feat(authz): make v2 request limits configurable [backport to release/service/v0.11]

[opentdf-automation]

Description

Backport of #3508 to release/service/v0.11.

[opentdf-automation]

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin backport-3508-to-release/service/v0.11
git worktree add --checkout .worktree/backport-3508-to-release/service/v0.11 backport-3508-to-release/service/v0.11
cd .worktree/backport-3508-to-release/service/v0.11
git reset --hard HEAD^
git cherry-pick -x 9d16f8062e6164748a6a27c497272209b743339f
git push --force-with-lease

[github-actions]

X-Test Failure Report

[github-actions]

Dependency Review

The following issues were found:

• ❌ 5 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 11 package(s) with unknown licenses.

See the Details below.

Vulnerabilities

tests-bdd/go.mod

Name	Version	Vulnerability	Severity
github.com/containerd/containerd/v2	2.1.5	containerd user ID handling bypass allows runAsNonRoot evasion	high
		containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull	high
		Arbitrary host CRI log file read via symlink following in CRI checkpoint restore	high
		containerd CRI checkpoint restore CDI annotation smuggling	high
		containerd image-triggered runtime DoS via unbounded group parsing	moderate
		containerd: CRI checkpoint import allows local image tag poisoning	moderate
github.com/docker/cli	28.5.1+incompatible	Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows	high
github.com/docker/docker	28.5.1+incompatible	Moby has AuthZ plugin bypass when provided oversized request bodies	high
		Docker: `PUT /containers/{id}/archive` executes container binary on the host	high
		Docker: Race condition in docker cp allows bind mount redirection to host path	high
		Moby has an Off-by-one error in its plugin privilege validation	moderate
		Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap	moderate
github.com/moby/buildkit	0.25.1	BuildKit's Malicious frontend can cause file escape outside of storage root	high
		BuildKit Git URL subdir component can cause access to restricted files	high
golang.org/x/crypto	0.43.0	golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption	moderate
		golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read	moderate

License Issues

tests-bdd/go.mod

Package	Version	License	Issue Type
github.com/containerd/containerd/v2	2.1.5	Null	Unknown License
github.com/docker/cli	28.5.1+incompatible	Null	Unknown License
github.com/docker/docker	28.5.1+incompatible	Null	Unknown License
github.com/moby/buildkit	0.25.1	Null	Unknown License
github.com/docker/compose/v2	2.40.2	Null	Unknown License
github.com/docker/go-connections	0.6.0	Null	Unknown License
github.com/spf13/cobra	1.10.1	Null	Unknown License
github.com/spf13/pflag	1.0.10	Null	Unknown License
github.com/stretchr/testify	1.11.1	Null	Unknown License
github.com/testcontainers/testcontainers-go	0.39.0	Null	Unknown License
github.com/zclconf/go-cty	1.17.0	Null	Unknown License

Denied Licenses: GPL-2.0, AGPL-1.0, AGPL-1.0-or-later, AGPL-1.0-only, AGPL-3.0, AGPL-3.0-only, AGPL-3.0-or-later, GPL-1.0, GPL-1.0+, GPL-1.0-only, GPL-1.0-or-later, CNRI-Python-GPL-Compatible, GPL-2.0+, GPL-2.0-only, GPL-2.0-or-later, GPL-2.0-with-GCC-exception, GPL-2.0-with-autoconf-exception, GPL-2.0-with-bison-exception, GPL-2.0-with-classpath-exception, GPL-2.0-with-font-exception, GPL-3.0, GPL-3.0+, GPL-3.0-only, GPL-3.0-or-later, GPL-3.0-with-GCC-exception, GPL-3.0-with-autoconf-exception, LGPL-2.0, LGPL-2.0+, LGPL-2.0-only, LGPL-2.0-or-later, LGPL-2.1, LGPL-2.1+, LGPL-2.1-only, LGPL-2.1-or-later, LGPL-3.0, LGPL-3.0+, LGPL-3.0-only, LGPL-3.0-or-later, LGPLLR, NGPL

Excluded from license check: pkg:githubactions/SonarSource/sonarqube-scan-action

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
gomod/github.com/opentdf/platform/sdk	0.10.1	Unknown	Unknown
gomod/github.com/containerd/containerd/v2	2.1.5	Unknown	Unknown
gomod/github.com/docker/cli	28.5.1+incompatible	Unknown	Unknown
gomod/github.com/docker/docker	28.5.1+incompatible	Unknown	Unknown
gomod/github.com/moby/buildkit	0.25.1	Unknown	Unknown
gomod/golang.org/x/crypto	0.43.0	Unknown	Unknown
gomod/github.com/compose-spec/compose-go/v2	2.9.1	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 18 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 18/19 approved changesets -- score normalized to 9 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
gomod/github.com/docker/buildx	0.29.1	🟢 8.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Binary-Artifacts 🟢 9 binaries present in source code Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases 🟢 8 5 out of the last 5 releases have a total of 5 signed artifacts. SAST 🟢 8 SAST tool detected but not run on all commits Pinned-Dependencies 🟢 4 dependency not pinned by hash detected -- score normalized to 4
gomod/github.com/docker/compose/v2	2.40.2	Unknown	Unknown
gomod/github.com/docker/go-connections	0.6.0	Unknown	Unknown
gomod/github.com/shirou/gopsutil/v4	4.25.6	🟢 7.4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Code-Review 🟢 6 Found 6/9 approved changesets -- score normalized to 6 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing 🟢 10 project is fuzzed License 🟢 9 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3
gomod/github.com/spf13/cobra	1.10.1	Unknown	Unknown
gomod/github.com/spf13/pflag	1.0.10	Unknown	Unknown
gomod/github.com/stretchr/testify	1.11.1	Unknown	Unknown
gomod/github.com/testcontainers/testcontainers-go	0.39.0	Unknown	Unknown
gomod/github.com/testcontainers/testcontainers-go/modules/compose	0.39.1	🟢 6.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 3 Found 6/16 approved changesets -- score normalized to 3 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 CII-Best-Practices ⚠️ 2 badge detected: InProgress Signed-Releases ⚠️ -1 no releases found SAST 🟢 9 SAST tool detected but not run on all commits Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected CI-Tests 🟢 10 27 out of 27 merged PRs checked by a CI test -- score normalized to 10 Vulnerabilities ⚠️ 0 36 existing vulnerabilities detected Contributors 🟢 10 project has 60 contributing companies or organizations
gomod/github.com/zclconf/go-cty	1.17.0	Unknown	Unknown
gomod/go.uber.org/mock	0.6.0	Unknown	Unknown
gomod/golang.org/x/net	0.45.0	Unknown	Unknown
gomod/golang.org/x/sync	0.17.0	Unknown	Unknown
gomod/golang.org/x/sys	0.37.0	Unknown	Unknown
gomod/golang.org/x/term	0.36.0	Unknown	Unknown
gomod/golang.org/x/text	0.30.0	Unknown	Unknown
gomod/google.golang.org/protobuf	1.36.9	Unknown	Unknown

Scanned Files

• service/go.mod
• tests-bdd/go.mod

[github-actions]

X-Test Failure Report

✅ go@main-v0.9.0
✅ java@main-v0.9.0
✅ js@main-v0.9.0
opentdfplatformPF9TN1.dockerbuild