iam-policy-validator 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl

iam_validator/checks/security_best_practices.py

@@ -1,10 +1,16 @@
 """Security best practices check - validates security anti-patterns."""
 
-import re
-from functools import lru_cache
-from re import Pattern
 from typing import TYPE_CHECKING
 
+from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
+from iam_validator.checks.utils.sensitive_action_matcher import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    check_sensitive_actions,
+)
+from iam_validator.checks.utils.wildcard_expansion import (
+    compile_wildcard_pattern,
+    expand_wildcard_actions,
+)
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
@@ -13,49 +19,9 @@ if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
 
 
-# Global regex pattern cache for performance
-@lru_cache(maxsize=256)
-def _compile_pattern(pattern: str) -> Pattern[str] | None:
-    """Compile and cache regex patterns.
-
-    Args:
-        pattern: Regex pattern string
-
-    Returns:
-        Compiled pattern or None if invalid
-    """
-    try:
-        return re.compile(pattern)
-    except re.error:
-        return None
-
-
 class SecurityBestPracticesCheck(PolicyCheck):
     """Checks for common security anti-patterns and best practices violations."""
 
-    # Default set of sensitive actions that should have conditions
-    # Using frozenset for O(1) lookups and immutability
-    DEFAULT_SENSITIVE_ACTIONS = frozenset(
-        {
-            "iam:CreateUser",
-            "iam:CreateRole",
-            "iam:PutUserPolicy",
-            "iam:PutRolePolicy",
-            "iam:AttachUserPolicy",
-            "iam:AttachRolePolicy",
-            "iam:CreateAccessKey",
-            "iam:DeleteUser",
-            "iam:DeleteRole",
-            "s3:DeleteBucket",
-            "s3:PutBucketPolicy",
-            "s3:DeleteBucketPolicy",
-            "ec2:TerminateInstances",
-            "ec2:DeleteVolume",
-            "rds:DeleteDBInstance",
-            "lambda:DeleteFunction",
-        }
-    )
-
     @property
     def check_id(self) -> str:
         return "security_best_practices"
@@ -119,33 +85,39 @@ class SecurityBestPracticesCheck(PolicyCheck):
         # Check 2: Wildcard resource check
         if self._is_sub_check_enabled(config, "wildcard_resource_check"):
             if "*" in resources:
-                severity = self._get_sub_check_severity(
-                    config, "wildcard_resource_check", "warning"
-                )
-                sub_check_config = config.config.get("wildcard_resource_check", {})
-
-                message = sub_check_config.get("message", "Statement applies to all resources (*)")
-                suggestion_text = sub_check_config.get(
-                    "suggestion", "Consider limiting to specific resources"
-                )
-                example = sub_check_config.get("example", "")
-
-                # Combine suggestion + example
-                suggestion = (
-                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
-                )
+                # Check if all actions are in the allowed_wildcards list
+                # This allows Resource: "*" when only safe read-only wildcard actions are used
+                allowed_wildcards = self._get_allowed_wildcards_for_resources(config)
+
+                # Check if ALL actions (excluding full wildcard "*") match allowed patterns
+                non_wildcard_actions = [a for a in actions if a != "*"]
+
+                if allowed_wildcards and non_wildcard_actions:
+                    # Check if all actions are allowed wildcards
+                    all_actions_allowed = all(
+                        self._is_action_allowed_wildcard(action, allowed_wildcards)
+                        for action in non_wildcard_actions
+                    )
 
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="overly_permissive",
-                        message=message,
-                        suggestion=suggestion,
-                        line_number=line_number,
+                    # If all actions are in the allowed list, skip the wildcard resource warning
+                    if all_actions_allowed:
+                        # All actions are safe wildcards, Resource: "*" is acceptable
+                        pass
+                    else:
+                        # Some actions are not in allowed list, flag the issue
+                        self._add_wildcard_resource_issue(
+                            issues,
+                            config,
+                            statement_sid,
+                            statement_idx,
+                            line_number,
+                        )
+                else:
+                    # No allowed_wildcards configured OR only has "*" action
+                    # Always flag wildcard resources in these cases
+                    self._add_wildcard_resource_issue(
+                        issues, config, statement_sid, statement_idx, line_number
                     )
-                )
 
         # Check 3: Critical - both wildcards together
         if self._is_sub_check_enabled(config, "full_wildcard_check"):
@@ -243,8 +215,13 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "sensitive_action_check"):
             has_conditions = statement.condition is not None and len(statement.condition) > 0
 
+            # Expand wildcards to actual actions using AWS API
+            expanded_actions = await expand_wildcard_actions(actions, fetcher)
+
             # Check if sensitive actions match using any_of/all_of logic
-            is_sensitive, matched_actions = self._check_sensitive_actions(actions, config)
+            is_sensitive, matched_actions = check_sensitive_actions(
+                expanded_actions, config, DEFAULT_SENSITIVE_ACTIONS
+            )
 
             if is_sensitive and not has_conditions:
                 severity = self._get_sub_check_severity(config, "sensitive_action_check", "warning")
@@ -353,164 +330,32 @@ class SecurityBestPracticesCheck(PolicyCheck):
         # Check sensitive_actions configuration
         if sensitive_actions_config:
             policy_issues.extend(
-                self._check_policy_level_actions(
+                check_policy_level_actions(
                     list(all_actions),
                     statement_map,
                     sensitive_actions_config,
                     config,
                     "actions",
+                    self._get_sub_check_severity,
                 )
             )
 
         # Check sensitive_action_patterns configuration
         if sensitive_patterns_config:
             policy_issues.extend(
-                self._check_policy_level_actions(
+                check_policy_level_actions(
                     list(all_actions),
                     statement_map,
                     sensitive_patterns_config,
                     config,
                     "patterns",
+                    self._get_sub_check_severity,
                 )
             )
 
         issues.extend(policy_issues)
         return issues
 
-    def _check_policy_level_actions(
-        self,
-        all_actions: list[str],
-        statement_map: dict[str, list[tuple[int, str | None]]],
-        config,
-        check_config: CheckConfig,
-        check_type: str,
-    ) -> list[ValidationIssue]:
-        """
-        Check for policy-level privilege escalation patterns.
-
-        Args:
-            all_actions: All actions across the entire policy
-            statement_map: Mapping of action -> [(statement_idx, sid), ...]
-            config: The sensitive_actions or sensitive_action_patterns configuration
-            check_config: Full check configuration
-            check_type: Either "actions" (exact match) or "patterns" (regex match)
-
-        Returns:
-            List of ValidationIssue objects
-        """
-        import re
-
-        issues = []
-
-        if not config:
-            return issues
-
-        # Handle list of items (could be simple strings or dicts with all_of/any_of)
-        if isinstance(config, list):
-            for item in config:
-                if isinstance(item, dict) and "all_of" in item:
-                    # This is a privilege escalation pattern - all actions must be present
-                    required_actions = item["all_of"]
-                    matched_actions = []
-
-                    if check_type == "actions":
-                        # Exact matching
-                        matched_actions = [a for a in all_actions if a in required_actions]
-                    else:
-                        # Pattern matching - for each pattern, find actions that match
-                        for pattern in required_actions:
-                            for action in all_actions:
-                                try:
-                                    if re.match(pattern, action):
-                                        matched_actions.append(action)
-                                        break  # Found at least one match for this pattern
-                                except re.error:
-                                    continue
-
-                    # Check if ALL required actions/patterns are present
-                    if len(matched_actions) >= len(required_actions):
-                        # Privilege escalation detected!
-                        severity = self._get_sub_check_severity(
-                            check_config, "sensitive_action_check", "error"
-                        )
-
-                        # Collect which statements these actions appear in
-                        statement_refs = []
-                        for action in matched_actions:
-                            if action in statement_map:
-                                for stmt_idx, sid in statement_map[action]:
-                                    sid_str = f"'{sid}'" if sid else f"#{stmt_idx}"
-                                    statement_refs.append(f"Statement {sid_str}: {action}")
-
-                        action_list = "', '".join(matched_actions)
-                        stmt_details = "\n  - ".join(statement_refs)
-
-                        issues.append(
-                            ValidationIssue(
-                                severity=severity,
-                                statement_sid=None,  # Policy-level issue
-                                statement_index=-1,  # -1 indicates policy-level issue
-                                issue_type="privilege_escalation",
-                                message=f"Policy-level privilege escalation detected: grants all of ['{action_list}'] across multiple statements",
-                                suggestion=f"These actions combined allow privilege escalation. Consider:\n"
-                                f"  1. Splitting into separate policies for different users/roles\n"
-                                f"  2. Adding strict conditions to limit when these actions can be used together\n"
-                                f"  3. Reviewing if all these permissions are truly necessary\n\n"
-                                f"Actions found in:\n  - {stmt_details}",
-                                line_number=None,
-                            )
-                        )
-
-        # Handle dict with all_of at the top level
-        elif isinstance(config, dict) and "all_of" in config:
-            required_actions = config["all_of"]
-            matched_actions = []
-
-            if check_type == "actions":
-                matched_actions = [a for a in all_actions if a in required_actions]
-            else:
-                for pattern in required_actions:
-                    for action in all_actions:
-                        try:
-                            if re.match(pattern, action):
-                                matched_actions.append(action)
-                                break
-                        except re.error:
-                            continue
-
-            if len(matched_actions) >= len(required_actions):
-                severity = self._get_sub_check_severity(
-                    check_config, "sensitive_action_check", "error"
-                )
-
-                statement_refs = []
-                for action in matched_actions:
-                    if action in statement_map:
-                        for stmt_idx, sid in statement_map[action]:
-                            sid_str = f"'{sid}'" if sid else f"#{stmt_idx}"
-                            statement_refs.append(f"Statement {sid_str}: {action}")
-
-                action_list = "', '".join(matched_actions)
-                stmt_details = "\n  - ".join(statement_refs)
-
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=None,
-                        statement_index=-1,  # -1 indicates policy-level issue
-                        issue_type="privilege_escalation",
-                        message=f"Policy-level privilege escalation detected: grants all of ['{action_list}'] across multiple statements",
-                        suggestion=f"These actions combined allow privilege escalation. Consider:\n"
-                        f"  1. Splitting into separate policies for different users/roles\n"
-                        f"  2. Adding strict conditions to limit when these actions can be used together\n"
-                        f"  3. Reviewing if all these permissions are truly necessary\n\n"
-                        f"Actions found in:\n  - {stmt_details}",
-                        line_number=None,
-                    )
-                )
-
-        return issues
-
     def _is_sub_check_enabled(self, config: CheckConfig, sub_check_name: str) -> bool:
         """Check if a sub-check is enabled in the configuration."""
         if sub_check_name not in config.config:
@@ -533,6 +378,50 @@ class SecurityBestPracticesCheck(PolicyCheck):
             return sub_check_config.get("severity", default)
         return default
 
+    def _add_wildcard_resource_issue(
+        self,
+        issues: list[ValidationIssue],
+        config: CheckConfig,
+        statement_sid: str | None,
+        statement_idx: int,
+        line_number: int | None,
+    ) -> None:
+        """Add a wildcard resource issue to the issues list.
+
+        This is a helper method to avoid code duplication when adding
+        wildcard resource warnings.
+
+        Args:
+            issues: List to append the issue to
+            config: Check configuration
+            statement_sid: Statement ID
+            statement_idx: Statement index
+            line_number: Line number in the policy file
+        """
+        severity = self._get_sub_check_severity(config, "wildcard_resource_check", "warning")
+        sub_check_config = config.config.get("wildcard_resource_check", {})
+
+        message = sub_check_config.get("message", "Statement applies to all resources (*)")
+        suggestion_text = sub_check_config.get(
+            "suggestion", "Consider limiting to specific resources"
+        )
+        example = sub_check_config.get("example", "")
+
+        # Combine suggestion + example
+        suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+        issues.append(
+            ValidationIssue(
+                severity=severity,
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="overly_permissive",
+                message=message,
+                suggestion=suggestion,
+                line_number=line_number,
+            )
+        )
+
     def _get_allowed_service_wildcards(self, config: CheckConfig) -> set[str]:
         """
         Get list of services that are allowed to use service-level wildcards.
@@ -554,212 +443,73 @@ class SecurityBestPracticesCheck(PolicyCheck):
 
         return set()
 
-    def _check_sensitive_actions(
-        self, actions: list[str], config: CheckConfig
-    ) -> tuple[bool, list[str]]:
-        """
-        Check if actions match sensitive action criteria with any_of/all_of support.
-
-        Returns:
-            tuple[bool, list[str]]: (is_sensitive, matched_actions)
-                - is_sensitive: True if the actions match the sensitive criteria
-                - matched_actions: List of actions that matched the criteria
-        """
-        # Filter out wildcards
-        filtered_actions = [a for a in actions if a != "*"]
-        if not filtered_actions:
-            return False, []
-
-        # Get configuration for both sensitive_actions and sensitive_action_patterns
-        sub_check_config = config.config.get("sensitive_action_check", {})
-        if not isinstance(sub_check_config, dict):
-            return False, []
-
-        sensitive_actions_config = sub_check_config.get("sensitive_actions")
-        sensitive_patterns_config = sub_check_config.get("sensitive_action_patterns")
-
-        # Check sensitive_actions (exact matches)
-        actions_match, actions_matched = self._check_actions_config(
-            filtered_actions, sensitive_actions_config
-        )
+    def _is_action_allowed_wildcard(
+        self, action: str, allowed_wildcards: frozenset[str] | list[str] | set[str]
+    ) -> bool:
+        """Check if an action matches the allowed_wildcards list.
 
-        # Check sensitive_action_patterns (regex patterns)
-        patterns_match, patterns_matched = self._check_patterns_config(
-            filtered_actions, sensitive_patterns_config
-        )
+        This method checks if a given action is in the allowed_wildcards configuration
+        from action_validation_check. This is used to determine if wildcard resources
+        are acceptable when only safe wildcard actions are used.
 
-        # Combine results - if either matched, we consider it sensitive
-        is_sensitive = actions_match or patterns_match
-        # Use set operations for efficient deduplication
-        matched_set = set(actions_matched) | set(patterns_matched)
-        matched_actions = list(matched_set)
+        Args:
+            action: The action to check (e.g., "s3:List*", "ec2:DescribeInstances")
+            allowed_wildcards: Set or list of allowed wildcard patterns
 
-        return is_sensitive, matched_actions
+        Returns:
+            True if the action matches any pattern in the allowlist
 
-    def _check_actions_config(self, actions: list[str], config) -> tuple[bool, list[str]]:
+        Note:
+            Exact matches use O(1) set lookup for performance.
+            Pattern matches (wildcards in allowlist) require O(n) iteration.
         """
-        Check actions against sensitive_actions configuration.
-
-        Supports:
-        - Simple list: ["action1", "action2"] (backward compatible, any_of logic)
-        - any_of: {"any_of": ["action1", "action2"]}
-        - all_of: {"all_of": ["action1", "action2"]}
-        - Multiple groups: [{"all_of": [...]}, {"all_of": [...]}, "action3"]
+        # Fast O(1) exact match using set membership
+        if action in allowed_wildcards:
+            return True
+
+        # Pattern match - check if action matches any pattern in allowlist
+        # This is needed when allowlist contains wildcards like "s3:*"
+        # Uses cached compiled patterns for 20-30x speedup
+        for pattern in allowed_wildcards:
+            # Skip exact matches (already checked above)
+            if "*" not in pattern:
+                continue
 
-        Returns:
-            tuple[bool, list[str]]: (matches, matched_actions)
-        """
-        if not config:
-            # If no config, fall back to defaults with any_of logic
-            # DEFAULT_SENSITIVE_ACTIONS is already a frozenset for O(1) lookups
-            matched = [a for a in actions if a in self.DEFAULT_SENSITIVE_ACTIONS]
-            return len(matched) > 0, matched
-
-        # Handle simple list with potential mixed items
-        if isinstance(config, list):
-            # Use set for O(1) membership checks
-            all_matched = set()
-            actions_set = set(actions)  # Convert once for O(1) lookups
-
-            for item in config:
-                # Each item can be a string, or a dict with any_of/all_of
-                if isinstance(item, str):
-                    # Simple string - check if action matches (O(1) lookup)
-                    if item in actions_set:
-                        all_matched.add(item)
-                elif isinstance(item, dict):
-                    # Recurse for dict items
-                    matches, matched = self._check_actions_config(actions, item)
-                    if matches:
-                        all_matched.update(matched)
-
-            return len(all_matched) > 0, list(all_matched)
-
-        # Handle dict with any_of/all_of
-        if isinstance(config, dict):
-            # any_of: at least one action must match
-            if "any_of" in config:
-                # Convert once for O(1) intersection
-                any_of_set = set(config["any_of"])
-                actions_set = set(actions)
-                matched = list(any_of_set & actions_set)
-                return len(matched) > 0, matched
-
-            # all_of: all specified actions must be present in the statement
-            if "all_of" in config:
-                all_of_set = set(config["all_of"])
-                actions_set = set(actions)
-                matched = list(all_of_set & actions_set)
-                # All required actions must be present
-                return all_of_set.issubset(actions_set), matched
-
-        return False, []
-
-    def _check_patterns_config(self, actions: list[str], config) -> tuple[bool, list[str]]:
-        """
-        Check actions against sensitive_action_patterns configuration.
+            # Use cached compiled pattern
+            compiled = compile_wildcard_pattern(pattern)
+            if compiled.match(action):
+                return True
 
-        Supports:
-        - Simple list: ["^pattern1.*", "^pattern2.*"] (backward compatible, any_of logic)
-        - any_of: {"any_of": ["^pattern1.*", "^pattern2.*"]}
-        - all_of: {"all_of": ["^pattern1.*", "^pattern2.*"]}
-        - Multiple groups: [{"all_of": [...]}, {"any_of": [...]}, "^pattern.*"]
+        return False
 
-        Returns:
-            tuple[bool, list[str]]: (matches, matched_actions)
+    def _get_allowed_wildcards_for_resources(self, config: CheckConfig) -> frozenset[str]:
+        """Get allowed_wildcards for resource check configuration.
 
-        Performance:
-            Uses cached compiled regex patterns for 10-50x speedup
-        """
-        if not config:
-            return False, []
-
-        # Handle simple list with potential mixed items
-        if isinstance(config, list):
-            # Use set for O(1) membership checks instead of list
-            all_matched = set()
-
-            for item in config:
-                # Each item can be a string pattern, or a dict with any_of/all_of
-                if isinstance(item, str):
-                    # Simple string pattern - check if any action matches
-                    # Use cached compiled pattern
-                    compiled = _compile_pattern(item)
-                    if compiled:
-                        for action in actions:
-                            if compiled.match(action):
-                                all_matched.add(action)
-                elif isinstance(item, dict):
-                    # Recurse for dict items
-                    matches, matched = self._check_patterns_config(actions, item)
-                    if matches:
-                        all_matched.update(matched)
-
-            return len(all_matched) > 0, list(all_matched)
-
-        # Handle dict with any_of/all_of
-        if isinstance(config, dict):
-            # any_of: at least one action must match at least one pattern
-            if "any_of" in config:
-                matched = set()
-                # Pre-compile all patterns
-                compiled_patterns = [_compile_pattern(p) for p in config["any_of"]]
-
-                for action in actions:
-                    for compiled in compiled_patterns:
-                        if compiled and compiled.match(action):
-                            matched.add(action)
-                            break
-                return len(matched) > 0, list(matched)
-
-            # all_of: at least one action must match ALL patterns
-            if "all_of" in config:
-                # Pre-compile all patterns
-                compiled_patterns = [_compile_pattern(p) for p in config["all_of"]]
-                # Filter out invalid patterns
-                compiled_patterns = [p for p in compiled_patterns if p]
-
-                if not compiled_patterns:
-                    return False, []
-
-                matched = set()
-                for action in actions:
-                    # Check if this action matches ALL patterns
-                    if all(compiled.match(action) for compiled in compiled_patterns):
-                        matched.add(action)
-
-                return len(matched) > 0, list(matched)
-
-        return False, []
-
-    def _matches_sensitive_pattern(self, action: str, config: CheckConfig) -> bool:
-        """
-        DEPRECATED: Use _check_sensitive_actions instead.
+        This checks for explicit allowed_wildcards configuration in wildcard_resource_check.
+        If not configured, it falls back to the parent security_best_practices_check's allowed_wildcards.
 
-        Check if action matches any sensitive action pattern (supports regex).
+        Args:
+            config: The check configuration
 
-        This allows configuration like:
-          sensitive_action_patterns:
-            - "^iam:.*"          # All IAM actions
-            - ".*:Delete.*"      # Any delete action
-            - "s3:PutBucket.*"   # S3 bucket modification actions
+        Returns:
+            A frozenset of allowed wildcard patterns
         """
-        import re
-
-        sub_check_config = config.config.get("sensitive_action_check", {})
-        if not isinstance(sub_check_config, dict):
-            return False
-
-        patterns = sub_check_config.get("sensitive_action_patterns", [])
-        if not patterns:
-            return False
-
-        for pattern in patterns:
-            try:
-                if re.match(pattern, action):
-                    return True
-            except re.error:
-                # Invalid regex pattern, skip it
-                continue
-
-        return False
+        sub_check_config = config.config.get("wildcard_resource_check", {})
+        if isinstance(sub_check_config, dict) and "allowed_wildcards" in sub_check_config:
+            # Explicitly configured in wildcard_resource_check (override)
+            allowed_wildcards = sub_check_config.get("allowed_wildcards", [])
+            if isinstance(allowed_wildcards, list):
+                return frozenset(allowed_wildcards)
+            elif isinstance(allowed_wildcards, set | frozenset):
+                return frozenset(allowed_wildcards)
+            return frozenset()
+
+        # Fall back to parent security_best_practices_check's allowed_wildcards
+        parent_allowed_wildcards = config.config.get("allowed_wildcards", [])
+        if isinstance(parent_allowed_wildcards, list):
+            return frozenset(parent_allowed_wildcards)
+        elif isinstance(parent_allowed_wildcards, set | frozenset):
+            return frozenset(parent_allowed_wildcards)
+
+        # No configuration found, return empty set (flag all Resource: "*")
+        return frozenset()

iam_validator/checks/utils/__init__.py

@@ -0,0 +1 @@
+"""Utility modules for IAM policy checks."""