iam-policy-validator 1.14.2__py3-none-any.whl → 1.14.3__py3-none-any.whl

{iam_policy_validator-1.14.2.dist-info → iam_policy_validator-1.14.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.2
+Version: 1.14.3
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.2.dist-info → iam_policy_validator-1.14.3.dist-info}/RECORD

@@ -1,11 +1,11 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=aKdF7mPOKj0H8xIHMqcgUIdAMplJ350c2A8EWCObeRY,374
+iam_validator/__version__.py,sha256=Gm8njL8lXkcG-nPd19SPPxnjvafHZUsjluEm-8FCYvo,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
 iam_validator/checks/action_validation.py,sha256=glA2F3iQBU-d8rruiyB9IdzVOESC2Kb-91SnwRCdQF0,2562
-iam_validator/checks/condition_key_validation.py,sha256=u9eCxI_OjkWqK_KcgPPxu4ZO16E9pqjK8CDiW7QbvZ4,4031
+iam_validator/checks/condition_key_validation.py,sha256=5i8LqqV78SjWK6pLrbttWmeMAD4pDC12_FjTjx5dFSU,4024
 iam_validator/checks/condition_type_mismatch.py,sha256=KJp7zQHDd8VeTcfjcD-ur3S4070cXEDTWkFtxfp7CuE,10652
 iam_validator/checks/full_wildcard.py,sha256=0TkkHtV0MZ6nZtJRtGdn3wwOMM96TRyGO7l7mmdHNUo,2325
 iam_validator/checks/mfa_condition_check.py,sha256=y1LbqcvQ_fL2BPTNaKRQoBYM5hM7JET9cDPUOWKFEVs,4814
@@ -43,7 +43,7 @@ iam_validator/core/check_registry.py,sha256=oRCdWoCGQ8VZERVYd821u9r5NdKQ9FMC54e6
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
-iam_validator/core/constants.py,sha256=tHAZwINyB1wj_l5ZjnhFZ_LIA8S2C5lF-9CZtKijFac,6192
+iam_validator/core/constants.py,sha256=YRT_uOUs1Dnt9J1hE-zG6Ja0numsH4Mf7RNNXNJWZIY,7447
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
@@ -62,10 +62,10 @@ iam_validator/core/aws_service/fetcher.py,sha256=TD9qQ4tQF4xdEGhVVADGgF8QlXe15R3
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
 iam_validator/core/aws_service/storage.py,sha256=PrfKdvF60IL7E_8xYs_XwFoAJPRcVYw57FVLHCoqwVk,10429
-iam_validator/core/aws_service/validators.py,sha256=L9XRJdGmR-vZ1r0bj5SCznULyKEY_G1OAjij7-kOZPM,16463
+iam_validator/core/aws_service/validators.py,sha256=7izAvL92TsWpQePU7g9qvegT_F2xz8CqpbrnSgE40Xg,19890
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
+iam_validator/core/config/aws_global_conditions.py,sha256=PO3zMdzM_QWZduxL3lV2nrmpcMEEwKASCUYHcqX0LBg,7363
 iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
 iam_validator/core/config/check_documentation.py,sha256=Adyt3Q4JSRlVNPWulXVlRIEorxXG_nt0mkPz_ySa8y4,15931
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
@@ -85,7 +85,7 @@ iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFV
 iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=03MHSyuZm9FlzaPeWg7wH-UTzzCDhSy6vMPrFpFNkS8,18884
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=2pOjTVsLMymx-wU31Ly7JqODgNXf5U7lvteVqBpaRgE,67913
+iam_validator/integrations/github_integration.py,sha256=OZjVFkeEK0PYerqHFOuc0tFtTMmo78JhbqZgFduzq-8,67949
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
 iam_validator/sdk/__init__.py,sha256=AZLnfdn3A9AWb0pMhsbu3GAOAzt6rV7Fi3E3d9_3ZdI,6388
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
@@ -99,8 +99,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.14.2.dist-info/METADATA,sha256=63ruVMh-1wI_vzVi2Elo6UC6LlmTbyZ7q1vr_-9n_rg,34456
-iam_policy_validator-1.14.2.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.14.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.14.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.14.2.dist-info/RECORD,,
+iam_policy_validator-1.14.3.dist-info/METADATA,sha256=aH2RAojXqwEay7CKD89eRTVCHphTpvyXON4XUdMcRfg,34456
+iam_policy_validator-1.14.3.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.14.3.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.14.3.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.14.3.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.2"
+__version__ = "1.14.3"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/condition_key_validation.py

@@ -37,7 +37,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
         resources = statement.get_resources()
 
         # Extract all condition keys from all condition operators
-        for operator, conditions in statement.condition.items():
+        for _, conditions in statement.condition.items():
             for condition_key in conditions.keys():
                 # Validate this condition key against each action in the statement
                 for action in actions:

iam_validator/core/aws_service/validators.py

@@ -5,14 +5,104 @@ including actions, condition keys, and ARN formats.
 """
 
 import logging
+import re
 from dataclasses import dataclass
 from typing import Any
 
 from iam_validator.core.aws_service.parsers import ServiceParser
+from iam_validator.core.constants import (
+    AWS_TAG_KEY_ALLOWED_CHARS,
+    AWS_TAG_KEY_MAX_LENGTH,
+    AWS_TAG_KEY_PLACEHOLDERS,
+)
 from iam_validator.core.models import ServiceDetail
 
 logger = logging.getLogger(__name__)
 
+# Pre-compiled regex for AWS tag key validation
+# Uses centralized constants from iam_validator.core.constants
+_TAG_KEY_PATTERN = re.compile(rf"^[{AWS_TAG_KEY_ALLOWED_CHARS}]{{1,{AWS_TAG_KEY_MAX_LENGTH}}}$")
+
+
+def _is_valid_tag_key(tag_key: str) -> bool:
+    """Validate an AWS tag key format.
+
+    AWS tag keys must:
+    - Be 1-128 characters long
+    - Contain only: letters, numbers, spaces, and + - = . _ : / @
+    - Not be empty
+
+    Note: The 'aws:' prefix check is not done here as it's for the condition key prefix,
+    not the tag key portion (e.g., in 'ssm:resourceTag/owner', 'owner' is the tag key).
+
+    Args:
+        tag_key: The tag key portion to validate
+
+    Returns:
+        True if valid AWS tag key format
+    """
+    if not tag_key or len(tag_key) > AWS_TAG_KEY_MAX_LENGTH:
+        return False
+    return bool(_TAG_KEY_PATTERN.match(tag_key))
+
+
+def _matches_condition_key_pattern(condition_key: str, pattern: str) -> bool:
+    """Check if a condition key matches a pattern with tag-key placeholders.
+
+    AWS service definitions use patterns like:
+    - `ssm:resourceTag/tag-key` or `ssm:resourceTag/${TagKey}` to match `ssm:resourceTag/owner`
+    - `aws:ResourceTag/${TagKey}` to match `aws:ResourceTag/Environment`
+
+    Args:
+        condition_key: The actual condition key from the policy (e.g., "ssm:resourceTag/owner")
+        pattern: The pattern from AWS service definition (e.g., "ssm:resourceTag/tag-key")
+
+    Returns:
+        True if condition_key matches the pattern
+    """
+    # Exact match (fast path)
+    if condition_key == pattern:
+        return True
+
+    # Check for tag-key placeholder patterns
+    for tag_placeholder in AWS_TAG_KEY_PLACEHOLDERS:
+        if tag_placeholder in pattern:
+            # Extract the prefix before the placeholder
+            prefix = pattern.split(tag_placeholder, 1)[0]
+            prefix_with_slash = prefix + "/"
+            # Check if condition_key starts with prefix and has a tag key after it
+            if condition_key.startswith(prefix_with_slash):
+                # Validate tag key format per AWS constraints
+                tag_key = condition_key[len(prefix_with_slash) :]
+                if _is_valid_tag_key(tag_key):
+                    return True
+
+    return False
+
+
+def _condition_key_in_list(condition_key: str, condition_keys: list[str]) -> bool:
+    """Check if a condition key matches any key in the list, supporting patterns.
+
+    Args:
+        condition_key: The condition key to check
+        condition_keys: List of condition keys (may include patterns)
+
+    Returns:
+        True if condition_key matches any entry in the list
+    """
+    # Fast path: check for exact match first (most common case)
+    if condition_key in condition_keys:
+        return True
+
+    # Slower path: check patterns only if no exact match
+    for pattern in condition_keys:
+        # Skip exact matches (already checked above)
+        if pattern == condition_key:
+            continue
+        if _matches_condition_key_pattern(condition_key, pattern):
+            return True
+    return False
+
 
 @dataclass
 class ConditionKeyValidationResult:
@@ -134,7 +224,7 @@ class ServiceValidator:
         action: str,
         condition_key: str,
         service_detail: ServiceDetail,
-        resources: list[str] | None = None,
+        resources: list[str] | None = None,  # pylint: disable=unused-argument - kept for API compatibility
     ) -> ConditionKeyValidationResult:
         """Validate condition key against action and optionally resource types.
 
@@ -173,22 +263,23 @@ class ServiceValidator:
                         error_message=f"Invalid AWS global condition key: `{condition_key}`.",
                     )
 
-            # Check service-specific condition keys
-            if condition_key in service_detail.condition_keys:
+            # Check service-specific condition keys (with pattern matching for tag keys)
+            if service_detail.condition_keys and _condition_key_in_list(
+                condition_key, list(service_detail.condition_keys.keys())
+            ):
                 return ConditionKeyValidationResult(is_valid=True)
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
                 action_detail = service_detail.actions[action_name]
-                if (
-                    action_detail.action_condition_keys
-                    and condition_key in action_detail.action_condition_keys
+                if action_detail.action_condition_keys and _condition_key_in_list(
+                    condition_key, action_detail.action_condition_keys
                 ):
                     return ConditionKeyValidationResult(is_valid=True)
 
                 # Check resource-specific condition keys
                 # Get resource types required by this action
-                if resources and action_detail.resources:
+                if action_detail.resources:
                     for res_req in action_detail.resources:
                         resource_name = res_req.get("Name", "")
                         if not resource_name:
@@ -197,7 +288,7 @@ class ServiceValidator:
                         # Look up resource type definition
                         resource_type = service_detail.resources.get(resource_name)
                         if resource_type and resource_type.condition_keys:
-                            if condition_key in resource_type.condition_keys:
+                            if _condition_key_in_list(condition_key, resource_type.condition_keys):
                                 return ConditionKeyValidationResult(is_valid=True)
 
                 # If it's a global key but the action has specific condition keys defined,

iam_validator/core/config/aws_global_conditions.py

@@ -11,6 +11,8 @@ Last updated: 2025-01-17
 import re
 from typing import Any
 
+from iam_validator.core.constants import AWS_TAG_KEY_ALLOWED_CHARS
+
 # AWS Global Condition Keys with Type Information
 # These condition keys are available for use in IAM policies across all AWS services
 # Format: {key: type} where type is one of: String, ARN, Bool, Date, IPAddress, Numeric
@@ -71,17 +73,18 @@ AWS_GLOBAL_CONDITION_KEYS = {
 
 # Patterns that should be recognized (wildcards and tag-based keys)
 # These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
+# Uses centralized tag key character class from constants
 AWS_CONDITION_KEY_PATTERNS = [
     {
-        "pattern": r"^aws:RequestTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tag keys in the request (for tag-based access control)",
     },
     {
-        "pattern": r"^aws:ResourceTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags on the resource being accessed",
     },
     {
-        "pattern": r"^aws:PrincipalTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags attached to the principal making the request",
     },
 ]
@@ -154,7 +157,8 @@ _global_conditions_instance = None
 
 def get_global_conditions() -> AWSGlobalConditions:
     """Get singleton instance of AWSGlobalConditions."""
-    global _global_conditions_instance
+    global _global_conditions_instance  # pylint: disable=global-statement
+
     if _global_conditions_instance is None:
         _global_conditions_instance = AWSGlobalConditions()
     return _global_conditions_instance

iam_validator/core/constants.py

@@ -147,3 +147,32 @@ RCP_SUPPORTED_SERVICES = frozenset(
 
 # AWS Service Authorization Reference (for finding valid actions, resources, and condition keys)
 AWS_SERVICE_AUTH_REF_URL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
+
+# ============================================================================
+# AWS Tag Constraints
+# ============================================================================
+# Reference: https://docs.aws.amazon.com/tag-editor/latest/userguide/best-practices-and-strats.html
+
+# --- Tag Key Constraints ---
+# Allowed characters in AWS tag keys: letters, numbers, spaces, and + - = . _ : / @
+# This is the character class for use in regex patterns
+AWS_TAG_KEY_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+
+# Maximum length for AWS tag keys (per AWS documentation)
+AWS_TAG_KEY_MAX_LENGTH = 128
+
+# Tag-key placeholder patterns used in AWS service definitions
+# These patterns indicate where a tag key should be substituted
+AWS_TAG_KEY_PLACEHOLDERS = ("/tag-key", "/${TagKey}", "/${tag-key}")
+
+# --- Tag Value Constraints ---
+# Allowed characters in AWS tag values: letters, numbers, spaces, and + - = . _ : / @
+# Same character set as tag keys
+AWS_TAG_VALUE_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+
+# Maximum length for AWS tag values (per AWS documentation)
+# Note: Tag values can be empty (minimum 0), unlike keys which must have at least 1 char
+AWS_TAG_VALUE_MAX_LENGTH = 256
+
+# Minimum length for AWS tag values (can be empty)
+AWS_TAG_VALUE_MIN_LENGTH = 0

iam_validator/integrations/github_integration.py

@@ -34,7 +34,7 @@ class GitHubRateLimitError(Exception):
 class GitHubRetryableError(Exception):
     """Raised for transient GitHub API errors that should be retried."""
 
-    pass
+    pass  # pylint: disable=unnecessary-pass
 
 
 # Retry configuration