iam-policy-validator 1.14.2__tar.gz → 1.14.4__tar.gz

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.2
+Version: 1.14.4
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.2"
+__version__ = "1.14.4"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/checks/condition_key_validation.py

@@ -37,7 +37,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
         resources = statement.get_resources()
 
         # Extract all condition keys from all condition operators
-        for operator, conditions in statement.condition.items():
+        for _, conditions in statement.condition.items():
             for condition_key in conditions.keys():
                 # Validate this condition key against each action in the statement
                 for action in actions:

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/core/aws_service/validators.py

@@ -5,14 +5,104 @@ including actions, condition keys, and ARN formats.
 """
 
 import logging
+import re
 from dataclasses import dataclass
 from typing import Any
 
 from iam_validator.core.aws_service.parsers import ServiceParser
+from iam_validator.core.constants import (
+    AWS_TAG_KEY_ALLOWED_CHARS,
+    AWS_TAG_KEY_MAX_LENGTH,
+    AWS_TAG_KEY_PLACEHOLDERS,
+)
 from iam_validator.core.models import ServiceDetail
 
 logger = logging.getLogger(__name__)
 
+# Pre-compiled regex for AWS tag key validation
+# Uses centralized constants from iam_validator.core.constants
+_TAG_KEY_PATTERN = re.compile(rf"^[{AWS_TAG_KEY_ALLOWED_CHARS}]{{1,{AWS_TAG_KEY_MAX_LENGTH}}}$")
+
+
+def _is_valid_tag_key(tag_key: str) -> bool:
+    """Validate an AWS tag key format.
+
+    AWS tag keys must:
+    - Be 1-128 characters long
+    - Contain only: letters, numbers, spaces, and + - = . _ : / @
+    - Not be empty
+
+    Note: The 'aws:' prefix check is not done here as it's for the condition key prefix,
+    not the tag key portion (e.g., in 'ssm:resourceTag/owner', 'owner' is the tag key).
+
+    Args:
+        tag_key: The tag key portion to validate
+
+    Returns:
+        True if valid AWS tag key format
+    """
+    if not tag_key or len(tag_key) > AWS_TAG_KEY_MAX_LENGTH:
+        return False
+    return bool(_TAG_KEY_PATTERN.match(tag_key))
+
+
+def _matches_condition_key_pattern(condition_key: str, pattern: str) -> bool:
+    """Check if a condition key matches a pattern with tag-key placeholders.
+
+    AWS service definitions use patterns like:
+    - `ssm:resourceTag/tag-key` or `ssm:resourceTag/${TagKey}` to match `ssm:resourceTag/owner`
+    - `aws:ResourceTag/${TagKey}` to match `aws:ResourceTag/Environment`
+
+    Args:
+        condition_key: The actual condition key from the policy (e.g., "ssm:resourceTag/owner")
+        pattern: The pattern from AWS service definition (e.g., "ssm:resourceTag/tag-key")
+
+    Returns:
+        True if condition_key matches the pattern
+    """
+    # Exact match (fast path)
+    if condition_key == pattern:
+        return True
+
+    # Check for tag-key placeholder patterns
+    for tag_placeholder in AWS_TAG_KEY_PLACEHOLDERS:
+        if tag_placeholder in pattern:
+            # Extract the prefix before the placeholder
+            prefix = pattern.split(tag_placeholder, 1)[0]
+            prefix_with_slash = prefix + "/"
+            # Check if condition_key starts with prefix and has a tag key after it
+            if condition_key.startswith(prefix_with_slash):
+                # Validate tag key format per AWS constraints
+                tag_key = condition_key[len(prefix_with_slash) :]
+                if _is_valid_tag_key(tag_key):
+                    return True
+
+    return False
+
+
+def _condition_key_in_list(condition_key: str, condition_keys: list[str]) -> bool:
+    """Check if a condition key matches any key in the list, supporting patterns.
+
+    Args:
+        condition_key: The condition key to check
+        condition_keys: List of condition keys (may include patterns)
+
+    Returns:
+        True if condition_key matches any entry in the list
+    """
+    # Fast path: check for exact match first (most common case)
+    if condition_key in condition_keys:
+        return True
+
+    # Slower path: check patterns only if no exact match
+    for pattern in condition_keys:
+        # Skip exact matches (already checked above)
+        if pattern == condition_key:
+            continue
+        if _matches_condition_key_pattern(condition_key, pattern):
+            return True
+    return False
+
 
 @dataclass
 class ConditionKeyValidationResult:
@@ -134,7 +224,7 @@ class ServiceValidator:
         action: str,
         condition_key: str,
         service_detail: ServiceDetail,
-        resources: list[str] | None = None,
+        resources: list[str] | None = None,  # pylint: disable=unused-argument - kept for API compatibility
     ) -> ConditionKeyValidationResult:
         """Validate condition key against action and optionally resource types.
 
@@ -173,22 +263,23 @@ class ServiceValidator:
                         error_message=f"Invalid AWS global condition key: `{condition_key}`.",
                     )
 
-            # Check service-specific condition keys
-            if condition_key in service_detail.condition_keys:
+            # Check service-specific condition keys (with pattern matching for tag keys)
+            if service_detail.condition_keys and _condition_key_in_list(
+                condition_key, list(service_detail.condition_keys.keys())
+            ):
                 return ConditionKeyValidationResult(is_valid=True)
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
                 action_detail = service_detail.actions[action_name]
-                if (
-                    action_detail.action_condition_keys
-                    and condition_key in action_detail.action_condition_keys
+                if action_detail.action_condition_keys and _condition_key_in_list(
+                    condition_key, action_detail.action_condition_keys
                 ):
                     return ConditionKeyValidationResult(is_valid=True)
 
                 # Check resource-specific condition keys
                 # Get resource types required by this action
-                if resources and action_detail.resources:
+                if action_detail.resources:
                     for res_req in action_detail.resources:
                         resource_name = res_req.get("Name", "")
                         if not resource_name:
@@ -197,7 +288,7 @@ class ServiceValidator:
                         # Look up resource type definition
                         resource_type = service_detail.resources.get(resource_name)
                         if resource_type and resource_type.condition_keys:
-                            if condition_key in resource_type.condition_keys:
+                            if _condition_key_in_list(condition_key, resource_type.condition_keys):
                                 return ConditionKeyValidationResult(is_valid=True)
 
                 # If it's a global key but the action has specific condition keys defined,

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/core/config/aws_global_conditions.py

@@ -11,6 +11,8 @@ Last updated: 2025-01-17
 import re
 from typing import Any
 
+from iam_validator.core.constants import AWS_TAG_KEY_ALLOWED_CHARS
+
 # AWS Global Condition Keys with Type Information
 # These condition keys are available for use in IAM policies across all AWS services
 # Format: {key: type} where type is one of: String, ARN, Bool, Date, IPAddress, Numeric
@@ -71,17 +73,18 @@ AWS_GLOBAL_CONDITION_KEYS = {
 
 # Patterns that should be recognized (wildcards and tag-based keys)
 # These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
+# Uses centralized tag key character class from constants
 AWS_CONDITION_KEY_PATTERNS = [
     {
-        "pattern": r"^aws:RequestTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tag keys in the request (for tag-based access control)",
     },
     {
-        "pattern": r"^aws:ResourceTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags on the resource being accessed",
     },
     {
-        "pattern": r"^aws:PrincipalTag/[a-zA-Z0-9+\-=._:/@]+$",
+        "pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags attached to the principal making the request",
     },
 ]
@@ -154,7 +157,8 @@ _global_conditions_instance = None
 
 def get_global_conditions() -> AWSGlobalConditions:
     """Get singleton instance of AWSGlobalConditions."""
-    global _global_conditions_instance
+    global _global_conditions_instance  # pylint: disable=global-statement
+
     if _global_conditions_instance is None:
         _global_conditions_instance = AWSGlobalConditions()
     return _global_conditions_instance

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/core/constants.py

@@ -147,3 +147,32 @@ RCP_SUPPORTED_SERVICES = frozenset(
 
 # AWS Service Authorization Reference (for finding valid actions, resources, and condition keys)
 AWS_SERVICE_AUTH_REF_URL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
+
+# ============================================================================
+# AWS Tag Constraints
+# ============================================================================
+# Reference: https://docs.aws.amazon.com/tag-editor/latest/userguide/best-practices-and-strats.html
+
+# --- Tag Key Constraints ---
+# Allowed characters in AWS tag keys: letters, numbers, spaces, and + - = . _ : / @
+# This is the character class for use in regex patterns
+AWS_TAG_KEY_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+
+# Maximum length for AWS tag keys (per AWS documentation)
+AWS_TAG_KEY_MAX_LENGTH = 128
+
+# Tag-key placeholder patterns used in AWS service definitions
+# These patterns indicate where a tag key should be substituted
+AWS_TAG_KEY_PLACEHOLDERS = ("/tag-key", "/${TagKey}", "/${tag-key}")
+
+# --- Tag Value Constraints ---
+# Allowed characters in AWS tag values: letters, numbers, spaces, and + - = . _ : / @
+# Same character set as tag keys
+AWS_TAG_VALUE_ALLOWED_CHARS = r"a-zA-Z0-9 +\-=._:/@"
+
+# Maximum length for AWS tag values (per AWS documentation)
+# Note: Tag values can be empty (minimum 0), unlike keys which must have at least 1 char
+AWS_TAG_VALUE_MAX_LENGTH = 256
+
+# Minimum length for AWS tag values (can be empty)
+AWS_TAG_VALUE_MIN_LENGTH = 0

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/core/pr_commenter.py

@@ -17,7 +17,7 @@ from iam_validator.core.diff_parser import DiffParser
 from iam_validator.core.label_manager import LabelManager
 from iam_validator.core.models import ValidationIssue, ValidationReport
 from iam_validator.core.policy_loader import PolicyLineMap, PolicyLoader
-from iam_validator.core.report import ReportGenerator
+from iam_validator.core.report import IgnoredFindingInfo, ReportGenerator
 from iam_validator.integrations.github_integration import GitHubIntegration, ReviewEvent
 
 logger = logging.getLogger(__name__)
@@ -96,6 +96,8 @@ class PRCommenter:
         self._context_issues: list[ContextIssue] = []
         # Track ignored finding IDs for the current run
         self._ignored_finding_ids: frozenset[str] = frozenset()
+        # Store full ignored findings for display in summary
+        self._ignored_findings: dict[str, Any] = {}
         # Cache for PolicyLineMap per file (for field-level line detection)
         self._policy_line_maps: dict[str, PolicyLineMap] = {}
 
@@ -155,8 +157,28 @@ class PRCommenter:
             generator = ReportGenerator()
             # Pass ignored count to show in summary
             ignored_count = len(self._ignored_finding_ids) if self._ignored_finding_ids else 0
+
+            # Convert ignored findings to IgnoredFindingInfo for display
+            ignored_findings_info: list[IgnoredFindingInfo] = []
+            if self._ignored_findings:
+                for finding in self._ignored_findings.values():
+                    ignored_findings_info.append(
+                        IgnoredFindingInfo(
+                            file_path=finding.file_path,
+                            issue_type=finding.issue_type,
+                            ignored_by=finding.ignored_by,
+                            reason=finding.reason,
+                        )
+                    )
+
+            # Determine if all blocking issues are ignored
+            all_blocking_ignored = self._are_all_blocking_issues_ignored(report)
+
             comment_parts = generator.generate_github_comment_parts(
-                report, ignored_count=ignored_count
+                report,
+                ignored_count=ignored_count,
+                ignored_findings=ignored_findings_info if ignored_findings_info else None,
+                all_blocking_ignored=all_blocking_ignored,
             )
 
             # Post all parts using the multipart method
@@ -694,7 +716,10 @@ class PRCommenter:
         )
 
         store = IgnoredFindingsStore(self.github)
-        self._ignored_finding_ids = await store.get_ignored_ids()
+        # Load full ignored findings for display in summary
+        self._ignored_findings = await store.load()
+        # Also get just the IDs for fast lookup
+        self._ignored_finding_ids = frozenset(self._ignored_findings.keys())
         if self._ignored_finding_ids:
             logger.debug(f"Loaded {len(self._ignored_finding_ids)} ignored finding(s)")
 
@@ -718,6 +743,36 @@ class PRCommenter:
         fingerprint = FindingFingerprint.from_issue(issue, file_path)
         return fingerprint.to_hash() in self._ignored_finding_ids
 
+    def _are_all_blocking_issues_ignored(self, report: ValidationReport) -> bool:
+        """Check if all blocking issues (based on fail_on_severities) are ignored.
+
+        Args:
+            report: The validation report
+
+        Returns:
+            True if there are no unignored blocking issues (i.e., all blocking
+            issues have been ignored, or there were no blocking issues to begin with)
+        """
+        if not self._ignored_finding_ids:
+            # No ignored findings - check if there are any blocking issues at all
+            for result in report.results:
+                for issue in result.issues:
+                    if issue.severity in self.fail_on_severities:
+                        return False
+            return True
+
+        # Check each blocking issue to see if it's ignored
+        for result in report.results:
+            relative_path = self._make_relative_path(result.policy_file)
+            if not relative_path:
+                continue
+            for issue in result.issues:
+                if issue.severity in self.fail_on_severities:
+                    if not self._is_issue_ignored(issue, relative_path):
+                        return False
+
+        return True
+
 
 async def post_report_to_pr(
     report_file: str,

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/core/report.py

@@ -5,6 +5,7 @@ including console output, JSON, and GitHub-flavored markdown for PR comments.
 """
 
 import logging
+from dataclasses import dataclass
 
 from rich.console import Console
 from rich.panel import Panel
@@ -29,6 +30,24 @@ from iam_validator.core.models import (
     ValidationReport,
 )
 
+
+@dataclass
+class IgnoredFindingInfo:
+    """Information about an ignored finding for display in summary.
+
+    Attributes:
+        file_path: Path to the policy file
+        issue_type: Type of issue (e.g., "invalid_action")
+        ignored_by: Username who ignored the finding
+        reason: Optional reason provided by the user
+    """
+
+    file_path: str
+    issue_type: str
+    ignored_by: str
+    reason: str | None = None
+
+
 logger = logging.getLogger(__name__)
 
 
@@ -239,6 +258,8 @@ class ReportGenerator:
         report: ValidationReport,
         max_length_per_part: int = constants.GITHUB_COMMENT_SPLIT_LIMIT,
         ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> list[str]:
         """Generate GitHub PR comment(s), splitting into multiple parts if needed.
 
@@ -246,6 +267,8 @@ class ReportGenerator:
             report: Validation report
             max_length_per_part: Maximum character length per comment part (default from GITHUB_COMMENT_SPLIT_LIMIT)
             ignored_count: Number of findings that were ignored (will be shown in summary)
+            ignored_findings: List of ignored finding details for display in summary
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
 
         Returns:
             List of comment parts (each under max_length_per_part)
@@ -257,13 +280,19 @@ class ReportGenerator:
         if estimated_size <= max_length_per_part:
             # Try single comment
             single_comment = self.generate_github_comment(
-                report, max_length=max_length_per_part * 2, ignored_count=ignored_count
+                report,
+                max_length=max_length_per_part * 2,
+                ignored_count=ignored_count,
+                ignored_findings=ignored_findings,
+                all_blocking_ignored=all_blocking_ignored,
             )
             if len(single_comment) <= max_length_per_part:
                 return [single_comment]
 
         # Need to split into multiple parts
-        return self._generate_split_comments(report, max_length_per_part, ignored_count)
+        return self._generate_split_comments(
+            report, max_length_per_part, ignored_count, ignored_findings, all_blocking_ignored
+        )
 
     def _estimate_report_size(self, report: ValidationReport) -> int:
         """Estimate the size of the report in characters.
@@ -280,7 +309,12 @@ class ReportGenerator:
         )
 
     def _generate_split_comments(
-        self, report: ValidationReport, max_length: int, ignored_count: int = 0
+        self,
+        report: ValidationReport,
+        max_length: int,
+        ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> list[str]:
         """Split a large report into multiple comment parts.
 
@@ -288,6 +322,8 @@ class ReportGenerator:
             report: Validation report
             max_length: Maximum length per part
             ignored_count: Number of ignored findings to show in summary
+            ignored_findings: List of ignored finding details for display
+            all_blocking_ignored: True if all blocking issues were ignored
 
         Returns:
             List of comment parts
@@ -295,7 +331,9 @@ class ReportGenerator:
         parts: list[str] = []
 
         # Generate header (will be in first part only)
-        header_lines = self._generate_header(report, ignored_count)
+        header_lines = self._generate_header(
+            report, ignored_count, ignored_findings, all_blocking_ignored
+        )
         header_content = "\n".join(header_lines)
 
         # Generate footer (will be in all parts)
@@ -388,17 +426,27 @@ class ReportGenerator:
 
         return parts
 
-    def _generate_header(self, report: ValidationReport, ignored_count: int = 0) -> list[str]:
+    def _generate_header(
+        self,
+        report: ValidationReport,
+        ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
+    ) -> list[str]:
         """Generate the comment header with summary.
 
         Args:
             report: Validation report
             ignored_count: Number of findings that were ignored
+            ignored_findings: List of ignored finding details for display
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
         """
         lines = []
 
         # Title with emoji and status badge
-        if report.invalid_policies == 0:
+        # Pass if: no invalid policies, OR all blocking issues were ignored
+        is_passing = report.invalid_policies == 0 or all_blocking_ignored
+        if is_passing:
             lines.append("# 🎉 IAM Policy Validation Passed!")
             status_badge = (
                 "![Status](https://img.shields.io/badge/status-passed-success?style=flat-square)"
@@ -456,6 +504,56 @@ class ReportGenerator:
                 lines.append(f"| 🔵 **Info** | {infos} |")
             lines.append("")
 
+        # Ignored findings section
+        if ignored_findings:
+            lines.extend(self._generate_ignored_findings_section(ignored_findings))
+
+        return lines
+
+    def _generate_ignored_findings_section(
+        self, ignored_findings: list[IgnoredFindingInfo]
+    ) -> list[str]:
+        """Generate the ignored findings section for the summary comment.
+
+        Args:
+            ignored_findings: List of ignored finding details
+
+        Returns:
+            List of markdown lines for the section
+        """
+        lines = []
+        lines.append("### 🔕 Ignored Findings")
+        lines.append("")
+        lines.append(
+            "> The following findings were ignored by authorized users and are excluded from validation:"
+        )
+        lines.append("")
+
+        lines.append("<details>")
+        lines.append(f"<summary>View {len(ignored_findings)} ignored finding(s)</summary>")
+        lines.append("")
+
+        lines.append("| File | Issue Type | Ignored By | Reason |")
+        lines.append("|------|------------|------------|--------|")
+
+        for finding in ignored_findings:
+            # Truncate file path if too long
+            file_display = finding.file_path
+            if len(file_display) > 50:
+                file_display = "..." + file_display[-47:]
+
+            reason_display = finding.reason if finding.reason else "-"
+            if len(reason_display) > 30:
+                reason_display = reason_display[:27] + "..."
+
+            lines.append(
+                f"| `{file_display}` | `{finding.issue_type}` | @{finding.ignored_by} | {reason_display} |"
+            )
+
+        lines.append("")
+        lines.append("</details>")
+        lines.append("")
+
         return lines
 
     def _generate_footer(self) -> str:
@@ -540,6 +638,8 @@ class ReportGenerator:
         report: ValidationReport,
         max_length: int = constants.GITHUB_MAX_COMMENT_LENGTH,
         ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> str:
         """Generate a GitHub-flavored markdown comment for PR reviews.
 
@@ -547,6 +647,8 @@ class ReportGenerator:
             report: Validation report
             max_length: Maximum character length (default from GITHUB_MAX_COMMENT_LENGTH constant)
             ignored_count: Number of findings that were ignored (will be shown in summary)
+            ignored_findings: List of ignored finding details for display in summary
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
 
         Returns:
             Markdown formatted string
@@ -554,8 +656,12 @@ class ReportGenerator:
         lines = []
 
         # Header with emoji and status badge
+        # Pass if: no invalid policies, OR all blocking issues were ignored
         has_parsing_errors = len(report.parsing_errors) > 0
-        if report.invalid_policies == 0 and not has_parsing_errors:
+        is_passing = (
+            report.invalid_policies == 0 or all_blocking_ignored
+        ) and not has_parsing_errors
+        if is_passing:
             lines.append("# 🎉 IAM Policy Validation Passed!")
             status_badge = (
                 "![Status](https://img.shields.io/badge/status-passed-success?style=flat-square)"
@@ -613,6 +719,10 @@ class ReportGenerator:
                 lines.append(f"| 🔵 **Info** | {infos} |")
             lines.append("")
 
+        # Ignored findings section
+        if ignored_findings:
+            lines.extend(self._generate_ignored_findings_section(ignored_findings))
+
         # Parsing errors section (if any)
         if report.parsing_errors:
             lines.append("### ⚠️ Parsing Errors")

{iam_policy_validator-1.14.2 → iam_policy_validator-1.14.4}/iam_validator/integrations/github_integration.py

@@ -34,7 +34,7 @@ class GitHubRateLimitError(Exception):
 class GitHubRetryableError(Exception):
     """Raised for transient GitHub API errors that should be retried."""
 
-    pass
+    pass  # pylint: disable=unnecessary-pass
 
 
 # Retry configuration