feat: add validation for user object

[Konrad-Simso]

Description

Add validation for user object on instance events.

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)
• All tests run green

Summary by CodeRabbit

• Bug Fixes

  • Strengthened per-event validation of user identity in instance events. Events with incomplete or inconsistent user data now return Bad Request; supplying a system user identifier requires the corresponding owner organization number.

• Tests

  • Added unit tests covering the new per-event user validation to verify accepted and rejected input combinations.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Added per-event validation of InstanceEvent.User in PutInstanceAndEvents by calling a new ValidateInstanceEventUserObject helper (duplicate declaration present). Validation runs before other per-event checks. Four unit tests were added to cover valid and invalid user-object combinations.

Changes

Cohort / File(s)	Summary
Instance Event User Validation src/Storage/Controllers/ProcessController.cs	Added per-event call to ValidateInstanceEventUserObject inside PutInstanceAndEvents (validation performed before other per-event checks). Added helper ValidateInstanceEventUserObject(int? userId, string? orgId, Guid? systemUserId, string? systemUserOwnerOrgNo, int? endUserSystemId); duplicate declaration observed in diff.
Unit tests test/UnitTest/TestingControllers/ProcessControllerTest.cs	Added four tests: ValidateInstanceEventUserObject_ReturnsTrueForValidUserObject (theory with InlineData variations), ValidateInstanceEventUserObject_ReturnsFalseWhenMissingSystemUerIdForSystemUser, ValidateInstanceEventUserObject_ReturnsFalseWhenMissingPartialSystemUser, and ValidateInstanceEventUserObject_ReturnsFalseWhenAllParametersAreNull. Covers valid and multiple invalid/null combinations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 11.11% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (6 files): ⚔️ src/Storage.Interface/Models/InstanceOwner.cs (content) ⚔️ src/Storage/Altinn.Platform.Storage.csproj (content) ⚔️ src/Storage/Controllers/ProcessController.cs (content) ⚔️ test/UnitTest/TestData/TestData.cs (content) ⚔️ test/UnitTest/TestingControllers/ProcessControllerTest.cs (content) ⚔️ test/UnitTest/TestingRepositories/InstanceTests.cs (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add validation for user object' directly and clearly describes the main change: adding validation for user objects on instance events.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/add-validation-for-user

⚔️ Resolve merge conflicts (beta)

• Auto-commit resolved conflicts to branch feat/add-validation-for-user
• Create stacked PR with resolved conflicts
• Post resolved changes as copyable diffs in a comment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/Storage/Controllers/ProcessController.cs`:
- Around line 380-398: Rename the parameter SystemUserOwnerOrgNo in the
ValidateInstanceEventUserObject method to use camelCase (e.g.,
systemUserOwnerOrgNo) and update all internal references inside the method (the
null check) to the new name; then update all call sites that pass or reference
this parameter to use the new parameter name so signatures match (search for
ValidateInstanceEventUserObject usages and adjust callers and any related
delegates/overloads accordingly).

🧹 Nitpick comments (2)

src/Storage/Controllers/ProcessController.cs (2)

162-173: Error message is misleading for the SystemUserId/SystemUserOwnerOrgNo case.

ValidateInstanceEventUserObject returns false for two distinct reasons:

1. All user identifiers are null (truly missing user object).
2. SystemUserId is provided but SystemUserOwnerOrgNo is missing.

The error message on line 172 always says "Missing user object", which is inaccurate for case 2. Consider either returning distinct messages or having the validation method provide a reason string.

Suggested approach

-            bool validUserObject = ValidateInstanceEventUserObject(
-                user?.UserId,
-                user?.OrgId,
-                user?.SystemUserId,
-                user?.SystemUserOwnerOrgNo,
-                user?.EndUserSystemId
-            );
-            if (!validUserObject)
-            {
-                return BadRequest($"Missing user object in {nameof(instanceEvent.User)}");
-            }
+            string? userValidationError = ValidateInstanceEventUserObject(
+                user?.UserId,
+                user?.OrgId,
+                user?.SystemUserId,
+                user?.SystemUserOwnerOrgNo,
+                user?.EndUserSystemId
+            );
+            if (userValidationError is not null)
+            {
+                return BadRequest(userValidationError);
+            }

And update the helper accordingly:

private static string? ValidateInstanceEventUserObject(
    int? userId,
    string? orgId,
    Guid? systemUserId,
    string? systemUserOwnerOrgNo,
    int? endUserSystemId
)
{
    if (userId is null && orgId is null && systemUserId is null && endUserSystemId is null)
    {
        return "Missing user object in User";
    }
    if (systemUserId is not null && systemUserOwnerOrgNo is null)
    {
        return "SystemUserOwnerOrgNo is required when SystemUserId is provided";
    }

    return null;
}

---

388-391: Consider whether empty/whitespace strings should also be rejected.

orgId and SystemUserOwnerOrgNo are only checked for null, but an empty or whitespace-only string would pass validation. Elsewhere in this method (line 175), IsNullOrWhiteSpace is used for InstanceId. If blank strings are invalid for these fields, consider using string.IsNullOrWhiteSpace here as well.

Example

-        if (userId is null && orgId is null && systemUserId is null && endUserSystemId is null)
+        if (userId is null && string.IsNullOrWhiteSpace(orgId) && systemUserId is null && endUserSystemId is null)
         {
             return false;
         }
-        if (systemUserId is not null && SystemUserOwnerOrgNo is null)
+        if (systemUserId is not null && string.IsNullOrWhiteSpace(systemUserOwnerOrgNo))

[HauklandJ]

At least a test for ValidateInstanceEventUserObject

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/UnitTest/TestingControllers/ProcessControllerTest.cs`:
- Around line 677-700: Add an InlineData row to exercise the branch where
systemUserId is non-null but systemUserOwnerOrgNo is null so the rule
(systemUserId is not null && systemUserOwnerOrgNo is null) is tested; update the
Theory data in ProcessControllerTest.ValidateInstanceEventUserObject to include
an entry like a GUID string for the systemUserId parameter (e.g.
"00000000-0000-0000-0000-000000000001") with systemUserOwnerOrgNo null and
expectedResult false so
ProcessController.ValidateInstanceEventUserObject(userId, orgId, systemUserId,
systemUserOwnerOrgNo, endUserSystemId) covers that branch.

🧹 Nitpick comments (1)

src/Storage/Controllers/ProcessController.cs (1)

380-403: Consider adding a reverse check: systemUserOwnerOrgNo without systemUserId.

The method enforces that systemUserId requires systemUserOwnerOrgNo, but the opposite is not checked. When another identifier is present (e.g., userId), a request with an orphaned systemUserOwnerOrgNo (no systemUserId) passes validation silently. This likely indicates a malformed payload.

Suggested addition

         if (systemUserId is not null && string.IsNullOrWhiteSpace(systemUserOwnerOrgNo))
         {
             return false;
         }
+        if (systemUserId is null && !string.IsNullOrWhiteSpace(systemUserOwnerOrgNo))
+        {
+            return false;
+        }

         return true;

[sonarqubecloud]

Quality Gate failed

Failed conditions
45.5% Coverage on New Code (required ≥ 65%)
45.8% Condition Coverage on New Code (required ≥ 65%)

See analysis details on SonarQube Cloud

[Konrad-Simso]

Have tried rerunning Code test and analysis pipeline, it meets a problem with the following ERROR: Something went wrong while trying to get the pullrequest with key '925' Unsure how to fix it.