iam-policy-validator 1.0.2__tar.gz → 1.5.0__tar.gz

{iam_policy_validator-1.0.2 → iam_policy_validator-1.5.0}/.github/workflows/ci.yml

@@ -13,17 +13,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
           python-version: "3.12"
 
       - name: Install uv
-        run: |
-          curl -LsSf https://astral.sh/uv/install.sh | sh
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        with:
+          enable-cache: true
 
       - name: Install dependencies
         run: uv sync --all-extras
@@ -34,30 +34,6 @@ jobs:
       - name: Run Ruff formatter check
         run: uv run ruff format --check .
 
-  # Temporarily disabled - will re-enable when type annotations are complete
-  # type-check:
-  #   name: Type Check with mypy
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: Checkout code
-  #       uses: actions/checkout@v5
-
-  #     - name: Set up Python
-  #       uses: actions/setup-python@v6
-  #       with:
-  #         python-version: "3.12"
-
-  #     - name: Install uv
-  #       run: |
-  #         curl -LsSf https://astral.sh/uv/install.sh | sh
-  #         echo "$HOME/.local/bin" >> $GITHUB_PATH
-
-  #     - name: Install dependencies
-  #       run: uv sync --all-extras
-
-  #     - name: Run mypy
-  #       run: uv run mypy iam_validator/
-
   test:
     name: Test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
@@ -67,17 +43,17 @@ jobs:
         python-version: ["3.10", "3.11", "3.12", "3.13"]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Install uv
-        run: |
-          curl -LsSf https://astral.sh/uv/install.sh | sh
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        with:
+          enable-cache: true
 
       - name: Install dependencies
         run: uv sync --all-extras
@@ -91,17 +67,17 @@ jobs:
     needs: [lint, test]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
           python-version: "3.12"
 
       - name: Install uv
-        run: |
-          curl -LsSf https://astral.sh/uv/install.sh | sh
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        with:
+          enable-cache: true
 
       - name: Install dependencies
         run: uv sync
@@ -109,30 +85,23 @@ jobs:
       - name: Build package
         run: uv build
 
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@v5
-        with:
-          name: dist-packages
-          path: dist/
-          retention-days: 7
-
   integration-test:
     name: Integration Test (Self-Test)
     runs-on: ubuntu-latest
     needs: [lint, test]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
           python-version: "3.12"
 
       - name: Install uv
-        run: |
-          curl -LsSf https://astral.sh/uv/install.sh | sh
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        with:
+          enable-cache: true
 
       - name: Install dependencies
         run: uv sync

iam_policy_validator-1.5.0/.github/workflows/release.yml

@@ -0,0 +1,168 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build-and-release:
+    name: Build and Create Release
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 0 # Full history for changelog generation
+
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
+        with:
+          python-version: "3.12"
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Build package
+        run: uv build
+
+      - name: Get version from tag
+        id: get_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+
+      - name: Generate changelog
+        id: changelog
+        run: |
+          # Get the previous tag
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+
+          if [ -z "$PREV_TAG" ]; then
+            # First release - get all commits
+            CHANGELOG=$(git log --pretty=format:"- %s (%h)" --no-merges)
+          else
+            # Get commits since previous tag
+            CHANGELOG=$(git log ${PREV_TAG}..HEAD --pretty=format:"- %s (%h)" --no-merges)
+          fi
+
+          # Save to file for multiline output
+          echo "$CHANGELOG" > CHANGELOG.txt
+
+          # Also create a summary
+          COMMIT_COUNT=$(echo "$CHANGELOG" | wc -l)
+          echo "Generated changelog with $COMMIT_COUNT commits"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2
+        with:
+          name: ${{ steps.get_version.outputs.tag }}
+          body_path: CHANGELOG.txt
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
+          draft: false
+          prerelease: ${{ contains(steps.get_version.outputs.version, 'rc') || contains(steps.get_version.outputs.version, 'beta') || contains(steps.get_version.outputs.version, 'alpha') }}
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to PyPI
+        if: |
+          !contains(steps.get_version.outputs.version, 'rc') &&
+          !contains(steps.get_version.outputs.version, 'beta') &&
+          !contains(steps.get_version.outputs.version, 'alpha')
+        run: uv publish --trusted-publishing always
+
+      - name: Create Release Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.get_version.outputs.version }}"
+          TAG="${{ steps.get_version.outputs.tag }}"
+          IS_PRERELEASE="${{ contains(steps.get_version.outputs.version, 'rc') || contains(steps.get_version.outputs.version, 'beta') || contains(steps.get_version.outputs.version, 'alpha') }}"
+
+          # Extract major and minor versions
+          MAJOR=$(echo "$VERSION" | cut -d. -f1)
+          MINOR=$(echo "$VERSION" | cut -d. -f1-2)
+
+          cat >> $GITHUB_STEP_SUMMARY << EOF
+          # 🚀 Release Summary
+
+          ## 📦 Package Information
+          - **Package**: \`iam-policy-validator\`
+          - **Version**: \`$VERSION\`
+          - **Tag**: \`$TAG\`
+
+          ## 📋 What Was Published
+
+          ### GitHub Release
+          - ✅ Created release: [$TAG](https://github.com/${{ github.repository }}/releases/tag/$TAG)
+          - 📄 Changelog generated from commits
+          - 📦 Artifacts attached: wheel + source distribution
+
+          ### PyPI
+          $(if [ "$IS_PRERELEASE" = "false" ]; then echo "- ✅ Published to [PyPI](https://pypi.org/project/iam-policy-validator/)"; else echo "- ⏭️ Skipped (pre-release version)"; fi)
+
+          ### Version Tags
+          - 🏷️ Major tag: \`v$MAJOR\`
+          - 🏷️ Minor tag: \`v$MINOR\`
+          - 🏷️ Full tag: \`v$VERSION\`
+
+          ## 🔗 Quick Links
+          - [📦 PyPI Package](https://pypi.org/project/iam-policy-validator/)
+          - [📚 GitHub Release](https://github.com/${{ github.repository }}/releases/tag/$TAG)
+          - [📖 Repository](https://github.com/${{ github.repository }})
+
+          ## 📥 Installation
+          \`\`\`bash
+          pip install iam-policy-validator==$VERSION
+          \`\`\`
+
+          or use the latest:
+          \`\`\`bash
+          pip install iam-policy-validator
+          \`\`\`
+          EOF
+
+  # update-action-versions:
+  #   name: Update Major/Minor Tag References
+  #   runs-on: ubuntu-latest
+  #   needs: build-and-release
+
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+  #     - name: Configure Git
+  #       run: |
+  #         git config user.name "github-actions[bot]"
+  #         git config user.email "github-actions[bot]@users.noreply.github.com"
+
+  #     - name: Update major and minor version tags
+  #       run: |
+  #         VERSION=${GITHUB_REF#refs/tags/v}
+  #         MAJOR=$(echo $VERSION | cut -d. -f1)
+  #         MINOR=$(echo $VERSION | cut -d. -f1-2)
+
+  #         # Update vX tag (e.g., v1) - annotated (unsigned by bot)
+  #         git tag -fa "v$MAJOR" -m "Update v$MAJOR to $VERSION"
+  #         git push origin "v$MAJOR" --force
+
+  #         # Update vX.Y tag (e.g., v1.2) - annotated (unsigned by bot)
+  #         git tag -fa "v$MINOR" -m "Updated v$MINOR to $VERSION"
+  #         git push origin "v$MINOR" --force
+
+  #         echo "✅ Updated tags: v$MAJOR and v$MINOR to point to $VERSION"
+  #         echo "ℹ️  Note: Automated tags are annotated but not signed by the bot."

iam_policy_validator-1.5.0/.python-version

@@ -0,0 +1 @@
+3.12

{iam_policy_validator-1.0.2 → iam_policy_validator-1.5.0}/CONTRIBUTING.md

@@ -132,7 +132,7 @@ iam-policy-auditor/
 ├── .github/workflows/          # CI/CD workflows
 ├── pyproject.toml              # Project metadata and dependencies
 ├── Makefile                    # Development commands
-└── iam-validator.yaml          # Default configuration
+└── default-config.yaml         # Example configuration file
 ```
 
 ## Development Workflow
@@ -400,49 +400,59 @@ For detailed publishing instructions, see [docs/development/PUBLISHING.md](docs/
 
 ### Creating a New Check
 
-1. **Create Check Class**
+See the comprehensive [Custom Checks Guide](docs/custom-checks.md) for detailed instructions on creating custom validation checks.
+
+**Quick Example:**
+
+1. **Create Check File**
    ```python
-   # iam_validator/checks/my_check.py
+   # my_checks/mfa_check.py
    from typing import List
-   from iam_validator.core.models import PolicyCheck, Statement, ValidationIssue
-
-   class MyCustomCheck(PolicyCheck):
-       @property
-       def check_id(self) -> str:
-           return "my_custom_check"
-
-       @property
-       def description(self) -> str:
-           return "Description of what this check does"
-
-       async def execute(
-           self,
-           statement: Statement,
-           statement_idx: int,
-           fetcher,
-           config
-       ) -> List[ValidationIssue]:
-           # Implement your check logic
-           issues = []
-           # ... check logic ...
-           return issues
+   from iam_validator.core.models import PolicyValidationIssue, PolicyStatement
+
+   def execute(statement: PolicyStatement, policy_document: dict) -> List[PolicyValidationIssue]:
+       """Ensure sensitive actions require MFA."""
+       issues = []
+
+       sensitive_actions = ["iam:CreateUser", "iam:DeleteUser"]
+       actions = statement.action if isinstance(statement.action, list) else [statement.action]
+
+       for action in actions:
+           if action in sensitive_actions:
+               # Check for MFA condition
+               has_mfa = statement.condition and "aws:MultiFactorAuthPresent" in str(statement.condition)
+
+               if not has_mfa:
+                   issues.append(
+                       PolicyValidationIssue(
+                           check_name="mfa_required",
+                           severity="high",
+                           message=f"Action '{action}' requires MFA",
+                           statement_index=statement.index,
+                           action=action,
+                           suggestion='Add: {"Bool": {"aws:MultiFactorAuthPresent": "true"}}'
+                       )
+                   )
+
+       return issues
    ```
 
-2. **Register the Check**
-   - Check is auto-discovered if in `checks/` directory
-   - Or register manually in configuration
+2. **Use the Check**
+   ```bash
+   iam-validator validate --path ./policies/ --custom-checks-dir ./my_checks
+   ```
 
 3. **Add Tests**
    ```python
    # tests/test_my_check.py
-   def test_my_custom_check():
+   def test_mfa_check():
        # Test your check
        pass
    ```
 
 4. **Document the Check**
-   - Add to `docs/reference/CHECKS.md`
-   - Add example to `examples/`
+   - Add to `docs/custom-checks.md`
+   - Add example to `examples/custom_checks/`
 
 ### Adding a New Formatter