RSPEED-2652: validate type and format of rh-identity fields

[major]

Description

Add type and format validation to all string fields extracted from the x-rh-identity header in RHIdentityData. Fields like user_id, username, cn, account_number, and org_id were only checked for presence but never validated for type, emptiness, length, or control characters. These values flow into request.state, logs, database queries, and telemetry as trusted strings, enabling potential log injection via control characters and data integrity issues from non-string types.

Changes:

• Add _validate_string_field() helper that checks: type (must be str), non-emptiness (including whitespace-only), length bounds (max 256), and control characters (ASCII 0-31, DEL)
• Wire validation into _validate_structure() for User fields (user_id, username), System fields (cn, account_number), and org_id (conditional: validated only when present and non-empty)
• Extract _validate_user_fields() and _validate_system_fields() to reduce cyclomatic complexity of _validate_structure from C (14) to B (8)
• Add 37 parametrized unit tests covering non-string types, empty/whitespace, control chars, oversized values, boundary cases, org_id conditional logic, and regression

Note: PR #1352 (RSPEED-2651) also modifies rh_identity.py but touches RHIdentityAuthDependency.__call__(), a completely different class. Zero source code overlap; only trivial test EOF append merge conflict possible.

Type of change

• Bug fix
• Refactor
• Unit tests improvement

Tools used to create PR

• Assisted-by: N/A
• Generated by: N/A

Related Tickets & Documents

• RSPEED-2652
• Related: RSPEED-2651 / PR RSPEED-2651: enforce max header size on x-rh-identity before base64 decode #1352 (header size limits on same file, different class)

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• uv run pytest tests/unit/authentication/test_rh_identity.py -v --tb=short passes 87/87 tests (50 existing + 37 new)
• uv run make verify passes all linters (black, pylint 10/10, pyright 0 errors, ruff, pydocstyle, mypy 0 issues)
• uv run radon cc src/authentication/rh_identity.py -s shows all methods at A or B complexity
• Validated scenarios: non-string types (None, int, bool, list, dict, float), empty/whitespace strings, control characters (null byte, newline, CR, US, DEL), oversized values (257 chars rejected, 256 accepted), org_id conditional (missing/empty accepted, non-string/oversized/control chars rejected)

Summary by CodeRabbit

• Bug Fixes

  • Stricter validation for user and system identity fields, rejecting non-strings, empty/whitespace-only values, control characters, and overly long values.
  • Optional organizational ID now validated when present.
  • Improved error reporting for missing or malformed identity data.

• Tests

  • Added comprehensive unit tests covering field types, emptiness, control characters, and length boundaries.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 105d6345-881e-4f5a-943e-3901e3b1d91d

📥 Commits

Reviewing files that changed from the base of the PR and between e274f9f and 3f58309.

📒 Files selected for processing (2)

• src/authentication/rh_identity.py
• tests/unit/authentication/test_rh_identity.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tests/unit/authentication/test_rh_identity.py
• src/authentication/rh_identity.py

---

Walkthrough

Adds centralized string validation and two new helpers on RHIdentityData to enforce well-formed user and system identity fields (user_id, username, system.cn, account_number) and optional org_id checks; rejects non-strings, empty/whitespace, control characters, and enforces a 256-char max.

Changes

Cohort / File(s)	Summary
Validation Implementation src/authentication/rh_identity.py	Introduces _validate_string_field(field_name, value, max_length=256), _validate_user_fields(identity), and _validate_system_fields(identity) on RHIdentityData. Validations now reject non-strings, empty/whitespace-only values, ASCII control characters, and strings >256 chars; _validate_structure() updated to delegate and reflect “missing or malformed” errors.
Validation Tests tests/unit/authentication/test_rh_identity.py	Adds TestRHIdentityFieldValidation covering non-string types, empty/whitespace-only values, control-character rejection, length boundary tests (accepts 256, rejects >256), optional org_id behavior, and regression cases ensuring valid user/system identity data still pass.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding validation for type and format of rh-identity fields, which is the primary focus of both the implementation and test changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tisnik]

LGTM

[tisnik]

@major LGTM, but please rebase first before merge

[major]

@tisnik Done. Thank you!