iam-policy-validator 1.0.4__tar.gz → 1.6.0__tar.gz

{iam_policy_validator-1.0.4 → iam_policy_validator-1.6.0}/.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
     branches: [main, develop]
   workflow_dispatch:
 
+env:
+  DEFAULT_PYTHON_VERSION: "3.13"
+
 jobs:
   lint:
     name: Lint with Ruff
@@ -18,7 +21,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
-          python-version: "3.12"
+          python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
         uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
@@ -40,7 +43,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -72,7 +75,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
-          python-version: "3.12"
+          python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
         uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
@@ -96,7 +99,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
-          python-version: "3.12"
+          python-version: "${{ env.DEFAULT_PYTHON_VERSION }}"
 
       - name: Install uv
         uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
@@ -106,17 +109,12 @@ jobs:
       - name: Install dependencies
         run: uv sync
 
-      - name: Run validator on example policies
-        run: |
-          if [ -d "examples" ]; then
-            uv run iam-validator --path examples/ --format console --verbose || true
-          else
-            echo "No examples directory found, skipping integration test"
-          fi
-
       - name: Test CLI help
         run: uv run iam-validator --help
 
+      - name: Test CLI version
+        run: uv run iam-validator --version
+
   all-checks-pass:
     name: All Checks Pass
     runs-on: ubuntu-latest

{iam_policy_validator-1.0.4 → iam_policy_validator-1.6.0}/.github/workflows/release.yml

@@ -9,6 +9,9 @@ permissions:
   contents: write
   id-token: write
 
+env:
+  PYTHON_VERSION: "3.13"
+
 jobs:
   build-and-release:
     name: Build and Create Release
@@ -24,7 +27,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
         with:
-          python-version: "3.12"
+          python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@5dbc9fba7434435c4cd0268139340fa3696d98f3 # v7
@@ -32,7 +35,7 @@ jobs:
           enable-cache: true
 
       - name: Install dependencies
-        run: uv sync
+        run: uv sync --frozen
 
       - name: Build package
         run: uv build
@@ -84,9 +87,7 @@ jobs:
           !contains(steps.get_version.outputs.version, 'rc') &&
           !contains(steps.get_version.outputs.version, 'beta') &&
           !contains(steps.get_version.outputs.version, 'alpha')
-        run: uv publish
-        env:
-          UV_PUBLISH_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
+        run: uv publish --trusted-publishing always
 
       - name: Create Release Summary
         if: always()
@@ -138,33 +139,33 @@ jobs:
           \`\`\`
           EOF
 
-  update-action-versions:
-    name: Update Major/Minor Tag References
-    runs-on: ubuntu-latest
-    needs: build-and-release
+  # update-action-versions:
+  #   name: Update Major/Minor Tag References
+  #   runs-on: ubuntu-latest
+  #   needs: build-and-release
 
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
+  #     - name: Configure Git
+  #       run: |
+  #         git config user.name "github-actions[bot]"
+  #         git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Update major and minor version tags
-        run: |
-          VERSION=${GITHUB_REF#refs/tags/v}
-          MAJOR=$(echo $VERSION | cut -d. -f1)
-          MINOR=$(echo $VERSION | cut -d. -f1-2)
+  #     - name: Update major and minor version tags
+  #       run: |
+  #         VERSION=${GITHUB_REF#refs/tags/v}
+  #         MAJOR=$(echo $VERSION | cut -d. -f1)
+  #         MINOR=$(echo $VERSION | cut -d. -f1-2)
 
-          # Update vX tag (e.g., v1) - annotated (unsigned by bot)
-          git tag -fa "v$MAJOR" -m "Update v$MAJOR to $VERSION"
-          git push origin "v$MAJOR" --force
+  #         # Update vX tag (e.g., v1) - annotated (unsigned by bot)
+  #         git tag -fa "v$MAJOR" -m "Update v$MAJOR to $VERSION"
+  #         git push origin "v$MAJOR" --force
 
-          # Update vX.Y tag (e.g., v1.2) - annotated (unsigned by bot)
-          git tag -fa "v$MINOR" -m "Updated v$MINOR to $VERSION"
-          git push origin "v$MINOR" --force
+  #         # Update vX.Y tag (e.g., v1.2) - annotated (unsigned by bot)
+  #         git tag -fa "v$MINOR" -m "Updated v$MINOR to $VERSION"
+  #         git push origin "v$MINOR" --force
 
-          echo "✅ Updated tags: v$MAJOR and v$MINOR to point to $VERSION"
-          echo "ℹ️  Note: Automated tags are annotated but not signed by the bot."
+  #         echo "✅ Updated tags: v$MAJOR and v$MINOR to point to $VERSION"
+  #         echo "ℹ️  Note: Automated tags are annotated but not signed by the bot."

iam_policy_validator-1.6.0/.python-version

@@ -0,0 +1 @@
+3.12

{iam_policy_validator-1.0.4 → iam_policy_validator-1.6.0}/CONTRIBUTING.md

@@ -23,7 +23,7 @@ This project follows a code of conduct to ensure a welcoming environment for all
 
 ### Prerequisites
 
-- Python 3.11 or higher
+- Python 3.12 or higher
 - [uv](https://github.com/astral-sh/uv) package manager
 - Git
 - AWS account (optional, for testing AWS integrations)
@@ -33,8 +33,8 @@ This project follows a code of conduct to ensure a welcoming environment for all
 1. **Fork and Clone the Repository**
 
    ```bash
-   git clone https://github.com/YOUR-USERNAME/iam-policy-auditor.git
-   cd iam-policy-auditor
+   git clone https://github.com/boogy/iam-policy-validator.git
+   cd iam-policy-validator
    ```
 
 2. **Install uv (if not already installed)**
@@ -103,36 +103,46 @@ uv run mypy iam_validator
 ```
 iam-policy-auditor/
 ├── iam_validator/              # Main package
-│   ├── cli.py                  # CLI entry point
-│   ├── checks/                 # Built-in validation checks
+│   ├── checks/                 # Built-in validation checks (18 checks)
 │   ├── commands/               # CLI command implementations
 │   ├── core/                   # Core validation engine
+│   │   ├── cli.py              # CLI entry point
 │   │   ├── formatters/         # Output formatters
-│   │   └── data/               # Static data files
-│   └── integrations/           # External integrations
+│   │   ├── config/             # Configuration system (modular Python configs)
+│   │   ├── models.py           # Data models
+│   │   ├── policy_checks.py   # Policy validation orchestrator
+│   │   └── aws_fetcher.py     # AWS service definition fetcher
+│   ├── integrations/           # External integrations (Access Analyzer, PR comments)
+│   ├── sdk/                    # Python SDK for library usage
+│   └── utils/                  # Utility functions
 │
 ├── tests/                      # Test suite
-│   ├── test_policy_checks.py   # Core validation tests
-│   ├── test_aws_fetcher.py     # AWS integration tests
-│   ├── test_cache_and_optimizations.py  # Cache/optimization tests
-│   └── test_benchmarks.py      # Performance benchmarks
+│   ├── test_*.py               # Test files for each check/module
+│   └── conftest.py             # Pytest configuration and fixtures
 │
 ├── docs/                       # Documentation
-│   ├── getting-started/        # Quick start guides
-│   ├── guides/                 # User guides
-│   ├── reference/              # Reference documentation
-│   ├── advanced/               # Advanced topics
-│   └── development/            # Development docs
+│   ├── check-reference.md      # Complete reference for all 18 checks
+│   ├── CHECKS.md               # Deprecated - migration guide
+│   ├── SDK.md                  # Python SDK documentation
+│   ├── configuration.md        # Configuration guide
+│   ├── condition-requirements.md  # Action condition enforcement
+│   ├── privilege-escalation.md    # Privilege escalation detection
+│   ├── custom-checks.md        # Custom check development guide
+│   └── development/            # Development documentation
 │
-├── examples/                   # Example policies and configs
-│   ├── configs/                # Configuration examples
+├── examples/                   # Examples and sample files
+│   ├── configs/                # 9+ configuration examples
 │   ├── custom_checks/          # Custom check examples
-│   └── github-actions/         # GitHub Actions examples
+│   ├── library-usage/          # Python SDK examples
+│   ├── github-actions/         # GitHub Actions workflow examples
+│   └── iam-test-policies/      # Sample IAM policies for testing
 │
+├── scripts/                    # Development and utility scripts
+├── aws_services/               # Cached AWS service definitions
 ├── .github/workflows/          # CI/CD workflows
-├── pyproject.toml              # Project metadata and dependencies
+├── pyproject.toml              # Project metadata and dependencies (uv)
 ├── Makefile                    # Development commands
-└── iam-validator.yaml          # Default configuration
+└── CONTRIBUTING.md             # This file
 ```
 
 ## Development Workflow
@@ -293,11 +303,17 @@ This runs linting, type checking, and tests.
 
 ### Documentation Structure
 
-- **Getting Started**: Quick start guides for new users
-- **Guides**: In-depth tutorials and how-tos
-- **Reference**: API and configuration reference
-- **Advanced**: Advanced topics and patterns
-- **Development**: Contributor documentation
+- **README.md**: Project overview, quick start, and feature highlights
+- **DOCS.md**: Complete usage guide, CLI reference, and configuration
+- **docs/check-reference.md**: Complete validation checks reference with pass/fail examples
+- **docs/CHECKS.md**: (Deprecated) Migration guide to new check documentation
+- **docs/SDK.md**: Python library documentation and API reference
+- **docs/**: Additional guides and advanced topics
+  - **configuration.md**: Configuration guide
+  - **condition-requirements.md**: Action condition enforcement
+  - **privilege-escalation.md**: Privilege escalation detection
+  - **custom-checks.md**: Custom check development
+  - **development/**: Contributor documentation
 
 ### Building Documentation
 
@@ -371,6 +387,7 @@ Releases are managed by project maintainers. The process includes:
 1. **Version Bump**
    ```bash
    # Update version in pyproject.toml
+   # Update version in __version__.py
    # Update CHANGELOG.md
    ```
 
@@ -400,49 +417,59 @@ For detailed publishing instructions, see [docs/development/PUBLISHING.md](docs/
 
 ### Creating a New Check
 
-1. **Create Check Class**
+See the comprehensive [Custom Checks Guide](docs/custom-checks.md) for detailed instructions on creating custom validation checks.
+
+**Quick Example:**
+
+1. **Create Check File**
    ```python
-   # iam_validator/checks/my_check.py
+   # my_checks/mfa_check.py
    from typing import List
-   from iam_validator.core.models import PolicyCheck, Statement, ValidationIssue
-
-   class MyCustomCheck(PolicyCheck):
-       @property
-       def check_id(self) -> str:
-           return "my_custom_check"
-
-       @property
-       def description(self) -> str:
-           return "Description of what this check does"
-
-       async def execute(
-           self,
-           statement: Statement,
-           statement_idx: int,
-           fetcher,
-           config
-       ) -> List[ValidationIssue]:
-           # Implement your check logic
-           issues = []
-           # ... check logic ...
-           return issues
+   from iam_validator.core.models import PolicyValidationIssue, PolicyStatement
+
+   def execute(statement: PolicyStatement, policy_document: dict) -> List[PolicyValidationIssue]:
+       """Ensure sensitive actions require MFA."""
+       issues = []
+
+       sensitive_actions = ["iam:CreateUser", "iam:DeleteUser"]
+       actions = statement.action if isinstance(statement.action, list) else [statement.action]
+
+       for action in actions:
+           if action in sensitive_actions:
+               # Check for MFA condition
+               has_mfa = statement.condition and "aws:MultiFactorAuthPresent" in str(statement.condition)
+
+               if not has_mfa:
+                   issues.append(
+                       PolicyValidationIssue(
+                           check_name="mfa_required",
+                           severity="high",
+                           message=f"Action '{action}' requires MFA",
+                           statement_index=statement.index,
+                           action=action,
+                           suggestion='Add: {"Bool": {"aws:MultiFactorAuthPresent": "true"}}'
+                       )
+                   )
+
+       return issues
    ```
 
-2. **Register the Check**
-   - Check is auto-discovered if in `checks/` directory
-   - Or register manually in configuration
+2. **Use the Check**
+   ```bash
+   iam-validator validate --path ./policies/ --custom-checks-dir ./my_checks
+   ```
 
 3. **Add Tests**
    ```python
    # tests/test_my_check.py
-   def test_my_custom_check():
+   def test_mfa_check():
        # Test your check
        pass
    ```
 
 4. **Document the Check**
-   - Add to `docs/reference/CHECKS.md`
-   - Add example to `examples/`
+   - Add to `docs/custom-checks.md`
+   - Add example to `examples/custom_checks/`
 
 ### Adding a New Formatter
 
@@ -464,9 +491,16 @@ For detailed publishing instructions, see [docs/development/PUBLISHING.md](docs/
 
 ## Getting Help
 
-- **Documentation**: Check [docs/](docs/)
-- **Issues**: Search [existing issues](https://github.com/Boogy/iam-policy-auditor/issues)
-- **Discussions**: Start a [discussion](https://github.com/Boogy/iam-policy-auditor/discussions)
+### Documentation Resources
+- **[Complete Usage Guide](../DOCS.md)** - CLI, GitHub Actions, configuration
+- **[Validation Checks](docs/check-reference.md)** - All 18 checks with examples
+- **[Python SDK](docs/SDK.md)** - Library usage and API reference
+- **[Additional Docs](docs/)** - Guides and advanced topics
+
+### Support Channels
+- **Issues**: Search [existing issues](https://github.com/boogy/iam-policy-validator/issues)
+- **Discussions**: Start a [discussion](https://github.com/boogy/iam-policy-validator/discussions)
+- **Examples**: Check [examples/](examples/) directory for code samples
 
 ## Recognition