As you may know, IdentityNow Cloud Rules have to be submitted to SailPoint for upload to the tenant. We have a rule validator tool that checks IdentityNow rules for malformed or incorrect code fragments and helps make sure they conform to the SailPoint IdentityNow Rule Guide before rule submission.
We have had a great release of a brand-new IdentityNow Rule Validator v3.0 (currently sitting on 3.0.23 at the time of writing). This is a major jump forward; the release notes mention the following (there are many more enhancements than what they state 🙂):
- BeanShell linter will now validate syntax and usage to help discover issues in your code before you deploy
- A watch option which continually monitors and validates/lints your code while you develop.
Download: https://community.sailpoint.com/t5/Professional-Services/IdentityNow-Rule-Validator/ta-p/166116
Please download and use the latest version when submitting rules for deployment; otherwise your rule will get rejected for using the old version.
What I wanted to point out is that Generic Rules may start failing validation, as the validator now does much stricter lint checks for variables that come from a transform and are not defined in the rule. You will need to add them to the <Signature> tag for the rule to pass the validator.
Example
```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Example Rule">
  <Description></Description>
  <Source><![CDATA[
  import org.apache.commons.lang.StringUtils;

  String identityName = identity.getName();
  String endDateStr = StringUtils.trimToNull(identityEndDate); // identityEndDate will be passed in from a transform

  ]]></Source>
</Rule>
```
You will see two inputs:
- identity – this is the identity context, which every cloud rule has access to but which is not predefined as an input in the Generic Rule type.
- identityEndDate – this is an input coming from the transform which is calling the rule.
If I run this through the rule validator, it will fail with the following errors:
```
Errors: (2)
Line 5 - [LintBSHMethodInvocation(93)] null
Exception: Could not retrieve definition for variable name 'identity'
5: String identityName = identity .getName ( )
Variables may be injected by IDN, these variables can be injected into the rule by modifying the Rule's XML Signature, Add an Argument to the Input Section.
Example adding a variable 'academicLevel':
<Inputs>
<Argument name="academicLevel" type="java.lang.String"...

Line 6 - [LintBSHAmbiguousName(69)] null
Exception: Could not retrieve definition for variable name 'identityEndDate'
6: String endDateStr = StringUtils .trimToNull ( identityEndDate )

Validation status: FAILURE
```
As you can see, it couldn't retrieve the definition for either variable.
Solution
You need to define them under the Signature XML tag so that the validator allows them through:
```xml
<Signature returnType="Object">
  <Inputs>
    <Argument name="identity" type="sailpoint.object.Identity">
      <Description>Get Identity Object</Description>
    </Argument>
    <Argument name="identityEndDate" type="java.lang.String">
      <Description>EndDate coming from Transform</Description>
    </Argument>
  </Inputs>
</Signature>
```
As you can see, the Signature tag declares each Argument with a name and a type. This allows the rule validator to understand what the variables are. The rule will now look like this:
```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Example Rule">
  <Description></Description>
  <Signature returnType="Object">
    <Inputs>
      <Argument name="identity" type="sailpoint.object.Identity">
        <Description>Get Identity Object</Description>
      </Argument>
      <Argument name="identityEndDate" type="java.lang.String">
        <Description>EndDate coming from Transform</Description>
      </Argument>
    </Inputs>
  </Signature>
  <Source><![CDATA[
  import org.apache.commons.lang.StringUtils;

  String identityName = identity.getName();
  String endDateStr = StringUtils.trimToNull(identityEndDate); // identityEndDate will be passed in from a transform

  ]]>
  </Source>
</Rule>
```
Now the rule will pass:
```
No errors found.

Validation status: SUCCESS
```
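To catch the same problem across many rule files before running the validator, here is a small pre-check, added as an example and not part of the SailPoint Rule Validator. It parses the rule XML and reports injected variables that the Source uses but the Signature does not declare. The function name and the list of injected names you pass in are assumptions, and the comment stripping is a simple heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data, based on the example rule in this post.
SIGNATURE = """<Signature returnType="Object">
    <Inputs>
      <Argument name="identity" type="sailpoint.object.Identity"/>
      <Argument name="identityEndDate" type="java.lang.String"/>
    </Inputs>
  </Signature>"""

RULE_TEMPLATE = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Example Rule">
  <Description></Description>
  %s
  <Source><![CDATA[
import org.apache.commons.lang.StringUtils;

String identityName = identity.getName();
String endDateStr = StringUtils.trimToNull(identityEndDate); // passed in from a transform
]]></Source>
</Rule>"""


def undeclared_inputs(rule_xml, injected_names):
    """Hypothetical helper: names from injected_names that appear in the
    rule's Source but have no <Argument> under <Signature><Inputs>."""
    # Parse as bytes so the encoding declaration in the prolog is honoured.
    root = ET.fromstring(rule_xml.strip().encode("utf-8"))
    declared = {a.get("name") for a in root.findall("./Signature/Inputs/Argument")}
    source = root.findtext("Source") or ""
    # Heuristic: drop /* */ and // comments so a name that is only
    # mentioned in a comment is not treated as a use.
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    # Whole-word match, so 'identity' is not found inside 'identityName'.
    used = {n for n in injected_names
            if re.search(r"\b" + re.escape(n) + r"\b", code)}
    return sorted(used - declared)


if __name__ == "__main__":
    names = ["identity", "identityEndDate"]
    print("without Signature:", undeclared_inputs(RULE_TEMPLATE % "", names))
    print("with Signature:   ", undeclared_inputs(RULE_TEMPLATE % SIGNATURE, names))
```

An empty list means every injected name the Source uses is declared; the rule validator remains the authoritative check before submission.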
You are good to submit your rule now…
Happy coding!!!