iam-policy-validator 1.15.0__tar.gz → 1.15.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/CHANGELOG.md +120 -12
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/PKG-INFO +1 -1
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/__version__.py +1 -1
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/validators.py +37 -11
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/aws_global_conditions.py +5 -9
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_aws_global_conditions.py +32 -24
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_condition_key_validation_check.py +63 -27
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/dependabot.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/ci.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/cleanup-prereleases.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/codeql.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/docs.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/pre-release.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/release.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.github/workflows/scorecard.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/.gitignore +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/CONTRIBUTING.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/LICENSE +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/Makefile +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/README.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/SECURITY.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/action.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/api-reference/checks.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/api-reference/exceptions.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/api-reference/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/api-reference/models.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/api-reference/sdk.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/changelog.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/contributing/development-setup.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/contributing/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/contributing/releasing.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/contributing/testing.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/architecture.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/custom-checks/best-practices.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/custom-checks/examples.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/custom-checks/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/custom-checks/tutorial.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/sdk/advanced.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/sdk/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/sdk/policy-utilities.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/sdk/quickstart.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/developer-guide/sdk/validation.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/getting-started/first-validation.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/getting-started/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/getting-started/installation.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/getting-started/quickstart.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/includes/abbreviations.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/integrations/github-actions.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/integrations/gitlab-ci.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/integrations/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/integrations/mcp-server.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/integrations/pre-commit.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/stylesheets/extra.css +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/checks/advanced-checks.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/checks/aws-validation.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/checks/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/checks/security-checks.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/cli-reference.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/configuration.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/index.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/output-formats.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/docs/user-guide/troubleshooting.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/README.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/access-analyzer/example1.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/access-analyzer/example2.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/aws-service-definitions/iam.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/aws-service-definitions/s3.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/full-reference-config.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/github-labels-config.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/minimal-validation-config.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/offline-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/policy-level-condition-enforcement-config.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/configs/strict-security.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/custom_checks/cross_account_external_id_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/custom_checks/domain_restriction_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/access-analyzer-only.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/basic-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/custom-policy-checks.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/multi-region-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/resource-policy-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/sarif-code-scanning.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/sequential-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/two-step-validation.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/github-actions/validate-changed-files.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/allowed-wildcard-resource.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/api_gateway_management.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/athena_query_access.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/backup_vault_access.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/cloudformation_deployer.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/cloudwatch_monitoring.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/cognito_user_pool.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/dynamodb_table_access.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/ecs_task_execution.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/eventbridge_rules.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/glue_etl_jobs.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/insecure_policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/insecure_policy.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/invalid-resource-constraint.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/invalid-sid-special-chars.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/invalid-sid-with-spaces.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/invalid_policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/kms_encryption_keys.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/lambda_developer.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/lambda_developer.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/maximum_size_policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/policy_missing_required_tags.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/policy_tag_enforcement_example.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/policy_with_wildcard_resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/privilege_escalation_scattered.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/rds_database_admin.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/s3_bucket_access.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/sample_policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/sample_policy.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/secrets_manager_access.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/sensitive-action-wildcards.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/sns_sqs_messaging.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/step_functions_workflow.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/terraform-template-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/test_none_of_valid.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/test_none_of_violations.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/valid-sid-formats.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/wildcard_examples.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/wildcard_examples.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/wrong-condition-key.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/identity-policies/wrong-s3-condition.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-invalid-allow-effect.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-invalid-not-action.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-invalid-specific-principal.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-invalid-unsupported-service.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-invalid-wildcard-action.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-control-policies/rcp-valid-enforce-encryption.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/backup-vault-policy-org-access.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/ecr-repository-policy-org-restricted.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/ecr-repository-policy-public.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/efs-filesystem-policy-vpc-only.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/glacier-vault-policy-cross-account.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/kms-key-policy-cross-account.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/kms-key-policy-insecure.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/kms-key-policy-org-restricted.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/kms-key-policy-service-specific.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/lambda-permission-api-gateway.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/lambda-permission-cross-account-invoke.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/lambda-permission-eventbridge-multiple.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/lambda-permission-public-url.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/lambda-permission-s3-trigger.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/opensearch-domain-policy-ip-restricted.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-cloudfront.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-cross-account-org.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-insecure-transport.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-ip-restriction.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-public-with-conditions.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-public.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-specific-account.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-vpc-endpoint.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/s3-bucket-policy-wildcard-actions.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/secrets-manager-policy-cross-account.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sns-topic-policy-cross-account-mfa.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sns-topic-policy-cross-account.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sns-topic-policy-eventbridge.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sns-topic-policy-org-wide.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sns-topic-policy-public-no-conditions.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sqs-queue-policy-cross-account-role.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sqs-queue-policy-iam-users-mfa.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sqs-queue-policy-public.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/resource-policies/sqs-queue-policy-sns-subscription.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/service-control-policies/deny-root-account-usage.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/service-control-policies/require-mfa.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/service-control-policies/restrict-regions.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/correct-condition-wrong-key.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/dynamodb-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/ec2-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/iam-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/lambda-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/s3-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/sqs-sns-wrong-resources.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/iam-test-policies/wrong_actions_mismatch/typo-condition-field.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/mcp-llm-instructions/README.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/mcp-llm-instructions/SYSTEM_PROMPT.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/mcp-llm-instructions/example_conversation.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/mcp-llm-instructions/organization_config.yaml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/quick-start/lambda-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/quick-start/s3-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/quick-start/user-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/trust-policies/INVALID-wrong-principal-type.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/trust-policies/cross-account-trust-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/trust-policies/github-actions-oidc-trust-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/trust-policies/lambda-service-role-trust-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/examples/trust-policies/saml-federated-trust-policy.json +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/__main__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/action_condition_enforcement.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/action_resource_matching.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/action_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/condition_key_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/condition_type_mismatch.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/full_wildcard.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/mfa_condition_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/not_action_not_resource.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/policy_size.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/policy_structure.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/policy_type_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/principal_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/resource_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/sensitive_action.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/service_wildcard.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/set_operator_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/sid_uniqueness.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/trust_policy_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/utils/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/utils/action_parser.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/utils/policy_level_checks.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/utils/sensitive_action_matcher.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/utils/wildcard_expansion.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/wildcard_action.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/checks/wildcard_resource.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/analyze.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/base.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/cache.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/completion.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/download_services.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/mcp.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/post_to_pr.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/query.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/commands/validate.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/access_analyzer.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/access_analyzer_report.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_fetcher.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/cache.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/client.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/fetcher.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/parsers.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/patterns.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/aws_service/storage.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/check_registry.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/cli.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/codeowners.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/condition_validators.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/aws_api.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/category_suggestions.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/check_documentation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/condition_requirements.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/config_loader.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/defaults.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/principal_requirements.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/sensitive_actions.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/service_principals.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/config/wildcards.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/constants.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/diff_parser.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/finding_fingerprint.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/base.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/console.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/csv.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/enhanced.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/html.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/json.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/markdown.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/formatters/sarif.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/ignore_patterns.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/ignore_processor.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/ignored_findings.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/label_manager.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/models.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/policy_checks.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/policy_loader.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/pr_commenter.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/core/report.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/integrations/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/integrations/github_integration.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/integrations/ms_teams.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/models.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/server.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/session_config.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/templates/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/templates/builtin.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/tools/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/tools/generation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/tools/org_config_tools.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/tools/query.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/mcp/tools/validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/arn_matching.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/context.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/exceptions.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/helpers.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/policy_utils.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/query_utils.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/sdk/shortcuts.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/utils/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/utils/cache.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/utils/regex.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/iam_validator/utils/terminal.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/mkdocs.yml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/pyproject.toml +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/README.md +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_action_validation_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_condition_type_mismatch.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_custom_policy_checks.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_full_wildcard_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_mfa_condition_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_not_action_not_resource.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_policy_size_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_principal_validation_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_resource_validation_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_sensitive_action_filtering.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_sensitive_action_suggestions.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_sensitive_action_wildcard_expansion.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_service_principal_wildcard.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_service_wildcard_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_sid_uniqueness_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_wildcard_action_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/checks/test_wildcard_resource_check.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/commands/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/commands/test_completion_command.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/commands/test_query_command.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/config/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/config/test_config_loader.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_action_condition_enforcement.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_action_condition_enforcement_policy_level.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_action_resource_matching.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_aws_api_config.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_aws_fetcher_wildcards.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_check_id_in_comments.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_check_id_injection.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_check_registry.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_codeowners.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_comment_truncation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_diff_parser.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_finding_fingerprint.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_ignore_patterns.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_ignored_findings.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_models.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_multipart_comments.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_policy_loader.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_policy_type_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_pr_commenter_diff_filtering.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_regex_utils.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_set_operator_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_trust_policy_detection.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_trust_policy_multiple_statements.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_trust_policy_oidc_aud_required.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/core/test_trust_policy_validation.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/integrations/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/integrations/test_comment_deduplication.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/integrations/test_github_pagination.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/integrations/test_label_manager.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/__init__.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/conftest.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_custom_instructions.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_generation_tools.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_org_config.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_query_tools.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_server_integration.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_templates.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/tests/mcp/test_validation_tools.py +0 -0
- {iam_policy_validator-1.15.0 → iam_policy_validator-1.15.1}/uv.lock +0 -0
|
@@ -8,18 +8,93 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
10
|
### Planned
|
|
11
|
-
|
|
11
|
+
|
|
12
12
|
- Enhanced PR comment management with configurable limits
|
|
13
13
|
|
|
14
14
|
---
|
|
15
15
|
|
|
16
|
+
## [1.15.0] - 2025-01-22
|
|
17
|
+
|
|
18
|
+
### Added
|
|
19
|
+
|
|
20
|
+
**MCP Server Integration**
|
|
21
|
+
|
|
22
|
+
- Full FastMCP server with 25+ tools for AI assistants (`iam-validator mcp` command)
|
|
23
|
+
- Standalone `iam-validator-mcp` entry point for easy integration
|
|
24
|
+
- Policy validation, generation, and AWS service querying tools
|
|
25
|
+
- 15 built-in secure policy templates for common use cases
|
|
26
|
+
- Session-wide organization configuration management
|
|
27
|
+
- MCP Prompts for guided workflows (generate_secure_policy, fix_policy_issues_workflow, review_policy_security)
|
|
28
|
+
- Custom instructions support via YAML config, environment variable, CLI, or MCP tools
|
|
29
|
+
- Comprehensive MCP documentation with usage examples
|
|
30
|
+
|
|
31
|
+
**New Security Check**
|
|
32
|
+
|
|
33
|
+
- `not_action_not_resource` check for detecting dangerous NotAction/NotResource patterns (high severity)
|
|
34
|
+
|
|
35
|
+
**Query Command Enhancements**
|
|
36
|
+
|
|
37
|
+
- Support multiple actions in single query (`--name s3:GetObject dynamodb:Query`)
|
|
38
|
+
- Wildcard pattern expansion (`--name "iam:Get*"` or `--name "s3:*Object*"`)
|
|
39
|
+
- Field filter options: `--show-condition-keys`, `--show-resource-types`, `--show-access-level`
|
|
40
|
+
- Allow service prefix in `--name`, making `--service` optional (`--name s3:GetObject`)
|
|
41
|
+
- Deduplicate results when querying overlapping patterns
|
|
42
|
+
|
|
43
|
+
**Validation Improvements**
|
|
44
|
+
|
|
45
|
+
- `action_validation` now validates wildcard patterns (e.g., `s3:Get*`) to ensure they match real AWS actions
|
|
46
|
+
- `action_validation` now validates NotAction field
|
|
47
|
+
- `resource_validation` now validates NotResource field
|
|
48
|
+
- `wildcard_resource` check has condition-aware severity adjustment:
|
|
49
|
+
- MEDIUM → LOW when global resource-scoping conditions present (aws:ResourceAccount, aws:ResourceOrgID, aws:ResourceOrgPaths)
|
|
50
|
+
- MEDIUM → LOW when aws:ResourceTag/\* conditions are used AND all actions support the condition key
|
|
51
|
+
|
|
52
|
+
**Configuration**
|
|
53
|
+
|
|
54
|
+
- Add `hide_severities` option for severity-based finding filtering (global and per-check)
|
|
55
|
+
- Add `iam-policy-validator` CLI alias matching PyPI package name
|
|
56
|
+
|
|
57
|
+
**Cache Improvements**
|
|
58
|
+
|
|
59
|
+
- Cache refresh now updates all cached services (not just common ones)
|
|
60
|
+
- Expired cache files are kept for refresh instead of deleted
|
|
61
|
+
- Stale cache fallback when AWS API fails for graceful degradation
|
|
62
|
+
|
|
63
|
+
**SDK**
|
|
64
|
+
|
|
65
|
+
- Export `extract_condition_keys_from_statement()` in public API
|
|
66
|
+
- Add `is_condition_key_supported()` to AWSServiceFetcher
|
|
67
|
+
|
|
68
|
+
### Changed
|
|
69
|
+
|
|
70
|
+
- Development status upgraded to Production/Stable
|
|
71
|
+
- Batch operations use `asyncio.gather()` for parallel execution
|
|
72
|
+
- Template listing includes full variable metadata (name, description, required)
|
|
73
|
+
- Simplified condition key pattern matching for tag-key placeholders (forward-compatible)
|
|
74
|
+
- Test suite consolidated using `@pytest.mark.parametrize` (919 → 850 tests)
|
|
75
|
+
|
|
76
|
+
### Fixed
|
|
77
|
+
|
|
78
|
+
- Support parameterized condition key patterns like `s3:RequestObjectTag/<key>`
|
|
79
|
+
- MCP tests skip properly when fastmcp is not installed
|
|
80
|
+
- Improved loop prevention guidance for LLM clients
|
|
81
|
+
|
|
82
|
+
### Dependencies
|
|
83
|
+
|
|
84
|
+
- fastmcp as optional dependency (install with `[mcp]` extra)
|
|
85
|
+
- Updated CI dependencies (actions/cache, codeql-action, setup-uv, upload-pages-artifact)
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
16
89
|
## [1.14.7] - 2025-12-17
|
|
17
90
|
|
|
18
91
|
### Added
|
|
92
|
+
|
|
19
93
|
- MkDocs documentation site deployed to GitHub Pages
|
|
20
94
|
- Comprehensive SDK API reference documentation
|
|
21
95
|
|
|
22
96
|
### Fixed
|
|
97
|
+
|
|
23
98
|
- Correct repository name in all documentation links (iam-policy-auditor → iam-policy-validator)
|
|
24
99
|
- Fix SDK docstring formatting for proper mkdocstrings rendering
|
|
25
100
|
- Update PyPI metadata with correct documentation and changelog URLs
|
|
@@ -29,6 +104,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
29
104
|
## [1.14.6] - 2025-12-15
|
|
30
105
|
|
|
31
106
|
### Fixed
|
|
107
|
+
|
|
32
108
|
- Separate security findings from validity errors in PR comments
|
|
33
109
|
- Respect ignored findings when managing PR labels and review state
|
|
34
110
|
|
|
@@ -37,6 +113,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
37
113
|
## [1.14.5] - 2025-12-15
|
|
38
114
|
|
|
39
115
|
### Fixed
|
|
116
|
+
|
|
40
117
|
- Respect ignored findings when managing PR labels and review state
|
|
41
118
|
|
|
42
119
|
---
|
|
@@ -44,6 +121,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
44
121
|
## [1.14.4] - 2025-12-12
|
|
45
122
|
|
|
46
123
|
### Fixed
|
|
124
|
+
|
|
47
125
|
- Show pass status and list ignored findings in summary when all blocking issues are ignored
|
|
48
126
|
|
|
49
127
|
---
|
|
@@ -51,6 +129,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
51
129
|
## [1.14.3] - 2025-12-12
|
|
52
130
|
|
|
53
131
|
### Fixed
|
|
132
|
+
|
|
54
133
|
- Add pattern matching for service-specific condition keys with tag validation
|
|
55
134
|
|
|
56
135
|
---
|
|
@@ -58,6 +137,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
58
137
|
## [1.14.2] - 2025-12-12
|
|
59
138
|
|
|
60
139
|
### Fixed
|
|
140
|
+
|
|
61
141
|
- Use APPROVE review event when validation passes to dismiss REQUEST_CHANGES
|
|
62
142
|
|
|
63
143
|
---
|
|
@@ -65,10 +145,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
65
145
|
## [1.14.1] - 2025-12-11
|
|
66
146
|
|
|
67
147
|
### Fixed
|
|
148
|
+
|
|
68
149
|
- Enhanced SARIF formatter with dynamic rules and rich context
|
|
69
150
|
- Improved finding fingerprints for better PR comment deduplication
|
|
70
151
|
|
|
71
152
|
### Changed
|
|
153
|
+
|
|
72
154
|
- Updated dependencies (setup-uv, actions/checkout, codeql-action)
|
|
73
155
|
|
|
74
156
|
---
|
|
@@ -76,11 +158,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
76
158
|
## [1.14.0] - 2024-12-10
|
|
77
159
|
|
|
78
160
|
### Added
|
|
161
|
+
|
|
79
162
|
- Enhanced PR comments with fingerprint-based matching
|
|
80
163
|
- Finding ignore system via PR comment replies
|
|
81
164
|
- Improved review comment deduplication
|
|
82
165
|
|
|
83
166
|
### Changed
|
|
167
|
+
|
|
84
168
|
- Better production readiness for GitHub Action integration
|
|
85
169
|
|
|
86
170
|
---
|
|
@@ -88,6 +172,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
88
172
|
## [1.13.1] - 2024-12
|
|
89
173
|
|
|
90
174
|
### Fixed
|
|
175
|
+
|
|
91
176
|
- Bug fixes and stability improvements
|
|
92
177
|
|
|
93
178
|
---
|
|
@@ -95,6 +180,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
95
180
|
## [1.13.0] - 2024-12
|
|
96
181
|
|
|
97
182
|
### Added
|
|
183
|
+
|
|
98
184
|
- Query command for exploring AWS service definitions
|
|
99
185
|
- Shell completion support (bash, zsh, fish)
|
|
100
186
|
|
|
@@ -103,10 +189,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
103
189
|
## [1.12.0] - 2024-11
|
|
104
190
|
|
|
105
191
|
### Added
|
|
192
|
+
|
|
106
193
|
- Trust policy validation check
|
|
107
194
|
- Enhanced condition type mismatch detection
|
|
108
195
|
|
|
109
196
|
### Changed
|
|
197
|
+
|
|
110
198
|
- Improved AWS service fetcher performance
|
|
111
199
|
|
|
112
200
|
---
|
|
@@ -114,10 +202,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
114
202
|
## [1.11.0] - 2024-11
|
|
115
203
|
|
|
116
204
|
### Added
|
|
205
|
+
|
|
117
206
|
- Action-resource matching validation
|
|
118
207
|
- Set operator validation for conditions (ForAllValues/ForAnyValue)
|
|
119
208
|
|
|
120
209
|
### Changed
|
|
210
|
+
|
|
121
211
|
- Expanded sensitive actions database (490+ actions)
|
|
122
212
|
|
|
123
213
|
---
|
|
@@ -125,10 +215,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
125
215
|
## [1.10.0] - 2024-10
|
|
126
216
|
|
|
127
217
|
### Added
|
|
218
|
+
|
|
128
219
|
- MFA condition check for sensitive operations
|
|
129
220
|
- Condition key validation improvements
|
|
130
221
|
|
|
131
222
|
### Changed
|
|
223
|
+
|
|
132
224
|
- Better error messages for validation failures
|
|
133
225
|
|
|
134
226
|
---
|
|
@@ -136,6 +228,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
136
228
|
## [1.9.0] - 2024-10
|
|
137
229
|
|
|
138
230
|
### Added
|
|
231
|
+
|
|
139
232
|
- GitHub PR review comments (inline comments on changed lines)
|
|
140
233
|
- Multiple output formats (JSON, SARIF, CSV, HTML, Markdown)
|
|
141
234
|
|
|
@@ -144,6 +237,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
144
237
|
## [1.8.0] - 2024-09
|
|
145
238
|
|
|
146
239
|
### Added
|
|
240
|
+
|
|
147
241
|
- AWS Access Analyzer integration
|
|
148
242
|
- Offline validation mode with pre-downloaded service definitions
|
|
149
243
|
|
|
@@ -152,10 +246,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
152
246
|
## [1.7.0] - 2024-09
|
|
153
247
|
|
|
154
248
|
### Added
|
|
249
|
+
|
|
155
250
|
- Custom checks support via `--custom-checks-dir`
|
|
156
251
|
- Configuration file support (`iam-validator.yaml`)
|
|
157
252
|
|
|
158
253
|
### Changed
|
|
254
|
+
|
|
159
255
|
- Modular check architecture
|
|
160
256
|
|
|
161
257
|
---
|
|
@@ -163,6 +259,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
163
259
|
## [1.6.0] - 2024-08
|
|
164
260
|
|
|
165
261
|
### Added
|
|
262
|
+
|
|
166
263
|
- Service Control Policy (SCP) validation
|
|
167
264
|
- Principal validation for resource policies
|
|
168
265
|
|
|
@@ -171,17 +268,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
171
268
|
## [1.5.0] - 2024-08
|
|
172
269
|
|
|
173
270
|
### Added
|
|
271
|
+
|
|
174
272
|
- Modular Python configuration system (5-10x faster startup)
|
|
175
273
|
- Split security checks into individual modules:
|
|
176
|
-
- `wildcard_action` - Wildcard actions (Action: "
|
|
177
|
-
- `wildcard_resource` - Wildcard resources (Resource: "
|
|
178
|
-
- `service_wildcard` - Service-level wildcards (e.g., "s3
|
|
274
|
+
- `wildcard_action` - Wildcard actions (Action: "\*")
|
|
275
|
+
- `wildcard_resource` - Wildcard resources (Resource: "\*")
|
|
276
|
+
- `service_wildcard` - Service-level wildcards (e.g., "s3:\*")
|
|
179
277
|
- `sensitive_action` - Sensitive actions without conditions
|
|
180
|
-
- `full_wildcard` - Action
|
|
278
|
+
- `full_wildcard` - Action:_ + Resource:_ (critical)
|
|
181
279
|
- GitHub Action RESOURCE_CONTROL_POLICY support
|
|
182
280
|
- GitHub Actions job summary output
|
|
183
281
|
|
|
184
282
|
### Changed
|
|
283
|
+
|
|
185
284
|
- Comprehensive documentation overhaul
|
|
186
285
|
|
|
187
286
|
---
|
|
@@ -189,9 +288,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
189
288
|
## [1.4.0] - 2024-07
|
|
190
289
|
|
|
191
290
|
### Added
|
|
291
|
+
|
|
192
292
|
- Resource Control Policy (RCP) support with 8 validation checks
|
|
193
293
|
- Enhanced principal validation:
|
|
194
|
-
- Blocked principals (e.g., public access "
|
|
294
|
+
- Blocked principals (e.g., public access "\*")
|
|
195
295
|
- Allowed principals whitelist
|
|
196
296
|
- Required conditions for specific principals
|
|
197
297
|
- Service principal validation
|
|
@@ -203,6 +303,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
203
303
|
## [1.3.0] - 2024-06
|
|
204
304
|
|
|
205
305
|
### Added
|
|
306
|
+
|
|
206
307
|
- Modular Python configuration system
|
|
207
308
|
- Condition requirement templates
|
|
208
309
|
- Action condition enforcement check
|
|
@@ -212,6 +313,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
212
313
|
## [1.2.0] - 2024-05
|
|
213
314
|
|
|
214
315
|
### Added
|
|
316
|
+
|
|
215
317
|
- Smart IAM policy detection and filtering
|
|
216
318
|
- YAML policy support
|
|
217
319
|
- Streaming mode for large policy sets
|
|
@@ -221,6 +323,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
221
323
|
## [1.1.0] - 2024-04
|
|
222
324
|
|
|
223
325
|
### Added
|
|
326
|
+
|
|
224
327
|
- Split security checks into individual modules
|
|
225
328
|
- Configurable check system
|
|
226
329
|
- Per-check severity overrides
|
|
@@ -230,6 +333,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
230
333
|
## [1.0.0] - 2024-03
|
|
231
334
|
|
|
232
335
|
### Added
|
|
336
|
+
|
|
233
337
|
- Initial release
|
|
234
338
|
- Core IAM policy validation engine
|
|
235
339
|
- AWS service definition fetching with caching
|
|
@@ -249,11 +353,11 @@ This project follows [Semantic Versioning](https://semver.org/):
|
|
|
249
353
|
|
|
250
354
|
### Supported Versions
|
|
251
355
|
|
|
252
|
-
| Version | Support Status
|
|
253
|
-
| ------- |
|
|
254
|
-
| 1.
|
|
255
|
-
| 1.
|
|
256
|
-
| < 1.
|
|
356
|
+
| Version | Support Status |
|
|
357
|
+
| ------- | ---------------------- |
|
|
358
|
+
| 1.15.x | ✅ Active development |
|
|
359
|
+
| 1.14.x | ⚠️ Critical fixes only |
|
|
360
|
+
| < 1.14 | ❌ End of life |
|
|
257
361
|
|
|
258
362
|
### Deprecation Policy
|
|
259
363
|
|
|
@@ -270,6 +374,7 @@ This project follows [Semantic Versioning](https://semver.org/):
|
|
|
270
374
|
The modular configuration system introduced in v1.5.0 changed how checks are configured:
|
|
271
375
|
|
|
272
376
|
**Before (v1.4.x):**
|
|
377
|
+
|
|
273
378
|
```yaml
|
|
274
379
|
checks:
|
|
275
380
|
wildcard: high
|
|
@@ -277,6 +382,7 @@ checks:
|
|
|
277
382
|
```
|
|
278
383
|
|
|
279
384
|
**After (v1.5.0+):**
|
|
385
|
+
|
|
280
386
|
```yaml
|
|
281
387
|
wildcard_action:
|
|
282
388
|
enabled: true
|
|
@@ -298,7 +404,9 @@ iam-validator validate --policy-type RESOURCE_CONTROL_POLICY policies/
|
|
|
298
404
|
|
|
299
405
|
---
|
|
300
406
|
|
|
301
|
-
[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.
|
|
407
|
+
[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...HEAD
|
|
408
|
+
[1.15.0]: https://github.com/boogy/iam-policy-validator/compare/v1.14.7...v1.15.0
|
|
409
|
+
[1.14.7]: https://github.com/boogy/iam-policy-validator/compare/v1.14.6...v1.14.7
|
|
302
410
|
[1.14.6]: https://github.com/boogy/iam-policy-validator/compare/v1.14.5...v1.14.6
|
|
303
411
|
[1.14.5]: https://github.com/boogy/iam-policy-validator/compare/v1.14.4...v1.14.5
|
|
304
412
|
[1.14.4]: https://github.com/boogy/iam-policy-validator/compare/v1.14.3...v1.14.4
|
|
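--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.
+Version: 1.15.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator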
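--- a/iam_validator/__version__.py
+++ b/iam_validator/__version__.py
@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.15.
+__version__ = "1.15.1"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0] # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))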
@@ -243,22 +243,30 @@ class ServiceValidator:
|
|
|
243
243
|
_, action_name = self._parser.parse_action(action)
|
|
244
244
|
|
|
245
245
|
# Check if it's a global condition key
|
|
246
|
+
# Note: Some aws: prefixed keys like aws:RequestTag/* and aws:ResourceTag/* are NOT
|
|
247
|
+
# global keys - they're action-specific or resource-specific. We'll check those later.
|
|
246
248
|
is_global_key = False
|
|
247
249
|
if condition_key.startswith("aws:"):
|
|
248
250
|
global_conditions = get_global_conditions()
|
|
249
251
|
if global_conditions.is_valid_global_key(condition_key):
|
|
250
252
|
is_global_key = True
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
is_valid=False,
|
|
254
|
-
error_message=f"Invalid AWS global condition key: `{condition_key}`.",
|
|
255
|
-
)
|
|
253
|
+
# If not a global key, continue to check action/resource-specific keys
|
|
254
|
+
# Don't return an error yet - aws:RequestTag, aws:ResourceTag are action-specific
|
|
256
255
|
|
|
257
256
|
# Check service-specific condition keys (with pattern matching for tag keys)
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
257
|
+
# IMPORTANT: aws:RequestTag and aws:ResourceTag patterns in service-level keys
|
|
258
|
+
# are NOT universally valid for all actions. Skip them here - they'll be checked
|
|
259
|
+
# at action/resource level.
|
|
260
|
+
if service_detail.condition_keys:
|
|
261
|
+
# Check if it matches service-level keys, but exclude RequestTag/ResourceTag
|
|
262
|
+
if condition_key_in_list(condition_key, list(service_detail.condition_keys.keys())):
|
|
263
|
+
# If it's RequestTag or ResourceTag, don't return valid here - check action/resource level
|
|
264
|
+
if not (
|
|
265
|
+
condition_key.startswith("aws:RequestTag/")
|
|
266
|
+
or condition_key.startswith("aws:ResourceTag/")
|
|
267
|
+
):
|
|
268
|
+
return ConditionKeyValidationResult(is_valid=True)
|
|
269
|
+
# For RequestTag/ResourceTag, continue to check action/resource level
|
|
262
270
|
|
|
263
271
|
# Check action-specific condition keys
|
|
264
272
|
if action_name in service_detail.actions:
|
|
@@ -298,8 +306,26 @@ class ServiceValidator:
|
|
|
298
306
|
if is_global_key:
|
|
299
307
|
return ConditionKeyValidationResult(is_valid=True)
|
|
300
308
|
|
|
301
|
-
#
|
|
302
|
-
|
|
309
|
+
# If we reach here, the condition key was not found in any valid location
|
|
310
|
+
# Check if it's an aws: prefixed key that's not global - provide specific error
|
|
311
|
+
if condition_key.startswith("aws:"):
|
|
312
|
+
# Special handling for aws:RequestTag and aws:ResourceTag patterns
|
|
313
|
+
if condition_key.startswith("aws:RequestTag/"):
|
|
314
|
+
error_msg = (
|
|
315
|
+
f"Condition key `{condition_key}` is not supported by action `{action}`. "
|
|
316
|
+
f"The `aws:RequestTag/${{TagKey}}` condition is only supported by actions that "
|
|
317
|
+
f"create or modify resources with tags. This action does not support tag operations."
|
|
318
|
+
)
|
|
319
|
+
elif condition_key.startswith("aws:ResourceTag/"):
|
|
320
|
+
error_msg = (
|
|
321
|
+
f"Condition key `{condition_key}` is not supported by the resources used by action `{action}`. "
|
|
322
|
+
f"The `aws:ResourceTag/${{TagKey}}` condition is only supported by resources that have tags."
|
|
323
|
+
)
|
|
324
|
+
else:
|
|
325
|
+
error_msg = f"Invalid AWS condition key: `{condition_key}`. This key is not a valid global condition key and is not supported by action `{action}`."
|
|
326
|
+
else:
|
|
327
|
+
# Short error message for non-aws: keys
|
|
328
|
+
error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
|
|
303
329
|
|
|
304
330
|
# Collect valid condition keys for this action
|
|
305
331
|
valid_keys: set[str] = set()
|
|
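Review bot: The prefix tests that route aws:RequestTag/ and aws:ResourceTag/ past the service-level match (new lines 264-267, repeated at new lines 313 and 319 in the second hunk) are case-sensitive, while IAM matches condition key names case-insensitively, so a policy written as `aws:requesttag/Env` never takes the action-level path this change introduces and is either accepted by the service-level match or dropped into the generic "Invalid AWS condition key" branch, depending on how `condition_key_in_list` and `is_valid_global_key` compare case, which is not visible here. I would normalise once and keep the prefixes in a single module-level tuple used by both hunks: `_TAG_SCOPED_PREFIXES = ("aws:requesttag/", "aws:resourcetag/")` and `if not condition_key.lower().startswith(_TAG_SCOPED_PREFIXES):`. The stricter validation is worth keeping because an unsupported key in a Deny statement, or under a negated or `...IfExists` operator in an Allow, silently widens what the policy grants; the new error messages could state that consequence in one extra sentence so the reader understands why the finding matters. The enclosing method starts before the first hunk and continues past the second.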
@@ -85,17 +85,13 @@ GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS = frozenset(
|
|
|
85
85
|
)
|
|
86
86
|
|
|
87
87
|
# Patterns that should be recognized (wildcards and tag-based keys)
|
|
88
|
-
#
|
|
88
|
+
# IMPORTANT: aws:RequestTag and aws:ResourceTag are NOT global condition keys!
|
|
89
|
+
# They are action-specific or resource-specific and must be explicitly listed in
|
|
90
|
+
# the action's ActionConditionKeys or the resource's ConditionKeys.
|
|
91
|
+
# Only aws:PrincipalTag is a true global condition key.
|
|
92
|
+
#
|
|
89
93
|
# Uses centralized tag key character class from constants
|
|
90
94
|
AWS_CONDITION_KEY_PATTERNS = [
|
|
91
|
-
{
|
|
92
|
-
"pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
|
|
93
|
-
"description": "Tag keys in the request (for tag-based access control)",
|
|
94
|
-
},
|
|
95
|
-
{
|
|
96
|
-
"pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
|
|
97
|
-
"description": "Tags on the resource being accessed",
|
|
98
|
-
},
|
|
99
95
|
{
|
|
100
96
|
"pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
|
|
101
97
|
"description": "Tags attached to the principal making the request",
|
|
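Review bot: The new header comment at lines 88-91 overstates the case: AWS documents `aws:RequestTag/tag-key` and `aws:ResourceTag/tag-key` in its global condition context keys reference, with the caveat that they are only present in the request context for actions and resources that support tagging, and a maintainer who reads "NOT global condition keys!" is likely to re-add the removed patterns later. I would phrase it as `# aws:RequestTag/<key> and aws:ResourceTag/<key> are documented as global keys but only enter the request context for tag-aware actions/resources; they are validated against the service reference (ActionConditionKeys / resource ConditionKeys), not here.` Removing the two patterns makes acceptance of these keys depend entirely on the service reference listing them per action and per resource type, so an incomplete reference entry now surfaces as a false positive instead of being silently accepted; that is the right trade-off for a security validator but deserves a line in the changelog.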
@@ -40,19 +40,21 @@ class TestAWSGlobalConditions:
|
|
|
40
40
|
assert conditions.is_valid_global_key("") is False
|
|
41
41
|
|
|
42
42
|
def test_request_tag_pattern(self, conditions):
|
|
43
|
-
"""Test
|
|
44
|
-
|
|
45
|
-
assert conditions.is_valid_global_key("aws:RequestTag/
|
|
46
|
-
assert conditions.is_valid_global_key("aws:RequestTag/
|
|
47
|
-
assert conditions.is_valid_global_key("aws:RequestTag/
|
|
48
|
-
assert conditions.is_valid_global_key("aws:RequestTag/
|
|
43
|
+
"""Test that aws:RequestTag/* are NOT global keys (they're action-specific)."""
|
|
44
|
+
# aws:RequestTag is NOT a global key - it's only supported by specific actions
|
|
45
|
+
assert conditions.is_valid_global_key("aws:RequestTag/Environment") is False
|
|
46
|
+
assert conditions.is_valid_global_key("aws:RequestTag/Owner") is False
|
|
47
|
+
assert conditions.is_valid_global_key("aws:RequestTag/CostCenter") is False
|
|
48
|
+
assert conditions.is_valid_global_key("aws:RequestTag/Team-Name") is False
|
|
49
|
+
assert conditions.is_valid_global_key("aws:RequestTag/app.example.com/role") is False
|
|
49
50
|
|
|
50
51
|
def test_resource_tag_pattern(self, conditions):
|
|
51
|
-
"""Test
|
|
52
|
-
|
|
53
|
-
assert conditions.is_valid_global_key("aws:ResourceTag/
|
|
54
|
-
assert conditions.is_valid_global_key("aws:ResourceTag/
|
|
55
|
-
assert conditions.is_valid_global_key("aws:ResourceTag/
|
|
52
|
+
"""Test that aws:ResourceTag/* are NOT global keys (they're resource-specific)."""
|
|
53
|
+
# aws:ResourceTag is NOT a global key - it's only supported by resources that have tags
|
|
54
|
+
assert conditions.is_valid_global_key("aws:ResourceTag/Environment") is False
|
|
55
|
+
assert conditions.is_valid_global_key("aws:ResourceTag/Owner") is False
|
|
56
|
+
assert conditions.is_valid_global_key("aws:ResourceTag/Project") is False
|
|
57
|
+
assert conditions.is_valid_global_key("aws:ResourceTag/app:component") is False
|
|
56
58
|
|
|
57
59
|
def test_principal_tag_pattern(self, conditions):
|
|
58
60
|
"""Test validation of aws:PrincipalTag/* patterns."""
|
|
@@ -95,11 +97,13 @@ class TestAWSGlobalConditions:
|
|
|
95
97
|
assert conditions.get_key_type("aws:MultiFactorAuthAge") == "Numeric"
|
|
96
98
|
assert conditions.get_key_type("aws:username") == "String"
|
|
97
99
|
|
|
98
|
-
# Pattern matches (
|
|
99
|
-
assert conditions.get_key_type("aws:RequestTag/Environment") == "String"
|
|
100
|
-
assert conditions.get_key_type("aws:ResourceTag/Name") == "String"
|
|
100
|
+
# Pattern matches (only PrincipalTag is global) - all tag keys are String type
|
|
101
101
|
assert conditions.get_key_type("aws:PrincipalTag/Department") == "String"
|
|
102
102
|
|
|
103
|
+
# RequestTag and ResourceTag are NOT global
|
|
104
|
+
assert conditions.get_key_type("aws:RequestTag/Environment") is None
|
|
105
|
+
assert conditions.get_key_type("aws:ResourceTag/Name") is None
|
|
106
|
+
|
|
103
107
|
# Invalid keys
|
|
104
108
|
assert conditions.get_key_type("invalid:key") is None
|
|
105
109
|
assert conditions.get_key_type("s3:prefix") is None
|
|
@@ -108,7 +112,7 @@ class TestAWSGlobalConditions:
|
|
|
108
112
|
"""Test getting all condition key patterns."""
|
|
109
113
|
patterns = conditions.get_patterns()
|
|
110
114
|
assert isinstance(patterns, list)
|
|
111
|
-
assert len(patterns) ==
|
|
115
|
+
assert len(patterns) == 1 # Only PrincipalTag (RequestTag and ResourceTag are NOT global)
|
|
112
116
|
|
|
113
117
|
# Verify pattern structure
|
|
114
118
|
for pattern_config in patterns:
|
|
@@ -117,7 +121,7 @@ class TestAWSGlobalConditions:
|
|
|
117
121
|
|
|
118
122
|
# Ensure it's a copy, not the original
|
|
119
123
|
patterns.append({"pattern": "test", "description": "test"})
|
|
120
|
-
assert len(conditions._patterns) ==
|
|
124
|
+
assert len(conditions._patterns) == 1
|
|
121
125
|
|
|
122
126
|
def test_singleton_get_global_conditions(self):
|
|
123
127
|
"""Test the singleton factory function."""
|
|
@@ -146,14 +150,18 @@ class TestAWSGlobalConditions:
|
|
|
146
150
|
def test_tag_with_special_characters(self, conditions):
|
|
147
151
|
"""Test tag patterns with allowed special characters."""
|
|
148
152
|
# According to the pattern: [a-zA-Z0-9+\-=._:/@]+
|
|
149
|
-
|
|
150
|
-
assert conditions.is_valid_global_key("aws:
|
|
151
|
-
assert conditions.is_valid_global_key("aws:
|
|
152
|
-
assert conditions.is_valid_global_key("aws:
|
|
153
|
-
assert conditions.is_valid_global_key("aws:
|
|
154
|
-
assert conditions.is_valid_global_key("aws:
|
|
155
|
-
assert conditions.is_valid_global_key("aws:
|
|
156
|
-
assert conditions.is_valid_global_key("aws:
|
|
153
|
+
# Only PrincipalTag is global, so test with it
|
|
154
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my-tag") is True
|
|
155
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my_tag") is True
|
|
156
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my.tag") is True
|
|
157
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my:tag") is True
|
|
158
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my/tag") is True
|
|
159
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my@tag") is True
|
|
160
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my+tag") is True
|
|
161
|
+
assert conditions.is_valid_global_key("aws:PrincipalTag/my=tag") is True
|
|
162
|
+
|
|
163
|
+
# RequestTag is NOT global
|
|
164
|
+
assert conditions.is_valid_global_key("aws:RequestTag/my-tag") is False
|
|
157
165
|
|
|
158
166
|
def test_known_service_specific_keys_are_invalid(self, conditions):
|
|
159
167
|
"""Test that service-specific condition keys are not treated as global."""
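Review bot: `assert len(patterns) == 1` (new line 115) and `assert len(conditions._patterns) == 1` (new line 124) pin the current size of AWS_CONDITION_KEY_PATTERNS rather than the property this commit establishes, so the next legitimate pattern breaks both tests without catching a regression, and the second reaches into a private attribute. The copy check can stay on the public API — `before = len(conditions.get_patterns())`, then after the append `assert len(conditions.get_patterns()) == before` — and test_patterns can assert the intent directly with `assert not any("RequestTag" in p["pattern"] or "ResourceTag" in p["pattern"] for p in patterns)`. The names test_request_tag_pattern and test_resource_tag_pattern (lines 42, 51) now assert the opposite of what they did in 1.15.0; renaming them to e.g. test_request_tag_is_not_global keeps failure output readable. The enclosing class TestAWSGlobalConditions and its conditions fixture start outside these hunks.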
|