iam-policy-validator 1.11.0__py3-none-any.whl → 1.12.0__py3-none-any.whl

{iam_policy_validator-1.11.0.dist-info → iam_policy_validator-1.12.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.11.0
+Version: 1.12.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.11.0.dist-info → iam_policy_validator-1.12.0.dist-info}/RECORD

@@ -1,8 +1,8 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=QDfo5_PdJfgisRdaZ8ltIgqPu_z6ugxj636N7IepezA,374
+iam_validator/__version__.py,sha256=W6lxpjiojokhUhDmTpeymt8Z-W7jmcwUbVTvLyrpAko,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
-iam_validator/checks/action_condition_enforcement.py,sha256=6LJfO7DCgf10rtPjaZ5P4fmb5hfxJUBS5w1CrOiCu5Q,52442
+iam_validator/checks/action_condition_enforcement.py,sha256=oj3hsh3LwPneYAsQ6iBd61ToIJMr6aDIixKP-zkaqKI,55053
 iam_validator/checks/action_resource_matching.py,sha256=WiGJmCIJfx5yituMjZxpKmk-99N6nK20ueN02ddy9oM,19296
 iam_validator/checks/action_validation.py,sha256=QXfNamcstQIO41zNed1-bCmXYkXdV77owu8G2cZ09-A,2517
 iam_validator/checks/condition_key_validation.py,sha256=QJjG82wxvjdG2m-YuEzAjKRRiWaaPkf_LChdUTvm9g4,3919
@@ -29,7 +29,7 @@ iam_validator/commands/__init__.py,sha256=RBEz-Kgt3aRVn_9B1HRy_XgQMIKzlSSQs4Gtg2
 iam_validator/commands/analyze.py,sha256=rvLBJ5_A3HB530xtixhaIsC19QON68olEQnn8TievgI,20784
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=llfyQzPE5Azd5YcW0ohYcYjF_OCyiQ1GoJQ982t71lQ,14294
-iam_validator/commands/completion.py,sha256=oPUZkY0U3x-DU3bNB0UmdpXxxKibTBB8_TDPcQLWc10,15175
+iam_validator/commands/completion.py,sha256=1TfkVjeltsf2jAZy5RqaxKVIxpbL_bnZc6k8uvrk6Xg,18915
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
 iam_validator/commands/query.py,sha256=ft8ptWfsNUK4Wprq_A11txdV_chBgqkoAo7SQfzEwK0,17079
@@ -93,8 +93,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.11.0.dist-info/METADATA,sha256=OL4Pb02Cgtv4XL1AXoupb1KYc5fUMXUNfiqquaFyn24,34456
-iam_policy_validator-1.11.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.11.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.11.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.11.0.dist-info/RECORD,,
+iam_policy_validator-1.12.0.dist-info/METADATA,sha256=oRx7SWFfzvm7WejCfUXLfGDYYAe-lnIBf74cfwigqT8,34456
+iam_policy_validator-1.12.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.12.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.12.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.12.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.11.0"
+__version__ = "1.12.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -125,6 +125,22 @@ Configuration in iam-validator.yaml:
                 - "iam:DeleteUser"
                 - "s3:DeleteBucket"
             description: "These dangerous actions should never be used"
+
+          # Per-requirement ignore_patterns: Skip specific requirements for certain files/actions
+          - actions:
+              - "iam:CreateRole"
+              - "iam:PutRolePolicy"
+              - "iam:AttachRolePolicy"
+            required_conditions:
+              - condition_key: "iam:PermissionsBoundary"
+                description: "Require permissions boundary for IAM operations"
+            ignore_patterns:
+              # Ignore this requirement for iam-openid modules (they enforce boundary by default)
+              - filepath_regex: ".*modules//?iam-openid.*"
+
+Note: ignore_patterns can be specified at TWO levels:
+  1. Check-level (applies to ALL requirements): Useful for broad exclusions
+  2. Requirement-level (applies to ONE requirement): Useful for fine-grained control
 """
 
 import re
@@ -132,6 +148,7 @@ from typing import TYPE_CHECKING, Any, ClassVar
 
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.ignore_patterns import IgnorePatternMatcher
 from iam_validator.core.models import Statement, ValidationIssue
 from iam_validator.utils.regex import compile_and_cache
 
@@ -181,7 +198,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         Returns:
             List of ValidationIssue objects found by this check
         """
-        del policy_file, kwargs  # Not used in current implementation
+        del kwargs  # Not used in current implementation
         issues = []
 
         # Get action condition requirements from config
@@ -211,16 +228,60 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             if uses_logical_operators:
                 # Policy-wide detection (all_of/any_of/none_of)
                 policy_issues = await self._check_policy_wide(policy, requirement, fetcher, config)
+                # Filter by requirement-level ignore_patterns
+                policy_issues = self._filter_requirement_issues(
+                    policy_issues, requirement.get("ignore_patterns", []), policy_file
+                )
                 issues.extend(policy_issues)
             else:
                 # Per-statement check (simple list)
                 statement_issues = await self._check_per_statement(
                     policy, requirement, fetcher, config
                 )
+                # Filter by requirement-level ignore_patterns
+                statement_issues = self._filter_requirement_issues(
+                    statement_issues, requirement.get("ignore_patterns", []), policy_file
+                )
                 issues.extend(statement_issues)
 
         return issues
 
+    def _filter_requirement_issues(
+        self,
+        issues: list[ValidationIssue],
+        ignore_patterns: list[dict[str, Any]],
+        filepath: str,
+    ) -> list[ValidationIssue]:
+        """
+        Filter issues based on requirement-level ignore patterns.
+
+        This allows each requirement within action_condition_enforcement to have its own
+        ignore patterns, enabling fine-grained control over which findings to suppress.
+
+        Args:
+            issues: List of validation issues to filter
+            ignore_patterns: List of ignore pattern dictionaries for this requirement
+            filepath: Path to the policy file being checked
+
+        Returns:
+            Filtered list of issues (issues matching ignore patterns are removed)
+
+        Example:
+            A requirement can ignore specific files while other requirements check them:
+            - actions: ["iam:CreateRole"]
+              required_conditions: [...]
+              ignore_patterns:
+                - filepath_regex: ".*modules/iam-openid.*"
+        """
+        if not ignore_patterns:
+            return issues
+
+        return [
+            issue
+            for issue in issues
+            if not IgnorePatternMatcher.should_ignore_issue(issue, filepath, ignore_patterns)
+        ]
+
     async def _check_policy_wide(
         self,
         policy: "IAMPolicy",

iam_validator/commands/completion.py

@@ -135,7 +135,7 @@ _iam_validator_completion() {{
     prev="${{COMP_WORDS[COMP_CWORD-1]}}"
 
     # Main commands
-    local commands="validate post-to-pr analyze cache download-services query completion"
+    local commands="validate post-to-pr analyze cache sync-services query completion"
 
     # Get the command (first non-option argument)
     local cmd=""
@@ -215,6 +215,7 @@ _iam_validator_completion() {{
             fi
 
             # Complete options for query subcommands
+            local opts=""
             case "$query_subcmd" in
                 action)
                     opts="--service --name --access-level --resource-type --condition --output"
@@ -226,7 +227,23 @@ _iam_validator_completion() {{
                     opts="--service --name --output"
                     ;;
             esac
-            COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
+
+            # Filter out already used options
+            local used_opts=""
+            for ((i=2; i<COMP_CWORD; i++)); do
+                if [[ ${{COMP_WORDS[i]}} == --* ]]; then
+                    used_opts="$used_opts ${{COMP_WORDS[i]}}"
+                fi
+            done
+
+            local available_opts=""
+            for opt in $opts; do
+                if [[ ! " $used_opts " =~ " $opt " ]]; then
+                    available_opts="$available_opts $opt"
+                fi
+            done
+
+            COMPREPLY=( $(compgen -W "$available_opts" -- "$cur") )
             return 0
             ;;
         validate)
@@ -234,18 +251,36 @@ _iam_validator_completion() {{
             COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
             return 0
             ;;
+        post-to-pr)
+            opts="--report -r --create-review --no-review --add-summary --no-summary --config -c"
+            COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
+            return 0
+            ;;
         analyze)
-            opts="--policy --format --output"
+            opts="--path -p --policy-type -t --region --profile --format -f --output -o --no-recursive --fail-on-warnings --github-comment --github-review --github-summary --run-all-checks --check-access-not-granted --check-access-resources --check-no-new-access --check-no-public-access --public-access-resource-type --verbose -v"
             COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
             return 0
             ;;
         cache)
-            opts="--clear --info"
-            COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
+            # Check if we need to complete the cache subcommand
+            local cache_subcmd=""
+            for ((i=2; i<COMP_CWORD; i++)); do
+                if [[ ${{COMP_WORDS[i]}} =~ ^(info|list|clear|refresh|prefetch|location)$ ]]; then
+                    cache_subcmd=${{COMP_WORDS[i]}}
+                    break
+                fi
+            done
+
+            if [[ -z "$cache_subcmd" ]]; then
+                # Complete cache subcommand
+                COMPREPLY=( $(compgen -W "info list clear refresh prefetch location" -- "$cur") )
+                return 0
+            fi
+            # Cache subcommands have no additional options
             return 0
             ;;
-        download-services)
-            opts="--output-dir --force"
+        sync-services)
+            opts="--output-dir --max-concurrent"
             COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
             return 0
             ;;
@@ -272,72 +307,34 @@ complete -F _iam_validator_completion iam-validator
 # Generated by: iam-validator completion zsh
 
 _iam_validator() {{
-    local -a commands
-    commands=(
-        'validate:Validate IAM policies'
-        'post-to-pr:Post validation results to GitHub PR'
-        'analyze:Analyze IAM policies'
-        'cache:Manage cache'
-        'download-services:Download AWS service definitions'
-        'query:Query AWS service definitions'
-        'completion:Generate shell completion scripts'
-    )
-
-    local -a query_subcommands
-    query_subcommands=(
-        'action:Query IAM actions'
-        'arn:Query ARN formats'
-        'condition:Query condition keys'
-    )
-
-    local -a access_levels
-    access_levels=(
-        'read:Read-only actions'
-        'write:Write actions'
-        'list:List actions'
-        'tagging:Tagging actions'
-        'permissions-management:Permission management actions'
-    )
-
-    local -a formats
-    formats=(
-        'json:JSON output'
-        'yaml:YAML output'
-        'text:Plain text output'
-    )
-
-    local -a shells
-    shells=(
-        'bash:Bash completion'
-        'zsh:Zsh completion'
-    )
+    local curcontext="$curcontext" state line
+    typeset -A opt_args
 
     # Cached AWS services
     local -a aws_services
     aws_services=({services_list})
 
     _arguments -C \\
-        '1: :->command' \\
-        '*:: :->args'
+        '1: :_iam_validator_commands' \\
+        '*::arg:->args'
 
     case $state in
-        command)
-            _describe 'command' commands
-            ;;
         args)
             case $words[1] in
                 query)
-                    case $CURRENT in
-                        2)
-                            _describe 'query subcommand' query_subcommands
-                            ;;
-                        *)
-                            case $words[2] in
+                    local query_state
+                    _arguments -C \\
+                        '1: :_iam_validator_query_subcommands' \\
+                        '*::arg:->query_args' && return 0
+
+                    case $state in
+                        query_args)
+                            case $words[1] in
                                 action)
                                     _arguments \\
                                         '--service[AWS service name]:service:($aws_services)' \\
                                         '--name[Action name]:action name:' \\
-                                        '--access-level[Filter by access level]:access level:($access_levels)' \\
+                                        '--access-level[Filter by access level]:access level:(read write list tagging permissions-management)' \\
                                         '--resource-type[Filter by resource type]:resource type:' \\
                                         '--condition[Filter by condition key]:condition key:' \\
                                         '--output[Output format]:format:(json yaml text)'
@@ -361,7 +358,8 @@ _iam_validator() {{
                     ;;
                 validate)
                     _arguments \\
-                        '(--path -p)'{{--path,-p}}'[Path to policy file or directory]:file:_files' \\
+                        '*--path[Path to policy file or directory]:file:_files' \\
+                        '*-p[Path to policy file or directory]:file:_files' \\
                         '--stdin[Read policy from stdin]' \\
                         '(--format -f)'{{--format,-f}}'[Output format]:format:(console enhanced json markdown html csv sarif)' \\
                         '(--output -o)'{{--output,-o}}'[Output file path]:file:_files' \\
@@ -380,30 +378,79 @@ _iam_validator() {{
                         '--summary[Show Executive Summary section]' \\
                         '--severity-breakdown[Show Issue Severity Breakdown section]'
                     ;;
+                post-to-pr)
+                    _arguments \\
+                        '(--report -r)'{{--report,-r}}'[Path to JSON report file]:file:_files' \\
+                        '--create-review[Create line-specific review comments]' \\
+                        '--no-review[Do not create line-specific review comments]' \\
+                        '--add-summary[Add summary comment]' \\
+                        '--no-summary[Do not add summary comment]' \\
+                        '(--config -c)'{{--config,-c}}'[Configuration file]:file:_files'
+                    ;;
                 analyze)
                     _arguments \\
-                        '--policy[Policy file]:file:_files' \\
-                        '--format[Output format]:format:($formats)' \\
-                        '--output[Output file]:file:_files'
+                        '*--path[Path to policy file or directory]:file:_files' \\
+                        '*-p[Path to policy file or directory]:file:_files' \\
+                        '(--policy-type -t)'{{--policy-type,-t}}'[Type of IAM policy]:policy type:(IDENTITY_POLICY RESOURCE_POLICY SERVICE_CONTROL_POLICY)' \\
+                        '--region[AWS region]:region:' \\
+                        '--profile[AWS profile]:profile:' \\
+                        '(--format -f)'{{--format,-f}}'[Output format]:format:(console json markdown)' \\
+                        '(--output -o)'{{--output,-o}}'[Output file path]:file:_files' \\
+                        '--no-recursive[Do not recursively search directories]' \\
+                        '--fail-on-warnings[Fail validation if warnings are found]' \\
+                        '--github-comment[Post validation results as GitHub PR comment]' \\
+                        '--github-review[Create line-specific review comments on PR]' \\
+                        '--github-summary[Write validation summary to GitHub Actions job summary]' \\
+                        '--run-all-checks[Run full validation checks if Access Analyzer passes]' \\
+                        '*--check-access-not-granted[Actions to check are NOT granted]:action:' \\
+                        '*--check-access-resources[Resources to check]:resource:' \\
+                        '--check-no-new-access[Path to existing policy]:file:_files' \\
+                        '--check-no-public-access[Check that resource policy does not allow public access]' \\
+                        '*--public-access-resource-type[Resource type for public access check]:resource type:' \\
+                        '(--verbose -v)'{{--verbose,-v}}'[Enable verbose logging]'
                     ;;
                 cache)
                     _arguments \\
-                        '--clear[Clear cache]' \\
-                        '--info[Show cache info]'
+                        '1: :(info list clear refresh prefetch location)'
                     ;;
-                download-services)
+                sync-services)
                     _arguments \\
                         '--output-dir[Output directory]:directory:_directories' \\
-                        '--force[Force re-download]'
+                        '--max-concurrent[Maximum concurrent downloads]:number:'
                     ;;
                 completion)
-                    _describe 'shell' shells
+                    _arguments \\
+                        '1: :(bash zsh)'
                     ;;
             esac
             ;;
     esac
 }}
 
+_iam_validator_commands() {{
+    local -a commands
+    commands=(
+        'validate:Validate IAM policies'
+        'post-to-pr:Post validation results to GitHub PR'
+        'analyze:Analyze IAM policies using AWS IAM Access Analyzer'
+        'cache:Manage AWS service definition cache'
+        'sync-services:Sync/download all AWS service definitions for offline use'
+        'query:Query AWS service definitions (actions, ARNs, condition keys)'
+        'completion:Generate shell completion scripts (bash or zsh)'
+    )
+    _describe 'command' commands
+}}
+
+_iam_validator_query_subcommands() {{
+    local -a subcommands
+    subcommands=(
+        'action:Query IAM actions'
+        'arn:Query ARN formats'
+        'condition:Query condition keys'
+    )
+    _describe 'query subcommand' subcommands
+}}
+
 _iam_validator "$@"
 """