LiteBus
CatalogIngress

Ingress Safety and Authorization Options

  • ID: ingress.safety-options
  • Name: Ingress safety and authorization options
  • Maturity: GA
  • Summary: Configures provider-neutral body, identity, authorization, admission, and batch limits for every ingress adapter.

Purpose and Scope

Every broker-specific ingress record exposes one TransportInboxIngressSafetyOptions value through its Safety property. The adapter preserves that record when it creates TransportInboxIngressOptions. Broker destinations and native receive controls remain on their adapter records because those settings do not share semantics.

For example, an SQS service can request 10 messages per receive call while keeping LiteBus handler admission at one:

ingress.UseOptions(new AwsSqsInboxIngressOptions
{
    Destination = queueUrl,
    ReceiveBatchSize = 10,
    Safety = new TransportInboxIngressSafetyOptions
    {
        MaxInFlightMessages = 1,
        MaxMessageBytes = 1024 * 1024
    }
});

Option Model

Type / memberDefaultRole
TransportInboxIngressOptions.DestinationrequiredQueue, topic, or channel name
TransportInboxIngressOptions.PrefetchCount0Native RabbitMQ or Azure Service Bus prefetch only
TransportInboxIngressOptions.ReceiveBatchSize1SQS messages requested per receive call only
TransportInboxIngressOptions.MaxConcurrentCallsnullNative Azure Service Bus callback concurrency only
TransportInboxIngressOptions.SubscriptionNamenullNamed subscription when a destination is a topic
TransportInboxIngressOptions.DeclareDestinationfalseDeclare an AMQP queue before subscribing
TransportInboxIngressOptions.DurableDestinationfalseMake a declared AMQP queue durable
TransportInboxIngressOptions.RequeueOnFailuretrueRequeue transient accept failures
TransportInboxIngressOptions.Safetydefault safety recordProvider-neutral ingress safety settings
Safety.MaxMessageBytes4 MiBReject oversized bodies before deserialize; zero disables the limit
Safety.RequireStableIdentitytrueFail when broker delivery id is missing
Safety.TrustApplicationHeadersfalseHonor application idempotency, tenant, and message id headers
Safety.AuthorizeDeliveryAsyncnullHost callback before deserialize and accept
Safety.MaxInFlightMessages32Cap concurrent LiteBus delivery handlers
Safety.EnableBatchAcceptfalseEnable buffered inbox batch accepts
Safety.BatchSize10Deliveries stored in one inbox batch
Safety.BatchMaxWait200 msPartial batch flush delay

Each ingress module calls Safety.Validate() during composition. Negative message limits or wait durations, zero batch sizes, and zero maximum-in-flight values fail before the host starts. AWS also rejects ReceiveBatchSize outside 1 through 10. Azure rejects negative prefetch and non-positive MaxConcurrentCalls.

Broker Option Parity

Broker options typeShared SafetyNative receive controlDestination declaration
AmqpInboxIngressOptionsyesPrefetchCountqueue declare and durable flags
KafkaInboxIngressOptionsyesnone; the consume loop reads one record at a timeno
AwsSqsInboxIngressOptionsyesReceiveBatchSizeno
AzureServiceBusInboxIngressOptionsyesPrefetchCount, MaxConcurrentCallsno
InMemoryInboxIngressOptionsyesnone; capacity belongs to the transport moduleno

Public Surface

  • TransportInboxIngressOptions, the runtime bridge record
  • TransportInboxIngressSafetyOptions, the provider-neutral safety record
  • One broker-specific ingress options record in each adapter package

Packages

  • LiteBus.Inbox.Ingress
  • Broker option records in each LiteBus.Inbox.Ingress.* package

Requires

  • ingress.registration to register options in DI

Invariants

  • Safety.AuthorizeDeliveryAsync exceptions follow the same requeue and discard path as store failures.
  • Safety.MaxMessageBytes is checked before deserialization.
  • Safety.TrustApplicationHeaders stays false unless the broker binding authenticates upstream publishers.
  • Safety.RequireStableIdentity=true and broker message ids provide deterministic duplicate absorption across retries.
  • Safety.MaxInFlightMessages is independent from broker prefetch, receive batch size, and native callback concurrency.

Non-Goals

  • Authentication framework integration. The host supplies AuthorizeDeliveryAsync.
  • Per-tenant broker bindings.
  • Store retention or dead-letter tuning.

Observability

Option violationObservable signal
Safety.MaxMessageBytes exceededException before store; consumer discards or requeues per ingress.ack-policy
Missing broker id when stable identity is requiredInboxIngressException from the mapper
Safety.AuthorizeDeliveryAsync rejectionThe same ack policy path as a store failure
Invalid numeric boundComposition exception before background services start

Test Coverage

Test methodProject
AcceptAsync_WhenBodyExceedsMaxMessageBytes_ShouldThrowLiteBus.Inbox.UnitTests (Ingress/)
AcceptAsync_WithAuthorizationCallback_ShouldAuthorizeBeforeStoreWriteLiteBus.Inbox.UnitTests (Ingress/)
HandleDeliveryAsync_WhenAuthorizationRejects_ShouldDiscardWithoutAcceptLiteBus.Inbox.UnitTests (Ingress/)
InboxIngressOptions_ShouldPreserveSafetyAndNativeConsumerSettingsLiteBus.Durable.IntegrationTests (Registration/)
AwsSqsIngress_WithInvalidReceiveBatchSize_ShouldRejectCompositionLiteBus.Durable.IntegrationTests (Registration/)
AzureServiceBusIngress_WithInvalidMaxConcurrentCalls_ShouldRejectCompositionLiteBus.Durable.IntegrationTests (Registration/)
InMemoryIngress_WithInvalidMaxInFlightMessages_ShouldRejectCompositionLiteBus.Durable.IntegrationTests (Registration/)

Live broker authorization rejection coverage remains limited to AMQP. Shared mapping and composition propagation are covered for all five ingress builders.

Deep Docs

On this page