npm - aws-iam-language-server - Versions diffs - 0.0.18 → 0.0.20 - Mend

aws-iam-language-server 0.0.18 → 0.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json +1 -1
package/readme.md +4 -0
package/src/handlers/completion/resource-value.js +3 -2
package/src/lib/iam-policy/arn.d.ts +5 -0
package/src/lib/iam-policy/arn.js +30 -1
package/src/lib/treesitter/hcl.js +66 -1
package/src/lib/treesitter/json.js +21 -1
package/src/lib/treesitter/yaml.js +59 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "aws-iam-language-server",
-  "version": "0.0.18",
+  "version": "0.0.20",
   "type": "module",
   "bin": "./src/server.js",
   "publisher": "MichaelBarney",

package/readme.md CHANGED Viewed

@@ -55,6 +55,10 @@ vim.lsp.enable("aws-iam-language-server")
 ## Features
+This language server will detect policies within yaml/json documents, including deeply-nested policies.
+This means it will work for polcies defined as CloudFormation resources or plain policy files.
+Detection of a policy does require that you have a `Version` set to a valid version date: `2012-10-17` or `2008-10-17`).
 ### DocumentLink
 Certain elements within a policy document will have a document link associated with it.

package/src/handlers/completion/resource-value.js CHANGED Viewed

@@ -1,11 +1,12 @@
 import { CompletionItemKind, MarkupKind } from 'vscode-languageserver';
+import { splitArn } from "../../lib/iam-policy/arn.js";
 import { partitions } from "../../lib/iam-policy/partitions.js";
 import { formatResourceDocumentation } from "../../lib/iam-policy/reference/documentation.js";
 import { ServiceReference } from "../../lib/iam-policy/reference/services.js";
 import { expandActionPattern } from "../../lib/iam-policy/wildcard.js";
 import { partialRange } from "./index.js";
 export function completeResourceValue(location, context) {
-    const parts = location.partial.split(':');
+    const parts = splitArn(location.partial);
     const range = partialRange(context.position, location.partial.length);
     const items = [];
     const statement = context.handler.getStatementContext(context.uri, context.position);
@@ -127,7 +128,7 @@ export function completeResourceValue(location, context) {
         const resources = ServiceReference.getResourcesForActions(expandActionPattern(`${service}:*`));
         for (const resource of resources) {
             for (const arn of resource.arnFormats) {
-                const patternParts = arn.split(':');
+                const patternParts = splitArn(arn);
                 const patternRegion = patternParts[3];
                 const patternAccount = patternParts[4];
                 if (region.length > 0 !== patternRegion.length > 0)

package/src/lib/iam-policy/arn.d.ts CHANGED Viewed

@@ -5,6 +5,11 @@ export type ArnParts = {
     account: string;
     resource: string;
 };
+/**
+ * Split a string on `:` while preserving `${...}` placeholders intact.
+ * Colons inside `${...}` (e.g. `${AWS::AccountId}`) are not treated as delimiters.
+ */
+export declare function splitArn(arn: string): string[];
 /**
  * Parse an ARN string into its structural components.
  * Returns null if the string is not a valid ARN structure (fewer than 6 colon-separated segments).

package/src/lib/iam-policy/arn.js CHANGED Viewed

@@ -1,10 +1,39 @@
+/**
+ * Split a string on `:` while preserving `${...}` placeholders intact.
+ * Colons inside `${...}` (e.g. `${AWS::AccountId}`) are not treated as delimiters.
+ */
+export function splitArn(arn) {
+    const segments = [];
+    let current = '';
+    let depth = 0;
+    for (let i = 0; i < arn.length; i++) {
+        if (arn[i] === '$' && arn[i + 1] === '{') {
+            depth++;
+            current += '${';
+            i++;
+        }
+        else if (depth > 0 && arn[i] === '}') {
+            depth--;
+            current += '}';
+        }
+        else if (depth === 0 && arn[i] === ':') {
+            segments.push(current);
+            current = '';
+        }
+        else {
+            current += arn[i];
+        }
+    }
+    segments.push(current);
+    return segments;
+}
 /**
  * Parse an ARN string into its structural components.
  * Returns null if the string is not a valid ARN structure (fewer than 6 colon-separated segments).
  * Everything after the 5th colon is treated as the resource portion.
  */
 export function parseArn(arn) {
-    const segments = arn.split(':');
+    const segments = splitArn(arn);
     if (segments.length < 6)
         return null;
     if (segments[0] !== 'arn')

package/src/lib/treesitter/hcl.js CHANGED Viewed

@@ -376,7 +376,69 @@ export class TreeHcl extends TreeBase {
         }
         if (current?.type !== 'object_elem')
             return false;
-        return this.#getObjectElemKey(current) === 'Statement';
+        if (this.#getObjectElemKey(current) !== 'Statement')
+            return false;
+        // The policy object is the parent of this object_elem
+        const policyObject = current.parent;
+        if (!policyObject || policyObject.type !== 'object')
+            return false;
+        return this.#hasValidJsonencodeVersion(policyObject);
+    }
+    #hasValidJsonencodeVersion(policyObject) {
+        const validVersions = new Set(['2012-10-17', '2008-10-17']);
+        for (const child of policyObject.namedChildren) {
+            if (child.type !== 'object_elem')
+                continue;
+            if (this.#getObjectElemKey(child) !== 'Version')
+                continue;
+            const expressions = child.namedChildren.filter((c) => c.type === 'expression');
+            const valueExpression = expressions.length >= 2 ? expressions[1] : null;
+            if (!valueExpression)
+                return false;
+            const values = this.#readExpressionStringValues(valueExpression);
+            return values.length === 1 && validVersions.has(values[0]);
+        }
+        return false;
+    }
+    /**
+     * Check for a valid Version in an ERROR node's children for jsonencode mode.
+     * Looks for an object_elem with key "Version" and a valid version value, or
+     * an expression "Version" followed by an expression with a valid version string.
+     */
+    #errorNodeHasValidJsonencodeVersion(errorNode) {
+        const validVersions = new Set(['2012-10-17', '2008-10-17']);
+        let sawVersionKey = false;
+        for (const child of errorNode.children) {
+            if (child.type === 'object_elem') {
+                const key = this.#getObjectElemKey(child);
+                if (key === 'Version') {
+                    const expressions = child.namedChildren.filter((c) => c.type === 'expression');
+                    const valueExpression = expressions.length >= 2 ? expressions[1] : null;
+                    if (valueExpression) {
+                        const values = this.#readExpressionStringValues(valueExpression);
+                        if (values.length === 1 && validVersions.has(values[0]))
+                            return true;
+                    }
+                }
+                sawVersionKey = false;
+            }
+            else if (child.type === 'expression') {
+                const id = this.#getExpressionIdentifier(child);
+                if (id === 'Version') {
+                    sawVersionKey = true;
+                }
+                else if (sawVersionKey) {
+                    const values = this.#readExpressionStringValues(child);
+                    if (values.length === 1 && validVersions.has(values[0]))
+                        return true;
+                    sawVersionKey = false;
+                }
+            }
+            else {
+                sawVersionKey = false;
+            }
+        }
+        return false;
     }
     #buildJsonencodeCursorPath(cursorNode, statementObject, position) {
         const keys = [];
@@ -803,6 +865,9 @@ export class TreeHcl extends TreeBase {
         }
         if (!foundStatement || !lastKey || !policyFormat)
             return null;
+        // For jsonencode mode, require a valid Version in the ERROR node
+        if (policyFormat === 'standard' && !this.#errorNodeHasValidJsonencodeVersion(errorNode))
+            return null;
         // Extract partial and value: when the key came from an attribute/object_elem
         // that contains the quote (e.g., `effect = "`), they're empty. When the
         // cursor node is inside a string (open quote slurped subsequent lines),

package/src/lib/treesitter/json.js CHANGED Viewed

@@ -275,7 +275,27 @@ export class TreeJson extends TreeBase {
         const pair = object.parent.parent;
         if (pair?.type !== 'pair')
             return false;
-        return this.#getPairKeyText(pair) === 'Statement';
+        if (this.#getPairKeyText(pair) !== 'Statement')
+            return false;
+        const policyObject = pair.parent;
+        if (!policyObject || policyObject.type !== 'object')
+            return false;
+        return this.#hasValidVersion(policyObject);
+    }
+    #hasValidVersion(policyObject) {
+        const validVersions = new Set(['2012-10-17', '2008-10-17']);
+        for (const child of policyObject.namedChildren) {
+            if (child.type !== 'pair')
+                continue;
+            if (this.#getPairKeyText(child) !== 'Version')
+                continue;
+            const valueNode = child.namedChildren[1];
+            if (valueNode?.type !== 'string')
+                return false;
+            const content = valueNode.namedChildren.find((c) => c.type === 'string_content');
+            return content?.text ? validVersions.has(content.text) : false;
+        }
+        return false;
     }
     /**
      * Get the text content of a pair's key (first named child string).

package/src/lib/treesitter/yaml.js CHANGED Viewed

@@ -380,7 +380,9 @@ export class TreeYaml extends TreeBase {
      */
     #isStatementSequence(sequence) {
         const sequenceParent = this.#skipBlockNode(sequence.parent);
-        return sequenceParent?.type === 'block_mapping_pair' && this.#getPairKeyText(sequenceParent) === 'Statement';
+        return (sequenceParent?.type === 'block_mapping_pair' &&
+            this.#getPairKeyText(sequenceParent) === 'Statement' &&
+            this.#hasValidVersion(sequenceParent));
     }
     #resolveCursorContext(node, statementMapping, position) {
         const cursorPath = this.#buildCursorPath(node, statementMapping, position);
@@ -705,7 +707,59 @@ export class TreeYaml extends TreeBase {
         node = this.#skipBlockNode(node.parent);
         if (node?.type !== 'block_mapping_pair')
             return false;
-        return this.#getPairKeyText(node) === 'Statement';
+        return this.#getPairKeyText(node) === 'Statement' && this.#hasValidVersion(node);
+    }
+    /**
+     * Check that a Statement pair's parent block_mapping contains a Version pair
+     * with a valid IAM policy version value.
+     */
+    #hasValidVersion(statementPair) {
+        const validVersions = new Set(['2012-10-17', '2008-10-17']);
+        const policyMapping = statementPair.parent;
+        if (!policyMapping || policyMapping.type !== 'block_mapping')
+            return false;
+        for (const child of policyMapping.namedChildren) {
+            if (child.type !== 'block_mapping_pair')
+                continue;
+            if (this.#getPairKeyText(child) !== 'Version')
+                continue;
+            const values = this.#readPairStringValues(child);
+            return values.length === 1 && validVersions.has(values[0]);
+        }
+        return false;
+    }
+    /**
+     * Check for a valid Version in an ERROR node's children. Looks for a "Version"
+     * flow_node followed by a valid version string, or a block_mapping_pair with
+     * key "Version" and valid value.
+     */
+    #errorNodeHasValidVersion(errorNode) {
+        const validVersions = new Set(['2012-10-17', '2008-10-17']);
+        let sawVersionKey = false;
+        for (const child of errorNode.children) {
+            if (child.type === 'block_mapping_pair') {
+                const key = this.#getPairKeyText(child);
+                if (key === 'Version') {
+                    const values = this.#readPairStringValues(child);
+                    if (values.length === 1 && validVersions.has(values[0]))
+                        return true;
+                }
+                sawVersionKey = false;
+            }
+            else if (child.type === 'flow_node') {
+                const text = this.#getScalarText(child);
+                if (text === 'Version') {
+                    sawVersionKey = true;
+                }
+                else if (sawVersionKey && text !== null && validVersions.has(text)) {
+                    return true;
+                }
+                else if (text !== ':') {
+                    sawVersionKey = false;
+                }
+            }
+        }
+        return false;
     }
     /**
      * Get the unquoted text of a block_mapping_pair's key.
@@ -805,6 +859,9 @@ export class TreeYaml extends TreeBase {
         }
         if (!errorNode)
             return null;
+        // Pre-scan ERROR children for a valid Version pair
+        if (!this.#errorNodeHasValidVersion(errorNode))
+            return null;
         // Scan ERROR children for a Statement-like structure: "Statement" + ":"
         let foundStatement = false;
         let lastKey = null;