Attribute Validation
The IAM service utilizes a dynamic attribute validation system to ensure identity attributes conform to defined standards. This is implemented via the YAMLSchemaValidator.
Overview
The YAMLSchemaValidator allows administrators to define validation rules for identity attributes using a YAML schema. This decouples validation logic from the core code, allowing for configuration updates without recompilation.
Schema Definition
The validation schema is a YAML document where the root key is attributes. Each entry under attributes represents a specific attribute key to be validated.
Rule Properties
| Property | Description | Supported Values |
|---|---|---|
| type | Defines the expected data type of the attribute. | string, number |
| allowed_values | Defines a strict list of permitted values (enumeration). | List of strings |
Example Configuration
attributes:
  # Validates that 'department' is a string
  department:
    type: string
  # Validates that 'clearance_level' is a number (int or float)
  clearance_level:
    type: number
  # Validates that 'status' is a string AND one of the allowed values
  status:
    type: string
    allowed_values:
      - "active"
      - "inactive"
      - "pending"
Validation Behavior
The validator enforces rules as follows:
- Undefined Attributes: If an attribute key is provided during validation that does not exist in the YAML schema, it is considered valid. The validator only restricts attributes explicitly defined in the schema.
- Type Safety:
  - String: Ensures the underlying Go type is `string`.
  - Number: Ensures the underlying Go type is `float64` or `int`.
- Enumerations: If `allowed_values` is set, the value must match one of the entries exactly. This is only supported for `string` types.
- Null Safety: If a rule is defined for an attribute, the value cannot be `nil`.
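The following Go program is an added example written for this page; it is not the IAM service's own YAMLSchemaValidator code. It implements the Schema Definition, the Example Configuration and every rule under Validation Behavior above: undefined attributes pass, `string` and `number` types are checked against the underlying Go type, `allowed_values` is enforced exactly and only for strings, and a `nil` value for a defined attribute is rejected. The type names `Rule`, `Schema`, `Validator` and the constructor `NewValidator` are assumptions. To keep the example free of third-party dependencies, the example configuration is built directly as the parsed Go form in `ExampleSchema`; the `yaml` struct tags show how a YAML library (gopkg.in/yaml.v3 is assumed, not imported here) would unmarshal the document onto these types.

```go
package main

import "fmt"

// Rule mirrors one entry under the YAML "attributes" key.
type Rule struct {
	Type          string   `yaml:"type"`
	AllowedValues []string `yaml:"allowed_values"`
}

// Schema is the root of the validation document (root key "attributes").
type Schema struct {
	Attributes map[string]Rule `yaml:"attributes"`
}

// Validator holds a schema that has already been checked for consistency.
type Validator struct {
	schema Schema
}

// NewValidator rejects malformed schemas up front, so a bad configuration
// cannot silently disable checks at request time.
func NewValidator(s Schema) (*Validator, error) {
	for key, rule := range s.Attributes {
		switch rule.Type {
		case "string", "number":
		default:
			return nil, fmt.Errorf("attribute %q: unsupported type %q", key, rule.Type)
		}
		if len(rule.AllowedValues) > 0 && rule.Type != "string" {
			return nil, fmt.Errorf("attribute %q: allowed_values is only supported for string types", key)
		}
	}
	return &Validator{schema: s}, nil
}

// Validate checks every provided attribute against the schema and returns
// one error per violation; an empty result means the attributes are valid.
func (v *Validator) Validate(attrs map[string]any) []error {
	var errs []error
	for key, value := range attrs {
		rule, ok := v.schema.Attributes[key]
		if !ok {
			continue // undefined attributes are considered valid
		}
		if value == nil {
			errs = append(errs, fmt.Errorf("attribute %q: value cannot be nil", key))
			continue
		}
		switch rule.Type {
		case "string":
			s, ok := value.(string)
			if !ok {
				errs = append(errs, fmt.Errorf("attribute %q: expected string, got %T", key, value))
				continue
			}
			if len(rule.AllowedValues) > 0 && !contains(rule.AllowedValues, s) {
				errs = append(errs, fmt.Errorf("attribute %q: %q is not in allowed_values", key, s))
			}
		case "number":
			switch value.(type) {
			case int, float64: // both accepted; int and float64 are the decoded Go forms of a YAML/JSON number
			default:
				errs = append(errs, fmt.Errorf("attribute %q: expected number, got %T", key, value))
			}
		}
	}
	return errs
}

// contains reports whether s matches one of list's entries exactly.
func contains(list []string, s string) bool {
	for _, item := range list {
		if item == s {
			return true
		}
	}
	return false
}

// ExampleSchema is the page's example configuration in its parsed Go form
// (constructed here instead of being read from YAML).
func ExampleSchema() Schema {
	return Schema{Attributes: map[string]Rule{
		"department":      {Type: "string"},
		"clearance_level": {Type: "number"},
		"status":          {Type: "string", AllowedValues: []string{"active", "inactive", "pending"}},
	}}
}

func main() {
	v, err := NewValidator(ExampleSchema())
	if err != nil {
		panic(err)
	}
	// Constructed sample input: one enumeration violation, one undefined key.
	attrs := map[string]any{
		"department":      "security",
		"clearance_level": 3,
		"status":          "retired", // not in allowed_values
		"nickname":        42,        // undefined attribute: accepted as-is
	}
	for _, e := range v.Validate(attrs) {
		fmt.Println(e)
	}
}
```

Two points worth keeping in mind when reading the behaviour this way: the schema only constrains keys that are present, so a defined attribute that is simply omitted from the input passes (the schema described here has no notion of a required attribute), and the undefined-attribute rule means any key not listed in the schema is accepted with any value and type, so callers that persist or act on attributes should treat the schema as a filter on known keys rather than an allow-list of all keys.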