iam-policy-validator 1.14.0__py3-none-any.whl

iam_validator/checks/condition_type_mismatch.py

@@ -0,0 +1,257 @@
+"""Condition Type Mismatch Check.
+
+Validates that condition operators match the expected types for condition keys and values.
+"""
+
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.condition_validators import (
+    normalize_operator,
+    translate_type,
+    validate_value_for_type,
+)
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ConditionTypeMismatchCheck(PolicyCheck):
+    """Check for type mismatches between operators, keys, and values."""
+
+    check_id: ClassVar[str] = "condition_type_mismatch"
+    description: ClassVar[str] = (
+        "Validates condition operator types match key types and value formats"
+    )
+    default_severity: ClassVar[str] = "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """
+        Execute the condition type mismatch check.
+
+        Validates:
+        1. Operator type matches condition key type
+        2. Condition values match the expected type format
+
+        Args:
+            statement: The IAM statement to check
+            statement_idx: Index of this statement in the policy
+            fetcher: AWS service fetcher for looking up condition key types
+            config: Check configuration
+
+        Returns:
+            List of validation issues found
+        """
+        issues = []
+
+        # Only check statements with conditions
+        if not statement.condition:
+            return issues
+
+        # Skip Null operator - it's special and doesn't need type validation
+        # (Null just checks if a key exists or doesn't exist)
+        skip_operators = {"Null"}
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+
+        # Check each condition operator and its keys/values
+        for operator, conditions in statement.condition.items():
+            # Normalize the operator and get its expected type
+            base_operator, operator_type, _set_prefix = normalize_operator(operator)
+
+            if operator_type is None:
+                # Unknown operator - this will be caught by another check
+                continue
+
+            if base_operator in skip_operators:
+                continue
+
+            # Check each condition key
+            for condition_key, condition_values in conditions.items():
+                # Normalize values to a list
+                values = (
+                    condition_values if isinstance(condition_values, list) else [condition_values]
+                )
+
+                # Get the expected type for this condition key
+                key_type = await self._get_condition_key_type(
+                    fetcher, condition_key, actions, resources
+                )
+
+                if key_type is None:
+                    # Unknown condition key - will be caught by condition_key_validation check
+                    continue
+
+                # Normalize the key type
+                key_type = translate_type(key_type)
+                operator_type = translate_type(operator_type)
+
+                # Special case: String operators with ARN types (usable but not recommended)
+                if operator_type == "String" and key_type == "ARN":
+                    issues.append(
+                        ValidationIssue(
+                            severity="warning",
+                            message=(
+                                f"Type mismatch (usable but not recommended): Operator `{operator}` expects "
+                                f"`{operator_type}` values, but condition key `{condition_key}` is type `{key_type}`. "
+                                f"Consider using an ARN-specific operator like `ArnEquals` or `ArnLike` instead."
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="type_mismatch_usable",
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+                # Check if operator type matches key type
+                elif not self._types_compatible(operator_type, key_type):
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                f"Type mismatch: Operator `{operator}` expects `{operator_type}` values, "
+                                f"but condition key `{condition_key}` is type `{key_type}`."
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="type_mismatch",
+                            condition_key=condition_key,
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
+                # Validate that the values match the expected type format
+                is_valid, error_msg = validate_value_for_type(key_type, values)
+                if not is_valid:
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                f"Invalid value format for condition key `{condition_key}`: {error_msg}"
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="invalid_value_format",
+                            condition_key=condition_key,
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
+        return issues
+
+    async def _get_condition_key_type(
+        self,
+        fetcher: AWSServiceFetcher,
+        condition_key: str,
+        actions: list[str],
+        resources: list[str],
+    ) -> str | None:
+        """
+        Get the expected type for a condition key by checking global keys and service definitions.
+
+        Args:
+            fetcher: AWS service fetcher
+            condition_key: The condition key to look up
+            actions: List of actions from the statement
+            resources: List of resources from the statement
+
+        Returns:
+            Type string or None if not found
+        """
+        from iam_validator.core.config.aws_global_conditions import (  # pylint: disable=import-outside-toplevel
+            get_global_conditions,
+        )
+
+        # Check if it's a global condition key
+        global_conditions = get_global_conditions()
+        key_type = global_conditions.get_key_type(condition_key)
+        if key_type:
+            return key_type
+
+        # Check service-specific and action-specific condition keys
+        for action in actions:
+            if action == "*":
+                continue
+
+            try:
+                service_prefix, action_name = fetcher.parse_action(action)
+                service_detail = await fetcher.fetch_service_by_name(service_prefix)
+
+                # Check service-level condition keys
+                if condition_key in service_detail.condition_keys:
+                    condition_key_obj = service_detail.condition_keys[condition_key]
+                    if condition_key_obj.types:
+                        return condition_key_obj.types[0]
+
+                # Check action-level condition keys
+                if action_name in service_detail.actions:
+                    action_detail = service_detail.actions[action_name]
+
+                    # For action-specific keys, we need to check the service condition keys list
+                    if (
+                        action_detail.action_condition_keys
+                        and condition_key in action_detail.action_condition_keys
+                    ):
+                        if condition_key in service_detail.condition_keys:
+                            condition_key_obj = service_detail.condition_keys[condition_key]
+                            if condition_key_obj.types:
+                                return condition_key_obj.types[0]
+
+                    # Check resource-specific condition keys
+                    if resources and action_detail.resources:
+                        for res_req in action_detail.resources:
+                            resource_name = res_req.get("Name", "")
+                            if not resource_name:
+                                continue
+
+                            resource_type = service_detail.resources.get(resource_name)
+                            if resource_type and resource_type.condition_keys:
+                                if condition_key in resource_type.condition_keys:
+                                    # Resource condition keys reference service condition keys
+                                    if condition_key in service_detail.condition_keys:
+                                        condition_key_obj = service_detail.condition_keys[
+                                            condition_key
+                                        ]
+                                        if condition_key_obj.types:
+                                            return condition_key_obj.types[0]
+
+            except Exception:  # pylint: disable=broad-exception-caught
+                # If we can't look up the action, skip it
+                continue
+
+        return None
+
+    def _types_compatible(self, operator_type: str, key_type: str) -> bool:
+        """
+        Check if an operator type is compatible with a key type.
+
+        Note: String/ARN compatibility is handled separately with a warning,
+        so this method returns False for that combination.
+
+        Args:
+            operator_type: Type expected by the operator
+            key_type: Type of the condition key
+
+        Returns:
+            True if compatible
+        """
+        # Exact match
+        if operator_type == key_type:
+            return True
+
+        # EpochTime can accept both Date and Numeric
+        # (this is a special case mentioned in Parliament)
+        if key_type == "Date" and operator_type == "Numeric":
+            return True
+
+        return False

iam_validator/checks/full_wildcard.py

@@ -0,0 +1,62 @@
+"""Full wildcard check - detects Action: '*' AND Resource: '*' together (critical security risk)."""
+
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class FullWildcardCheck(PolicyCheck):
+    """Checks for both Action: '*' AND Resource: '*' which grants full administrative access."""
+
+    check_id: ClassVar[str] = "full_wildcard"
+    description: ClassVar[str] = (
+        "Checks for both action and resource wildcards together (critical risk)"
+    )
+    default_severity: ClassVar[str] = "critical"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute full wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+
+        # Check for both wildcards together (CRITICAL)
+        if "*" in actions and "*" in resources:
+            message = config.config.get(
+                "message",
+                "Statement allows all actions on all resources - **CRITICAL SECURITY RISK**",
+            )
+            suggestion = config.config.get(
+                "suggestion",
+                "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
+            )
+            example = config.config.get("example", "")
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="security_risk",
+                    message=message,
+                    suggestion=suggestion,
+                    example=example if example else None,
+                    line_number=statement.line_number,
+                    field_name="action",  # Action is primary concern in full wildcard
+                )
+            )
+
+        return issues

iam_validator/checks/mfa_condition_check.py

@@ -0,0 +1,105 @@
+"""MFA Condition Anti-Pattern Check.
+
+Detects dangerous MFA-related condition patterns that may not enforce MFA as intended.
+"""
+
+from typing import ClassVar
+
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class MFAConditionCheck(PolicyCheck):
+    """Check for MFA condition anti-patterns."""
+
+    check_id: ClassVar[str] = "mfa_condition_antipattern"
+    description: ClassVar[str] = "Detects dangerous MFA-related condition patterns"
+    default_severity: ClassVar[str] = "warning"
+
+    async def execute(
+        self, statement: Statement, statement_idx: int, fetcher, config: CheckConfig
+    ) -> list[ValidationIssue]:
+        """
+        Execute the MFA condition anti-pattern check.
+
+        Common anti-patterns:
+        1. Using Bool with aws:MultiFactorAuthPresent = false
+           Problem: The key may not exist in the request, so condition doesn't enforce anything
+
+        2. Using Null with aws:MultiFactorAuthPresent = false
+           Problem: This only checks if the key exists, not if MFA was used
+
+        Args:
+            statement: The IAM statement to check
+            statement_idx: Index of this statement in the policy
+            fetcher: AWS service fetcher (not used in this check)
+            config: Check configuration
+
+        Returns:
+            List of validation issues found
+        """
+        issues = []
+
+        # Only check statements with conditions
+        if not statement.condition:
+            return issues
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Check for anti-pattern #1: Bool with aws:MultiFactorAuthPresent = false
+        bool_conditions = statement.condition.get("Bool", {})
+        for key, value in bool_conditions.items():
+            if key.lower() == "aws:multifactorauthpresent":
+                # Normalize value to list
+                values = value if isinstance(value, list) else [value]
+                # Convert to lowercase strings for comparison
+                values_lower = [str(v).lower() for v in values]
+
+                if "false" in values_lower or False in values:
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                "**Dangerous MFA condition pattern detected.** "
+                                'Using `{"Bool": {"aws:MultiFactorAuthPresent": "false"}}` does not enforce MFA '
+                                "because `aws:MultiFactorAuthPresent` may not exist in the request context. "
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement, '
+                                "or use `BoolIfExists` in a `Deny` statement."
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="mfa_antipattern_bool_false",
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
+        # Check for anti-pattern #2: Null with aws:MultiFactorAuthPresent = false
+        null_conditions = statement.condition.get("Null", {})
+        for key, value in null_conditions.items():
+            if key.lower() == "aws:multifactorauthpresent":
+                # Normalize value to list
+                values = value if isinstance(value, list) else [value]
+                # Convert to lowercase strings for comparison
+                values_lower = [str(v).lower() for v in values]
+
+                if "false" in values_lower or False in values:
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                "**Dangerous MFA condition pattern detected.** "
+                                'Using `{"Null": {"aws:MultiFactorAuthPresent": "false"}}` only checks if the key exists, '
+                                "not whether MFA was actually used. This does not enforce MFA. "
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement instead.'
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="mfa_antipattern_null_false",
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
+        return issues

iam_validator/checks/policy_size.py

@@ -0,0 +1,114 @@
+"""Policy size validation check.
+
+This check validates that IAM policies don't exceed AWS's maximum size limits.
+AWS enforces different size limits based on policy type:
+- Managed policies: 6,144 characters maximum
+- Inline policies for users: 2,048 characters maximum
+- Inline policies for groups: 5,120 characters maximum
+- Inline policies for roles: 10,240 characters maximum
+
+Note: AWS does not count whitespace when calculating policy size.
+"""
+
+import json
+import re
+from typing import TYPE_CHECKING, ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.constants import AWS_POLICY_SIZE_LIMITS
+from iam_validator.core.models import ValidationIssue
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
+
+class PolicySizeCheck(PolicyCheck):
+    """Validates that IAM policies don't exceed AWS size limits."""
+
+    # AWS IAM policy size limits (loaded from constants module)
+    DEFAULT_LIMITS = AWS_POLICY_SIZE_LIMITS
+
+    check_id: ClassVar[str] = "policy_size"
+    description: ClassVar[str] = "Validates that IAM policies don't exceed AWS size limits"
+    default_severity: ClassVar[str] = "error"
+
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """Execute the policy size check on the entire policy.
+
+        This method calculates the policy size (excluding whitespace) and validates
+        it against AWS limits based on the configured policy type.
+
+        Args:
+            policy: The complete IAM policy to validate
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher (unused for this check)
+            config: Configuration for this check instance
+
+        Returns:
+            List of ValidationIssue objects if policy exceeds size limits
+        """
+        del policy_file, fetcher  # Unused
+        issues = []
+
+        # Get the policy type from config (default to managed)
+        policy_type = config.config.get("policy_type", "managed")
+
+        # Get custom limits if provided in config, otherwise use defaults
+        size_limits = config.config.get("size_limits", self.DEFAULT_LIMITS.copy())
+
+        # Determine the applicable limit
+        limit_key = policy_type
+        if limit_key not in size_limits:
+            # If custom policy_type not found, default to managed
+            limit_key = "managed"
+
+        max_size = size_limits[limit_key]
+
+        # Convert policy to JSON and calculate size (excluding whitespace)
+        policy_json = policy.model_dump(by_alias=True, exclude_none=True)
+        policy_string = json.dumps(policy_json, separators=(",", ":"))
+
+        # Remove all whitespace as AWS doesn't count it
+        policy_size = len(re.sub(r"\s+", "", policy_string))
+
+        # Check if policy exceeds the limit
+        if policy_size > max_size:
+            severity = self.get_severity(config)
+
+            # Calculate percentage over limit
+            percentage_over = ((policy_size - max_size) / max_size) * 100
+
+            # Determine policy type description
+            policy_type_desc = {
+                "managed": "managed policy",
+                "inline_user": "inline policy for users",
+                "inline_group": "inline policy for groups",
+                "inline_role": "inline policy for roles",
+            }.get(policy_type, policy_type)
+
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=None,  # Policy-level issue
+                    statement_index=-1,  # -1 indicates policy-level issue
+                    issue_type="policy_size_exceeded",
+                    message=f"Policy size ({policy_size:,} characters) exceeds AWS limit for {policy_type_desc} ({max_size:,} characters)",
+                    suggestion=f"The policy is {policy_size - max_size:,} characters over the limit ({percentage_over:.1f}% too large). Consider:\n"
+                    f"  1. Splitting the policy into multiple smaller policies\n"
+                    f"  2. Using more concise action/resource patterns with wildcards\n"
+                    f"  3. Removing unnecessary statements or conditions\n"
+                    f"  4. For inline policies, consider using managed policies instead\n"
+                    f"\nNote: AWS does not count whitespace in the size calculation.",
+                    line_number=None,
+                )
+            )
+
+        return issues