iam-policy-validator 1.14.3__tar.gz → 1.14.5__tar.gz

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.3
+Version: 1.14.5
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.3"
+__version__ = "1.14.5"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/iam_validator/core/label_manager.py

@@ -6,10 +6,11 @@ When those severities are not found, it removes the labels if present.
 """
 
 import logging
+from collections.abc import Callable
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from iam_validator.core.models import PolicyValidationResult, ValidationReport
+    from iam_validator.core.models import PolicyValidationResult, ValidationIssue, ValidationReport
     from iam_validator.integrations.github_integration import GitHubIntegration
 
 logger = logging.getLogger(__name__)
@@ -48,11 +49,17 @@ class LabelManager:
         """
         return bool(self.severity_labels) and self.github.is_configured()
 
-    def _get_severities_in_results(self, results: list["PolicyValidationResult"]) -> set[str]:
+    def _get_severities_in_results(
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> set[str]:
         """Extract all severity levels found in validation results.
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
 
         Returns:
             Set of severity levels found (e.g., {"error", "critical", "high"})
@@ -60,6 +67,9 @@ class LabelManager:
         severities = set()
         for result in results:
             for issue in result.issues:
+                # Skip ignored issues if a filter is provided
+                if is_issue_ignored and is_issue_ignored(issue, result.policy_file):
+                    continue
                 severities.add(issue.severity)
         return severities
 
@@ -113,17 +123,22 @@ class LabelManager:
         return labels_to_remove
 
     async def manage_labels_from_results(
-        self, results: list["PolicyValidationResult"]
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
     ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation results.
 
         This method will:
-        1. Determine which severity levels are present in the results
+        1. Determine which severity levels are present in the results (excluding ignored issues)
         2. Add labels for severities that are found
         3. Remove labels for severities that are not found
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
@@ -132,8 +147,8 @@ class LabelManager:
             logger.debug("Label management not enabled (no severity_labels configured)")
             return (True, 0, 0)
 
-        # Get all severities found in results
-        found_severities = self._get_severities_in_results(results)
+        # Get all severities found in results (excluding ignored issues)
+        found_severities = self._get_severities_in_results(results, is_issue_ignored)
         logger.debug(f"Found severities in results: {found_severities}")
 
         # Determine which labels to apply/remove
@@ -182,7 +197,11 @@ class LabelManager:
 
         return (success, added_count, removed_count)
 
-    async def manage_labels_from_report(self, report: "ValidationReport") -> tuple[bool, int, int]:
+    async def manage_labels_from_report(
+        self,
+        report: "ValidationReport",
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation report.
 
         This is a convenience method that extracts results from the report
@@ -190,8 +209,11 @@ class LabelManager:
 
         Args:
             report: ValidationReport object
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
         """
-        return await self.manage_labels_from_results(report.results)
+        return await self.manage_labels_from_results(report.results, is_issue_ignored)

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/iam_validator/core/pr_commenter.py

@@ -17,7 +17,7 @@ from iam_validator.core.diff_parser import DiffParser
 from iam_validator.core.label_manager import LabelManager
 from iam_validator.core.models import ValidationIssue, ValidationReport
 from iam_validator.core.policy_loader import PolicyLineMap, PolicyLoader
-from iam_validator.core.report import ReportGenerator
+from iam_validator.core.report import IgnoredFindingInfo, ReportGenerator
 from iam_validator.integrations.github_integration import GitHubIntegration, ReviewEvent
 
 logger = logging.getLogger(__name__)
@@ -96,6 +96,8 @@ class PRCommenter:
         self._context_issues: list[ContextIssue] = []
         # Track ignored finding IDs for the current run
         self._ignored_finding_ids: frozenset[str] = frozenset()
+        # Store full ignored findings for display in summary
+        self._ignored_findings: dict[str, Any] = {}
         # Cache for PolicyLineMap per file (for field-level line detection)
         self._policy_line_maps: dict[str, PolicyLineMap] = {}
 
@@ -155,8 +157,28 @@ class PRCommenter:
             generator = ReportGenerator()
             # Pass ignored count to show in summary
             ignored_count = len(self._ignored_finding_ids) if self._ignored_finding_ids else 0
+
+            # Convert ignored findings to IgnoredFindingInfo for display
+            ignored_findings_info: list[IgnoredFindingInfo] = []
+            if self._ignored_findings:
+                for finding in self._ignored_findings.values():
+                    ignored_findings_info.append(
+                        IgnoredFindingInfo(
+                            file_path=finding.file_path,
+                            issue_type=finding.issue_type,
+                            ignored_by=finding.ignored_by,
+                            reason=finding.reason,
+                        )
+                    )
+
+            # Determine if all blocking issues are ignored
+            all_blocking_ignored = self._are_all_blocking_issues_ignored(report)
+
             comment_parts = generator.generate_github_comment_parts(
-                report, ignored_count=ignored_count
+                report,
+                ignored_count=ignored_count,
+                ignored_findings=ignored_findings_info if ignored_findings_info else None,
+                all_blocking_ignored=all_blocking_ignored,
             )
 
             # Post all parts using the multipart method
@@ -174,7 +196,17 @@ class PRCommenter:
         # Manage PR labels based on severity findings
         if manage_labels and self.severity_labels:
             label_manager = LabelManager(self.github, self.severity_labels)
-            label_success, added, removed = await label_manager.manage_labels_from_report(report)
+
+            # Create a filter function that uses relative paths for ignored finding lookup
+            def is_issue_ignored_for_labels(issue: ValidationIssue, file_path: str) -> bool:
+                relative_path = self._make_relative_path(file_path)
+                if not relative_path:
+                    return False
+                return self._is_issue_ignored(issue, relative_path)
+
+            label_success, added, removed = await label_manager.manage_labels_from_report(
+                report, is_issue_ignored=is_issue_ignored_for_labels
+            )
 
             if not label_success:
                 logger.error("Failed to manage PR labels")
@@ -694,7 +726,10 @@ class PRCommenter:
         )
 
         store = IgnoredFindingsStore(self.github)
-        self._ignored_finding_ids = await store.get_ignored_ids()
+        # Load full ignored findings for display in summary
+        self._ignored_findings = await store.load()
+        # Also get just the IDs for fast lookup
+        self._ignored_finding_ids = frozenset(self._ignored_findings.keys())
         if self._ignored_finding_ids:
             logger.debug(f"Loaded {len(self._ignored_finding_ids)} ignored finding(s)")
 
@@ -718,6 +753,36 @@ class PRCommenter:
         fingerprint = FindingFingerprint.from_issue(issue, file_path)
         return fingerprint.to_hash() in self._ignored_finding_ids
 
+    def _are_all_blocking_issues_ignored(self, report: ValidationReport) -> bool:
+        """Check if all blocking issues (based on fail_on_severities) are ignored.
+
+        Args:
+            report: The validation report
+
+        Returns:
+            True if there are no unignored blocking issues (i.e., all blocking
+            issues have been ignored, or there were no blocking issues to begin with)
+        """
+        if not self._ignored_finding_ids:
+            # No ignored findings - check if there are any blocking issues at all
+            for result in report.results:
+                for issue in result.issues:
+                    if issue.severity in self.fail_on_severities:
+                        return False
+            return True
+
+        # Check each blocking issue to see if it's ignored
+        for result in report.results:
+            relative_path = self._make_relative_path(result.policy_file)
+            if not relative_path:
+                continue
+            for issue in result.issues:
+                if issue.severity in self.fail_on_severities:
+                    if not self._is_issue_ignored(issue, relative_path):
+                        return False
+
+        return True
+
 
 async def post_report_to_pr(
     report_file: str,

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/iam_validator/core/report.py

@@ -5,6 +5,7 @@ including console output, JSON, and GitHub-flavored markdown for PR comments.
 """
 
 import logging
+from dataclasses import dataclass
 
 from rich.console import Console
 from rich.panel import Panel
@@ -29,6 +30,24 @@ from iam_validator.core.models import (
     ValidationReport,
 )
 
+
+@dataclass
+class IgnoredFindingInfo:
+    """Information about an ignored finding for display in summary.
+
+    Attributes:
+        file_path: Path to the policy file
+        issue_type: Type of issue (e.g., "invalid_action")
+        ignored_by: Username who ignored the finding
+        reason: Optional reason provided by the user
+    """
+
+    file_path: str
+    issue_type: str
+    ignored_by: str
+    reason: str | None = None
+
+
 logger = logging.getLogger(__name__)
 
 
@@ -239,6 +258,8 @@ class ReportGenerator:
         report: ValidationReport,
         max_length_per_part: int = constants.GITHUB_COMMENT_SPLIT_LIMIT,
         ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> list[str]:
         """Generate GitHub PR comment(s), splitting into multiple parts if needed.
 
@@ -246,6 +267,8 @@ class ReportGenerator:
             report: Validation report
             max_length_per_part: Maximum character length per comment part (default from GITHUB_COMMENT_SPLIT_LIMIT)
             ignored_count: Number of findings that were ignored (will be shown in summary)
+            ignored_findings: List of ignored finding details for display in summary
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
 
         Returns:
             List of comment parts (each under max_length_per_part)
@@ -257,13 +280,19 @@ class ReportGenerator:
         if estimated_size <= max_length_per_part:
             # Try single comment
             single_comment = self.generate_github_comment(
-                report, max_length=max_length_per_part * 2, ignored_count=ignored_count
+                report,
+                max_length=max_length_per_part * 2,
+                ignored_count=ignored_count,
+                ignored_findings=ignored_findings,
+                all_blocking_ignored=all_blocking_ignored,
             )
             if len(single_comment) <= max_length_per_part:
                 return [single_comment]
 
         # Need to split into multiple parts
-        return self._generate_split_comments(report, max_length_per_part, ignored_count)
+        return self._generate_split_comments(
+            report, max_length_per_part, ignored_count, ignored_findings, all_blocking_ignored
+        )
 
     def _estimate_report_size(self, report: ValidationReport) -> int:
         """Estimate the size of the report in characters.
@@ -280,7 +309,12 @@ class ReportGenerator:
         )
 
     def _generate_split_comments(
-        self, report: ValidationReport, max_length: int, ignored_count: int = 0
+        self,
+        report: ValidationReport,
+        max_length: int,
+        ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> list[str]:
         """Split a large report into multiple comment parts.
 
@@ -288,6 +322,8 @@ class ReportGenerator:
             report: Validation report
             max_length: Maximum length per part
             ignored_count: Number of ignored findings to show in summary
+            ignored_findings: List of ignored finding details for display
+            all_blocking_ignored: True if all blocking issues were ignored
 
         Returns:
             List of comment parts
@@ -295,7 +331,9 @@ class ReportGenerator:
         parts: list[str] = []
 
         # Generate header (will be in first part only)
-        header_lines = self._generate_header(report, ignored_count)
+        header_lines = self._generate_header(
+            report, ignored_count, ignored_findings, all_blocking_ignored
+        )
         header_content = "\n".join(header_lines)
 
         # Generate footer (will be in all parts)
@@ -388,17 +426,27 @@ class ReportGenerator:
 
         return parts
 
-    def _generate_header(self, report: ValidationReport, ignored_count: int = 0) -> list[str]:
+    def _generate_header(
+        self,
+        report: ValidationReport,
+        ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
+    ) -> list[str]:
         """Generate the comment header with summary.
 
         Args:
             report: Validation report
             ignored_count: Number of findings that were ignored
+            ignored_findings: List of ignored finding details for display
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
         """
         lines = []
 
         # Title with emoji and status badge
-        if report.invalid_policies == 0:
+        # Pass if: no invalid policies, OR all blocking issues were ignored
+        is_passing = report.invalid_policies == 0 or all_blocking_ignored
+        if is_passing:
             lines.append("# 🎉 IAM Policy Validation Passed!")
             status_badge = (
                 "![Status](https://img.shields.io/badge/status-passed-success?style=flat-square)"
@@ -456,6 +504,56 @@ class ReportGenerator:
                 lines.append(f"| 🔵 **Info** | {infos} |")
             lines.append("")
 
+        # Ignored findings section
+        if ignored_findings:
+            lines.extend(self._generate_ignored_findings_section(ignored_findings))
+
+        return lines
+
+    def _generate_ignored_findings_section(
+        self, ignored_findings: list[IgnoredFindingInfo]
+    ) -> list[str]:
+        """Generate the ignored findings section for the summary comment.
+
+        Args:
+            ignored_findings: List of ignored finding details
+
+        Returns:
+            List of markdown lines for the section
+        """
+        lines = []
+        lines.append("### 🔕 Ignored Findings")
+        lines.append("")
+        lines.append(
+            "> The following findings were ignored by authorized users and are excluded from validation:"
+        )
+        lines.append("")
+
+        lines.append("<details>")
+        lines.append(f"<summary>View {len(ignored_findings)} ignored finding(s)</summary>")
+        lines.append("")
+
+        lines.append("| File | Issue Type | Ignored By | Reason |")
+        lines.append("|------|------------|------------|--------|")
+
+        for finding in ignored_findings:
+            # Truncate file path if too long
+            file_display = finding.file_path
+            if len(file_display) > 50:
+                file_display = "..." + file_display[-47:]
+
+            reason_display = finding.reason if finding.reason else "-"
+            if len(reason_display) > 30:
+                reason_display = reason_display[:27] + "..."
+
+            lines.append(
+                f"| `{file_display}` | `{finding.issue_type}` | @{finding.ignored_by} | {reason_display} |"
+            )
+
+        lines.append("")
+        lines.append("</details>")
+        lines.append("")
+
         return lines
 
     def _generate_footer(self) -> str:
@@ -540,6 +638,8 @@ class ReportGenerator:
         report: ValidationReport,
         max_length: int = constants.GITHUB_MAX_COMMENT_LENGTH,
         ignored_count: int = 0,
+        ignored_findings: list[IgnoredFindingInfo] | None = None,
+        all_blocking_ignored: bool = False,
     ) -> str:
         """Generate a GitHub-flavored markdown comment for PR reviews.
 
@@ -547,6 +647,8 @@ class ReportGenerator:
             report: Validation report
             max_length: Maximum character length (default from GITHUB_MAX_COMMENT_LENGTH constant)
             ignored_count: Number of findings that were ignored (will be shown in summary)
+            ignored_findings: List of ignored finding details for display in summary
+            all_blocking_ignored: True if all blocking issues were ignored (shows "Passed" status)
 
         Returns:
             Markdown formatted string
@@ -554,8 +656,12 @@ class ReportGenerator:
         lines = []
 
         # Header with emoji and status badge
+        # Pass if: no invalid policies, OR all blocking issues were ignored
         has_parsing_errors = len(report.parsing_errors) > 0
-        if report.invalid_policies == 0 and not has_parsing_errors:
+        is_passing = (
+            report.invalid_policies == 0 or all_blocking_ignored
+        ) and not has_parsing_errors
+        if is_passing:
             lines.append("# 🎉 IAM Policy Validation Passed!")
             status_badge = (
                 "![Status](https://img.shields.io/badge/status-passed-success?style=flat-square)"
@@ -613,6 +719,10 @@ class ReportGenerator:
                 lines.append(f"| 🔵 **Info** | {infos} |")
             lines.append("")
 
+        # Ignored findings section
+        if ignored_findings:
+            lines.extend(self._generate_ignored_findings_section(ignored_findings))
+
         # Parsing errors section (if any)
         if report.parsing_errors:
             lines.append("### ⚠️ Parsing Errors")

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/iam_validator/integrations/github_integration.py

@@ -1265,6 +1265,26 @@ class GitHubIntegration:
             f"{created_count} created, {deleted_count} deleted (resolved)"
         )
 
+        # Step 4: If no new comments were created but we need to submit APPROVE/REQUEST_CHANGES,
+        # submit a review without inline comments to update the PR review state.
+        # This is important when all issues are ignored/resolved - we need to dismiss
+        # the previous REQUEST_CHANGES review by submitting an APPROVE review.
+        if not new_comments_for_review and event in (
+            ReviewEvent.APPROVE,
+            ReviewEvent.REQUEST_CHANGES,
+        ):
+            # Only submit if there's a meaningful state change to make
+            # (submitting APPROVE when all issues are resolved/ignored)
+            logger.info(f"Submitting {event.value} review (no inline comments)")
+            success = await self.create_review_with_comments(
+                comments=[],
+                body=body or f"<!-- {identifier} -->\nValidation complete.",
+                event=event,
+            )
+            if not success:
+                logger.warning(f"Failed to submit {event.value} review")
+                # Don't fail the whole operation - comments were managed successfully
+
         return True
 
     def _extract_finding_id(self, body: str) -> str | None:

{iam_policy_validator-1.14.3 → iam_policy_validator-1.14.5}/tests/core/test_multipart_comments.py

@@ -3,7 +3,7 @@
 import pytest
 
 from iam_validator.core.models import PolicyValidationResult, ValidationIssue
-from iam_validator.core.report import ReportGenerator
+from iam_validator.core.report import IgnoredFindingInfo, ReportGenerator
 
 
 def create_large_issue(severity: str, index: int) -> ValidationIssue:
@@ -235,5 +235,130 @@ def test_empty_report_single_part():
     assert "Part 1" not in parts[0]
 
 
+def test_ignored_findings_displayed_in_summary():
+    """Test that ignored findings are displayed in the summary comment."""
+    generator = ReportGenerator()
+
+    results = [create_large_result("policy-1.json", 2)]
+    report = generator.generate_report(results)
+
+    ignored_findings = [
+        IgnoredFindingInfo(
+            file_path="policy-1.json",
+            issue_type="TEST_ISSUE",
+            ignored_by="testuser",
+            reason="Approved by security team",
+        ),
+        IgnoredFindingInfo(
+            file_path="policy-2.json",
+            issue_type="ANOTHER_ISSUE",
+            ignored_by="admin",
+            reason=None,
+        ),
+    ]
+
+    parts = generator.generate_github_comment_parts(
+        report, ignored_count=2, ignored_findings=ignored_findings
+    )
+
+    assert len(parts) == 1
+    # Check ignored findings section exists
+    assert "Ignored Findings" in parts[0]
+    assert "testuser" in parts[0]
+    assert "TEST_ISSUE" in parts[0]
+    assert "policy-1.json" in parts[0]
+    assert "Approved by security team" in parts[0]
+    assert "admin" in parts[0]
+    # Verify collapsible section
+    assert "View 2 ignored finding(s)" in parts[0]
+
+
+def test_all_blocking_ignored_shows_passed():
+    """Test that when all blocking issues are ignored, status shows Passed."""
+    generator = ReportGenerator()
+
+    # Create a report with errors (normally fails)
+    results = [
+        PolicyValidationResult(
+            policy_file="policy-1.json",
+            is_valid=False,
+            issues=[
+                ValidationIssue(
+                    severity="error",
+                    issue_type="CRITICAL_ERROR",
+                    message="Critical error",
+                    statement_index=0,
+                )
+            ],
+        )
+    ]
+    report = generator.generate_report(results)
+
+    # Without all_blocking_ignored=True, it should show Failed
+    parts_failed = generator.generate_github_comment_parts(report)
+    assert "Validation Failed" in parts_failed[0]
+
+    # With all_blocking_ignored=True, it should show Passed
+    parts_passed = generator.generate_github_comment_parts(
+        report, ignored_count=1, all_blocking_ignored=True
+    )
+    assert "Validation Passed" in parts_passed[0]
+
+
+def test_ignored_count_shown_in_summary_table():
+    """Test that ignored count appears in the summary table."""
+    generator = ReportGenerator()
+
+    results = [create_large_result("policy-1.json", 1)]
+    report = generator.generate_report(results)
+
+    parts = generator.generate_github_comment_parts(report, ignored_count=5)
+
+    assert "Ignored Findings" in parts[0]
+    assert "5" in parts[0]  # The count
+    assert "🔕" in parts[0]  # The emoji
+
+
+def test_no_ignored_findings_section_when_empty():
+    """Test that no ignored findings section is shown when list is empty."""
+    generator = ReportGenerator()
+
+    results = [create_large_result("policy-1.json", 1)]
+    report = generator.generate_report(results)
+
+    parts = generator.generate_github_comment_parts(
+        report, ignored_count=0, ignored_findings=None
+    )
+
+    assert "### 🔕 Ignored Findings" not in parts[0]
+
+
+def test_ignored_findings_with_long_paths_truncated():
+    """Test that long file paths in ignored findings are truncated."""
+    generator = ReportGenerator()
+
+    results = [create_large_result("policy-1.json", 1)]
+    report = generator.generate_report(results)
+
+    long_path = "very/long/path/that/exceeds/the/maximum/allowed/length/for/display/purposes/policy.json"
+    ignored_findings = [
+        IgnoredFindingInfo(
+            file_path=long_path,
+            issue_type="TEST_ISSUE",
+            ignored_by="testuser",
+            reason=None,
+        )
+    ]
+
+    parts = generator.generate_github_comment_parts(
+        report, ignored_count=1, ignored_findings=ignored_findings
+    )
+
+    # Path should be truncated with ellipsis
+    assert "..." in parts[0]
+    # But end of path should still be visible
+    assert "policy.json" in parts[0]
+
+
 if __name__ == "__main__":
     pytest.main([__file__, "-v"])