iam-policy-validator 1.2.0__py3-none-any.whl → 1.3.1__py3-none-any.whl

{iam_policy_validator-1.2.0.dist-info → iam_policy_validator-1.3.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.2.0
+Version: 1.3.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -651,7 +651,9 @@ Use as a library in your Python applications:
 
 ```python
 import asyncio
-from iam_validator.core import PolicyLoader, validate_policies, ReportGenerator
+from iam_validator.core.policy_loader import PolicyLoader
+from iam_validator.core.policy_checks import validate_policies
+from iam_validator.core.report import ReportGenerator
 
 async def main():
     # Load policies
@@ -669,6 +671,10 @@ async def main():
 asyncio.run(main())
 ```
 
+**📚 For comprehensive Python library documentation, see:**
+- **[Python Library Usage Guide](docs/python-library-usage.md)** - Complete guide with examples
+- **[Library Examples](examples/library-usage/)** - Runnable code examples
+
 ## Validation Checks
 
 ### 1. Action Validation

{iam_policy_validator-1.2.0.dist-info → iam_policy_validator-1.3.1.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=DXwy7NFu0sFYGUDCtWhx6tznod1u86TF0qT4bEvP8xQ,206
+iam_validator/__version__.py,sha256=hbgDe5p_vG5JrspHS61bAQLyKxbRMqbUDzeKUVq_gmo,206
 iam_validator/checks/__init__.py,sha256=eKTPgiZ1i3zvyP6OdKgLx9s3u69onITMYifmJPJwZgM,968
 iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
 iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
@@ -14,21 +14,22 @@ iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIe
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=VlTpgjMnympYa28kOdm6xRIUL2P87rOvm1O2NdnjtVI,8900
 iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
-iam_validator/commands/__init__.py,sha256=lF0fSUukLSxTAvhjg-0P79YMseYwihIr_tmQYbfNgcY,425
+iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=NHfbIDWI8tj-3o-4fIZJQS-Vvd9bxIH3Lk6kBtNuiUU,14212
+iam_validator/commands/download_services.py,sha256=anRcobOuhkiEmHpwW_AJb1e2ifgkgYAO2-b9-JBrBcg,9152
 iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
 iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
-iam_validator/core/aws_fetcher.py,sha256=6W4ixYEMx4Y5bx9rCB65CDqZh7iUVANAvhFVHu0MOKQ,32654
+iam_validator/core/aws_fetcher.py,sha256=0rG7qi3Lz6ulU6pDL0nZ6sklgSAS5pwo0ViykDspRt8,33382
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
 iam_validator/core/check_registry.py,sha256=wxqaF2t_3lWgT6x7_PnnZ8XGjHKUxUk72UlmdYBLFyo,15679
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/config_loader.py,sha256=Pq2rd6LJtEZET0ZeW4hEZS2ZRLC5gNRsKbtLyIsT21I,16516
-iam_validator/core/defaults.py,sha256=tp8MPrFicRvI0dp8yH95MzJ9tC33n0N92aUC3HMkmYc,13289
+iam_validator/core/defaults.py,sha256=brGPx0_8zmsMNddYryMKbcoIh8VJq2mdXZdGDItAsQs,13251
 iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
 iam_validator/core/policy_checks.py,sha256=pMlZ2XkuqppVOUZq__e8w_yGoy7lIHjAB5RiTXwJo4Q,25114
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
@@ -46,8 +47,8 @@ iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkS
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.2.0.dist-info/METADATA,sha256=4b0zMRoJwnyeuwQJzR8eyIrZLVB_aFzhwomz0nybwZk,29136
-iam_policy_validator-1.2.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.2.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.2.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.2.0.dist-info/RECORD,,
+iam_policy_validator-1.3.1.dist-info/METADATA,sha256=NNF1fvnG9g8pGMopQ71yn5rHtWnRIVMBUGPEeNLX9jI,29465
+iam_policy_validator-1.3.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.3.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.3.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.3.1.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.2.0"
+__version__ = "1.3.1"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/commands/__init__.py

@@ -2,6 +2,7 @@
 
 from .analyze import AnalyzeCommand
 from .cache import CacheCommand
+from .download_services import DownloadServicesCommand
 from .post_to_pr import PostToPRCommand
 from .validate import ValidateCommand
 
@@ -11,6 +12,14 @@ ALL_COMMANDS = [
     PostToPRCommand(),
     AnalyzeCommand(),
     CacheCommand(),
+    DownloadServicesCommand(),
 ]
 
-__all__ = ["ValidateCommand", "PostToPRCommand", "AnalyzeCommand", "CacheCommand", "ALL_COMMANDS"]
+__all__ = [
+    "ValidateCommand",
+    "PostToPRCommand",
+    "AnalyzeCommand",
+    "CacheCommand",
+    "DownloadServicesCommand",
+    "ALL_COMMANDS",
+]

iam_validator/commands/download_services.py

@@ -0,0 +1,260 @@
+"""Download AWS service definitions command."""
+
+import argparse
+import asyncio
+import json
+import logging
+from datetime import datetime, timezone
+from pathlib import Path
+
+import httpx
+from rich.console import Console
+from rich.progress import (
+    BarColumn,
+    Progress,
+    TaskID,
+    TextColumn,
+    TimeRemainingColumn,
+)
+
+from iam_validator.commands.base import Command
+
+logger = logging.getLogger(__name__)
+console = Console()
+
+BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+DEFAULT_OUTPUT_DIR = Path("aws_services")
+
+
+class DownloadServicesCommand(Command):
+    """Download all AWS service definition JSON files."""
+
+    @property
+    def name(self) -> str:
+        return "sync-services"
+
+    @property
+    def help(self) -> str:
+        return "Sync/download all AWS service definitions for offline use"
+
+    @property
+    def epilog(self) -> str:
+        return """
+Examples:
+  # Sync all AWS service definitions to default directory (aws_services/)
+  iam-validator sync-services
+
+  # Sync to a custom directory
+  iam-validator sync-services --output-dir /path/to/backup
+
+  # Limit concurrent downloads
+  iam-validator sync-services --max-concurrent 5
+
+  # Enable verbose output
+  iam-validator sync-services --log-level debug
+
+Directory structure:
+  aws_services/
+      _manifest.json         # Metadata about the download
+      _services.json         # List of all services
+      s3.json                # Individual service definitions
+      ec2.json
+      iam.json
+      ...
+
+This command is useful for:
+  - Creating offline backups of AWS service definitions
+  - Avoiding API rate limiting during development
+  - Ensuring consistent service definitions across environments
+"""
+
+    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
+        """Add sync-services command arguments."""
+        parser.add_argument(
+            "--output-dir",
+            type=Path,
+            default=DEFAULT_OUTPUT_DIR,
+            help=f"Output directory for downloaded files (default: {DEFAULT_OUTPUT_DIR})",
+        )
+
+        parser.add_argument(
+            "--max-concurrent",
+            type=int,
+            default=10,
+            help="Maximum number of concurrent downloads (default: 10)",
+        )
+
+    async def execute(self, args: argparse.Namespace) -> int:
+        """Execute the sync-services command."""
+        output_dir = args.output_dir
+        max_concurrent = args.max_concurrent
+
+        try:
+            await self._download_all_services(output_dir, max_concurrent)
+            return 0
+        except Exception as e:
+            console.print(f"[red]Error:[/red] {e}")
+            logger.error(f"Download failed: {e}", exc_info=True)
+            return 1
+
+    async def _download_services_list(self, client: httpx.AsyncClient) -> list[dict]:
+        """Download the list of all AWS services.
+
+        Args:
+            client: HTTP client for making requests
+
+        Returns:
+            List of service info dictionaries
+        """
+        console.print(f"[cyan]Fetching services list from {BASE_URL}...[/cyan]")
+
+        try:
+            response = await client.get(BASE_URL, timeout=30.0)
+            response.raise_for_status()
+            services = response.json()
+
+            console.print(f"[green]✓[/green] Found {len(services)} AWS services")
+            return services
+        except Exception as e:
+            logger.error(f"Failed to fetch services list: {e}")
+            raise
+
+    async def _download_service_detail(
+        self,
+        client: httpx.AsyncClient,
+        service_name: str,
+        service_url: str,
+        semaphore: asyncio.Semaphore,
+        progress: Progress,
+        task_id: TaskID,
+    ) -> tuple[str, dict | None]:
+        """Download detailed JSON for a single service.
+
+        Args:
+            client: HTTP client for making requests
+            service_name: Name of the service
+            service_url: URL to fetch service details
+            semaphore: Semaphore to limit concurrent requests
+            progress: Progress bar instance
+            task_id: Progress task ID
+
+        Returns:
+            Tuple of (service_name, service_data) or (service_name, None) if failed
+        """
+        async with semaphore:
+            try:
+                logger.debug(f"Downloading {service_name}...")
+                response = await client.get(service_url, timeout=30.0)
+                response.raise_for_status()
+                data = response.json()
+                logger.debug(f"✓ Downloaded {service_name}")
+                progress.update(task_id, advance=1)
+                return service_name, data
+            except Exception as e:
+                logger.error(f"✗ Failed to download {service_name}: {e}")
+                progress.update(task_id, advance=1)
+                return service_name, None
+
+    async def _download_all_services(self, output_dir: Path, max_concurrent: int = 10) -> None:
+        """Download all AWS service definitions.
+
+        Args:
+            output_dir: Directory to save the downloaded files
+            max_concurrent: Maximum number of concurrent downloads
+        """
+        # Create output directory
+        output_dir.mkdir(parents=True, exist_ok=True)
+        console.print(f"[cyan]Output directory:[/cyan] {output_dir.absolute()}\n")
+
+        # Create HTTP client with connection pooling
+        async with httpx.AsyncClient(
+            limits=httpx.Limits(max_connections=max_concurrent, max_keepalive_connections=5),
+            timeout=httpx.Timeout(30.0),
+        ) as client:
+            # Download services list
+            services = await self._download_services_list(client)
+
+            # Save services list (underscore prefix for easy discovery at top of directory)
+            services_file = output_dir / "_services.json"
+            with open(services_file, "w") as f:
+                json.dump(services, f, indent=2)
+            console.print(f"[green]✓[/green] Saved services list to {services_file}\n")
+
+            # Download all service details with rate limiting and progress bar
+            semaphore = asyncio.Semaphore(max_concurrent)
+            tasks = []
+
+            # Set up progress bar
+            with Progress(
+                TextColumn("[progress.description]{task.description}"),
+                BarColumn(),
+                TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
+                TextColumn("({task.completed}/{task.total})"),
+                TimeRemainingColumn(),
+                console=console,
+            ) as progress:
+                task_id = progress.add_task(
+                    "[cyan]Downloading service definitions...", total=len(services)
+                )
+
+                for item in services:
+                    service_name = item.get("service")
+                    service_url = item.get("url")
+
+                    if service_name and service_url:
+                        task = self._download_service_detail(
+                            client, service_name, service_url, semaphore, progress, task_id
+                        )
+                        tasks.append(task)
+
+                # Download all services concurrently
+                results = await asyncio.gather(*tasks)
+
+            # Save individual service files
+            successful = 0
+            failed = 0
+
+            console.print("\n[cyan]Saving service definitions...[/cyan]")
+
+            for service_name, data in results:
+                if data is not None:
+                    # Normalize filename (lowercase, safe characters)
+                    filename = f"{service_name.lower().replace(' ', '_')}.json"
+                    service_file = output_dir / filename
+
+                    with open(service_file, "w") as f:
+                        json.dump(data, f, indent=2)
+
+                    successful += 1
+                else:
+                    failed += 1
+
+            # Create manifest with metadata
+            manifest = {
+                "download_date": datetime.now(timezone.utc).isoformat(),
+                "total_services": len(services),
+                "successful_downloads": successful,
+                "failed_downloads": failed,
+                "base_url": BASE_URL,
+            }
+
+            manifest_file = output_dir / "_manifest.json"
+            with open(manifest_file, "w") as f:
+                json.dump(manifest, f, indent=2)
+
+            # Print summary
+            console.print(f"\n{'=' * 60}")
+            console.print("[bold cyan]Download Summary:[/bold cyan]")
+            console.print(f"  Total services: {len(services)}")
+            console.print(f"  [green]Successful:[/green] {successful}")
+            if failed > 0:
+                console.print(f"  [red]Failed:[/red] {failed}")
+            console.print(f"  Output directory: {output_dir.absolute()}")
+            console.print(f"  Manifest: {manifest_file}")
+            console.print(f"{'=' * 60}")
+
+            if failed > 0:
+                console.print(
+                    "\n[yellow]Warning:[/yellow] Some services failed to download. "
+                    "Check the logs for details."
+                )

iam_validator/core/aws_fetcher.py

@@ -804,11 +804,12 @@ class AWSServiceFetcher:
 
             service_prefix, action_name = self.parse_action(action)
 
-            # Check global conditions first (fast)
+            # Check if it's a global condition key
+            is_global_key = False
             if condition_key.startswith("aws:"):
                 global_conditions = get_global_conditions()
                 if global_conditions.is_valid_global_key(condition_key):
-                    return True, None
+                    is_global_key = True
                 else:
                     return (
                         False,
@@ -831,6 +832,19 @@ class AWSServiceFetcher:
                 ):
                     return True, None
 
+                # If it's a global key but the action has specific condition keys defined,
+                # check if the global key is explicitly listed in the action's supported keys
+                if is_global_key and action_detail.action_condition_keys is not None:
+                    return (
+                        False,
+                        f"Condition key '{condition_key}' is not supported by action '{action}'. "
+                        f"This action has a specific set of supported condition keys.",
+                    )
+
+            # If it's a global key and action doesn't define specific keys, allow it
+            if is_global_key:
+                return True, None
+
             return (
                 False,
                 f"Condition key '{condition_key}' is not valid for action '{action}'",

iam_validator/core/defaults.py

@@ -300,7 +300,7 @@ With specific values:
                 ],
             },
             {
-                "actions": ["s3:PutObject", "s3:DeleteObject", "s3:CreateBucket"],
+                "actions": ["s3:PutObject"],
                 "severity": "medium",
                 "required_conditions": [
                     {