iam-policy-validator 1.13.1__py3-none-any.whl → 1.14.1__py3-none-any.whl

iam_validator/checks/trust_policy_validation.py

@@ -262,6 +262,7 @@ class TrustPolicyValidationCheck(PolicyCheck):
                         example=self._get_example_for_action(
                             action, allowed_types[0] if allowed_types else "AWS"
                         ),
+                        field_name="principal",
                     )
                 )
 
@@ -312,6 +313,7 @@ class TrustPolicyValidationCheck(PolicyCheck):
                         f"Expected pattern: `{provider_pattern}`\n"
                         f"Found: `{principal}`",
                         example=self._get_provider_example(provider_type),
+                        field_name="principal",
                     )
                 )
 
@@ -378,6 +380,7 @@ class TrustPolicyValidationCheck(PolicyCheck):
                     f"Missing: `{missing_list}`\n\n"
                     f"{rule.get('description', '')}",
                     example=self._get_condition_example(action, required_conditions[0]),
+                    field_name="condition",
                 )
             )
 

iam_validator/checks/utils/__init__.py

@@ -1 +1,17 @@
 """Utility modules for IAM policy checks."""
+
+from iam_validator.checks.utils.action_parser import (
+    ParsedAction,
+    extract_service,
+    get_action_case_insensitive,
+    is_wildcard_action,
+    parse_action,
+)
+
+__all__ = [
+    "ParsedAction",
+    "extract_service",
+    "get_action_case_insensitive",
+    "is_wildcard_action",
+    "parse_action",
+]

iam_validator/checks/utils/action_parser.py

@@ -0,0 +1,149 @@
+"""Action parsing utility for IAM policy validation.
+
+This module provides a consistent way to parse AWS IAM action names
+(format: service:ActionName) across all validation checks.
+"""
+
+from dataclasses import dataclass
+from typing import TypeVar
+
+# Type variable for generic dictionary value lookup
+T = TypeVar("T")
+
+
+@dataclass(frozen=True, slots=True)
+class ParsedAction:
+    """Represents a parsed AWS IAM action.
+
+    Attributes:
+        service: The AWS service prefix (e.g., "s3", "ec2", "iam")
+        action_name: The action name (e.g., "GetObject", "DescribeInstances")
+        has_wildcard: True if the service or action contains "*"
+        original: The original action string as provided
+    """
+
+    service: str
+    action_name: str
+    has_wildcard: bool
+    original: str
+
+
+def parse_action(action: str) -> ParsedAction | None:
+    """Parse an AWS IAM action string into its components.
+
+    AWS IAM actions follow the format "service:ActionName" where:
+    - service is the AWS service prefix (case-insensitive, typically lowercase)
+    - ActionName is the specific API action (PascalCase or camelCase)
+
+    Args:
+        action: The action string to parse (e.g., "s3:GetObject", "ec2:*")
+
+    Returns:
+        ParsedAction if the action is valid, None if malformed.
+
+    Examples:
+        >>> parse_action("s3:GetObject")
+        ParsedAction(service="s3", action_name="GetObject", has_wildcard=False, original="s3:GetObject")
+
+        >>> parse_action("ec2:Describe*")
+        ParsedAction(service="ec2", action_name="Describe*", has_wildcard=True, original="ec2:Describe*")
+
+        >>> parse_action("InvalidAction")
+        None
+
+        >>> parse_action("*")
+        None
+    """
+    # Handle full wildcard - not a parseable service:action
+    if action == "*":
+        return None
+
+    # Must contain exactly one colon separating service and action
+    if ":" not in action:
+        return None
+
+    # Split on first colon only (action names can theoretically contain colons)
+    parts = action.split(":", 1)
+    if len(parts) != 2:
+        return None
+
+    service, action_name = parts
+
+    # Both service and action name must be non-empty
+    if not service or not action_name:
+        return None
+
+    return ParsedAction(
+        service=service,
+        action_name=action_name,
+        has_wildcard="*" in service or "*" in action_name,
+        original=action,
+    )
+
+
+def is_wildcard_action(action: str) -> bool:
+    """Check if an action contains a wildcard.
+
+    Args:
+        action: The action string to check
+
+    Returns:
+        True if the action is "*" or contains "*" in service or action name
+    """
+    if action == "*":
+        return True
+
+    parsed = parse_action(action)
+    return parsed.has_wildcard if parsed else False
+
+
+def extract_service(action: str) -> str | None:
+    """Extract the service prefix from an action string.
+
+    Args:
+        action: The action string (e.g., "s3:GetObject")
+
+    Returns:
+        The service prefix (e.g., "s3") or None if the action is malformed
+    """
+    if action == "*":
+        return None
+
+    parsed = parse_action(action)
+    return parsed.service if parsed else None
+
+
+def get_action_case_insensitive(actions_dict: dict[str, T], action_name: str) -> T | None:
+    """Look up an action in a dictionary using case-insensitive matching.
+
+    AWS action names are case-insensitive, but our service definitions may have
+    canonical casing. This function tries exact match first, then falls back
+    to case-insensitive lookup.
+
+    Args:
+        actions_dict: Dictionary mapping action names to values (e.g., ActionDetail)
+        action_name: The action name to look up
+
+    Returns:
+        The value if found, None otherwise
+
+    Examples:
+        >>> actions = {"GetObject": detail, "PutObject": detail2}
+        >>> get_action_case_insensitive(actions, "GetObject")  # Exact match
+        detail
+        >>> get_action_case_insensitive(actions, "getobject")  # Case-insensitive
+        detail
+        >>> get_action_case_insensitive(actions, "Unknown")
+        None
+    """
+    # Try exact match first (most common case)
+    if action_name in actions_dict:
+        return actions_dict[action_name]
+
+    # Fall back to case-insensitive lookup
+    action_name_lower = action_name.lower()
+    for key, value in actions_dict.items():
+        if key.lower() == action_name_lower:
+            return value
+
+    return None

iam_validator/checks/wildcard_action.py

@@ -51,6 +51,7 @@ class WildcardActionCheck(PolicyCheck):
                     suggestion=suggestion,
                     example=example if example else None,
                     line_number=statement.line_number,
+                    field_name="action",
                 )
             )
 

iam_validator/checks/wildcard_resource.py

@@ -1,11 +1,73 @@
 """Wildcard resource check - detects Resource: '*' in IAM policies."""
 
+import asyncio
+import logging
 from typing import ClassVar
 
+from iam_validator.checks.utils.action_parser import get_action_case_insensitive, parse_action
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
-from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.core.models import ActionDetail, ServiceDetail, Statement, ValidationIssue
+
+logger = logging.getLogger(__name__)
+
+# Module-level cache for action resource support lookups.
+# Maps action name (e.g., "s3:GetObject") to whether it supports resource-level permissions.
+# True = supports resources (should be flagged for wildcard)
+# False = doesn't support resources (wildcard is appropriate)
+# None = unknown (be conservative, assume it supports resources)
+_action_resource_support_cache: dict[str, bool | None] = {}
+
+# Module-level cache for action access level lookups.
+# Maps action name (e.g., "s3:ListBuckets") to its access level.
+# "list" = list-level action (safe with wildcards)
+# Other values or None = unknown
+_action_access_level_cache: dict[str, str | None] = {}
+
+
+def _get_access_level(action_detail: ActionDetail) -> str:
+    """Derive access level from action annotations.
+
+    AWS API provides Properties dict with boolean flags instead of AccessLevel string.
+    We derive the access level from these flags.
+
+    Args:
+        action_detail: Action detail object with annotations
+
+    Returns:
+        Access level string: "permissions-management", "tagging", "write", "list", or "read"
+    """
+    if not action_detail.annotations:
+        return "unknown"
+
+    props = action_detail.annotations.get("Properties", {})
+    if not props:
+        return "unknown"
+
+    # Check flags in priority order
+    if props.get("IsPermissionManagement"):
+        return "permissions-management"
+    if props.get("IsTaggingOnly"):
+        return "tagging"
+    if props.get("IsWrite"):
+        return "write"
+    if props.get("IsList"):
+        return "list"
+
+    # Default to read if none of the above
+    return "read"
+
+
+def clear_resource_support_cache() -> None:
+    """Clear the action resource support and access level caches.
+
+    This is primarily useful for testing to ensure a clean state between tests.
+    In production, the cache persists for the lifetime of the process, which is
+    beneficial as AWS action definitions don't change frequently.
+    """
+    _action_resource_support_cache.clear()
+    _action_access_level_cache.clear()
 
 
 class WildcardResourceCheck(PolicyCheck):
@@ -34,6 +96,18 @@ class WildcardResourceCheck(PolicyCheck):
 
         # Check for wildcard resource (Resource: "*")
         if "*" in resources:
+            # First, filter out actions that don't support resource-level permissions
+            # These actions legitimately require Resource: "*"
+            actions_requiring_specific_resources = await self._filter_actions_requiring_resources(
+                actions, fetcher
+            )
+
+            # If all actions don't support resources, wildcard is appropriate - no issue
+            if not actions_requiring_specific_resources:
+                return issues
+
+            # Use filtered actions for the rest of the check
+            actions = actions_requiring_specific_resources
             # Check if all actions are in the allowed_wildcards list
             # allowed_wildcards works by expanding wildcard patterns (like "ec2:Describe*")
             # to all matching AWS actions using the AWS API, then checking if the policy's
@@ -78,9 +152,25 @@ class WildcardResourceCheck(PolicyCheck):
                         return issues
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
-            message = config.config.get(
-                "message", 'Statement applies to all resources `"*"` (wildcard resource).'
-            )
+            # Build a helpful message showing which actions require specific resources
+            custom_message = config.config.get("message")
+            if custom_message:
+                message = custom_message
+            else:
+                # Build default message with action list
+                # Note: actions_requiring_specific_resources is guaranteed non-empty here
+                # because we return early above if it's empty
+                sorted_actions = sorted(actions_requiring_specific_resources)
+                if len(sorted_actions) <= 5:
+                    action_list = ", ".join(f"`{a}`" for a in sorted_actions)
+                else:
+                    action_list = ", ".join(f"`{a}`" for a in sorted_actions[:5])
+                    action_list += f" (+{len(sorted_actions) - 5} more)"
+                message = (
+                    f'Statement applies to all resources `"*"`. '
+                    f"Actions that support resource-level permissions: {action_list}"
+                )
+
             suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
             )
@@ -96,6 +186,7 @@ class WildcardResourceCheck(PolicyCheck):
                     suggestion=suggestion,
                     example=example if example else None,
                     line_number=statement.line_number,
+                    field_name="resource",
                 )
             )
 
@@ -145,3 +236,139 @@ class WildcardResourceCheck(PolicyCheck):
         expanded_actions = await expand_wildcard_actions(patterns_to_expand, fetcher)
 
         return frozenset(expanded_actions)
+
+    async def _filter_actions_requiring_resources(
+        self, actions: list[str], fetcher: AWSServiceFetcher
+    ) -> list[str]:
+        """Filter actions to only those that should be flagged for wildcard resources.
+
+        This method filters out actions that legitimately use Resource: "*":
+        1. Actions that don't support resource-level permissions (e.g., sts:GetCallerIdentity)
+        2. List-level actions (e.g., s3:ListBuckets) - these only enumerate resources
+           and are not dangerous with wildcards
+
+        Examples of actions filtered out:
+        - iam:ListUsers (list-level, must use Resource: "*")
+        - sts:GetCallerIdentity (must use Resource: "*")
+        - ec2:DescribeInstances (must use Resource: "*")
+        - s3:ListAllMyBuckets (list-level)
+
+        This method uses a module-level cache to avoid repeated lookups and
+        fetches all required services in parallel for better performance.
+
+        Args:
+            actions: List of actions from the policy statement
+            fetcher: AWS service fetcher for looking up action definitions
+
+        Returns:
+            List of actions that should be flagged for wildcard resource usage
+        """
+        actions_requiring_resources = []
+        # Actions that need service lookup, grouped by service
+        service_actions: dict[str, list[tuple[str, str]]] = {}  # service -> [(action, action_name)]
+
+        for action in actions:
+            # Full wildcard "*" - keep it (it's too broad to determine)
+            if action == "*":
+                actions_requiring_resources.append(action)
+                continue
+
+            # Parse action using the utility
+            parsed = parse_action(action)
+            if not parsed:
+                # Malformed action - keep it (be conservative)
+                actions_requiring_resources.append(action)
+                continue
+
+            # Wildcard in service or action name - keep it (can't determine resource support)
+            if parsed.has_wildcard:
+                actions_requiring_resources.append(action)
+                continue
+
+            service = parsed.service
+            action_name = parsed.action_name
+
+            # Check module-level caches first
+            if action in _action_resource_support_cache and action in _action_access_level_cache:
+                cached_resource_support = _action_resource_support_cache[action]
+                cached_access_level = _action_access_level_cache[action]
+
+                # Skip list-level actions - they're safe with wildcards
+                if cached_access_level == "list":
+                    continue
+
+                if cached_resource_support is True or cached_resource_support is None:
+                    # Supports resources or unknown - include it
+                    actions_requiring_resources.append(action)
+                # If False, action doesn't support resources - skip it
+                continue
+
+            # Group actions by service for parallel fetching
+            if service not in service_actions:
+                service_actions[service] = []
+            service_actions[service].append((action, action_name))
+
+        # If no services to look up, return early
+        if not service_actions:
+            return actions_requiring_resources
+
+        # Fetch all services in parallel
+        services = list(service_actions.keys())
+        results = await asyncio.gather(
+            *[fetcher.fetch_service_by_name(s) for s in services],
+            return_exceptions=True,
+        )
+
+        # Build service cache from successful results
+        service_cache: dict[str, ServiceDetail | None] = {}
+        for service, result in zip(services, results):
+            if isinstance(result, BaseException):
+                logger.debug(f"Could not look up service {service}: {result}")
+                # Mark service as failed - will keep all its actions (conservative)
+                service_cache[service] = None
+            else:
+                # Result is ServiceDetail when not an exception
+                service_cache[service] = result
+
+        # Process actions using cached service data
+        for service, action_list in service_actions.items():
+            service_detail = service_cache.get(service)
+
+            if not service_detail:
+                # Unknown service - keep all its actions (be conservative)
+                for action, _ in action_list:
+                    _action_resource_support_cache[action] = None  # Cache as unknown
+                    _action_access_level_cache[action] = None  # Cache as unknown
+                    actions_requiring_resources.append(action)
+                continue
+
+            for action, action_name in action_list:
+                # Use case-insensitive lookup since AWS actions are case-insensitive
+                action_detail = get_action_case_insensitive(service_detail.actions, action_name)
+                if not action_detail:
+                    # Unknown action - keep it (be conservative)
+                    _action_resource_support_cache[action] = None  # Cache as unknown
+                    _action_access_level_cache[action] = None  # Cache as unknown
+                    actions_requiring_resources.append(action)
+                    continue
+
+                # Get action's access level and cache it
+                access_level = _get_access_level(action_detail)
+                _action_access_level_cache[action] = access_level
+
+                # Skip list-level actions - they only enumerate resources and are safe with wildcards
+                if access_level == "list":
+                    _action_resource_support_cache[action] = False  # Mark as not needing resources
+                    continue
+
+                # Check if action supports resource-level permissions
+                # action_detail.resources is empty for actions that don't support resources
+                supports_resources = bool(action_detail.resources)
+                _action_resource_support_cache[action] = supports_resources  # Cache result
+
+                if supports_resources:
+                    # Action supports resources - should be flagged for wildcard
+                    actions_requiring_resources.append(action)
+                # Else: action doesn't support resources, Resource: "*" is appropriate
+
+        return actions_requiring_resources

iam_validator/commands/analyze.py

@@ -387,10 +387,28 @@ Examples:
 
         # Post to GitHub if configured
         if args.github_comment:
+            from iam_validator.core.config.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
+            # Load config to get fail_on_severity, severity_labels, and ignore settings
+            config_path = getattr(args, "config", None)
+            config = ConfigLoader.load_config(config_path)
+            fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+            severity_labels = config.get_setting("severity_labels", {})
+
+            # Get ignore settings from config
+            ignore_settings = config.get_setting("ignore_settings", {})
+            enable_ignore = ignore_settings.get("enabled", True)
+            allowed_users = ignore_settings.get("allowed_users", [])
+
             async with GitHubIntegration() as github:
-                commenter = PRCommenter(github)
+                commenter = PRCommenter(
+                    github,
+                    fail_on_severities=fail_on_severities,
+                    severity_labels=severity_labels,
+                    enable_codeowners_ignore=enable_ignore,
+                    allowed_ignore_users=allowed_users,
+                )
                 success = await commenter.post_findings_to_pr(
                     validation_report,
                     create_review=getattr(args, "github_review", False),

iam_validator/commands/completion.py

@@ -247,7 +247,7 @@ _iam_validator_completion() {{
             return 0
             ;;
         validate)
-            opts="--path -p --stdin --format -f --output -o --no-recursive --fail-on-warnings --policy-type -t --github-comment --github-review --github-summary --verbose -v --config -c --custom-checks-dir --aws-services-dir --stream --batch-size --summary --severity-breakdown"
+            opts="--path -p --stdin --format -f --output -o --no-recursive --fail-on-warnings --policy-type -t --github-comment --github-review --github-summary --verbose -v --config -c --custom-checks-dir --aws-services-dir --stream --batch-size --summary --severity-breakdown --allow-owner-ignore --no-owner-ignore --ci --ci-output"
             COMPREPLY=( $(compgen -W "$opts" -- "$cur") )
             return 0
             ;;
@@ -376,7 +376,11 @@ _iam_validator() {{
                         '--stream[Process files one-by-one]' \\
                         '--batch-size[Policies per batch]:number:' \\
                         '--summary[Show Executive Summary section]' \\
-                        '--severity-breakdown[Show Issue Severity Breakdown section]'
+                        '--severity-breakdown[Show Issue Severity Breakdown section]' \\
+                        '--allow-owner-ignore[Allow CODEOWNERS to ignore findings]' \\
+                        '--no-owner-ignore[Disable CODEOWNERS ignore feature]' \\
+                        '--ci[CI mode - print enhanced output, write JSON to file]' \\
+                        '--ci-output[Output file for JSON report in CI mode]:file:_files'
                     ;;
                 post-to-pr)
                     _arguments \\