iam-policy-validator 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

iam_validator/core/config/wildcards.py

@@ -0,0 +1,124 @@
+"""
+Default wildcard configurations for security best practices checks.
+
+These wildcards define which actions are considered "safe" to use with
+Resource: "*" (e.g., read-only describe operations).
+
+Using Python tuples instead of YAML lists provides:
+- Zero parsing overhead
+- Immutable by default (tuples)
+- Better performance
+- Easy PyPI packaging
+"""
+
+from typing import Final
+
+# ============================================================================
+# Allowed Wildcards for Resource: "*"
+# ============================================================================
+# These action patterns are considered safe to use with wildcard resources
+# They are typically read-only operations that need broad resource access
+
+DEFAULT_ALLOWED_WILDCARDS: Final[tuple[str, ...]] = (
+    # Auto Scaling
+    "autoscaling:Describe*",
+    # CloudWatch
+    "cloudwatch:Describe*",
+    "cloudwatch:Get*",
+    "cloudwatch:List*",
+    # DynamoDB
+    "dynamodb:Describe*",
+    # EC2
+    "ec2:Describe*",
+    # Elastic Load Balancing
+    "elasticloadbalancing:Describe*",
+    # IAM (non-sensitive read operations)
+    "iam:Get*",
+    "iam:List*",
+    # KMS
+    "kms:Describe*",
+    # Lambda
+    "lambda:Get*",
+    "lambda:List*",
+    # CloudWatch Logs
+    "logs:Describe*",
+    "logs:Filter*",
+    "logs:Get*",
+    # RDS
+    "rds:Describe*",
+    # Route53
+    "route53:Get*",
+    "route53:List*",
+    # S3 (safe read operations only)
+    "s3:Describe*",
+    "s3:GetBucket*",
+    "s3:GetM*",
+    "s3:List*",
+    # SQS
+    "sqs:Get*",
+    "sqs:List*",
+    # API Gateway
+    "apigateway:GET",
+)
+
+# ============================================================================
+# Service-Level Wildcards (Allowed Services)
+# ============================================================================
+# Services that are allowed to use service-level wildcards like "logs:*"
+# These are typically low-risk monitoring/logging services
+
+DEFAULT_SERVICE_WILDCARDS: Final[tuple[str, ...]] = (
+    "logs",
+    "cloudwatch",
+    "xray",
+)
+
+
+def get_allowed_wildcards() -> tuple[str, ...]:
+    """
+    Get tuple of allowed wildcard action patterns.
+
+    Returns:
+        Tuple of action patterns that are safe to use with Resource: "*"
+    """
+    return DEFAULT_ALLOWED_WILDCARDS
+
+
+def get_allowed_service_wildcards() -> tuple[str, ...]:
+    """
+    Get tuple of services allowed to use service-level wildcards.
+
+    Returns:
+        Tuple of service names (e.g., "logs", "cloudwatch")
+    """
+    return DEFAULT_SERVICE_WILDCARDS
+
+
+def is_allowed_wildcard(pattern: str) -> bool:
+    """
+    Check if a wildcard pattern is in the allowed list.
+
+    Args:
+        pattern: Action pattern to check (e.g., "s3:List*")
+
+    Returns:
+        True if pattern is in allowed wildcards
+
+    Performance: O(n) but typically small list (~25 items)
+    """
+    return pattern in DEFAULT_ALLOWED_WILDCARDS
+
+
+def is_allowed_service_wildcard(service: str) -> bool:
+    """
+    Check if a service is allowed to use service-level wildcards.
+
+    Args:
+        service: Service name (e.g., "logs", "s3")
+
+    Returns:
+        True if service is in allowed list
+
+    Performance: O(n) but very small list (~3 items)
+    """
+    return service in DEFAULT_SERVICE_WILDCARDS

iam_validator/core/config_loader.py

@@ -15,7 +15,7 @@ from typing import Any
 import yaml
 
 from iam_validator.core.check_registry import CheckConfig, CheckRegistry, PolicyCheck
-from iam_validator.core.defaults import get_default_config
+from iam_validator.core.config.defaults import get_default_config
 
 logger = logging.getLogger(__name__)
 
@@ -68,18 +68,38 @@ class ValidatorConfig:
             self.config_dict = config_dict or {}
 
         # Support both nested and flat structure
-        # New flat structure: each check is a top-level key ending with "_check"
-        # Old nested structure: all checks under "checks" key
+        # 1. Old nested structure: all checks under "checks" key
+        # 2. New flat structure: each check is a top-level key ending with "_check"
+        # 3. Default config structure: check IDs directly at top level (without "_check" suffix)
         if "checks" in self.config_dict:
             # Old nested structure
             self.checks_config = self.config_dict.get("checks", {})
         else:
-            # New flat structure - extract all keys ending with "_check"
-            self.checks_config = {
-                key.replace("_check", ""): value
-                for key, value in self.config_dict.items()
-                if key.endswith("_check") and isinstance(value, dict)
-            }
+            # New flat structure and default config structure
+            # Extract all keys ending with "_check" OR that look like check configurations
+            self.checks_config = {}
+
+            # First, add keys ending with "_check"
+            for key, value in self.config_dict.items():
+                if key.endswith("_check") and isinstance(value, dict):
+                    self.checks_config[key.replace("_check", "")] = value
+
+            # Then, add top-level keys that look like check configurations
+            # (they have dict values and contain typical check config keys like enabled, severity, etc.)
+            for key, value in self.config_dict.items():
+                if (
+                    key
+                    not in [
+                        "settings",
+                        "custom_checks",
+                        "custom_checks_dir",
+                    ]  # Skip special config keys
+                    and not key.endswith("_check")  # Skip if already processed above
+                    and isinstance(value, dict)  # Must be a dict
+                    and key not in self.checks_config  # Not already added
+                ):
+                    # This looks like a check configuration
+                    self.checks_config[key] = value
 
         self.custom_checks = self.config_dict.get("custom_checks", [])
         self.custom_checks_dir = self.config_dict.get("custom_checks_dir")

iam_validator/core/formatters/enhanced.py

@@ -36,13 +36,18 @@ class EnhancedFormatter(OutputFormatter):
 
         Args:
             report: Validation report to format
-            **kwargs: Additional options (color: bool = True)
+            **kwargs: Additional options:
+                - color (bool): Enable color output (default: True)
+                - show_summary (bool): Show Executive Summary panel (default: True)
+                - show_severity_breakdown (bool): Show Issue Severity Breakdown panel (default: True)
 
         Returns:
             Formatted string with ANSI codes for console display
         """
         # Allow disabling color for plain text output
         color = kwargs.get("color", True)
+        show_summary = kwargs.get("show_summary", True)
+        show_severity_breakdown = kwargs.get("show_severity_breakdown", True)
 
         # Use StringIO to capture Rich console output
         string_buffer = StringIO()
@@ -58,11 +63,12 @@ class EnhancedFormatter(OutputFormatter):
         console.print(Panel(title, border_style="bright_blue", padding=(1, 0)))
         console.print()
 
-        # Executive Summary with progress bars
-        self._print_summary_panel(console, report)
+        # Executive Summary with progress bars (optional)
+        if show_summary:
+            self._print_summary_panel(console, report)
 
-        # Severity breakdown if there are issues
-        if report.total_issues > 0:
+        # Severity breakdown if there are issues (optional)
+        if show_severity_breakdown and report.total_issues > 0:
             console.print()
             self._print_severity_breakdown(console, report)
 

iam_validator/core/formatters/sarif.py

@@ -100,7 +100,7 @@ class SARIFFormatter(OutputFormatter):
                     "text": "The specified condition key is not valid for this action"
                 },
                 "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html",
-                "defaultConfiguration": {"level": "warning"},
+                "defaultConfiguration": {"level": "error"},
             },
             {
                 "id": "invalid-resource",
@@ -110,18 +110,55 @@ class SARIFFormatter(OutputFormatter):
                 "defaultConfiguration": {"level": "error"},
             },
             {
-                "id": "security-wildcard",
-                "shortDescription": {"text": "Overly Permissive Wildcard"},
+                "id": "duplicate-sid",
+                "shortDescription": {"text": "Duplicate Statement ID"},
+                "fullDescription": {
+                    "text": "Multiple statements use the same Statement ID (Sid), which can cause confusion"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "overly-permissive",
+                "shortDescription": {"text": "Overly Permissive Policy"},
                 "fullDescription": {
-                    "text": "Using wildcards in actions or resources can be a security risk"
+                    "text": "Policy grants overly broad permissions using wildcards in actions or resources"
                 },
-                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege",
                 "defaultConfiguration": {"level": "warning"},
             },
             {
-                "id": "security-sensitive-action",
-                "shortDescription": {"text": "Sensitive Action Without Conditions"},
-                "fullDescription": {"text": "Sensitive actions should have condition restrictions"},
+                "id": "missing-condition",
+                "shortDescription": {"text": "Missing Condition Restrictions"},
+                "fullDescription": {
+                    "text": "Sensitive actions should include condition restrictions to limit when they can be used"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions",
+                "defaultConfiguration": {"level": "warning"},
+            },
+            {
+                "id": "missing-required-condition",
+                "shortDescription": {"text": "Missing Required Condition"},
+                "fullDescription": {
+                    "text": "Specific actions require certain conditions to prevent privilege escalation or security issues"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "invalid-principal",
+                "shortDescription": {"text": "Invalid Principal"},
+                "fullDescription": {
+                    "text": "The specified principal is invalid or improperly formatted"
+                },
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
+                "defaultConfiguration": {"level": "error"},
+            },
+            {
+                "id": "general-issue",
+                "shortDescription": {"text": "IAM Policy Issue"},
+                "fullDescription": {"text": "General IAM policy validation issue"},
+                "helpUri": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html",
                 "defaultConfiguration": {"level": "warning"},
             },
         ]
@@ -170,18 +207,45 @@ class SARIFFormatter(OutputFormatter):
         return results
 
     def _get_rule_id(self, issue: ValidationIssue) -> str:
-        """Map issue to SARIF rule ID."""
+        """Map issue to SARIF rule ID.
+
+        Uses the issue_type field directly, converting underscores to hyphens
+        for SARIF rule ID format. Falls back to heuristic matching for unknown types.
+        """
+        # Map common issue types directly
+        issue_type_map = {
+            "invalid_action": "invalid-action",
+            "invalid_condition_key": "invalid-condition-key",
+            "invalid_resource": "invalid-resource",
+            "duplicate_sid": "duplicate-sid",
+            "overly_permissive": "overly-permissive",
+            "missing_condition": "missing-condition",
+            "missing_required_condition": "missing-required-condition",
+            "invalid_principal": "invalid-principal",
+        }
+
+        # Try direct mapping from issue_type
+        if issue.issue_type in issue_type_map:
+            return issue_type_map[issue.issue_type]
+
+        # Fallback: heuristic matching based on message
         message_lower = issue.message.lower()
 
         if "action" in message_lower and "not found" in message_lower:
             return "invalid-action"
         elif "condition key" in message_lower:
             return "invalid-condition-key"
-        elif "arn" in message_lower or "resource" in message_lower:
+        elif "duplicate" in message_lower and "sid" in message_lower:
+            return "duplicate-sid"
+        elif "wildcard" in message_lower or "overly permissive" in message_lower:
+            return "overly-permissive"
+        elif "missing" in message_lower and "condition" in message_lower:
+            if "required" in message_lower:
+                return "missing-required-condition"
+            return "missing-condition"
+        elif "principal" in message_lower:
+            return "invalid-principal"
+        elif "resource" in message_lower or "arn" in message_lower:
             return "invalid-resource"
-        elif "wildcard" in message_lower or "*" in issue.message:
-            return "security-wildcard"
-        elif "sensitive" in message_lower:
-            return "security-sensitive-action"
         else:
             return "general-issue"