iam-policy-validator 1.14.7__py3-none-any.whl → 1.15.1__py3-none-any.whl

iam_validator/checks/resource_validation.py

@@ -20,6 +20,103 @@ class ResourceValidationCheck(PolicyCheck):
     description: ClassVar[str] = "Validates ARN format for resources"
     default_severity: ClassVar[str] = "error"
 
+    def _validate_resource(
+        self,
+        resource: str,
+        arn_pattern: re.Pattern[str],
+        allow_template_variables: bool,
+        config: CheckConfig,
+        statement_sid: str | None,
+        statement_idx: int,
+        line_number: int | None,
+        field_name: str,
+    ) -> ValidationIssue | None:
+        """Validate a single resource ARN and return an issue if invalid.
+
+        Args:
+            resource: The resource ARN string to validate
+            arn_pattern: Compiled regex pattern for ARN validation
+            allow_template_variables: Whether to allow template variables
+            config: Check configuration
+            statement_sid: Statement ID for error reporting
+            statement_idx: Statement index for error reporting
+            line_number: Line number for error reporting
+            field_name: Field name ("resource" or "not_resource") for error reporting
+
+        Returns:
+            ValidationIssue if resource is invalid, None otherwise
+        """
+        # Skip wildcard resources (handled by security checks)
+        if resource == "*":
+            return None
+
+        # Validate ARN length to prevent ReDoS attacks
+        if len(resource) > MAX_ARN_LENGTH:
+            return ValidationIssue(
+                severity=self.get_severity(config),
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="invalid_resource",
+                message=f"Resource ARN exceeds maximum length ({len(resource)} > {MAX_ARN_LENGTH}): {resource[:100]}...",
+                resource=resource[:100] + "...",
+                suggestion="`ARN` is too long and may be invalid",
+                line_number=line_number,
+                field_name=field_name,
+            )
+
+        # Check if resource contains template variables
+        has_templates = has_template_variables(resource)
+
+        # If template variables are found and allowed, normalize them for validation
+        validation_resource = resource
+        if has_templates and allow_template_variables:
+            validation_resource = normalize_template_variables(resource)
+
+        # Validate ARN format
+        try:
+            if not arn_pattern.match(validation_resource):
+                # If original resource had templates and normalization didn't help,
+                # provide a more informative message
+                if has_templates and allow_template_variables:
+                    return ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Invalid `ARN` format even after normalizing template variables: `{resource}`",
+                        resource=resource,
+                        suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource` (template variables like `${aws_account_id}` are supported)",
+                        line_number=line_number,
+                        field_name=field_name,
+                    )
+                else:
+                    return ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Invalid `ARN` format: `{resource}`",
+                        resource=resource,
+                        suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource`",
+                        line_number=line_number,
+                        field_name=field_name,
+                    )
+        except Exception:  # pylint: disable=broad-exception-caught
+            # If regex matching fails (shouldn't happen with length check), treat as invalid
+            return ValidationIssue(
+                severity=self.get_severity(config),
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="invalid_resource",
+                message=f"Could not validate `ARN` format: `{resource}`",
+                resource=resource,
+                suggestion="`ARN` validation failed - may contain unexpected characters",
+                line_number=line_number,
+                field_name=field_name,
+            )
+
+        return None
+
     async def execute(
         self,
         statement: Statement,
@@ -27,11 +124,14 @@ class ResourceValidationCheck(PolicyCheck):
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
     ) -> list[ValidationIssue]:
-        """Execute resource ARN validation on a statement."""
+        """Execute resource ARN validation on a statement.
+
+        Validates both Resource and NotResource fields to ensure all specified
+        ARNs follow the correct format.
+        """
+        del fetcher  # Unused
         issues = []
 
-        # Get resources from statement
-        resources = statement.get_resources()
         statement_sid = statement.sid
         line_number = statement.line_number
 
@@ -53,83 +153,34 @@ class ResourceValidationCheck(PolicyCheck):
             config.config.get("allow_template_variables", True),
         )
 
-        for resource in resources:
-            # Skip wildcard resources (handled by security checks)
-            if resource == "*":
-                continue
-
-            # Validate ARN length to prevent ReDoS attacks
-            if len(resource) > MAX_ARN_LENGTH:
-                issues.append(
-                    ValidationIssue(
-                        severity=self.get_severity(config),
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="invalid_resource",
-                        message=f"Resource ARN exceeds maximum length ({len(resource)} > {MAX_ARN_LENGTH}): {resource[:100]}...",
-                        resource=resource[:100] + "...",
-                        suggestion="`ARN` is too long and may be invalid",
-                        line_number=line_number,
-                        field_name="resource",
-                    )
-                )
-                continue
-
-            # Check if resource contains template variables
-            has_templates = has_template_variables(resource)
-
-            # If template variables are found and allowed, normalize them for validation
-            validation_resource = resource
-            if has_templates and allow_template_variables:
-                validation_resource = normalize_template_variables(resource)
-
-            # Validate ARN format
-            try:
-                if not arn_pattern.match(validation_resource):
-                    # If original resource had templates and normalization didn't help,
-                    # provide a more informative message
-                    if has_templates and allow_template_variables:
-                        issues.append(
-                            ValidationIssue(
-                                severity=self.get_severity(config),
-                                statement_sid=statement_sid,
-                                statement_index=statement_idx,
-                                issue_type="invalid_resource",
-                                message=f"Invalid `ARN` format even after normalizing template variables: `{resource}`",
-                                resource=resource,
-                                suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource` (template variables like `${aws_account_id}` are supported)",
-                                line_number=line_number,
-                                field_name="resource",
-                            )
-                        )
-                    else:
-                        issues.append(
-                            ValidationIssue(
-                                severity=self.get_severity(config),
-                                statement_sid=statement_sid,
-                                statement_index=statement_idx,
-                                issue_type="invalid_resource",
-                                message=f"Invalid `ARN` format: `{resource}`",
-                                resource=resource,
-                                suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource`",
-                                line_number=line_number,
-                                field_name="resource",
-                            )
-                        )
-            except Exception:  # pylint: disable=broad-exception-caught
-                # If regex matching fails (shouldn't happen with length check), treat as invalid
-                issues.append(
-                    ValidationIssue(
-                        severity=self.get_severity(config),
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="invalid_resource",
-                        message=f"Could not validate `ARN` format: `{resource}`",
-                        resource=resource,
-                        suggestion="`ARN` validation failed - may contain unexpected characters",
-                        line_number=line_number,
-                        field_name="resource",
-                    )
-                )
+        # Validate Resource field
+        for resource in statement.get_resources():
+            issue = self._validate_resource(
+                resource=resource,
+                arn_pattern=arn_pattern,
+                allow_template_variables=allow_template_variables,
+                config=config,
+                statement_sid=statement_sid,
+                statement_idx=statement_idx,
+                line_number=line_number,
+                field_name="resource",
+            )
+            if issue:
+                issues.append(issue)
+
+        # Validate NotResource field (same validation - typos in NotResource are equally problematic)
+        for resource in statement.get_not_resources():
+            issue = self._validate_resource(
+                resource=resource,
+                arn_pattern=arn_pattern,
+                allow_template_variables=allow_template_variables,
+                config=config,
+                statement_sid=statement_sid,
+                statement_idx=statement_idx,
+                line_number=line_number,
+                field_name="not_resource",
+            )
+            if issue:
+                issues.append(issue)
 
         return issues

iam_validator/checks/wildcard_resource.py

@@ -1,4 +1,13 @@
-"""Wildcard resource check - detects Resource: '*' in IAM policies."""
+"""Wildcard resource check - detects Resource: '*' in IAM policies.
+
+This check detects statements with Resource: '*' that could grant overly broad access.
+It intelligently adjusts severity based on conditions that restrict resource scope:
+
+- Global resource-scoping conditions (aws:ResourceAccount, aws:ResourceOrgID, aws:ResourceOrgPaths)
+  always lower severity since they apply to all services.
+- Resource tag conditions (aws:ResourceTag/*) lower severity only if ALL actions in the
+  statement support the condition (validated against AWS service definitions).
+"""
 
 import asyncio
 import logging
@@ -8,7 +17,9 @@ from iam_validator.checks.utils.action_parser import get_action_case_insensitive
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.config.aws_global_conditions import GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS
 from iam_validator.core.models import ActionDetail, ServiceDetail, Statement, ValidationIssue
+from iam_validator.sdk.policy_utils import extract_condition_keys_from_statement
 
 logger = logging.getLogger(__name__)
 
@@ -70,6 +81,54 @@ def clear_resource_support_cache() -> None:
     _action_access_level_cache.clear()
 
 
+def _has_global_resource_scoping(condition_keys: set[str]) -> bool:
+    """Check if any global resource-scoping conditions are present.
+
+    Args:
+        condition_keys: Set of condition keys from the statement
+
+    Returns:
+        True if any global resource-scoping condition is present
+    """
+    return bool(condition_keys & GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS)
+
+
+async def _validate_condition_key_support(
+    actions: list[str],
+    condition_key: str,
+    fetcher: AWSServiceFetcher,
+) -> tuple[bool, list[str]]:
+    """Validate if all actions support a specific condition key.
+
+    This is a generic function that works for any condition key,
+    including aws:ResourceTag/*, service-specific tags, etc.
+
+    Uses parallel execution for performance when validating multiple actions.
+
+    Args:
+        actions: List of actions to validate
+        condition_key: The condition key to check support for
+        fetcher: AWS service fetcher for looking up service definitions
+
+    Returns:
+        Tuple of (all_support, unsupported_actions) where all_support is True
+        if all actions support the condition key
+    """
+    # Validate all actions in parallel for performance using centralized fetcher method
+    results = await asyncio.gather(
+        *[fetcher.is_condition_key_supported(action, condition_key) for action in actions],
+        return_exceptions=True,
+    )
+
+    unsupported = []
+    for action, result in zip(actions, results):
+        # Treat exceptions as unsupported (conservative)
+        if isinstance(result, BaseException) or not result:
+            unsupported.append(action)
+
+    return (len(unsupported) == 0, unsupported)
+
+
 class WildcardResourceCheck(PolicyCheck):
     """Checks for wildcard resources (Resource: '*') which grant access to all resources."""
 
@@ -152,6 +211,15 @@ class WildcardResourceCheck(PolicyCheck):
                         return issues
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
+            # First, determine if severity should be adjusted based on conditions
+            base_severity = self.get_severity(config)
+            adjusted_severity, adjustment_reason = await self._determine_severity_adjustment(
+                statement,
+                actions_requiring_specific_resources,
+                fetcher,
+                base_severity,
+            )
+
             # Build a helpful message showing which actions require specific resources
             custom_message = config.config.get("message")
             if custom_message:
@@ -166,10 +234,11 @@ class WildcardResourceCheck(PolicyCheck):
                 else:
                     action_list = ", ".join(f"`{a}`" for a in sorted_actions[:5])
                     action_list += f" (+{len(sorted_actions) - 5} more)"
-                message = (
-                    f'Statement applies to all resources `"*"`. '
-                    f"Actions that support resource-level permissions: {action_list}"
-                )
+                message = 'Statement applies to all resources (`"*"`)'
+
+                # Add adjustment reason if present
+                if adjustment_reason:
+                    message += f". {adjustment_reason}"
 
             suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
@@ -178,7 +247,7 @@ class WildcardResourceCheck(PolicyCheck):
 
             issues.append(
                 ValidationIssue(
-                    severity=self.get_severity(config),
+                    severity=adjusted_severity,
                     statement_sid=statement.sid,
                     statement_index=statement_idx,
                     issue_type="overly_permissive",
@@ -237,6 +306,67 @@ class WildcardResourceCheck(PolicyCheck):
 
         return frozenset(expanded_actions)
 
+    async def _determine_severity_adjustment(
+        self,
+        statement: Statement,
+        actions: list[str],
+        fetcher: AWSServiceFetcher,
+        base_severity: str,
+    ) -> tuple[str, str | None]:
+        """Determine if severity should be adjusted based on resource-scoping conditions.
+
+        This method checks if the statement has conditions that meaningfully restrict
+        resource scope:
+        1. Global resource-scoping conditions (aws:ResourceAccount, etc.) always lower severity
+        2. Resource tag conditions (aws:ResourceTag/*) lower severity only if ALL actions support them
+
+        Args:
+            statement: The policy statement being checked
+            actions: List of actions that require specific resources
+            fetcher: AWS service fetcher for validating condition key support
+            base_severity: The default severity level
+
+        Returns:
+            Tuple of (adjusted_severity, reason) where reason explains the adjustment
+        """
+        condition_keys = extract_condition_keys_from_statement(statement)
+        if not condition_keys:
+            return (base_severity, None)
+
+        # Check for global resource-scoping conditions (always valid for all services)
+        if _has_global_resource_scoping(condition_keys):
+            global_keys = condition_keys & GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS
+            return (
+                "low",
+                f"Severity lowered: resource scope restricted by `{', '.join(sorted(global_keys))}`",
+            )
+
+        # Check for aws:ResourceTag conditions (must validate per-action support)
+        resource_tag_keys = {k for k in condition_keys if k.startswith("aws:ResourceTag/")}
+        if resource_tag_keys:
+            # Use the first tag key for validation (all should have same support pattern)
+            tag_key = next(iter(resource_tag_keys))
+            all_support, unsupported = await _validate_condition_key_support(
+                actions, tag_key, fetcher
+            )
+            if all_support:
+                return (
+                    "low",
+                    f"Severity lowered: resource scope restricted by `{', '.join(sorted(resource_tag_keys))}`",
+                )
+            else:
+                # Tag condition present but not all actions support it
+                unsupported_display = unsupported[:3]
+                more = f" (+{len(unsupported) - 3} more)" if len(unsupported) > 3 else ""
+                return (
+                    base_severity,
+                    f"Note: `aws:ResourceTag` condition found but these actions don't support "
+                    f"resource tags: `{', '.join(unsupported_display)}`{more}",
+                )
+
+        # Has conditions but none that scope resources
+        return (base_severity, None)
+
     async def _filter_actions_requiring_resources(
         self, actions: list[str], fetcher: AWSServiceFetcher
     ) -> list[str]:

iam_validator/commands/__init__.py

@@ -4,6 +4,7 @@ from .analyze import AnalyzeCommand
 from .cache import CacheCommand
 from .completion import CompletionCommand
 from .download_services import DownloadServicesCommand
+from .mcp import MCPCommand
 from .post_to_pr import PostToPRCommand
 from .query import QueryCommand
 from .validate import ValidateCommand
@@ -17,6 +18,7 @@ ALL_COMMANDS = [
     DownloadServicesCommand(),
     QueryCommand(),
     CompletionCommand(),
+    MCPCommand(),
 ]
 
 __all__ = [
@@ -27,5 +29,6 @@ __all__ = [
     "DownloadServicesCommand",
     "QueryCommand",
     "CompletionCommand",
+    "MCPCommand",
     "ALL_COMMANDS",
 ]

iam_validator/commands/cache.py

@@ -40,7 +40,7 @@ Examples:
   # Clear all cached AWS service definitions
   iam-validator cache clear
 
-  # Refresh cache (clear and pre-fetch common services)
+  # Refresh all cached services with fresh data
   iam-validator cache refresh
 
   # Pre-fetch common AWS services
@@ -88,7 +88,7 @@ Examples:
 
         # Refresh subcommand
         refresh_parser = subparsers.add_parser(
-            "refresh", help="Clear cache and pre-fetch common AWS services"
+            "refresh", help="Refresh all cached AWS services with fresh data"
         )
         refresh_parser.add_argument(
             "--config",
@@ -314,44 +314,86 @@ Examples:
     async def _refresh_cache(
         self, cache_enabled: bool, cache_ttl_seconds: int, cache_directory: str | None
     ) -> int:
-        """Clear cache and pre-fetch common services."""
+        """Refresh all cached services with fresh data from AWS."""
         if not cache_enabled:
             console.print("[red]Error:[/red] Cache is disabled in config")
             console.print("Enable cache by setting 'cache_enabled: true' in your config")
             return 1
 
-        console.print("[cyan]Refreshing cache...[/cyan]")
+        # Get cache directory
+        cache_dir = (
+            Path(cache_directory) if cache_directory else ServiceFileStorage.get_cache_directory()
+        )
+
+        if not cache_dir.exists():
+            console.print("[yellow]Cache directory does not exist, nothing to refresh[/yellow]")
+            console.print("Run 'iam-validator cache prefetch' to populate the cache first")
+            return 0
+
+        # Get list of cached services from cache files
+        cache_files = list(cache_dir.glob("*.json"))
+        if not cache_files:
+            console.print("[yellow]No services cached yet, nothing to refresh[/yellow]")
+            console.print("Run 'iam-validator cache prefetch' to populate the cache first")
+            return 0
+
+        # Extract service names from cache files
+        cached_services: list[str] = []
+        for f in cache_files:
+            if f.stem == "services_list":
+                continue  # Skip the services list file, we'll refresh it separately
+            # Extract service name (before underscore or full name)
+            name = f.stem.split("_")[0] if "_" in f.stem else f.stem
+            cached_services.append(name)
+
+        cached_services.sort()
+        console.print(f"[cyan]Refreshing {len(cached_services)} cached services...[/cyan]")
 
-        # Create fetcher and clear cache
         async with AWSServiceFetcher(
             enable_cache=cache_enabled,
             cache_ttl=cache_ttl_seconds,
             cache_dir=cache_directory,
-            prefetch_common=False,  # Don't prefetch yet, we'll do it after clearing
+            prefetch_common=False,  # We'll refresh manually
         ) as fetcher:
-            # Clear existing cache
-            console.print("Clearing old cache...")
-            await fetcher.clear_caches()
-
-            # Prefetch common services
-            console.print("Fetching fresh AWS service definitions...")
+            # First refresh the services list
+            console.print("Refreshing AWS services list...")
             services = await fetcher.fetch_services()
-            console.print(f"[green]✓[/green] Fetched list of {len(services)} AWS services")
+            console.print(f"[green]✓[/green] Refreshed services list ({len(services)} services)")
+
+            # Build a set of valid service names for validation
+            valid_services = {svc.service for svc in services}
+
+            # Refresh each cached service
+            console.print(f"Refreshing {len(cached_services)} cached service definitions...")
+            refreshed = 0
+            failed = 0
+            skipped = 0
+
+            for service_name in cached_services:
+                # Skip services that no longer exist in AWS
+                if service_name not in valid_services:
+                    logger.warning(f"Service '{service_name}' no longer exists, skipping")
+                    skipped += 1
+                    continue
 
-            # Prefetch common services
-            console.print("Pre-fetching common services...")
-            prefetched = 0
-            for service_name in fetcher.COMMON_SERVICES:
                 try:
                     await fetcher.fetch_service_by_name(service_name)
-                    prefetched += 1
+                    refreshed += 1
                 except Exception as e:
-                    logger.warning(f"Failed to prefetch {service_name}: {e}")
-
-            console.print(f"[green]✓[/green] Pre-fetched {prefetched} common services")
-
-        console.print("[green]✓[/green] Cache refreshed successfully")
-        return 0
+                    logger.warning(f"Failed to refresh {service_name}: {e}")
+                    failed += 1
+
+            # Print summary
+            if failed == 0 and skipped == 0:
+                console.print(f"[green]✓[/green] Refreshed {refreshed} services successfully")
+            else:
+                console.print(
+                    f"[yellow]![/yellow] Refreshed {refreshed} services, "
+                    f"{failed} failed, {skipped} skipped (no longer exist)"
+                )
+
+        console.print("[green]✓[/green] Cache refresh complete")
+        return 0 if failed == 0 else 1
 
     async def _prefetch_services(
         self, cache_enabled: bool, cache_ttl_seconds: int, cache_directory: str | None