chore: add gRPC max message size configuration and update dependencies

Christian · Christian · commit f01fb1a503f7 · 2026-02-13T02:18:25.000+01:00
- Upgrade `go-authx` to v1.2.2.
- Add support for `GRPC_MAX_RECV_MESSAGE_SIZE` and `GRPC_MAX_SEND_MESSAGE_SIZE` configurations.
- Update gRPC server to handle message size limits with defaults and validation.
- Extend configuration logic and tests for new gRPC message size options.
diff --git a/__debug_bin2302434005 b/__debug_bin2302434005
diff --git a/cmd/server/main.go b/cmd/server/main.go
@@ -64,6 +64,8 @@ func run() error {
 		Str("version", version).
 		Int("metrics_port", cfg.ServerPort).
 		Int("grpc_port", cfg.GRPCPort).
+		Int("grpc_max_recv_message_size", cfg.GRPCMaxRecvMessageSize).
+		Int("grpc_max_send_message_size", cfg.GRPCMaxSendMessageSize).
 		Bool("grpc_enabled", cfg.GRPCEnabled).
 		Bool("auth_enabled", cfg.AuthEnabled).
 		Int64("max_upload_bytes", cfg.MaxUploadSize).
@@ -266,8 +268,19 @@ func authorizationEnabled(cfg *config.Config) bool {
 // configuration. When TLS is enabled, it loads certificates and configures
 // client authentication and minimum protocol version.
 func buildGRPCServerOptions(cfg *config.Config, unaryInterceptors []grpc.UnaryServerInterceptor) ([]grpc.ServerOption, error) {
+	maxRecvMessageSize := cfg.GRPCMaxRecvMessageSize
+	if maxRecvMessageSize <= 0 {
+		maxRecvMessageSize = 10 * 1024 * 1024
+	}
+	maxSendMessageSize := cfg.GRPCMaxSendMessageSize
+	if maxSendMessageSize <= 0 {
+		maxSendMessageSize = 10 * 1024 * 1024
+	}
+
 	opts := []grpc.ServerOption{
 		grpc.ChainUnaryInterceptor(unaryInterceptors...),
+		grpc.MaxRecvMsgSize(maxRecvMessageSize),
+		grpc.MaxSendMsgSize(maxSendMessageSize),
 	}
 
 	if !cfg.TLSEnabled {
diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/AmmannChristian/nist-800-90b
 go 1.25.7
 
 require (
-	github.com/AmmannChristian/go-authx v1.2.0
+	github.com/AmmannChristian/go-authx v1.2.2
 	github.com/golangci/golangci-lint v1.64.8
 	github.com/google/uuid v1.6.0
 	github.com/prometheus/client_golang v1.23.2
diff --git a/go.sum b/go.sum
@@ -12,8 +12,8 @@ github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E
 github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
 github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
 github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
-github.com/AmmannChristian/go-authx v1.2.0 h1:ETNvuugwVfztHRFGA+/slV7Jwz7Dr//cEe74FhXPCbY=
-github.com/AmmannChristian/go-authx v1.2.0/go.mod h1:eRp0jNgv25ARPG/dcakOPaU/a5UmqXphngCb0OnjtJg=
+github.com/AmmannChristian/go-authx v1.2.2 h1:wlBsZs2YwI/IE88VsommFRgJq+9lWqagWjhsiaWN9eI=
+github.com/AmmannChristian/go-authx v1.2.2/go.mod h1:eRp0jNgv25ARPG/dcakOPaU/a5UmqXphngCb0OnjtJg=
 github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA=
 github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI=
 github.com/Antonboom/nilnil v1.0.1 h1:C3Tkm0KUxgfO4Duk3PM+ztPncTFlOf0b2qadmS0s4xs=
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -12,14 +12,18 @@ import (
 	"time"
 )
 
+const defaultGRPCMaxMessageSize = 10 * 1024 * 1024
+
 // Config holds all runtime parameters for the server, including network
 // addresses, TLS settings, authentication, logging, and resource limits.
 type Config struct {
 	// Server configuration (HTTP metrics/health)
-	ServerPort  int
-	ServerHost  string
-	GRPCEnabled bool
-	GRPCPort    int
+	ServerPort             int
+	ServerHost             string
+	GRPCEnabled            bool
+	GRPCPort               int
+	GRPCMaxRecvMessageSize int
+	GRPCMaxSendMessageSize int
 
 	// TLS for gRPC
 	TLSEnabled    bool
@@ -73,6 +77,8 @@ func LoadConfig() (*Config, error) {
 		ServerHost:                              getEnv("SERVER_HOST", "0.0.0.0"),
 		GRPCEnabled:                             getEnvAsBool("GRPC_ENABLED", false),
 		GRPCPort:                                getEnvAsInt("GRPC_PORT", 9090),
+		GRPCMaxRecvMessageSize:                  getEnvAsInt("GRPC_MAX_RECV_MESSAGE_SIZE", defaultGRPCMaxMessageSize),
+		GRPCMaxSendMessageSize:                  getEnvAsInt("GRPC_MAX_SEND_MESSAGE_SIZE", defaultGRPCMaxMessageSize),
 		TLSEnabled:                              getEnvAsBool("TLS_ENABLED", false),
 		TLSCertFile:                             getEnv("TLS_CERT_FILE", ""),
 		TLSKeyFile:                              getEnv("TLS_KEY_FILE", ""),
@@ -122,6 +128,18 @@ func (c *Config) Validate() error {
 	if c.GRPCEnabled && (c.GRPCPort < 1 || c.GRPCPort > 65535) {
 		return fmt.Errorf("invalid gRPC port: %d (must be 1-65535)", c.GRPCPort)
 	}
+	if c.GRPCMaxRecvMessageSize < 0 {
+		return fmt.Errorf("invalid GRPC_MAX_RECV_MESSAGE_SIZE: %d (must be >= 0)", c.GRPCMaxRecvMessageSize)
+	}
+	if c.GRPCMaxSendMessageSize < 0 {
+		return fmt.Errorf("invalid GRPC_MAX_SEND_MESSAGE_SIZE: %d (must be >= 0)", c.GRPCMaxSendMessageSize)
+	}
+	if c.GRPCMaxRecvMessageSize == 0 {
+		c.GRPCMaxRecvMessageSize = defaultGRPCMaxMessageSize
+	}
+	if c.GRPCMaxSendMessageSize == 0 {
+		c.GRPCMaxSendMessageSize = defaultGRPCMaxMessageSize
+	}
 
 	if c.MaxUploadSize < 1024 {
 		return fmt.Errorf("max upload size too small: %d (must be at least 1024 bytes)", c.MaxUploadSize)
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -20,6 +20,8 @@ func TestLoadConfig_Defaults(t *testing.T) {
 	assert.Equal(t, "0.0.0.0", cfg.ServerHost)
 	assert.False(t, cfg.GRPCEnabled)
 	assert.Equal(t, 9090, cfg.GRPCPort)
+	assert.Equal(t, 10*1024*1024, cfg.GRPCMaxRecvMessageSize)
+	assert.Equal(t, 10*1024*1024, cfg.GRPCMaxSendMessageSize)
 	assert.False(t, cfg.TLSEnabled)
 	assert.Empty(t, cfg.TLSCertFile)
 	assert.Empty(t, cfg.TLSKeyFile)
@@ -59,6 +61,8 @@ func TestLoadConfig_EnvironmentVariables(t *testing.T) {
 	os.Setenv("SERVER_HOST", "127.0.0.1")
 	os.Setenv("GRPC_ENABLED", "true")
 	os.Setenv("GRPC_PORT", "50051")
+	os.Setenv("GRPC_MAX_RECV_MESSAGE_SIZE", "12582912")
+	os.Setenv("GRPC_MAX_SEND_MESSAGE_SIZE", "12582912")
 	os.Setenv("TLS_ENABLED", "true")
 	os.Setenv("TLS_CERT_FILE", "/tmp/server.crt")
 	os.Setenv("TLS_KEY_FILE", "/tmp/server.key")
@@ -88,6 +92,8 @@ func TestLoadConfig_EnvironmentVariables(t *testing.T) {
 	assert.Equal(t, "127.0.0.1", cfg.ServerHost)
 	assert.True(t, cfg.GRPCEnabled)
 	assert.Equal(t, 50051, cfg.GRPCPort)
+	assert.Equal(t, 12582912, cfg.GRPCMaxRecvMessageSize)
+	assert.Equal(t, 12582912, cfg.GRPCMaxSendMessageSize)
 	assert.True(t, cfg.TLSEnabled)
 	assert.Equal(t, "/tmp/server.crt", cfg.TLSCertFile)
 	assert.Equal(t, "/tmp/server.key", cfg.TLSKeyFile)
@@ -233,6 +239,32 @@ func TestConfig_Validate(t *testing.T) {
 			wantErr: true,
 			errMsg:  "invalid gRPC port",
 		},
+		{
+			name: "invalid gRPC max receive message size",
+			cfg: &Config{
+				ServerPort:             8080,
+				GRPCEnabled:            true,
+				GRPCPort:               9090,
+				GRPCMaxRecvMessageSize: -1,
+				MaxUploadSize:          1024,
+				LogLevel:               "info",
+			},
+			wantErr: true,
+			errMsg:  "GRPC_MAX_RECV_MESSAGE_SIZE",
+		},
+		{
+			name: "invalid gRPC max send message size",
+			cfg: &Config{
+				ServerPort:             8080,
+				GRPCEnabled:            true,
+				GRPCPort:               9090,
+				GRPCMaxSendMessageSize: -1,
+				MaxUploadSize:          1024,
+				LogLevel:               "info",
+			},
+			wantErr: true,
+			errMsg:  "GRPC_MAX_SEND_MESSAGE_SIZE",
+		},
 		{
 			name: "invalid max upload size",
 			cfg: &Config{
@@ -657,7 +689,7 @@ func TestLoadConfig_ValidationFailure(t *testing.T) {
 func clearEnv(t *testing.T) {
 	t.Helper()
 	envVars := []string{
-		"SERVER_PORT", "SERVER_HOST", "GRPC_ENABLED", "GRPC_PORT", "METRICS_PORT",
+		"SERVER_PORT", "SERVER_HOST", "GRPC_ENABLED", "GRPC_PORT", "GRPC_MAX_RECV_MESSAGE_SIZE", "GRPC_MAX_SEND_MESSAGE_SIZE", "METRICS_PORT",
 		"TLS_ENABLED", "TLS_CERT_FILE", "TLS_KEY_FILE", "TLS_CA_FILE", "TLS_CLIENT_AUTH", "TLS_MIN_VERSION",
 		"LOG_LEVEL", "MAX_UPLOAD_SIZE", "TIMEOUT", "METRICS_ENABLED",
 		"AUTH_ENABLED", "AUTH_ISSUER", "AUTH_AUDIENCE", "AUTH_JWKS_URL",
