iam-policy-validator 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

iam_validator/core/aws_fetcher.py

@@ -33,6 +33,7 @@ from typing import Any
 
 import httpx
 
+from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 from iam_validator.core.models import ServiceDetail, ServiceInfo
 
 logger = logging.getLogger(__name__)
@@ -121,7 +122,7 @@ class CompiledPatterns:
 class AWSServiceFetcher:
     """Fetches AWS service information from the AWS service reference API with enhanced performance features."""
 
-    BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+    BASE_URL = AWS_SERVICE_REFERENCE_BASE_URL
 
     # Common AWS services to pre-fetch
     # All other services will be fetched on-demand (lazy loading if found in policies)
@@ -797,8 +798,15 @@ class AWSServiceFetcher:
 
     async def validate_condition_key(
         self, action: str, condition_key: str
-    ) -> tuple[bool, str | None]:
-        """Validate condition key with optimized caching."""
+    ) -> tuple[bool, str | None, str | None]:
+        """Validate condition key with optimized caching.
+
+        Returns:
+            Tuple of (is_valid, error_message, warning_message)
+            - is_valid: True if key is valid (even with warning)
+            - error_message: Error message if invalid (is_valid=False)
+            - warning_message: Warning message if valid but not recommended
+        """
         try:
             from iam_validator.core.aws_global_conditions import get_global_conditions
 
@@ -814,6 +822,7 @@ class AWSServiceFetcher:
                     return (
                         False,
                         f"Invalid AWS global condition key: '{condition_key}'.",
+                        None,
                     )
 
             # Fetch service detail (cached)
@@ -821,7 +830,7 @@ class AWSServiceFetcher:
 
             # Check service-specific condition keys
             if condition_key in service_detail.condition_keys:
-                return True, None
+                return True, None, None
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -830,29 +839,33 @@ class AWSServiceFetcher:
                     action_detail.action_condition_keys
                     and condition_key in action_detail.action_condition_keys
                 ):
-                    return True, None
+                    return True, None, None
 
                 # If it's a global key but the action has specific condition keys defined,
-                # check if the global key is explicitly listed in the action's supported keys
+                # AWS allows it but the key may not be available in every request context
                 if is_global_key and action_detail.action_condition_keys is not None:
-                    return (
-                        False,
-                        f"Condition key '{condition_key}' is not supported by action '{action}'. "
-                        f"This action has a specific set of supported condition keys.",
+                    warning_msg = (
+                        f"Global condition key '{condition_key}' is used with action '{action}'. "
+                        f"While global condition keys can be used across all AWS services, "
+                        f"the key may not be available in every request context. "
+                        f"Verify that '{condition_key}' is available for this specific action's request context. "
+                        f"Consider using '*IfExists' operators (e.g., StringEqualsIfExists) if the key might be missing."
                     )
+                    return True, None, warning_msg
 
             # If it's a global key and action doesn't define specific keys, allow it
             if is_global_key:
-                return True, None
+                return True, None, None
 
             return (
                 False,
                 f"Condition key '{condition_key}' is not valid for action '{action}'",
+                None,
             )
 
         except Exception as e:
             logger.error(f"Error validating condition key {condition_key} for {action}: {e}")
-            return False, f"Failed to validate condition key: {str(e)}"
+            return False, f"Failed to validate condition key: {str(e)}", None
 
     async def clear_caches(self) -> None:
         """Clear all caches (memory and disk)."""

iam_validator/core/check_registry.py

@@ -440,27 +440,21 @@ def create_default_registry(
 
     if include_builtin_checks:
         # Import and register built-in checks
-        from iam_validator.checks import (
-            ActionConditionEnforcementCheck,
-            ActionResourceConstraintCheck,
-            ActionValidationCheck,
-            ConditionKeyValidationCheck,
-            PolicySizeCheck,
-            PrincipalValidationCheck,
-            ResourceValidationCheck,
-            SecurityBestPracticesCheck,
-            SidUniquenessCheck,
-        )
-
-        registry.register(ActionValidationCheck())
-        registry.register(ConditionKeyValidationCheck())
-        registry.register(ResourceValidationCheck())
-        registry.register(SecurityBestPracticesCheck())
-        registry.register(ActionConditionEnforcementCheck())
-        registry.register(ActionResourceConstraintCheck())
-        registry.register(SidUniquenessCheck())
-        registry.register(PolicySizeCheck())
-        registry.register(PrincipalValidationCheck())
+        from iam_validator import checks
+
+        registry.register(checks.ActionValidationCheck())
+        registry.register(checks.ConditionKeyValidationCheck())
+        registry.register(checks.ResourceValidationCheck())
+        registry.register(checks.WildcardActionCheck())
+        registry.register(checks.WildcardResourceCheck())
+        registry.register(checks.FullWildcardCheck())
+        registry.register(checks.ServiceWildcardCheck())
+        registry.register(checks.SensitiveActionCheck())
+        registry.register(checks.ActionConditionEnforcementCheck())
+        registry.register(checks.ActionResourceConstraintCheck())
+        registry.register(checks.SidUniquenessCheck())
+        registry.register(checks.PolicySizeCheck())
+        registry.register(checks.PrincipalValidationCheck())
 
         # Note: SID uniqueness check is registered above but its actual execution
         # happens at the policy level in _validate_policy_with_registry() since it

iam_validator/core/config/__init__.py

@@ -0,0 +1,83 @@
+"""
+Core configuration modules for IAM Policy Validator.
+
+This package contains default configuration data used by validators, organized into
+logical modules for better maintainability and performance.
+
+All configuration is defined as Python code (not YAML/JSON) for:
+- Faster loading (no parsing overhead)
+- Better PyPI packaging (no data files to manage)
+- Type hints and IDE support
+- Compiled to .pyc for even faster imports
+
+Performance benefits:
+- 5-10x faster than YAML parsing
+- Zero runtime parsing overhead
+- Lazy loading support
+- O(1) frozenset lookups
+"""
+
+from iam_validator.core.config.aws_api import (
+    AWS_SERVICE_REFERENCE_BASE_URL,
+    get_service_reference_url,
+)
+from iam_validator.core.config.condition_requirements import (
+    ALL_CONDITION_REQUIREMENTS,
+    DEFAULT_CONDITION_REQUIREMENTS,
+    get_all_requirement_names,
+    get_default_requirements,
+    get_requirement,
+    get_requirements_by_names,
+    get_requirements_by_severity,
+)
+from iam_validator.core.config.defaults import DEFAULT_CONFIG
+from iam_validator.core.config.principal_requirements import (
+    ALL_PRINCIPAL_REQUIREMENTS,
+    DEFAULT_ENABLED_REQUIREMENTS,
+    get_all_principal_requirement_names,
+    get_default_principal_requirements,
+    get_principal_requirement,
+    get_principal_requirements_by_names,
+    get_principal_requirements_by_severity,
+)
+from iam_validator.core.config.sensitive_actions import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    get_sensitive_actions,
+)
+from iam_validator.core.config.service_principals import DEFAULT_SERVICE_PRINCIPALS
+from iam_validator.core.config.wildcards import (
+    DEFAULT_ALLOWED_WILDCARDS,
+    DEFAULT_SERVICE_WILDCARDS,
+)
+
+__all__ = [
+    # Default configuration
+    "DEFAULT_CONFIG",
+    # AWS API endpoints
+    "AWS_SERVICE_REFERENCE_BASE_URL",
+    "get_service_reference_url",
+    # Sensitive actions
+    "DEFAULT_SENSITIVE_ACTIONS",
+    "get_sensitive_actions",
+    # Condition requirements (for actions)
+    "DEFAULT_CONDITION_REQUIREMENTS",
+    "ALL_CONDITION_REQUIREMENTS",
+    "get_default_requirements",
+    "get_requirement",
+    "get_all_requirement_names",
+    "get_requirements_by_names",
+    "get_requirements_by_severity",
+    # Principal requirements (for principals)
+    "ALL_PRINCIPAL_REQUIREMENTS",
+    "DEFAULT_ENABLED_REQUIREMENTS",
+    "get_default_principal_requirements",
+    "get_principal_requirement",
+    "get_all_principal_requirement_names",
+    "get_principal_requirements_by_names",
+    "get_principal_requirements_by_severity",
+    # Wildcards
+    "DEFAULT_ALLOWED_WILDCARDS",
+    "DEFAULT_SERVICE_WILDCARDS",
+    # Service principals
+    "DEFAULT_SERVICE_PRINCIPALS",
+]

iam_validator/core/config/aws_api.py

@@ -0,0 +1,35 @@
+"""
+AWS API configuration constants.
+
+This module centralizes AWS API endpoints and related configuration
+used throughout the IAM Policy Validator.
+"""
+
+# AWS Service Reference API base URL
+# This is the official AWS service reference that provides action, resource, and condition key metadata
+AWS_SERVICE_REFERENCE_BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+
+# Alternative endpoints for different regions (currently not used, but available for future expansion)
+AWS_SERVICE_REFERENCE_ENDPOINTS = {
+    "us-east-1": "https://servicereference.us-east-1.amazonaws.com/",
+    # Add other regional endpoints if they become available
+}
+
+
+def get_service_reference_url(region: str = "us-east-1") -> str:
+    """
+    Get the AWS Service Reference API URL for a specific region.
+
+    Args:
+        region: AWS region (default: us-east-1)
+
+    Returns:
+        The service reference base URL for the specified region
+
+    Example:
+        >>> get_service_reference_url()
+        'https://servicereference.us-east-1.amazonaws.com/'
+        >>> get_service_reference_url("us-east-1")
+        'https://servicereference.us-east-1.amazonaws.com/'
+    """
+    return AWS_SERVICE_REFERENCE_ENDPOINTS.get(region, AWS_SERVICE_REFERENCE_BASE_URL)