect
+/// loop into a resource-exhaustion vector against either the calling process or
+/// the appliance.
+/// </para>
+/// <para>
+/// Algorithm:
+/// <code>
+///   delay_n = min(60s, 2^n * 1s)              for n = 0, 1, 2, ...
+///   actual_n = delay_n * (0.75 + 0.5 * rng()) // ±25% multiplicative jitter
+/// </code>
+/// where <c>rng()</c> returns a value in <c>[0.0, 1.0)</c>. The internal counter
+/// <c>n</c> advances on every call to <see cref="GetNextDelay"/> and resets to
+/// zero on <see cref="OnSuccess"/>. The cap takes effect at n = 6 (2^6 = 64 &gt; 60).
+/// </para>
+/// <para>
+/// The jitter source is injectable so callers and unit tests can substitute a
+/// deterministic function for the default <see cref="Random"/>-based source.
+/// Values returned outside <c>[0.0, 1.0]</c> are clamped to that range so a
+/// misbehaving RNG cannot produce negative or unbounded delays.
+/// </para>
+/// </remarks>
+internal sealed class ReconnectBackoff
+{
+    /// <summary>Initial delay before the first retry (n = 0), in seconds.</summary>
+    public const double InitialDelaySeconds = 1.0;
+
+    /// <summary>Maximum delay between retries, in seconds.</summary>
+    public const double MaxDelaySeconds = 60.0;
+
+    /// <summary>Half-width of the multiplicative jitter band (0.25 = ±25%).</summary>
+    public const double JitterFraction = 0.25;
+
+    private static readonly Random DefaultRandom = new Random();
+
+    private readonly Func<double> _jitterSource;
+    private readonly object _lock = new object();
+
+    private int _attempt;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ReconnectBackoff"/> class
+    /// using a shared thread-safe default jitter source.
+    /// </summary>
+    public ReconnectBackoff()
+        : this(DefaultJitter)
+    {
+    }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ReconnectBackoff"/> class
+    /// with an injected jitter source. Provided primarily for deterministic
+    /// unit testing of the algorithm.
+    /// </summary>
+    /// <param name="jitterSource">
+    /// A function returning a value in <c>[0.0, 1.0)</c>. Values outside that
+    /// range are clamped. Must not be <c>null</c>.
+    /// </param>
+    public ReconnectBackoff(Func<double> jitterSource)
+    {
+        _jitterSource = jitterSource ?? throw new ArgumentNullException(nameof(jitterSource));
+    }
+
+    /// <summary>
+    /// Computes the next delay and advances the internal attempt counter.
+    /// </summary>
+    /// <returns>A <see cref="TimeSpan"/> with the delay to wait before the next reconnect attempt.</returns>
+    public TimeSpan GetNextDelay()
+    {
+        int currentAttempt;
+        lock (_lock)
+        {
+            currentAttempt = _attempt;
+            _attempt++;
+        }
+
+        var baseSeconds = ComputeBaseDelaySeconds(currentAttempt);
+        var raw = _jitterSource();
+        var clamped = ClampUnitInterval(raw);
+        var jitterMultiplier = 1.0 - JitterFraction + (2.0 * JitterFraction * clamped);
+        return TimeSpan.FromSeconds(baseSeconds * jitterMultiplier);
+    }
+
+    /// <summary>
+    /// Resets the attempt counter so the next call to <see cref="GetNextDelay"/>
+    /// returns an n = 0 (≈1 second) delay. Call this immediately after a
+    /// successful reconnect.
+    /// </summary>
+    public void OnSuccess()
+    {
+        lock (_lock)
+        {
+            _attempt = 0;
+        }
+    }
+
+    private static double ComputeBaseDelaySeconds(int attempt)
+    {
+        // 2^attempt * InitialDelaySeconds, capped at MaxDelaySeconds.
+        // attempt is clamped at 30 to avoid double overflow even though the cap
+        // engages long before that point.
+        var safeAttempt = ClampAttempt(attempt);
+        var doubled = InitialDelaySeconds * Math.Pow(2.0, safeAttempt);
+        return doubled > MaxDelaySeconds ? MaxDelaySeconds : doubled;
+    }
+
+    private static int ClampAttempt(int attempt)
+    {
+        if (attempt < 0)
+        {
+            return 0;
+        }
+
+        if (attempt > 30)
+        {
+            return 30;
+        }
+
+        return attempt;
+    }
+
+    private static double ClampUnitInterval(double value)
+    {
+        if (value < 0.0)
+        {
+            return 0.0;
+        }
+
+        if (value > 1.0)
+        {
+            return 1.0;
+        }
+
+        return value;
+    }
+
+    private static double DefaultJitter()
+    {
+        // Random is not thread-safe in netstandard2.0. Synchronize on the
+        // shared instance so concurrent reconnect loops can share one RNG.
+        lock (DefaultRandom)
+        {
+            return DefaultRandom.NextDouble();
+        }
+    }
+}
@@ -0,0 +1,5 @@
+// Copyright (c) One Identity LLC. All rights reserved.
+
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("SafeguardDotNetUnitTest")]
@@ -34,3 +34,34 @@ most secure automated Safeguard API authentication mechanism.
 
   This project was initially developed using Visual Studio 2017.  It targets .NET
   Framework 4.6.2.  It can be modified to suit your needs.
+
+## TLS Certificate Validation
+
+Both sample `app.config` files ship with `SafeguardIgnoreSsl=true`. This setting
+exists so the samples run out-of-the-box against **development appliances that
+use self-signed TLS certificates**. It tells the SDK to skip Safeguard appliance
+certificate validation when negotiating the TLS handshake.
+
+**Disabling TLS validation removes the SDK's protection against man-in-the-middle
+attacks.** Treat the default in these samples as a starting point for local
+development only.
+
+When you adapt a sample for a real deployment:
+
+- **Production deployments must set `SafeguardIgnoreSsl=false`** in `app.config`
+  (or omit the key and rely on the SDK default). The appliance certificate chain
+  must then validate against the host's trusted root store.
+- If the appliance uses an internal / private CA, **install that CA certificate
+  in the host machine's trust store** (`Cert:\LocalMachine\Root` on Windows or
+  the OS trust bundle on Linux/macOS) rather than disabling validation.
+- For certificate pinning or other custom trust policies, supply a
+  `RemoteCertificateValidationCallback` via the `Safeguard.Connect(...)`
+  overloads that accept a validation callback, instead of setting
+  `SafeguardIgnoreSsl=true`. Implement the pinning logic (e.g. compare against
+  a known SPKI hash) inside that callback.
+- Code review your sample fork: searching for `IgnoreSsl` /
+  `SafeguardIgnoreSsl` / `-IgnoreSsl` should yield only configuration
+  intentionally scoped to non-production environments.
+
+The `SafeguardIgnoreSsl` flag is a developer convenience, not a deployment
+default. Leaving it set to `true` in production is a security defect.
@@ -66,6 +66,16 @@
     <add key="SafeguardAddress" value="" />
     <add key="SafeguardClientCertificateThumbprint" value="" />
     <add key="SafeguardApiVersion" value="4" />
+    <!--
+      SafeguardIgnoreSsl: development / self-signed appliances ONLY.
+      When set to "true" the Safeguard appliance TLS certificate is NOT validated,
+      which removes protection against man-in-the-middle attacks.
+      Production deployments MUST set this to "false" so the appliance certificate
+      chain is verified against the trusted root store. If the appliance uses a
+      private CA, install that CA in the host trust store instead of disabling
+      validation. See ../README.md ("TLS Certificate Validation") for details and
+      for pointers to configuring a custom certificate-validation callback.
+    -->
     <add key="SafeguardIgnoreSsl" value="true" />
     <add key="ServiceNowDnsName" value="" />
     <add key="ServiceNowClientSecret" value="" />