PyPI - iam-policy-validator - Versions diffs - 1.14.2__tar.gz → 1.14.3__tar.gz - Mend

iam-policy-validator 1.14.2tar.gz → 1.14.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (772) hide show

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.2
+Version: 1.14.3
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/__version__.py RENAMED Viewed

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
-__version__ = "1.14.2"
+__version__ = "1.14.3"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/checks/condition_key_validation.py RENAMED Viewed

@@ -37,7 +37,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
         resources = statement.get_resources()
         # Extract all condition keys from all condition operators
-        for operator, conditions in statement.condition.items():
+        for _, conditions in statement.condition.items():
             for condition_key in conditions.keys():
                 # Validate this condition key against each action in the statement
                 for action in actions:

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/core/aws_service/validators.py RENAMED Viewed

@@ -5,14 +5,104 @@ including actions, condition keys, and ARN formats.
 """
 import logging
+import re
 from dataclasses import dataclass
 from typing import Any
 from iam_validator.core.aws_service.parsers import ServiceParser
+from iam_validator.core.constants import (
+    AWS_TAG_KEY_ALLOWED_CHARS,
+    AWS_TAG_KEY_MAX_LENGTH,
+    AWS_TAG_KEY_PLACEHOLDERS,
+)
 from iam_validator.core.models import ServiceDetail
 logger = logging.getLogger(__name__)
+# Pre-compiled regex for AWS tag key validation
+# Uses centralized constants from iam_validator.core.constants
+_TAG_KEY_PATTERN = re.compile(rf"^[{AWS_TAG_KEY_ALLOWED_CHARS}]{{1,{AWS_TAG_KEY_MAX_LENGTH}}}$")
+def _is_valid_tag_key(tag_key: str) -> bool:
+    """Validate an AWS tag key format.
+    AWS tag keys must:
+    - Be 1-128 characters long
+    - Contain only: letters, numbers, spaces, and + - = . _ : / @
+    - Not be empty
+    Note: The 'aws:' prefix check is not done here as it's for the condition key prefix,
+    not the tag key portion (e.g., in 'ssm:resourceTag/owner', 'owner' is the tag key).
+    Args:
+        tag_key: The tag key portion to validate
+    Returns:
+        True if valid AWS tag key format
+    """
+    if not tag_key or len(tag_key) > AWS_TAG_KEY_MAX_LENGTH:
+        return False
+    return bool(_TAG_KEY_PATTERN.match(tag_key))
+def _matches_condition_key_pattern(condition_key: str, pattern: str) -> bool:
+    """Check if a condition key matches a pattern with tag-key placeholders.
+    AWS service definitions use patterns like:
+    - `ssm:resourceTag/tag-key` or `ssm:resourceTag/${TagKey}` to match `ssm:resourceTag/owner`
+    - `aws:ResourceTag/${TagKey}` to match `aws:ResourceTag/Environment`
+    Args:
+        condition_key: The actual condition key from the policy (e.g., "ssm:resourceTag/owner")
+        pattern: The pattern from AWS service definition (e.g., "ssm:resourceTag/tag-key")
+    Returns:
+        True if condition_key matches the pattern
+    """
+    # Exact match (fast path)
+    if condition_key == pattern:
+        return True
+    # Check for tag-key placeholder patterns
+    for tag_placeholder in AWS_TAG_KEY_PLACEHOLDERS:
+        if tag_placeholder in pattern:
+            # Extract the prefix before the placeholder
+            prefix = pattern.split(tag_placeholder, 1)[0]
+            prefix_with_slash = prefix + "/"
+            # Check if condition_key starts with prefix and has a tag key after it
+            if condition_key.startswith(prefix_with_slash):
+                # Validate tag key format per AWS constraints
+                tag_key = condition_key[len(prefix_with_slash) :]
+                if _is_valid_tag_key(tag_key):
+                    return True
+    return False
+def _condition_key_in_list(condition_key: str, condition_keys: list[str]) -> bool:
+    """Check if a condition key matches any key in the list, supporting patterns.
+    Args:
+        condition_key: The condition key to check
+        condition_keys: List of condition keys (may include patterns)
+    Returns:
+        True if condition_key matches any entry in the list
+    """
+    # Fast path: check for exact match first (most common case)
+    if condition_key in condition_keys:
+        return True
+    # Slower path: check patterns only if no exact match
+    for pattern in condition_keys:
+        # Skip exact matches (already checked above)
+        if pattern == condition_key:
+            continue
+        if _matches_condition_key_pattern(condition_key, pattern):
+            return True
+    return False
 @dataclass
 class ConditionKeyValidationResult:
@@ -134,7 +224,7 @@ class ServiceValidator:
         action: str,
         condition_key: str,
         service_detail: ServiceDetail,
-        resources: list[str] | None = None,
+        resources: list[str] | None = None,  # pylint: disable=unused-argument - kept for API compatibility
     ) -> ConditionKeyValidationResult:
         """Validate condition key against action and optionally resource types.
@@ -173,22 +263,23 @@ class ServiceValidator:
                         error_message=f"Invalid AWS global condition key: `{condition_key}`.",
                     )
-            # Check service-specific condition keys
-            if condition_key in service_detail.condition_keys:
+            # Check service-specific condition keys (with pattern matching for tag keys)
+            if service_detail.condition_keys and _condition_key_in_list(
+                condition_key, list(service_detail.condition_keys.keys())
+            ):
                 return ConditionKeyValidationResult(is_valid=True)
             # Check action-specific condition keys
             if action_name in service_detail.actions:
                 action_detail = service_detail.actions[action_name]
-                if (
-                    action_detail.action_condition_keys
-                    and condition_key in action_detail.action_condition_keys
+                if action_detail.action_condition_keys and _condition_key_in_list(
+                    condition_key, action_detail.action_condition_keys
                 ):
                     return ConditionKeyValidationResult(is_valid=True)
                 # Check resource-specific condition keys
                 # Get resource types required by this action
-                if resources and action_detail.resources:
+                if action_detail.resources:
                     for res_req in action_detail.resources:
                         resource_name = res_req.get("Name", "")
                         if not resource_name:
@@ -197,7 +288,7 @@ class ServiceValidator:
                         # Look up resource type definition
                         resource_type = service_detail.resources.get(resource_name)
                         if resource_type and resource_type.condition_keys:
-                            if condition_key in resource_type.condition_keys:
+                            if _condition_key_in_list(condition_key, resource_type.condition_keys):
                                 return ConditionKeyValidationResult(is_valid=True)
                 # If it's a global key but the action has specific condition keys defined,

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/core/config/aws_global_conditions.py RENAMED Viewed

@@ -11,6 +11,8 @@ Last updated: 2025-01-17
 import re
 from typing import Any
+from iam_validator.core.constants import AWS_TAG_KEY_ALLOWED_CHARS
 # AWS Global Condition Keys with Type Information
 # These condition keys are available for use in IAM policies across all AWS services
 # Format: {key: type} where type is one of: String, ARN, Bool, Date, IPAddress, Numeric
@@ -71,17 +73,18 @@ AWS_GLOBAL_CONDITION_KEYS = {
 # Patterns that should be recognized (wildcards and tag-based keys)
 # These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
+# Uses centralized tag key character class from constants
 AWS_CONDITION_KEY_PATTERNS = [
     {
-        "pattern": r"^aws:RequestTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tag keys in the request (for tag-based access control)",
     },
     {
-        "pattern": r"^aws:ResourceTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags on the resource being accessed",
     },
     {
-        "pattern": r"^aws:PrincipalTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags attached to the principal making the request",
     },
 ]
@@ -154,7 +157,8 @@ _global_conditions_instance = None
 def get_global_conditions() -> AWSGlobalConditions:
     """Get singleton instance of AWSGlobalConditions."""
-    global _global_conditions_instance
+    global _global_conditions_instance  # pylint: disable=global-statement
     if _global_conditions_instance is None:
         _global_conditions_instance = AWSGlobalConditions()
     return _global_conditions_instance

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/core/constants.py RENAMED Viewed

@@ -147,3 +147,32 @@ RCP_SUPPORTED_SERVICES = frozenset(
 # AWS Service Authorization Reference (for finding valid actions, resources, and condition keys)
 AWS_SERVICE_AUTH_REF_URL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
+# ============================================================================
+# AWS Tag Constraints
+# ============================================================================
+# Reference: https://docs.aws.amazon.com/tag-editor/latest/userguide/best-practices-and-strats.html
+# --- Tag Key Constraints ---
+# Allowed characters in AWS tag keys: letters, numbers, spaces, and + - = . _ : / @
+# This is the character class for use in regex patterns
+AWS_TAG_KEY_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+# Maximum length for AWS tag keys (per AWS documentation)
+AWS_TAG_KEY_MAX_LENGTH = 128
+# Tag-key placeholder patterns used in AWS service definitions
+# These patterns indicate where a tag key should be substituted
+AWS_TAG_KEY_PLACEHOLDERS = ("/tag-key", "/${TagKey}", "/${tag-key}")
+# --- Tag Value Constraints ---
+# Allowed characters in AWS tag values: letters, numbers, spaces, and + - = . _ : / @
+# Same character set as tag keys
+AWS_TAG_VALUE_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+# Maximum length for AWS tag values (per AWS documentation)
+# Note: Tag values can be empty (minimum 0), unlike keys which must have at least 1 char
+AWS_TAG_VALUE_MAX_LENGTH = 256
+# Minimum length for AWS tag values (can be empty)
+AWS_TAG_VALUE_MIN_LENGTH = 0

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/iam_validator/integrations/github_integration.py RENAMED Viewed

@@ -34,7 +34,7 @@ class GitHubRateLimitError(Exception):
 class GitHubRetryableError(Exception):
     """Raised for transient GitHub API errors that should be retried."""
-    pass
+    pass  # pylint: disable=unnecessary-pass
 # Retry configuration

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.3}/tests/checks/test_condition_key_validation_check.py RENAMED Viewed

@@ -449,3 +449,198 @@ class TestConditionKeyValidationCheck:
                 "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point",
             ],
         )
+class TestConditionKeyPatternMatching:
+    """Test pattern matching for service-specific condition keys like ssm:resourceTag/tag-key."""
+    @pytest.mark.asyncio
+    async def test_ssm_resource_tag_pattern_matching(self):
+        """Test that ssm:resourceTag/owner matches ssm:resourceTag/tag-key pattern."""
+        from iam_validator.core.aws_service.validators import _matches_condition_key_pattern
+        # These should match the ssm:resourceTag/tag-key pattern
+        assert _matches_condition_key_pattern("ssm:resourceTag/owner", "ssm:resourceTag/tag-key")
+        assert _matches_condition_key_pattern(
+            "ssm:resourceTag/Environment", "ssm:resourceTag/tag-key"
+        )
+        assert _matches_condition_key_pattern(
+            "ssm:resourceTag/CostCenter", "ssm:resourceTag/tag-key"
+        )
+        # Exact match should also work
+        assert _matches_condition_key_pattern("ssm:Overwrite", "ssm:Overwrite")
+        # Non-matching patterns should fail
+        assert not _matches_condition_key_pattern("ssm:resourceTag/owner", "ssm:Overwrite")
+        assert not _matches_condition_key_pattern("ssm:invalid", "ssm:resourceTag/tag-key")
+    @pytest.mark.asyncio
+    async def test_aws_tag_pattern_matching(self):
+        """Test that aws:ResourceTag/owner matches aws:ResourceTag/${TagKey} pattern."""
+        from iam_validator.core.aws_service.validators import _matches_condition_key_pattern
+        # These should match the ${TagKey} pattern
+        assert _matches_condition_key_pattern(
+            "aws:ResourceTag/owner", "aws:ResourceTag/${TagKey}"
+        )
+        assert _matches_condition_key_pattern(
+            "aws:RequestTag/Department", "aws:RequestTag/${TagKey}"
+        )
+    @pytest.mark.asyncio
+    async def test_condition_key_in_list(self):
+        """Test _condition_key_in_list helper function."""
+        from iam_validator.core.aws_service.validators import _condition_key_in_list
+        condition_keys = [
+            "aws:ResourceTag/${TagKey}",
+            "ssm:resourceTag/tag-key",
+            "ssm:Overwrite",
+            "ssm:Policies",
+        ]
+        # Should match pattern-based keys
+        assert _condition_key_in_list("ssm:resourceTag/owner", condition_keys)
+        assert _condition_key_in_list("aws:ResourceTag/Environment", condition_keys)
+        # Should match exact keys
+        assert _condition_key_in_list("ssm:Overwrite", condition_keys)
+        assert _condition_key_in_list("ssm:Policies", condition_keys)
+        # Should not match invalid keys
+        assert not _condition_key_in_list("ssm:InvalidKey", condition_keys)
+        assert not _condition_key_in_list("invalid:key", condition_keys)
+    @pytest.mark.asyncio
+    async def test_ssm_put_parameter_with_resource_tag(self):
+        """Integration test: ssm:resourceTag/owner should be valid for ssm:PutParameter."""
+        from iam_validator.core.aws_service import AWSServiceFetcher
+        async with AWSServiceFetcher() as fetcher:
+            # Test that ssm:resourceTag/owner is now valid for ssm:PutParameter
+            result = await fetcher.validate_condition_key(
+                "ssm:PutParameter",
+                "ssm:resourceTag/owner",
+                ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
+            )
+            assert result.is_valid is True
+            assert result.error_message is None
+    @pytest.mark.asyncio
+    async def test_invalid_ssm_condition_key(self):
+        """Integration test: invalid condition keys should still be rejected."""
+        from iam_validator.core.aws_service import AWSServiceFetcher
+        async with AWSServiceFetcher() as fetcher:
+            # Test that truly invalid keys are still rejected
+            result = await fetcher.validate_condition_key(
+                "ssm:PutParameter",
+                "ssm:completelyInvalidKey",
+                ["arn:aws:ssm:us-east-1:123456789012:parameter/test"],
+            )
+            assert result.is_valid is False
+            assert result.error_message is not None
+class TestTagKeyValidation:
+    """Test AWS tag key format validation."""
+    def test_valid_tag_keys(self):
+        """Test that valid AWS tag keys are accepted."""
+        from iam_validator.core.aws_service.validators import _is_valid_tag_key
+        # Standard alphanumeric tag keys
+        assert _is_valid_tag_key("owner")
+        assert _is_valid_tag_key("Environment")
+        assert _is_valid_tag_key("CostCenter")
+        assert _is_valid_tag_key("Project123")
+        # Tag keys with allowed special characters
+        assert _is_valid_tag_key("cost-center")
+        assert _is_valid_tag_key("project_name")
+        assert _is_valid_tag_key("env.type")
+        assert _is_valid_tag_key("team:backend")
+        assert _is_valid_tag_key("path/to/resource")
+        assert _is_valid_tag_key("email@domain")
+        assert _is_valid_tag_key("key+value")
+        assert _is_valid_tag_key("key=value")
+        # Tag keys with spaces (allowed by AWS)
+        assert _is_valid_tag_key("Cost Center")
+        assert _is_valid_tag_key("Project Name")
+        # Mixed special characters
+        assert _is_valid_tag_key("my-project_v2.0:prod/main@team+alpha")
+    def test_invalid_tag_keys(self):
+        """Test that invalid AWS tag keys are rejected."""
+        from iam_validator.core.aws_service.validators import _is_valid_tag_key
+        # Empty tag key
+        assert not _is_valid_tag_key("")
+        # Tag keys with invalid characters
+        assert not _is_valid_tag_key("key<value")
+        assert not _is_valid_tag_key("key>value")
+        assert not _is_valid_tag_key("key&value")
+        assert not _is_valid_tag_key("key|value")
+        assert not _is_valid_tag_key("key\\value")
+        assert not _is_valid_tag_key("key*value")
+        assert not _is_valid_tag_key("key?value")
+        assert not _is_valid_tag_key("key#value")
+        assert not _is_valid_tag_key("key$value")
+        assert not _is_valid_tag_key("key%value")
+        assert not _is_valid_tag_key("key^value")
+        assert not _is_valid_tag_key("key!value")
+        assert not _is_valid_tag_key("key`value")
+        assert not _is_valid_tag_key("key~value")
+        assert not _is_valid_tag_key("key(value)")
+        assert not _is_valid_tag_key("key[value]")
+        assert not _is_valid_tag_key("key{value}")
+        assert not _is_valid_tag_key('key"value')
+        assert not _is_valid_tag_key("key'value")
+    def test_tag_key_length_limits(self):
+        """Test AWS tag key length constraints (1-128 characters)."""
+        from iam_validator.core.aws_service.validators import _is_valid_tag_key
+        # Minimum length (1 character)
+        assert _is_valid_tag_key("a")
+        # Maximum length (128 characters)
+        assert _is_valid_tag_key("a" * 128)
+        # Over maximum length (129 characters)
+        assert not _is_valid_tag_key("a" * 129)
+        # Way over maximum
+        assert not _is_valid_tag_key("a" * 500)
+    def test_pattern_matching_rejects_invalid_tag_keys(self):
+        """Test that pattern matching rejects condition keys with invalid tag key formats."""
+        from iam_validator.core.aws_service.validators import _matches_condition_key_pattern
+        # Invalid characters in tag key portion should not match
+        assert not _matches_condition_key_pattern(
+            "ssm:resourceTag/invalid<tag", "ssm:resourceTag/tag-key"
+        )
+        assert not _matches_condition_key_pattern(
+            "aws:ResourceTag/bad*key", "aws:ResourceTag/${TagKey}"
+        )
+        assert not _matches_condition_key_pattern(
+            "ssm:resourceTag/has#hash", "ssm:resourceTag/tag-key"
+        )
+        # Empty tag key should not match
+        assert not _matches_condition_key_pattern(
+            "ssm:resourceTag/", "ssm:resourceTag/tag-key"
+        )
+        # Tag key exceeding 128 characters should not match
+        long_tag_key = "a" * 129
+        assert not _matches_condition_key_pattern(
+            f"ssm:resourceTag/{long_tag_key}", "ssm:resourceTag/tag-key"
+        )