
feat(jans-cedarling): cap HTTP response body size on every remote fetch#14168

Open
tareknaser wants to merge 4 commits into
mainfrom
feat/cedarling-http-response-size-limit

Conversation

@tareknaser
Contributor

@tareknaser tareknaser commented May 28, 2026

Description

Every Cedarling HTTP fetch currently reads the full response body into memory with no size limit. A hostile or compromised remote can OOM the backend by serving a giant body.

This PR adds a configurable cap (default 10 MB) that is enforced before the body is fully buffered: if Content-Length is above the cap, the fetch is rejected without reading the body; otherwise the body is streamed chunk by chunk and aborted as soon as the accumulated size would exceed the cap.

Implementation Details

  • http_utils: add an optional max_response_size field on Sender and a public read_response_capped helper. Sender::send, send_text, send_bytes, and send_once now route through the helper.
  • Documented in docs/cedarling/reference/cedarling-properties.md under the existing HTTP client section.
  • 1 new unit test in http_utils proving the cap rejects oversized responses.

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Closes #14167

Summary by CodeRabbit

  • New Features

    • Added a configurable HTTP response size limit to prevent memory exhaustion from oversized HTTP responses (JWKS, OIDC discovery, status lists, policy store, Lock Server). Default: 10 MB; setting CEDARLING_HTTP_MAX_RESPONSE_SIZE_BYTES=0 disables the limit.
  • Documentation

    • Documented the new bootstrap property CEDARLING_HTTP_MAX_RESPONSE_SIZE_BYTES and its behavior.


@coderabbitai
Contributor

coderabbitai Bot commented May 28, 2026


Walkthrough

This PR prevents memory exhaustion attacks by capping HTTP response body sizes across Cedarling's HTTP operations. A new configurable limit (default 10 MB, disabled at 0) is threaded through bootstrap configuration and enforced in the HTTP utilities layer, rejecting oversized responses before buffering into memory.

Changes

HTTP Response Body Size Capping

Layer: Environment variable and bootstrap configuration
Files: docs/cedarling/reference/cedarling-properties.md, jans-cedarling/cedarling/src/bootstrap_config/raw_config/config.rs, jans-cedarling/cedarling/src/bootstrap_config/raw_config/default_values.rs, jans-cedarling/cedarling/src/bootstrap_config/decode.rs
Summary: New CEDARLING_HTTP_MAX_RESPONSE_SIZE_BYTES documented and added to BootstrapConfigRaw with a serde default helper; bootstrap decoding maps 0 to None, otherwise Some(n).

Layer: HTTP utilities (capped response reading and sender wiring)
Files: jans-cedarling/http_utils/Cargo.toml, jans-cedarling/http_utils/src/lib.rs
Summary: Adds read_response_capped() enforcing size caps (Content-Length fast-path and per-chunk checks), adds Sender::max_response_size and with_max_response_size(), switches JSON/text/bytes paths to use capped bytes with new error variants (DeserializeBytesToJson, InvalidUtf8, ResponseTooLarge), and updates tests.

Layer: HTTP client config and sender integration
Files: jans-cedarling/cedarling/src/http/mod.rs
Summary: HttpClientConfig adds max_response_size_bytes: Option<u64> with DEFAULT_MAX_RESPONSE_SIZE_BYTES = 10 * 1024 * 1024; HttpClient stores and exposes the cap and wires it into Sender::with_max_response_size(); tests disable the cap by setting None.

Layer: JWT HTTP operations using capped responses
Files: jans-cedarling/cedarling/src/jwt/http_utils.rs
Summary: JWKS and status-list fetches now read capped bytes and deserialize via serde_json::from_slice / String::from_utf8 instead of response.json() / response.text(); HttpError gains JsonDeserializeBytes and InvalidUtf8.

Layer: Test HTTP client configuration updates
Files: jans-cedarling/cedarling/src/init/policy_store.rs, jans-cedarling/cedarling/src/jwt/key_service.rs, jans-cedarling/cedarling/src/jwt/mod.rs, jans-cedarling/cedarling/src/jwt/status_list/cache.rs, jans-cedarling/cedarling/src/jwt/trusted_issuers_loader.rs
Summary: Test-only HttpClientConfig initializations updated to set max_response_size_bytes: None, disabling the cap in test environments.

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • JanssenProject/jans#13956: Both PRs modify jans-cedarling/cedarling/src/jwt/http_utils.rs—this PR adds capped response-body reading while #13956 changes JWKS auto-rotation logic.
  • JanssenProject/jans#14003: Both PRs touch HTTP client construction and outbound plumbing; this PR adds max-response-size wiring while #14003 adjusts timeouts and related client config.

Suggested reviewers

  • olehbozhok
  • haileyesus2433
Pre-merge checks: 5 passed

  • Title check (Passed): The PR title clearly describes the main change: adding HTTP response body size caps to Cedarling remote fetches.
  • Description check (Passed): The PR description includes the target issue, implementation details, and completion of the template checklist items.
  • Linked Issues check (Passed): The PR fully addresses issue #14167 by implementing configurable HTTP response body size limits with a 10 MB default, rejecting oversized responses before buffering.
  • Out of Scope Changes check (Passed): All changes are scoped to implementing HTTP response size limits and updating test configurations; no unrelated modifications are present.
  • Docstring Coverage (Passed): Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

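The capped read that the PR description and the walkthrough's read_response_capped() entry describe, as an added stand-alone Rust model that is not the PR's own code: the HTTP client is replaced by an optional declared Content-Length and an iterator of body chunks, the names read_body_capped and ReadError are assumed, and a cap of None stands for the disabled (0) setting. It covers the three cases a reviewer would want to see: an honest oversized Content-Length rejected before any chunk is read, an understated or missing Content-Length still caught by the per-chunk check, and the cap disabled.

```rust
// Added example, not the jans-cedarling code: a minimal model of a capped
// response-body read. `content_length` mirrors the optional Content-Length
// header, `chunks` stands in for the streaming body, `max` is the cap.

#[derive(Debug, PartialEq)]
pub enum ReadError {
    /// The body would exceed `limit` bytes; `seen` is the byte count that
    /// triggered the rejection (declared length or accumulated length).
    ResponseTooLarge { limit: usize, seen: usize },
}

pub fn read_body_capped<I>(
    content_length: Option<usize>,
    chunks: I,
    max: Option<usize>,
) -> Result<Vec<u8>, ReadError>
where
    I: IntoIterator<Item = Vec<u8>>,
{
    let mut body = Vec::new();
    let limit = match max {
        Some(limit) => limit,
        // Cap disabled (the 0 setting): buffer everything, as before the change.
        None => {
            for chunk in chunks {
                body.extend_from_slice(&chunk);
            }
            return Ok(body);
        }
    };
    // Fast path: a declared length is trusted only to reject, never to accept,
    // so nothing is read when the remote announces an oversized body.
    if let Some(declared) = content_length {
        if declared > limit {
            return Err(ReadError::ResponseTooLarge { limit, seen: declared });
        }
    }
    // Per-chunk check: abort as soon as the accumulated size would exceed the
    // cap, so a missing or understated Content-Length cannot bypass it.
    for chunk in chunks {
        let next = body.len().saturating_add(chunk.len());
        if next > limit {
            return Err(ReadError::ResponseTooLarge { limit, seen: next });
        }
        body.extend_from_slice(&chunk);
    }
    Ok(body)
}

fn main() {
    // Constructed body: two 600-byte chunks (1200 bytes total) against a 1024-byte cap.
    let chunks = || vec![vec![b'a'; 600], vec![b'b'; 600]];
    println!("{:?}", read_body_capped(Some(2048), chunks(), Some(1024)));
    println!("{:?}", read_body_capped(Some(512), chunks(), Some(1024)));
    println!("{:?}", read_body_capped(None, chunks(), None).map(|b| b.len()));
}
```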

@mo-auto
Member

mo-auto commented May 28, 2026

Snyk checks have passed. No issues have been found so far.

Scan engine: Open Source Security. Status: passed. Critical: 0, High: 0, Medium: 0, Low: 0. Total: 0 issues.


@mo-auto mo-auto added labels area-documentation (Documentation needs to change as part of issue or PR), comp-docs (Touching folder /docs), comp-jans-cedarling (Touching folder /jans-cedarling), kind-feature (Issue or PR is a new feature request) on May 28, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@jans-cedarling/http_utils/src/lib.rs`:
- Around line 362-365: The test assertion using matches! on the variable err
against HttpRequestReasonError::ResponseTooLarge lacks a descriptive failure
message; update the assertion to include a clear message (e.g., explaining we
expect a ResponseTooLarge with limit 1024) so failures report intent—locate the
assert!(matches!(err, HttpRequestReasonError::ResponseTooLarge { limit: 1024, ..
})) and add a descriptive string as the second argument to assert! per test
guidelines.

📥 Commits

Reviewing files that changed from the base of the PR and between a8dc7ae and 03bc859.

⛔ Files ignored due to path filters (1)
  • jans-cedarling/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (13)
  • docs/cedarling/reference/cedarling-properties.md
  • jans-cedarling/cedarling/src/bootstrap_config/decode.rs
  • jans-cedarling/cedarling/src/bootstrap_config/raw_config/config.rs
  • jans-cedarling/cedarling/src/bootstrap_config/raw_config/default_values.rs
  • jans-cedarling/cedarling/src/http/mod.rs
  • jans-cedarling/cedarling/src/init/policy_store.rs
  • jans-cedarling/cedarling/src/jwt/http_utils.rs
  • jans-cedarling/cedarling/src/jwt/key_service.rs
  • jans-cedarling/cedarling/src/jwt/mod.rs
  • jans-cedarling/cedarling/src/jwt/status_list/cache.rs
  • jans-cedarling/cedarling/src/jwt/trusted_issuers_loader.rs
  • jans-cedarling/http_utils/Cargo.toml
  • jans-cedarling/http_utils/src/lib.rs

coderabbitai Bot previously approved these changes May 28, 2026
Signed-off-by: Tarek <tareknaser360@gmail.com>
…tConfig

Signed-off-by: Tarek <tareknaser360@gmail.com>
… fetches

Signed-off-by: Tarek <tareknaser360@gmail.com>
…strap property

Signed-off-by: Tarek <tareknaser360@gmail.com>
@tareknaser tareknaser force-pushed the feat/cedarling-http-response-size-limit branch from 03bc859 to 947f1a0 Compare May 28, 2026 03:31

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@jans-cedarling/cedarling/src/jwt/http_utils.rs`:
- Around line 193-194: The enum in jwt/http_utils.rs contains dead variants
JsonDeserializeResponse and ReadTextResponse that are never constructed or
matched; remove those two variants from the error enum (and any associated
#[error(...)] attributes) and clean up any now-unused imports or uses in the
jwt::http_utils module (e.g., remove references to these variant names and
ensure the enum still compiles and is used where needed); run cargo build/tests
to validate there are no remaining references to JsonDeserializeResponse or
ReadTextResponse.

📥 Commits

Reviewing files that changed from the base of the PR and between 03bc859 and 947f1a0.



Development

Successfully merging this pull request may close these issues.

Cap HTTP response body size to prevent memory exhaustion via hostile remote endpoints
