chore: upgrade go-authx to v1.2.2 and add configurable gRPC message size limits

Author: Christian

cmd/server/main.go

@@ -53,6 +53,8 @@ func run(ctx context.Context) error {
 	log.Info().
 		Int("grpc_port", cfg.GRPCPort).
 		Int("metrics_port", cfg.MetricsPort).
+		Int("grpc_max_recv_message_size", cfg.GRPCMaxRecvMessageSize).
+		Int("grpc_max_send_message_size", cfg.GRPCMaxSendMessageSize).
 		Str("log_level", cfg.LogLevel).
 		Bool("auth_enabled", cfg.AuthEnabled).
 		Msg("Starting NIST Statistical Test Service")
@@ -304,8 +306,19 @@ func authorizationEnabled(cfg *config.Config) bool {
 // is enabled, it constructs TLS credentials from the configured certificate, key,
 // optional CA file, client authentication mode, and minimum TLS version.
 func buildGRPCServerOptions(cfg *config.Config, unaryInterceptors []grpc.UnaryServerInterceptor) ([]grpc.ServerOption, error) {
+	maxRecvMessageSize := cfg.GRPCMaxRecvMessageSize
+	if maxRecvMessageSize <= 0 {
+		maxRecvMessageSize = 10 * 1024 * 1024
+	}
+	maxSendMessageSize := cfg.GRPCMaxSendMessageSize
+	if maxSendMessageSize <= 0 {
+		maxSendMessageSize = 10 * 1024 * 1024
+	}
+
 	opts := []grpc.ServerOption{
 		grpc.ChainUnaryInterceptor(unaryInterceptors...),
+		grpc.MaxRecvMsgSize(maxRecvMessageSize),
+		grpc.MaxSendMsgSize(maxSendMessageSize),
 	}
 
 	if !cfg.TLSEnabled {

go.mod

@@ -3,7 +3,7 @@ module github.com/AmmannChristian/nist-sp800-22-rev1a
 go 1.25.7
 
 require (
-	github.com/AmmannChristian/go-authx v1.2.0
+	github.com/AmmannChristian/go-authx v1.2.2
 	github.com/golangci/golangci-lint v1.64.8
 	github.com/google/uuid v1.6.0
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -12,8 +12,8 @@ github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E
 github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
 github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
 github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
-github.com/AmmannChristian/go-authx v1.2.0 h1:ETNvuugwVfztHRFGA+/slV7Jwz7Dr//cEe74FhXPCbY=
-github.com/AmmannChristian/go-authx v1.2.0/go.mod h1:eRp0jNgv25ARPG/dcakOPaU/a5UmqXphngCb0OnjtJg=
+github.com/AmmannChristian/go-authx v1.2.2 h1:wlBsZs2YwI/IE88VsommFRgJq+9lWqagWjhsiaWN9eI=
+github.com/AmmannChristian/go-authx v1.2.2/go.mod h1:eRp0jNgv25ARPG/dcakOPaU/a5UmqXphngCb0OnjtJg=
 github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA=
 github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI=
 github.com/Antonboom/nilnil v1.0.1 h1:C3Tkm0KUxgfO4Duk3PM+ztPncTFlOf0b2qadmS0s4xs=

internal/config/config.go

@@ -11,11 +11,15 @@ import (
 	"strings"
 )
 
+const defaultGRPCMaxMessageSize = 10 * 1024 * 1024
+
 // Config holds all service configuration loaded from environment variables.
 // Fields map one-to-one to environment variables (e.g. GRPCPort from GRPC_PORT).
 type Config struct {
 	// gRPC server configuration
-	GRPCPort int
+	GRPCPort               int
+	GRPCMaxRecvMessageSize int
+	GRPCMaxSendMessageSize int
 
 	// TLS configuration for gRPC
 	TLSEnabled    bool
@@ -59,6 +63,8 @@ type Config struct {
 func Load() (*Config, error) {
 	cfg := &Config{
 		GRPCPort:                                getEnvInt("GRPC_PORT", 9090),
+		GRPCMaxRecvMessageSize:                  getEnvInt("GRPC_MAX_RECV_MESSAGE_SIZE", defaultGRPCMaxMessageSize),
+		GRPCMaxSendMessageSize:                  getEnvInt("GRPC_MAX_SEND_MESSAGE_SIZE", defaultGRPCMaxMessageSize),
 		TLSEnabled:                              getEnvBool("TLS_ENABLED", false),
 		TLSCertFile:                             getEnvString("TLS_CERT_FILE", ""),
 		TLSKeyFile:                              getEnvString("TLS_KEY_FILE", ""),
@@ -102,6 +108,18 @@ func (c *Config) Validate() error {
 	if c.GRPCPort < 1 || c.GRPCPort > 65535 {
 		return fmt.Errorf("invalid GRPC_PORT: %d (must be 1-65535)", c.GRPCPort)
 	}
+	if c.GRPCMaxRecvMessageSize < 0 {
+		return fmt.Errorf("invalid GRPC_MAX_RECV_MESSAGE_SIZE: %d (must be >= 0)", c.GRPCMaxRecvMessageSize)
+	}
+	if c.GRPCMaxSendMessageSize < 0 {
+		return fmt.Errorf("invalid GRPC_MAX_SEND_MESSAGE_SIZE: %d (must be >= 0)", c.GRPCMaxSendMessageSize)
+	}
+	if c.GRPCMaxRecvMessageSize == 0 {
+		c.GRPCMaxRecvMessageSize = defaultGRPCMaxMessageSize
+	}
+	if c.GRPCMaxSendMessageSize == 0 {
+		c.GRPCMaxSendMessageSize = defaultGRPCMaxMessageSize
+	}
 
 	if c.MetricsPort < 1 || c.MetricsPort > 65535 {
 		return fmt.Errorf("invalid METRICS_PORT: %d (must be 1-65535)", c.MetricsPort)

internal/config/config_test.go

@@ -7,6 +7,8 @@ import (
 
 func TestLoadWithEnvOverrides(t *testing.T) {
 	t.Setenv("GRPC_PORT", "5000")
+	t.Setenv("GRPC_MAX_RECV_MESSAGE_SIZE", "12582912")
+	t.Setenv("GRPC_MAX_SEND_MESSAGE_SIZE", "12582912")
 	t.Setenv("METRICS_PORT", "6000")
 	t.Setenv("LOG_LEVEL", "debug")
 	t.Setenv("AUTH_ENABLED", "true")
@@ -35,6 +37,12 @@ func TestLoadWithEnvOverrides(t *testing.T) {
 	if cfg.GRPCPort != 5000 || cfg.MetricsPort != 6000 {
 		t.Fatalf("unexpected ports: %+v", cfg)
 	}
+	if cfg.GRPCMaxRecvMessageSize != 12582912 {
+		t.Fatalf("unexpected GRPCMaxRecvMessageSize: %d", cfg.GRPCMaxRecvMessageSize)
+	}
+	if cfg.GRPCMaxSendMessageSize != 12582912 {
+		t.Fatalf("unexpected GRPCMaxSendMessageSize: %d", cfg.GRPCMaxSendMessageSize)
+	}
 	if cfg.LogLevel != "debug" {
 		t.Fatalf("unexpected log level: %s", cfg.LogLevel)
 	}
@@ -208,6 +216,8 @@ func TestValidateFailures(t *testing.T) {
 		cfg  Config
 	}{
 		{"bad grpc port", Config{GRPCPort: 0, MetricsPort: 9000, LogLevel: "info"}},
+		{"bad grpc max recv size", Config{GRPCPort: 9000, GRPCMaxRecvMessageSize: -1, MetricsPort: 9000, LogLevel: "info"}},
+		{"bad grpc max send size", Config{GRPCPort: 9000, GRPCMaxSendMessageSize: -1, MetricsPort: 9000, LogLevel: "info"}},
 		{"bad metrics port", Config{GRPCPort: 9000, MetricsPort: 70000, LogLevel: "info"}},
 		{"bad log level", Config{GRPCPort: 9000, MetricsPort: 9001, LogLevel: "verbose"}},
 		{"auth enabled missing issuer", Config{GRPCPort: 9000, MetricsPort: 9001, LogLevel: "info", AuthEnabled: true, AuthAudience: "api"}},
@@ -290,7 +300,7 @@ func TestValidateOpaquePrivateKeyJWTAuthSuccess(t *testing.T) {
 func TestLoadDefaults(t *testing.T) {
 	// Clear any environment variables
 	for _, key := range []string{
-		"GRPC_PORT", "METRICS_PORT", "LOG_LEVEL",
+		"GRPC_PORT", "GRPC_MAX_RECV_MESSAGE_SIZE", "GRPC_MAX_SEND_MESSAGE_SIZE", "METRICS_PORT", "LOG_LEVEL",
 		"AUTH_ENABLED", "AUTH_ISSUER", "AUTH_AUDIENCE", "AUTH_JWKS_URL", "AUTH_TOKEN_TYPE",
 		"AUTH_INTROSPECTION_URL", "AUTH_INTROSPECTION_AUTH_METHOD", "AUTH_INTROSPECTION_CLIENT_ID", "AUTH_INTROSPECTION_CLIENT_SECRET",
 		"AUTH_INTROSPECTION_PRIVATE_KEY", "AUTH_INTROSPECTION_PRIVATE_KEY_FILE",
@@ -311,6 +321,12 @@ func TestLoadDefaults(t *testing.T) {
 	if cfg.GRPCPort != 9090 {
 		t.Errorf("expected default GRPCPort=9090, got %d", cfg.GRPCPort)
 	}
+	if cfg.GRPCMaxRecvMessageSize != 10*1024*1024 {
+		t.Errorf("expected default GRPCMaxRecvMessageSize=10485760, got %d", cfg.GRPCMaxRecvMessageSize)
+	}
+	if cfg.GRPCMaxSendMessageSize != 10*1024*1024 {
+		t.Errorf("expected default GRPCMaxSendMessageSize=10485760, got %d", cfg.GRPCMaxSendMessageSize)
+	}
 	if cfg.MetricsPort != 9091 {
 		t.Errorf("expected default MetricsPort=9091, got %d", cfg.MetricsPort)
 	}

internal/nist/run_all.go

@@ -36,7 +36,7 @@ func RunAllTests(bitstream []byte) ([]TestResult, error) {
 		return nil, fmt.Errorf("insufficient bits: got %d, need at least %d", numBits, MinBits)
 	}
 	if numBits > MaxBits {
-		return nil, fmt.Errorf("too many bits: got %d, maximum %d", numBits, MaxBits)
+		return nil, fmt.Errorf("too many bits wass: got %d, maximum %d", numBits, MaxBits)
 	}
 
 	results := make([]TestResult, 0, 15)