iam-policy-validator 1.14.0__py3-none-any.whl

iam_validator/core/formatters/markdown.py

@@ -0,0 +1,64 @@
+"""Markdown formatter - placeholder for existing functionality."""
+
+from iam_validator.core import constants
+from iam_validator.core.formatters.base import OutputFormatter
+from iam_validator.core.models import ValidationReport
+
+
+class MarkdownFormatter(OutputFormatter):
+    """Markdown formatter for GitHub comments and documentation."""
+
+    @property
+    def format_id(self) -> str:
+        return "markdown"
+
+    @property
+    def description(self) -> str:
+        return "GitHub-flavored markdown for PR comments"
+
+    @property
+    def file_extension(self) -> str:
+        return "md"
+
+    @property
+    def content_type(self) -> str:
+        return "text/markdown"
+
+    def format(self, report: ValidationReport, **kwargs) -> str:
+        """Format as Markdown.
+
+        Note: The primary markdown generation is handled by ReportGenerator.generate_github_comment().
+        This is a simplified formatter for the registry system.
+        """
+        # Count issues by severity - support both IAM validity and security severities
+        errors = sum(
+            1
+            for r in report.results
+            for i in r.issues
+            if i.severity in constants.HIGH_SEVERITY_LEVELS
+        )
+        warnings = sum(
+            1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")
+        )
+        infos = sum(1 for r in report.results for i in r.issues if i.severity in ("info", "low"))
+
+        output = [
+            "# IAM Policy Validation Report\n",
+            "## Summary",
+            f"**Total Policies:** {report.total_policies}",
+            f"**Valid (IAM):** {report.valid_policies} ✅",
+            f"**Invalid (IAM):** {report.invalid_policies} ❌",
+            f"**Security Findings:** {report.policies_with_security_issues} ⚠️",
+            "",
+            "## Issue Breakdown",
+            f"**Total Issues:** {report.total_issues}",
+            f"**Validity Issues:** {report.validity_issues} (error/warning/info)",
+            f"**Security Issues:** {report.security_issues} (critical/high/medium/low)",
+            "",
+            "## Legacy Severity Counts",
+            f"**Errors:** {errors}",
+            f"**Warnings:** {warnings}",
+            f"**Info:** {infos}\n",
+        ]
+
+        return "\n".join(output)

iam_validator/core/formatters/sarif.py

@@ -0,0 +1,251 @@
+"""SARIF (Static Analysis Results Interchange Format) formatter for GitHub integration."""
+
+import json
+from datetime import datetime, timezone
+from typing import Any
+
+from iam_validator.core.formatters.base import OutputFormatter
+from iam_validator.core.models import ValidationIssue, ValidationReport
+
+
+class SARIFFormatter(OutputFormatter):
+    """Formats validation results in SARIF format for GitHub code scanning."""
+
+    @property
+    def format_id(self) -> str:
+        return "sarif"
+
+    @property
+    def description(self) -> str:
+        return "SARIF format for GitHub code scanning integration"
+
+    @property
+    def file_extension(self) -> str:
+        return "sarif"
+
+    @property
+    def content_type(self) -> str:
+        return "application/sarif+json"
+
+    def format(self, report: ValidationReport, **kwargs) -> str:
+        """Format report as SARIF.
+
+        Args:
+            report: The validation report
+            **kwargs: Additional options like 'tool_version'
+
+        Returns:
+            SARIF JSON string
+        """
+        sarif = self._create_sarif_output(report, **kwargs)
+        return json.dumps(sarif, indent=2)
+
+    def _create_sarif_output(self, report: ValidationReport, **kwargs) -> dict[str, Any]:
+        """Create SARIF output structure."""
+        tool_version = kwargs.get("tool_version", "1.0.0")
+
+        # Map severity levels to SARIF - support both IAM validity and security severities
+        severity_map = {
+            "error": "error",
+            "critical": "error",
+            "high": "error",
+            "warning": "warning",
+            "medium": "warning",
+            "info": "note",
+            "low": "note",
+        }
+
+        # Create SARIF structure
+        sarif = {
+            "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+            "version": "2.1.0",
+            "runs": [
+                {
+                    "tool": {
+                        "driver": {
+                            "name": "IAM Validator",
+                            "version": tool_version,
+                            "informationUri": "https://github.com/boogy/iam-validator",
+                            "rules": self._create_rules(),
+                        }
+                    },
+                    "results": self._create_results(report, severity_map),
+                    "invocations": [
+                        {
+                            "executionSuccessful": len([r for r in report.results if r.is_valid])
+                            > 0,
+                            "endTimeUtc": datetime.now(timezone.utc).isoformat(),
+                        }
+                    ],
+                }
+            ],
+        }
+
+        return sarif
+
+    def _create_rules(self) -> list[dict[str, Any]]:
+        """Create SARIF rules definitions."""
+        return [
+            {
+                "id": "invalid-action",
+                "shortDescription": {"text": "Invalid IAM Action"},
+                "fullDescription": {"text": "The specified IAM action does not exist in AWS"},
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "invalid-condition-key",
+                "shortDescription": {"text": "Invalid Condition Key"},
+                "fullDescription": {
+                    "text": "The specified condition key is not valid for this action"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "invalid-resource",
+                "shortDescription": {"text": "Invalid Resource ARN"},
+                "fullDescription": {"text": "The resource ARN format is invalid"},
+                "helpUri": "https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "duplicate-sid",
+                "shortDescription": {"text": "Duplicate Statement ID"},
+                "fullDescription": {
+                    "text": "Multiple statements use the same Statement ID (Sid), which can cause confusion"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "overly-permissive",
+                "shortDescription": {"text": "Overly Permissive Policy"},
+                "fullDescription": {
+                    "text": "Policy grants overly broad permissions using wildcards in actions or resources"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
+                "defaultConfiguration": {"level": "warning"},
+            },
+            {
+                "id": "missing-condition",
+                "shortDescription": {"text": "Missing Condition Restrictions"},
+                "fullDescription": {
+                    "text": "Sensitive actions should include condition restrictions to limit when they can be used"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions",
+                "defaultConfiguration": {"level": "warning"},
+            },
+            {
+                "id": "missing-required-condition",
+                "shortDescription": {"text": "Missing Required Condition"},
+                "fullDescription": {
+                    "text": "Specific actions require certain conditions to prevent privilege escalation or security issues"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "invalid-principal",
+                "shortDescription": {"text": "Invalid Principal"},
+                "fullDescription": {
+                    "text": "The specified principal is invalid or improperly formatted"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "general-issue",
+                "shortDescription": {"text": "IAM Policy Issue"},
+                "fullDescription": {"text": "General IAM policy validation issue"},
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html",
+                "defaultConfiguration": {"level": "warning"},
+            },
+        ]
+
+    def _create_results(
+        self, report: ValidationReport, severity_map: dict[str, str]
+    ) -> list[dict[str, Any]]:
+        """Create SARIF results from validation issues."""
+        results = []
+
+        for policy_result in report.results:
+            if not policy_result.issues:
+                continue
+
+            for issue in policy_result.issues:
+                result = {
+                    "ruleId": self._get_rule_id(issue),
+                    "level": severity_map.get(issue.severity, "note"),
+                    "message": {"text": issue.message},
+                    "locations": [
+                        {
+                            "physicalLocation": {
+                                "artifactLocation": {
+                                    "uri": policy_result.policy_file,
+                                    "uriBaseId": "SRCROOT",
+                                },
+                                "region": {
+                                    "startLine": issue.line_number or 1,
+                                    "startColumn": 1,
+                                },
+                            }
+                        }
+                    ],
+                }
+
+                # Add fix suggestions if available
+                if issue.suggestion:
+                    result["fixes"] = [
+                        {
+                            "description": {"text": issue.suggestion},
+                        }
+                    ]
+
+                results.append(result)
+
+        return results
+
+    def _get_rule_id(self, issue: ValidationIssue) -> str:
+        """Map issue to SARIF rule ID.
+
+        Uses the issue_type field directly, converting underscores to hyphens
+        for SARIF rule ID format. Falls back to heuristic matching for unknown types.
+        """
+        # Map common issue types directly
+        issue_type_map = {
+            "invalid_action": "invalid-action",
+            "invalid_condition_key": "invalid-condition-key",
+            "invalid_resource": "invalid-resource",
+            "duplicate_sid": "duplicate-sid",
+            "overly_permissive": "overly-permissive",
+            "missing_condition": "missing-condition",
+            "missing_required_condition": "missing-required-condition",
+            "invalid_principal": "invalid-principal",
+        }
+
+        # Try direct mapping from issue_type
+        if issue.issue_type in issue_type_map:
+            return issue_type_map[issue.issue_type]
+
+        # Fallback: heuristic matching based on message
+        message_lower = issue.message.lower()
+
+        if "action" in message_lower and "not found" in message_lower:
+            return "invalid-action"
+        elif "condition key" in message_lower:
+            return "invalid-condition-key"
+        elif "duplicate" in message_lower and "sid" in message_lower:
+            return "duplicate-sid"
+        elif "wildcard" in message_lower or "overly permissive" in message_lower:
+            return "overly-permissive"
+        elif "missing" in message_lower and "condition" in message_lower:
+            if "required" in message_lower:
+                return "missing-required-condition"
+            return "missing-condition"
+        elif "principal" in message_lower:
+            return "invalid-principal"
+        elif "resource" in message_lower or "arn" in message_lower:
+            return "invalid-resource"
+        else:
+            return "general-issue"

iam_validator/core/ignore_patterns.py

@@ -0,0 +1,297 @@
+"""
+Centralized ignore patterns utility with caching and performance optimization.
+
+This module provides high-performance pattern matching for ignore_patterns across
+all checks. Uses LRU caching and compiled regex patterns for optimal performance.
+"""
+
+import re
+from functools import lru_cache
+from typing import Any
+
+from iam_validator.core.models import ValidationIssue
+
+
+# Global regex pattern cache (shared across all checks for maximum efficiency)
+@lru_cache(maxsize=512)
+def compile_pattern(pattern: str) -> re.Pattern[str] | None:
+    """
+    Compile and cache regex patterns.
+
+    Uses LRU cache to avoid recompiling the same patterns across multiple calls.
+    This is critical for performance when the same patterns are used repeatedly.
+
+    This is a public API function used across multiple modules for consistent
+    regex caching.
+
+    Args:
+        pattern: Regex pattern string
+
+    Returns:
+        Compiled pattern or None if invalid
+
+    Performance:
+        - First call: O(n) compile time
+        - Cached calls: O(1) lookup
+    """
+    try:
+        return re.compile(str(pattern), re.IGNORECASE)
+    except re.error:
+        return None
+
+
+class IgnorePatternMatcher:
+    """
+    High-performance pattern matcher for ignore_patterns.
+
+    Features:
+    - Cached compiled regex patterns (LRU cache)
+    - Support for new (simple) and old (verbose) field names
+    - Efficient filtering with early exit optimization
+    - Field-specific validation logic
+
+    Thread-safe: Yes (regex compilation is cached globally)
+    """
+
+    # Supported field name mappings (new -> old for backward compatibility)
+    FIELD_ALIASES = {
+        "filepath": "filepath_regex",
+        "action": "action_matches",
+        "resource": "resource_matches",
+        "sid": "statement_sid",
+        "condition_key": "condition_key_matches",
+    }
+
+    @staticmethod
+    def should_ignore_issue(
+        issue: ValidationIssue,
+        filepath: str,
+        ignore_patterns: list[dict[str, Any]],
+    ) -> bool:
+        """
+        Check if a ValidationIssue should be ignored based on patterns.
+
+        Pattern Matching Logic:
+        - Multiple fields in ONE pattern = AND logic (all must match)
+        - Multiple patterns = OR logic (any pattern matches → ignore)
+
+        Args:
+            issue: The validation issue to check
+            filepath: Path to the policy file
+            ignore_patterns: List of pattern dictionaries
+
+        Returns:
+            True if the issue should be ignored
+
+        Performance:
+            - Early exit on first match (OR logic)
+            - Cached regex compilation
+            - O(p * f) where p=patterns, f=fields per pattern
+        """
+        if not ignore_patterns:
+            return False
+
+        for pattern in ignore_patterns:
+            if IgnorePatternMatcher._matches_pattern(pattern, issue, filepath):
+                return True  # Early exit on first match
+
+        return False
+
+    @staticmethod
+    def filter_actions(
+        actions: frozenset[str],
+        ignore_patterns: list[dict[str, Any]],
+    ) -> frozenset[str]:
+        """
+        Filter actions based on action ignore patterns.
+
+        Only considers patterns that contain an "action" or "action_matches" field.
+        This is optimized for the sensitive_action check which needs to filter
+        actions before creating ValidationIssues.
+
+        Supports both single action patterns and lists:
+        - action: "s3:.*"  # Single regex pattern
+        - action: ["s3:GetObject", "s3:PutObject"]  # List of patterns
+
+        Args:
+            actions: Set of actions to filter
+            ignore_patterns: List of pattern dictionaries
+
+        Returns:
+            Filtered set of actions (actions matching patterns removed)
+
+        Performance:
+            - Extracts action patterns once: O(p) where p=patterns
+            - Filters with cached regex: O(a * p) where a=actions, p=patterns
+            - Early exit per action when match found
+        """
+        if not ignore_patterns:
+            return actions
+
+        # Extract action patterns once (cache-friendly)
+        action_patterns = []
+        for pattern in ignore_patterns:
+            # Support both new and old field names
+            action_regex = pattern.get("action") or pattern.get("action_matches")
+            if action_regex:
+                # Support both single string and list of strings
+                if isinstance(action_regex, list):
+                    action_patterns.extend(action_regex)
+                else:
+                    action_patterns.append(action_regex)
+
+        if not action_patterns:
+            return actions
+
+        # Filter actions with compiled patterns (cached)
+        filtered = set()
+        for action in actions:
+            should_keep = True
+            for pattern_str in action_patterns:
+                compiled = compile_pattern(pattern_str)
+                if compiled and compiled.search(str(action)):
+                    should_keep = False
+                    break  # Early exit on first match
+
+            if should_keep:
+                filtered.add(action)
+
+        return frozenset(filtered)
+
+    @staticmethod
+    def _matches_pattern(
+        pattern: dict[str, Any],
+        issue: ValidationIssue,
+        filepath: str,
+    ) -> bool:
+        """
+        Check if issue matches a single ignore pattern.
+
+        All fields in pattern must match (AND logic).
+        For list-based fields (like action), ANY match from the list counts (OR logic).
+
+        Args:
+            pattern: Pattern dict with optional fields
+            issue: ValidationIssue to check
+            filepath: Path to policy file
+
+        Returns:
+            True if all fields in pattern match the issue
+
+        Performance:
+            - Early exit on first non-match (AND logic)
+            - Uses cached compiled patterns
+        """
+        for field_name, regex_pattern in pattern.items():
+            # Get actual value from issue based on field name
+            actual_value = IgnorePatternMatcher._get_field_value(field_name, issue, filepath)
+
+            # Handle special case: SID with exact match (no regex)
+            if field_name in ("sid", "statement_sid"):
+                # Support both single string and list of strings
+                if isinstance(regex_pattern, list):
+                    # List of SIDs - exact match or regex
+                    matched = False
+                    for single_sid in regex_pattern:
+                        if isinstance(single_sid, str) and "*" not in single_sid:
+                            # Exact match
+                            if issue.statement_sid == single_sid:
+                                matched = True
+                                break
+                        else:
+                            # Regex match
+                            compiled = compile_pattern(str(single_sid))
+                            if compiled and compiled.search(str(issue.statement_sid or "")):
+                                matched = True
+                                break
+                    if not matched:
+                        return False
+                    continue
+                elif isinstance(regex_pattern, str) and "*" not in regex_pattern:
+                    # Single SID - exact match (not a regex)
+                    if issue.statement_sid != regex_pattern:
+                        return False  # Early exit on non-match
+                    continue
+
+            # Regex match for all other cases
+            if actual_value is None:
+                return False  # Early exit on missing value
+
+            # Support list of patterns (OR logic - any match succeeds)
+            if isinstance(regex_pattern, list):
+                matched = False
+                for single_pattern in regex_pattern:
+                    compiled = compile_pattern(str(single_pattern))
+                    if compiled and compiled.search(str(actual_value)):
+                        matched = True
+                        break  # Found a match in the list
+                if not matched:
+                    return False  # None of the patterns matched
+            else:
+                # Single pattern
+                compiled = compile_pattern(str(regex_pattern))
+                if not compiled or not compiled.search(str(actual_value)):
+                    return False  # Early exit on non-match
+
+        return True  # All fields matched
+
+    @staticmethod
+    def _get_field_value(
+        field_name: str,
+        issue: ValidationIssue,
+        filepath: str,
+    ) -> str | None:
+        """
+        Extract field value from issue or filepath.
+
+        Supports both new (simple) and old (verbose) field names for
+        backward compatibility.
+
+        Args:
+            field_name: Name of the field to extract
+            issue: ValidationIssue to extract from
+            filepath: Policy file path
+
+        Returns:
+            Field value as string, or None if field not recognized
+        """
+        # Normalize field name (support both old and new names)
+        if field_name in ("filepath", "filepath_regex"):
+            return filepath
+        elif field_name in ("action", "action_matches"):
+            return issue.action or ""
+        elif field_name in ("resource", "resource_matches"):
+            return issue.resource or ""
+        elif field_name in ("sid", "statement_sid"):
+            return issue.statement_sid or ""
+        elif field_name in ("condition_key", "condition_key_matches"):
+            return issue.condition_key or ""
+        else:
+            # Unknown field - skip (don't fail)
+            return None
+
+
+# Convenience functions for backward compatibility
+def should_ignore_issue(
+    issue: ValidationIssue,
+    filepath: str,
+    ignore_patterns: list[dict[str, Any]],
+) -> bool:
+    """
+    Convenience function for checking if an issue should be ignored.
+
+    See IgnorePatternMatcher.should_ignore_issue() for details.
+    """
+    return IgnorePatternMatcher.should_ignore_issue(issue, filepath, ignore_patterns)
+
+
+def filter_actions(
+    actions: frozenset[str],
+    ignore_patterns: list[dict[str, Any]],
+) -> frozenset[str]:
+    """
+    Convenience function for filtering actions.
+
+    See IgnorePatternMatcher.filter_actions() for details.
+    """
+    return IgnorePatternMatcher.filter_actions(actions, ignore_patterns)