PyPI - iam-policy-validator - Versions diffs - 1.0.4__py3-none-any.whl → 1.1.1__py3-none-any.whl - Mend

iam-policy-validator 1.0.4py3-none-any.whl → 1.1.1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of iam-policy-validator might be problematic. Click here for more details.

Files changed (34) hide show

{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.1.dist-info}/METADATA +88 -10
iam_policy_validator-1.1.1.dist-info/RECORD +53 -0
iam_validator/__version__.py +1 -1
iam_validator/checks/__init__.py +2 -0
iam_validator/checks/action_condition_enforcement.py +112 -28
iam_validator/checks/action_resource_constraint.py +151 -0
iam_validator/checks/action_validation.py +18 -138
iam_validator/checks/security_best_practices.py +241 -400
iam_validator/checks/utils/__init__.py +1 -0
iam_validator/checks/utils/policy_level_checks.py +143 -0
iam_validator/checks/utils/sensitive_action_matcher.py +252 -0
iam_validator/checks/utils/wildcard_expansion.py +89 -0
iam_validator/commands/__init__.py +3 -1
iam_validator/commands/cache.py +402 -0
iam_validator/commands/validate.py +7 -5
iam_validator/core/access_analyzer_report.py +2 -1
iam_validator/core/aws_fetcher.py +79 -19
iam_validator/core/check_registry.py +3 -0
iam_validator/core/cli.py +1 -1
iam_validator/core/config_loader.py +40 -3
iam_validator/core/defaults.py +334 -0
iam_validator/core/formatters/__init__.py +2 -0
iam_validator/core/formatters/console.py +44 -7
iam_validator/core/formatters/csv.py +7 -2
iam_validator/core/formatters/enhanced.py +433 -0
iam_validator/core/formatters/html.py +127 -37
iam_validator/core/formatters/markdown.py +10 -2
iam_validator/core/models.py +30 -6
iam_validator/core/policy_checks.py +21 -2
iam_validator/core/report.py +112 -26
iam_policy_validator-1.0.4.dist-info/RECORD +0 -45
{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.1.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.1.dist-info}/entry_points.txt +0 -0
{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.1.dist-info}/licenses/LICENSE +0 -0

iam_validator/checks/security_best_practices.py CHANGED Viewed

@@ -1,10 +1,16 @@
 """Security best practices check - validates security anti-patterns."""
-import re
-from functools import lru_cache
-from re import Pattern
 from typing import TYPE_CHECKING
+from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
+from iam_validator.checks.utils.sensitive_action_matcher import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    check_sensitive_actions,
+)
+from iam_validator.checks.utils.wildcard_expansion import (
+    compile_wildcard_pattern,
+    expand_wildcard_actions,
+)
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
@@ -13,49 +19,9 @@ if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
-# Global regex pattern cache for performance
-@lru_cache(maxsize=256)
-def _compile_pattern(pattern: str) -> Pattern[str] | None:
-    """Compile and cache regex patterns.
-    Args:
-        pattern: Regex pattern string
-    Returns:
-        Compiled pattern or None if invalid
-    """
-    try:
-        return re.compile(pattern)
-    except re.error:
-        return None
 class SecurityBestPracticesCheck(PolicyCheck):
     """Checks for common security anti-patterns and best practices violations."""
-    # Default set of sensitive actions that should have conditions
-    # Using frozenset for O(1) lookups and immutability
-    DEFAULT_SENSITIVE_ACTIONS = frozenset(
-        {
-            "iam:CreateUser",
-            "iam:CreateRole",
-            "iam:PutUserPolicy",
-            "iam:PutRolePolicy",
-            "iam:AttachUserPolicy",
-            "iam:AttachRolePolicy",
-            "iam:CreateAccessKey",
-            "iam:DeleteUser",
-            "iam:DeleteRole",
-            "s3:DeleteBucket",
-            "s3:PutBucketPolicy",
-            "s3:DeleteBucketPolicy",
-            "ec2:TerminateInstances",
-            "ec2:DeleteVolume",
-            "rds:DeleteDBInstance",
-            "lambda:DeleteFunction",
-        }
-    )
     @property
     def check_id(self) -> str:
         return "security_best_practices"
@@ -91,14 +57,27 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "wildcard_action_check"):
             if "*" in actions:
                 severity = self._get_sub_check_severity(config, "wildcard_action_check", "warning")
+                sub_check_config = config.config.get("wildcard_action_check", {})
+                message = sub_check_config.get("message", "Statement allows all actions (*)")
+                suggestion_text = sub_check_config.get(
+                    "suggestion", "Consider limiting to specific actions needed"
+                )
+                example = sub_check_config.get("example", "")
+                # Combine suggestion + example like action_condition_enforcement does
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="overly_permissive",
-                        message="Statement allows all actions (*)",
-                        suggestion="Consider limiting to specific actions needed",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -106,33 +85,69 @@ class SecurityBestPracticesCheck(PolicyCheck):
         # Check 2: Wildcard resource check
         if self._is_sub_check_enabled(config, "wildcard_resource_check"):
             if "*" in resources:
-                severity = self._get_sub_check_severity(
-                    config, "wildcard_resource_check", "warning"
-                )
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="overly_permissive",
-                        message="Statement applies to all resources (*)",
-                        suggestion="Consider limiting to specific resources",
-                        line_number=line_number,
+                # Check if all actions are in the allowed_wildcards list
+                # This allows Resource: "*" when only safe read-only wildcard actions are used
+                allowed_wildcards = self._get_allowed_wildcards_for_resources(config)
+                # Check if ALL actions (excluding full wildcard "*") match allowed patterns
+                non_wildcard_actions = [a for a in actions if a != "*"]
+                if allowed_wildcards and non_wildcard_actions:
+                    # Check if all actions are allowed wildcards
+                    all_actions_allowed = all(
+                        self._is_action_allowed_wildcard(action, allowed_wildcards)
+                        for action in non_wildcard_actions
+                    )
+                    # If all actions are in the allowed list, skip the wildcard resource warning
+                    if all_actions_allowed:
+                        # All actions are safe wildcards, Resource: "*" is acceptable
+                        pass
+                    else:
+                        # Some actions are not in allowed list, flag the issue
+                        self._add_wildcard_resource_issue(
+                            issues,
+                            config,
+                            statement_sid,
+                            statement_idx,
+                            line_number,
+                        )
+                else:
+                    # No allowed_wildcards configured OR only has "*" action
+                    # Always flag wildcard resources in these cases
+                    self._add_wildcard_resource_issue(
+                        issues, config, statement_sid, statement_idx, line_number
                     )
-                )
         # Check 3: Critical - both wildcards together
         if self._is_sub_check_enabled(config, "full_wildcard_check"):
             if "*" in actions and "*" in resources:
                 severity = self._get_sub_check_severity(config, "full_wildcard_check", "error")
+                sub_check_config = config.config.get("full_wildcard_check", {})
+                message = sub_check_config.get(
+                    "message",
+                    "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+                )
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "This grants full administrative access. Restrict to specific actions and resources.",
+                )
+                example = sub_check_config.get("example", "")
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="security_risk",
-                        message="Statement allows all actions on all resources - CRITICAL SECURITY RISK",
-                        suggestion="This grants full administrative access. Restrict to specific actions and resources.",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -155,15 +170,43 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         severity = self._get_sub_check_severity(
                             config, "service_wildcard_check", "warning"
                         )
+                        sub_check_config = config.config.get("service_wildcard_check", {})
+                        # Get message template and replace placeholders
+                        message_template = sub_check_config.get(
+                            "message",
+                            "Service-level wildcard '{action}' grants all permissions for {service} service",
+                        )
+                        suggestion_template = sub_check_config.get(
+                            "suggestion",
+                            "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                        )
+                        example_template = sub_check_config.get("example", "")
+                        message = message_template.format(action=action, service=service)
+                        suggestion_text = suggestion_template.format(action=action, service=service)
+                        example = (
+                            example_template.format(action=action, service=service)
+                            if example_template
+                            else ""
+                        )
+                        # Combine suggestion + example
+                        suggestion = (
+                            f"{suggestion_text}\nExample:\n{example}"
+                            if example
+                            else suggestion_text
+                        )
                         issues.append(
                             ValidationIssue(
                                 severity=severity,
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="overly_permissive",
-                                message=f"Service-level wildcard '{action}' grants all permissions for {service} service",
+                                message=message,
                                 action=action,
-                                suggestion=f"Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                                suggestion=suggestion,
                                 line_number=line_number,
                             )
                         )
@@ -172,18 +215,43 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "sensitive_action_check"):
             has_conditions = statement.condition is not None and len(statement.condition) > 0
+            # Expand wildcards to actual actions using AWS API
+            expanded_actions = await expand_wildcard_actions(actions, fetcher)
             # Check if sensitive actions match using any_of/all_of logic
-            is_sensitive, matched_actions = self._check_sensitive_actions(actions, config)
+            is_sensitive, matched_actions = check_sensitive_actions(
+                expanded_actions, config, DEFAULT_SENSITIVE_ACTIONS
+            )
             if is_sensitive and not has_conditions:
                 severity = self._get_sub_check_severity(config, "sensitive_action_check", "warning")
+                sub_check_config = config.config.get("sensitive_action_check", {})
-                # Create appropriate message based on matched actions
+                # Create appropriate message based on matched actions using configurable templates
                 if len(matched_actions) == 1:
-                    message = f"Sensitive action '{matched_actions[0]}' should have conditions to limit when it can be used"
+                    message_template = sub_check_config.get(
+                        "message_single",
+                        "Sensitive action '{action}' should have conditions to limit when it can be used",
+                    )
+                    message = message_template.format(action=matched_actions[0])
                 else:
                     action_list = "', '".join(matched_actions)
-                    message = f"Sensitive actions '{action_list}' should have conditions to limit when they can be used"
+                    message_template = sub_check_config.get(
+                        "message_multiple",
+                        "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                    )
+                    message = message_template.format(actions=action_list)
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                )
+                example = sub_check_config.get("example", "")
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
                 issues.append(
                     ValidationIssue(
@@ -193,7 +261,7 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         issue_type="missing_condition",
                         message=message,
                         action=(matched_actions[0] if len(matched_actions) == 1 else None),
-                        suggestion="Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -262,164 +330,32 @@ class SecurityBestPracticesCheck(PolicyCheck):
         # Check sensitive_actions configuration
         if sensitive_actions_config:
             policy_issues.extend(
-                self._check_policy_level_actions(
+                check_policy_level_actions(
                     list(all_actions),
                     statement_map,
                     sensitive_actions_config,
                     config,
                     "actions",
+                    self._get_sub_check_severity,
                 )
             )
         # Check sensitive_action_patterns configuration
         if sensitive_patterns_config:
             policy_issues.extend(
-                self._check_policy_level_actions(
+                check_policy_level_actions(
                     list(all_actions),
                     statement_map,
                     sensitive_patterns_config,
                     config,
                     "patterns",
+                    self._get_sub_check_severity,
                 )
             )
         issues.extend(policy_issues)
         return issues
-    def _check_policy_level_actions(
-        self,
-        all_actions: list[str],
-        statement_map: dict[str, list[tuple[int, str | None]]],
-        config,
-        check_config: CheckConfig,
-        check_type: str,
-    ) -> list[ValidationIssue]:
-        """
-        Check for policy-level privilege escalation patterns.
-        Args:
-            all_actions: All actions across the entire policy
-            statement_map: Mapping of action -> [(statement_idx, sid), ...]
-            config: The sensitive_actions or sensitive_action_patterns configuration
-            check_config: Full check configuration
-            check_type: Either "actions" (exact match) or "patterns" (regex match)
-        Returns:
-            List of ValidationIssue objects
-        """
-        import re
-        issues = []
-        if not config:
-            return issues
-        # Handle list of items (could be simple strings or dicts with all_of/any_of)
-        if isinstance(config, list):
-            for item in config:
-                if isinstance(item, dict) and "all_of" in item:
-                    # This is a privilege escalation pattern - all actions must be present
-                    required_actions = item["all_of"]
-                    matched_actions = []
-                    if check_type == "actions":
-                        # Exact matching
-                        matched_actions = [a for a in all_actions if a in required_actions]
-                    else:
-                        # Pattern matching - for each pattern, find actions that match
-                        for pattern in required_actions:
-                            for action in all_actions:
-                                try:
-                                    if re.match(pattern, action):
-                                        matched_actions.append(action)
-                                        break  # Found at least one match for this pattern
-                                except re.error:
-                                    continue
-                    # Check if ALL required actions/patterns are present
-                    if len(matched_actions) >= len(required_actions):
-                        # Privilege escalation detected!
-                        severity = self._get_sub_check_severity(
-                            check_config, "sensitive_action_check", "error"
-                        )
-                        # Collect which statements these actions appear in
-                        statement_refs = []
-                        for action in matched_actions:
-                            if action in statement_map:
-                                for stmt_idx, sid in statement_map[action]:
-                                    sid_str = f"'{sid}'" if sid else f"#{stmt_idx}"
-                                    statement_refs.append(f"Statement {sid_str}: {action}")
-                        action_list = "', '".join(matched_actions)
-                        stmt_details = "\n  - ".join(statement_refs)
-                        issues.append(
-                            ValidationIssue(
-                                severity=severity,
-                                statement_sid=None,  # Policy-level issue
-                                statement_index=-1,  # -1 indicates policy-level issue
-                                issue_type="privilege_escalation",
-                                message=f"Policy-level privilege escalation detected: grants all of ['{action_list}'] across multiple statements",
-                                suggestion=f"These actions combined allow privilege escalation. Consider:\n"
-                                f"  1. Splitting into separate policies for different users/roles\n"
-                                f"  2. Adding strict conditions to limit when these actions can be used together\n"
-                                f"  3. Reviewing if all these permissions are truly necessary\n\n"
-                                f"Actions found in:\n  - {stmt_details}",
-                                line_number=None,
-                            )
-                        )
-        # Handle dict with all_of at the top level
-        elif isinstance(config, dict) and "all_of" in config:
-            required_actions = config["all_of"]
-            matched_actions = []
-            if check_type == "actions":
-                matched_actions = [a for a in all_actions if a in required_actions]
-            else:
-                for pattern in required_actions:
-                    for action in all_actions:
-                        try:
-                            if re.match(pattern, action):
-                                matched_actions.append(action)
-                                break
-                        except re.error:
-                            continue
-            if len(matched_actions) >= len(required_actions):
-                severity = self._get_sub_check_severity(
-                    check_config, "sensitive_action_check", "error"
-                )
-                statement_refs = []
-                for action in matched_actions:
-                    if action in statement_map:
-                        for stmt_idx, sid in statement_map[action]:
-                            sid_str = f"'{sid}'" if sid else f"#{stmt_idx}"
-                            statement_refs.append(f"Statement {sid_str}: {action}")
-                action_list = "', '".join(matched_actions)
-                stmt_details = "\n  - ".join(statement_refs)
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=None,
-                        statement_index=-1,  # -1 indicates policy-level issue
-                        issue_type="privilege_escalation",
-                        message=f"Policy-level privilege escalation detected: grants all of ['{action_list}'] across multiple statements",
-                        suggestion=f"These actions combined allow privilege escalation. Consider:\n"
-                        f"  1. Splitting into separate policies for different users/roles\n"
-                        f"  2. Adding strict conditions to limit when these actions can be used together\n"
-                        f"  3. Reviewing if all these permissions are truly necessary\n\n"
-                        f"Actions found in:\n  - {stmt_details}",
-                        line_number=None,
-                    )
-                )
-        return issues
     def _is_sub_check_enabled(self, config: CheckConfig, sub_check_name: str) -> bool:
         """Check if a sub-check is enabled in the configuration."""
         if sub_check_name not in config.config:
@@ -442,6 +378,50 @@ class SecurityBestPracticesCheck(PolicyCheck):
             return sub_check_config.get("severity", default)
         return default
+    def _add_wildcard_resource_issue(
+        self,
+        issues: list[ValidationIssue],
+        config: CheckConfig,
+        statement_sid: str | None,
+        statement_idx: int,
+        line_number: int | None,
+    ) -> None:
+        """Add a wildcard resource issue to the issues list.
+        This is a helper method to avoid code duplication when adding
+        wildcard resource warnings.
+        Args:
+            issues: List to append the issue to
+            config: Check configuration
+            statement_sid: Statement ID
+            statement_idx: Statement index
+            line_number: Line number in the policy file
+        """
+        severity = self._get_sub_check_severity(config, "wildcard_resource_check", "warning")
+        sub_check_config = config.config.get("wildcard_resource_check", {})
+        message = sub_check_config.get("message", "Statement applies to all resources (*)")
+        suggestion_text = sub_check_config.get(
+            "suggestion", "Consider limiting to specific resources"
+        )
+        example = sub_check_config.get("example", "")
+        # Combine suggestion + example
+        suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+        issues.append(
+            ValidationIssue(
+                severity=severity,
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="overly_permissive",
+                message=message,
+                suggestion=suggestion,
+                line_number=line_number,
+            )
+        )
     def _get_allowed_service_wildcards(self, config: CheckConfig) -> set[str]:
         """
         Get list of services that are allowed to use service-level wildcards.
@@ -463,212 +443,73 @@ class SecurityBestPracticesCheck(PolicyCheck):
         return set()
-    def _check_sensitive_actions(
-        self, actions: list[str], config: CheckConfig
-    ) -> tuple[bool, list[str]]:
-        """
-        Check if actions match sensitive action criteria with any_of/all_of support.
-        Returns:
-            tuple[bool, list[str]]: (is_sensitive, matched_actions)
-                - is_sensitive: True if the actions match the sensitive criteria
-                - matched_actions: List of actions that matched the criteria
-        """
-        # Filter out wildcards
-        filtered_actions = [a for a in actions if a != "*"]
-        if not filtered_actions:
-            return False, []
-        # Get configuration for both sensitive_actions and sensitive_action_patterns
-        sub_check_config = config.config.get("sensitive_action_check", {})
-        if not isinstance(sub_check_config, dict):
-            return False, []
-        sensitive_actions_config = sub_check_config.get("sensitive_actions")
-        sensitive_patterns_config = sub_check_config.get("sensitive_action_patterns")
-        # Check sensitive_actions (exact matches)
-        actions_match, actions_matched = self._check_actions_config(
-            filtered_actions, sensitive_actions_config
-        )
+    def _is_action_allowed_wildcard(
+        self, action: str, allowed_wildcards: frozenset[str] | list[str] | set[str]
+    ) -> bool:
+        """Check if an action matches the allowed_wildcards list.
-        # Check sensitive_action_patterns (regex patterns)
-        patterns_match, patterns_matched = self._check_patterns_config(
-            filtered_actions, sensitive_patterns_config
-        )
+        This method checks if a given action is in the allowed_wildcards configuration
+        from action_validation_check. This is used to determine if wildcard resources
+        are acceptable when only safe wildcard actions are used.
-        # Combine results - if either matched, we consider it sensitive
-        is_sensitive = actions_match or patterns_match
-        # Use set operations for efficient deduplication
-        matched_set = set(actions_matched) | set(patterns_matched)
-        matched_actions = list(matched_set)
+        Args:
+            action: The action to check (e.g., "s3:List*", "ec2:DescribeInstances")
+            allowed_wildcards: Set or list of allowed wildcard patterns
-        return is_sensitive, matched_actions
+        Returns:
+            True if the action matches any pattern in the allowlist
-    def _check_actions_config(self, actions: list[str], config) -> tuple[bool, list[str]]:
+        Note:
+            Exact matches use O(1) set lookup for performance.
+            Pattern matches (wildcards in allowlist) require O(n) iteration.
         """
-        Check actions against sensitive_actions configuration.
-        Supports:
-        - Simple list: ["action1", "action2"] (backward compatible, any_of logic)
-        - any_of: {"any_of": ["action1", "action2"]}
-        - all_of: {"all_of": ["action1", "action2"]}
-        - Multiple groups: [{"all_of": [...]}, {"all_of": [...]}, "action3"]
+        # Fast O(1) exact match using set membership
+        if action in allowed_wildcards:
+            return True
+        # Pattern match - check if action matches any pattern in allowlist
+        # This is needed when allowlist contains wildcards like "s3:*"
+        # Uses cached compiled patterns for 20-30x speedup
+        for pattern in allowed_wildcards:
+            # Skip exact matches (already checked above)
+            if "*" not in pattern:
+                continue
-        Returns:
-            tuple[bool, list[str]]: (matches, matched_actions)
-        """
-        if not config:
-            # If no config, fall back to defaults with any_of logic
-            # DEFAULT_SENSITIVE_ACTIONS is already a frozenset for O(1) lookups
-            matched = [a for a in actions if a in self.DEFAULT_SENSITIVE_ACTIONS]
-            return len(matched) > 0, matched
-        # Handle simple list with potential mixed items
-        if isinstance(config, list):
-            # Use set for O(1) membership checks
-            all_matched = set()
-            actions_set = set(actions)  # Convert once for O(1) lookups
-            for item in config:
-                # Each item can be a string, or a dict with any_of/all_of
-                if isinstance(item, str):
-                    # Simple string - check if action matches (O(1) lookup)
-                    if item in actions_set:
-                        all_matched.add(item)
-                elif isinstance(item, dict):
-                    # Recurse for dict items
-                    matches, matched = self._check_actions_config(actions, item)
-                    if matches:
-                        all_matched.update(matched)
-            return len(all_matched) > 0, list(all_matched)
-        # Handle dict with any_of/all_of
-        if isinstance(config, dict):
-            # any_of: at least one action must match
-            if "any_of" in config:
-                # Convert once for O(1) intersection
-                any_of_set = set(config["any_of"])
-                actions_set = set(actions)
-                matched = list(any_of_set & actions_set)
-                return len(matched) > 0, matched
-            # all_of: all specified actions must be present in the statement
-            if "all_of" in config:
-                all_of_set = set(config["all_of"])
-                actions_set = set(actions)
-                matched = list(all_of_set & actions_set)
-                # All required actions must be present
-                return all_of_set.issubset(actions_set), matched
-        return False, []
-    def _check_patterns_config(self, actions: list[str], config) -> tuple[bool, list[str]]:
-        """
-        Check actions against sensitive_action_patterns configuration.
+            # Use cached compiled pattern
+            compiled = compile_wildcard_pattern(pattern)
+            if compiled.match(action):
+                return True
-        Supports:
-        - Simple list: ["^pattern1.*", "^pattern2.*"] (backward compatible, any_of logic)
-        - any_of: {"any_of": ["^pattern1.*", "^pattern2.*"]}
-        - all_of: {"all_of": ["^pattern1.*", "^pattern2.*"]}
-        - Multiple groups: [{"all_of": [...]}, {"any_of": [...]}, "^pattern.*"]
+        return False
-        Returns:
-            tuple[bool, list[str]]: (matches, matched_actions)
+    def _get_allowed_wildcards_for_resources(self, config: CheckConfig) -> frozenset[str]:
+        """Get allowed_wildcards for resource check configuration.
-        Performance:
-            Uses cached compiled regex patterns for 10-50x speedup
-        """
-        if not config:
-            return False, []
-        # Handle simple list with potential mixed items
-        if isinstance(config, list):
-            # Use set for O(1) membership checks instead of list
-            all_matched = set()
-            for item in config:
-                # Each item can be a string pattern, or a dict with any_of/all_of
-                if isinstance(item, str):
-                    # Simple string pattern - check if any action matches
-                    # Use cached compiled pattern
-                    compiled = _compile_pattern(item)
-                    if compiled:
-                        for action in actions:
-                            if compiled.match(action):
-                                all_matched.add(action)
-                elif isinstance(item, dict):
-                    # Recurse for dict items
-                    matches, matched = self._check_patterns_config(actions, item)
-                    if matches:
-                        all_matched.update(matched)
-            return len(all_matched) > 0, list(all_matched)
-        # Handle dict with any_of/all_of
-        if isinstance(config, dict):
-            # any_of: at least one action must match at least one pattern
-            if "any_of" in config:
-                matched = set()
-                # Pre-compile all patterns
-                compiled_patterns = [_compile_pattern(p) for p in config["any_of"]]
-                for action in actions:
-                    for compiled in compiled_patterns:
-                        if compiled and compiled.match(action):
-                            matched.add(action)
-                            break
-                return len(matched) > 0, list(matched)
-            # all_of: at least one action must match ALL patterns
-            if "all_of" in config:
-                # Pre-compile all patterns
-                compiled_patterns = [_compile_pattern(p) for p in config["all_of"]]
-                # Filter out invalid patterns
-                compiled_patterns = [p for p in compiled_patterns if p]
-                if not compiled_patterns:
-                    return False, []
-                matched = set()
-                for action in actions:
-                    # Check if this action matches ALL patterns
-                    if all(compiled.match(action) for compiled in compiled_patterns):
-                        matched.add(action)
-                return len(matched) > 0, list(matched)
-        return False, []
-    def _matches_sensitive_pattern(self, action: str, config: CheckConfig) -> bool:
-        """
-        DEPRECATED: Use _check_sensitive_actions instead.
+        This checks for explicit allowed_wildcards configuration in wildcard_resource_check.
+        If not configured, it falls back to the parent security_best_practices_check's allowed_wildcards.
-        Check if action matches any sensitive action pattern (supports regex).
+        Args:
+            config: The check configuration
-        This allows configuration like:
-          sensitive_action_patterns:
-            - "^iam:.*"          # All IAM actions
-            - ".*:Delete.*"      # Any delete action
-            - "s3:PutBucket.*"   # S3 bucket modification actions
+        Returns:
+            A frozenset of allowed wildcard patterns
         """
-        import re
-        sub_check_config = config.config.get("sensitive_action_check", {})
-        if not isinstance(sub_check_config, dict):
-            return False
-        patterns = sub_check_config.get("sensitive_action_patterns", [])
-        if not patterns:
-            return False
-        for pattern in patterns:
-            try:
-                if re.match(pattern, action):
-                    return True
-            except re.error:
-                # Invalid regex pattern, skip it
-                continue
-        return False
+        sub_check_config = config.config.get("wildcard_resource_check", {})
+        if isinstance(sub_check_config, dict) and "allowed_wildcards" in sub_check_config:
+            # Explicitly configured in wildcard_resource_check (override)
+            allowed_wildcards = sub_check_config.get("allowed_wildcards", [])
+            if isinstance(allowed_wildcards, list):
+                return frozenset(allowed_wildcards)
+            elif isinstance(allowed_wildcards, set | frozenset):
+                return frozenset(allowed_wildcards)
+            return frozenset()
+        # Fall back to parent security_best_practices_check's allowed_wildcards
+        parent_allowed_wildcards = config.config.get("allowed_wildcards", [])
+        if isinstance(parent_allowed_wildcards, list):
+            return frozenset(parent_allowed_wildcards)
+        elif isinstance(parent_allowed_wildcards, set | frozenset):
+            return frozenset(parent_allowed_wildcards)
+        # No configuration found, return empty set (flag all Resource: "*")
+        return frozenset()

iam-policy-validator 1.0.4__py3-none-any.whl → 1.1.1__py3-none-any.whl

Potentially problematic release.

iam-policy-validator 1.0.4py3-none-any.whl → 1.1.1py3-none-any.whl