iam-policy-validator 1.7.0__py3-none-any.whl → 1.7.2__py3-none-any.whl

iam_validator/core/policy_checks.py

@@ -12,6 +12,7 @@ import logging
 import re
 from pathlib import Path
 
+from iam_validator.core import constants
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckRegistry
 from iam_validator.core.models import (
@@ -495,10 +496,10 @@ async def validate_policies(
 
         config = ConfigLoader.load_config(explicit_path=config_path, allow_missing=True)
         cache_enabled = config.get_setting("cache_enabled", True)
-        cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)
+        cache_ttl_hours = config.get_setting("cache_ttl_hours", constants.DEFAULT_CACHE_TTL_HOURS)
         cache_directory = config.get_setting("cache_directory", None)
         aws_services_dir = config.get_setting("aws_services_dir", None)
-        cache_ttl_seconds = cache_ttl_hours * 3600
+        cache_ttl_seconds = cache_ttl_hours * constants.SECONDS_PER_HOUR
 
         async with AWSServiceFetcher(
             enable_cache=cache_enabled,
@@ -566,10 +567,10 @@ async def validate_policies(
 
     # Get cache settings from config
     cache_enabled = config.get_setting("cache_enabled", True)
-    cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)  # 7 days default
+    cache_ttl_hours = config.get_setting("cache_ttl_hours", constants.DEFAULT_CACHE_TTL_HOURS)
     cache_directory = config.get_setting("cache_directory", None)
     aws_services_dir = config.get_setting("aws_services_dir", None)
-    cache_ttl_seconds = cache_ttl_hours * 3600
+    cache_ttl_seconds = cache_ttl_hours * constants.SECONDS_PER_HOUR
 
     # Validate policies using registry
     async with AWSServiceFetcher(

iam_validator/core/policy_loader.py

@@ -31,6 +31,7 @@ from collections.abc import Generator
 from pathlib import Path
 
 import yaml
+from pydantic import ValidationError
 
 from iam_validator.core.models import IAMPolicy
 
@@ -53,6 +54,8 @@ class PolicyLoader:
         """
         self.loaded_policies: list[tuple[str, IAMPolicy]] = []
         self.max_file_size_bytes = max_file_size_mb * 1024 * 1024
+        # Track parsing/validation errors for reporting
+        self.parsing_errors: list[tuple[str, str]] = []  # (file_path, error_message)
 
     @staticmethod
     def _find_statement_line_numbers(file_content: str) -> list[int]:
@@ -142,7 +145,7 @@ class PolicyLoader:
                 return False
             return True
         except OSError as e:
-            logger.error(f"Failed to check file size for {path}: {e}")
+            logger.error("Failed to check file size for %s: %s", path, e)
             return False
 
     def load_from_file(self, file_path: str) -> IAMPolicy | None:
@@ -157,11 +160,11 @@ class PolicyLoader:
         path = Path(file_path)
 
         if not path.exists():
-            logger.error(f"File not found: {file_path}")
+            logger.error("File not found: %s", file_path)
             return None
 
         if not path.is_file():
-            logger.error(f"Not a file: {file_path}")
+            logger.error("Not a file: %s", file_path)
             return None
 
         if path.suffix.lower() not in self.SUPPORTED_EXTENSIONS:
@@ -197,17 +200,48 @@ class PolicyLoader:
                     if idx < len(statement_line_numbers):
                         statement.line_number = statement_line_numbers[idx]
 
-            logger.info(f"Successfully loaded policy from {file_path}")
+            logger.info("Successfully loaded policy from %s", file_path)
             return policy
 
         except json.JSONDecodeError as e:
-            logger.error(f"Invalid JSON in {file_path}: {e}")
+            error_msg = f"Invalid JSON: {e}"
+            logger.error("Invalid JSON in %s: %s", file_path, e)
+            self.parsing_errors.append((file_path, error_msg))
             return None
         except yaml.YAMLError as e:
-            logger.error(f"Invalid YAML in {file_path}: {e}")
+            error_msg = f"Invalid YAML: {e}"
+            logger.error("Invalid YAML in %s: %s", file_path, e)
+            self.parsing_errors.append((file_path, error_msg))
+            return None
+        except ValidationError as e:
+            # Handle Pydantic validation errors with helpful messages
+            error_messages = []
+            for error in e.errors():
+                loc = ".".join(str(x) for x in error["loc"])
+                error_type = error["type"]
+
+                # Provide user-friendly messages for common errors
+                if error_type == "extra_forbidden":
+                    # Extract the field name that has a typo
+                    field_name = error["loc"][-1] if error["loc"] else "unknown"
+                    error_messages.append(
+                        f"Unknown field '{field_name}' at {loc}. "
+                        f"This might be a typo. Did you mean 'Condition', 'Action', or 'Resource'?"
+                    )
+                else:
+                    error_messages.append(f"{loc}: {error['msg']}")
+
+            error_summary = "\n  ".join(error_messages)
+            logger.error(
+                "Policy validation failed for %s:\n  %s",
+                file_path,
+                error_summary,
+            )
+            # Track parsing error for GitHub reporting
+            self.parsing_errors.append((file_path, error_summary))
             return None
         except Exception as e:
-            logger.error(f"Failed to load policy from {file_path}: {e}")
+            logger.error("Failed to load policy from %s: %s", file_path, e)
             return None
 
     def load_from_directory(
@@ -225,11 +259,11 @@ class PolicyLoader:
         path = Path(directory_path)
 
         if not path.exists():
-            logger.error(f"Directory not found: {directory_path}")
+            logger.error("Directory not found: %s", directory_path)
             return []
 
         if not path.is_dir():
-            logger.error(f"Not a directory: {directory_path}")
+            logger.error("Not a directory: %s", directory_path)
             return []
 
         policies: list[tuple[str, IAMPolicy]] = []
@@ -241,7 +275,7 @@ class PolicyLoader:
                 if policy:
                     policies.append((str(file_path), policy))
 
-        logger.info(f"Loaded {len(policies)} policies from {directory_path}")
+        logger.info("Loaded %d policies from %s", len(policies), directory_path)
         return policies
 
     def load_from_path(self, path: str, recursive: bool = True) -> list[tuple[str, IAMPolicy]]:
@@ -262,7 +296,7 @@ class PolicyLoader:
         elif path_obj.is_dir():
             return self.load_from_directory(path, recursive)
         else:
-            logger.error(f"Path not found: {path}")
+            logger.error("Path not found: %s", path)
             return []
 
     def load_from_paths(
@@ -283,7 +317,7 @@ class PolicyLoader:
             policies = self.load_from_path(path.strip(), recursive)
             all_policies.extend(policies)
 
-        logger.info(f"Loaded {len(all_policies)} total policies from {len(paths)} path(s)")
+        logger.info("Loaded %d total policies from %d path(s)", len(all_policies), len(paths))
         return all_policies
 
     def _get_policy_files(self, path: str, recursive: bool = True) -> Generator[Path, None, None]:
@@ -310,7 +344,7 @@ class PolicyLoader:
                 if file_path.is_file() and file_path.suffix.lower() in self.SUPPORTED_EXTENSIONS:
                     yield file_path
         else:
-            logger.error(f"Path not found: {path}")
+            logger.error("Path not found: %s", path)
 
     def stream_from_path(
         self, path: str, recursive: bool = True
@@ -391,6 +425,29 @@ class PolicyLoader:
             policy = IAMPolicy.model_validate(data)
             logger.info("Successfully parsed policy from string")
             return policy
+        except json.JSONDecodeError as e:
+            logger.error("Invalid JSON: %s", e)
+            return None
+        except ValidationError as e:
+            # Handle Pydantic validation errors with helpful messages
+            error_messages = []
+            for error in e.errors():
+                loc = ".".join(str(x) for x in error["loc"])
+                error_type = error["type"]
+
+                # Provide user-friendly messages for common errors
+                if error_type == "extra_forbidden":
+                    # Extract the field name that has a typo
+                    field_name = error["loc"][-1] if error["loc"] else "unknown"
+                    error_messages.append(
+                        f"Unknown field '{field_name}' at {loc}. "
+                        f"This might be a typo. Did you mean 'Condition', 'Action', or 'Resource'?"
+                    )
+                else:
+                    error_messages.append(f"{loc}: {error['msg']}")
+
+            logger.error("Policy validation failed:\n  %s", "\n  ".join(error_messages))
+            return None
         except Exception as e:
-            logger.error(f"Failed to parse policy string: {e}")
+            logger.error("Failed to parse policy string: %s", e)
             return None

iam_validator/core/report.py

@@ -12,6 +12,7 @@ from rich.table import Table
 from rich.text import Text
 
 from iam_validator.__version__ import __version__
+from iam_validator.core import constants
 from iam_validator.core.formatters import (
     ConsoleFormatter,
     CSVFormatter,
@@ -71,11 +72,16 @@ class ReportGenerator:
         """
         return self.formatter_registry.format_report(report, format_id, **kwargs)
 
-    def generate_report(self, results: list[PolicyValidationResult]) -> ValidationReport:
+    def generate_report(
+        self,
+        results: list[PolicyValidationResult],
+        parsing_errors: list[tuple[str, str]] | None = None,
+    ) -> ValidationReport:
         """Generate a validation report from results.
 
         Args:
             results: List of policy validation results
+            parsing_errors: Optional list of (file_path, error_message) for files that failed to parse
 
         Returns:
             ValidationReport
@@ -106,6 +112,7 @@ class ReportGenerator:
             validity_issues=validity_issues,
             security_issues=security_issues,
             results=results,
+            parsing_errors=parsing_errors or [],
         )
 
     def print_console_report(self, report: ValidationReport) -> None:
@@ -150,6 +157,7 @@ class ReportGenerator:
                 summary_text,
                 title=f"Validation Summary (iam-validator v{__version__})",
                 border_style="blue",
+                width=constants.CONSOLE_PANEL_WIDTH,
             )
         )
 
@@ -177,11 +185,12 @@ class ReportGenerator:
             self.console.print("  [dim]No issues found[/dim]")
             return
 
-        # Create issues table with adjusted column widths for better readability
-        table = Table(show_header=True, header_style="bold", box=None, padding=(0, 1))
-        table.add_column("Severity", style="cyan", width=12, no_wrap=False)
-        table.add_column("Type", style="magenta", width=25, no_wrap=False)
-        table.add_column("Message", style="white", no_wrap=False)
+        # Create issues table with flexible column widths
+        # Use wider columns and more padding to better utilize terminal width
+        table = Table(show_header=True, header_style="bold", box=None, padding=(0, 2), expand=True)
+        table.add_column("Severity", style="cyan", no_wrap=True, min_width=12)
+        table.add_column("Type", style="magenta", no_wrap=False, min_width=32)
+        table.add_column("Message", style="white", no_wrap=False, ratio=3)
 
         for issue in result.issues:
             severity_style = {
@@ -207,6 +216,8 @@ class ReportGenerator:
             message = f"{location}: {issue.message}"
             if issue.suggestion:
                 message += f"\n  → {issue.suggestion}"
+            if issue.example:
+                message += f"\n[dim]Example:[/dim]\n[dim]{issue.example}[/dim]"
 
             table.add_row(severity_style, issue.issue_type, message)
 
@@ -224,13 +235,15 @@ class ReportGenerator:
         return report.model_dump_json(indent=2)
 
     def generate_github_comment_parts(
-        self, report: ValidationReport, max_length_per_part: int = 60000
+        self,
+        report: ValidationReport,
+        max_length_per_part: int = constants.GITHUB_COMMENT_SPLIT_LIMIT,
     ) -> list[str]:
         """Generate GitHub PR comment(s), splitting into multiple parts if needed.
 
         Args:
             report: Validation report
-            max_length_per_part: Maximum character length per comment part (default 60000)
+            max_length_per_part: Maximum character length per comment part (default from GITHUB_COMMENT_SPLIT_LIMIT)
 
         Returns:
             List of comment parts (each under max_length_per_part)
@@ -260,9 +273,9 @@ class ReportGenerator:
             Estimated character count
         """
         # Rough estimate: ~500 chars per issue + overhead
-        base_overhead = 2000  # Header + footer
-        chars_per_issue = 500
-        return base_overhead + (report.total_issues * chars_per_issue)
+        return constants.COMMENT_BASE_OVERHEAD_CHARS + (
+            report.total_issues * constants.COMMENT_CHARS_PER_ISSUE_ESTIMATE
+        )
 
     def _generate_split_comments(self, report: ValidationReport, max_length: int) -> list[str]:
         """Split a large report into multiple comment parts.
@@ -289,13 +302,13 @@ class ReportGenerator:
         # - Part indicator: "**(Part N/M)**\n\n" (estimated ~20 chars)
         # - HTML comment identifier: "<!-- iam-policy-validator -->\n" (~35 chars)
         # - Safety buffer for formatting
-        continuation_overhead = 200
+        continuation_overhead = constants.COMMENT_CONTINUATION_OVERHEAD_CHARS
 
         # Sort results to prioritize errors - support both IAM validity and security severities
         sorted_results = sorted(
             [(idx, r) for idx, r in enumerate(report.results, 1) if r.issues],
             key=lambda x: (
-                -sum(1 for i in x[1].issues if i.severity in ("error", "critical", "high")),
+                -sum(1 for i in x[1].issues if i.severity in constants.HIGH_SEVERITY_LEVELS),
                 -len(x[1].issues),
             ),
         )
@@ -410,7 +423,7 @@ class ReportGenerator:
                 1
                 for r in report.results
                 for i in r.issues
-                if i.severity in ("error", "critical", "high")
+                if i.severity in constants.HIGH_SEVERITY_LEVELS
             )
             warnings = sum(
                 1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")
@@ -456,9 +469,9 @@ class ReportGenerator:
         lines.append("")
 
         # Group issues by severity - support both IAM validity and security severities
-        errors = [i for i in result.issues if i.severity in ("error", "critical", "high")]
-        warnings = [i for i in result.issues if i.severity in ("warning", "medium")]
-        infos = [i for i in result.issues if i.severity in ("info", "low")]
+        errors = [i for i in result.issues if i.severity in constants.HIGH_SEVERITY_LEVELS]
+        warnings = [i for i in result.issues if i.severity in constants.MEDIUM_SEVERITY_LEVELS]
+        infos = [i for i in result.issues if i.severity in constants.LOW_SEVERITY_LEVELS]
 
         if errors:
             lines.append("### 🔴 Errors")
@@ -510,12 +523,16 @@ class ReportGenerator:
 
         return "\n".join(parts)
 
-    def generate_github_comment(self, report: ValidationReport, max_length: int = 65000) -> str:
+    def generate_github_comment(
+        self,
+        report: ValidationReport,
+        max_length: int = constants.GITHUB_MAX_COMMENT_LENGTH,
+    ) -> str:
         """Generate a GitHub-flavored markdown comment for PR reviews.
 
         Args:
             report: Validation report
-            max_length: Maximum character length (GitHub limit is 65536, we use 65000 for safety)
+            max_length: Maximum character length (default from GITHUB_MAX_COMMENT_LENGTH constant)
 
         Returns:
             Markdown formatted string
@@ -523,7 +540,8 @@ class ReportGenerator:
         lines = []
 
         # Header with emoji and status badge
-        if report.invalid_policies == 0:
+        has_parsing_errors = len(report.parsing_errors) > 0
+        if report.invalid_policies == 0 and not has_parsing_errors:
             lines.append("# 🎉 IAM Policy Validation Passed!")
             status_badge = (
                 "![Status](https://img.shields.io/badge/status-passed-success?style=flat-square)"
@@ -558,7 +576,7 @@ class ReportGenerator:
                 1
                 for r in report.results
                 for i in r.issues
-                if i.severity in ("error", "critical", "high")
+                if i.severity in constants.HIGH_SEVERITY_LEVELS
             )
             warnings = sum(
                 1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")
@@ -579,6 +597,29 @@ class ReportGenerator:
                 lines.append(f"| 🔵 **Info** | {infos} |")
             lines.append("")
 
+        # Parsing errors section (if any)
+        if report.parsing_errors:
+            lines.append("### ⚠️ Parsing Errors")
+            lines.append("")
+            lines.append(
+                f"**{len(report.parsing_errors)} file(s) failed to parse** and were excluded from validation:"
+            )
+            lines.append("")
+            for file_path, error_msg in report.parsing_errors:
+                # Extract just the filename for cleaner display
+                from pathlib import Path
+
+                filename = Path(file_path).name
+                lines.append(f"- **`{filename}`**")
+                lines.append("  ```")
+                lines.append(f"  {error_msg}")
+                lines.append("  ```")
+            lines.append("")
+            lines.append(
+                "> **Note:** Fix these parsing errors first before validation can proceed on these files."
+            )
+            lines.append("")
+
         # Store header for later (we always include this)
         header_content = "\n".join(lines)
 
@@ -594,7 +635,7 @@ class ReportGenerator:
         footer_content = "\n".join(footer_lines)
 
         # Calculate remaining space for details
-        base_length = len(header_content) + len(footer_content) + 100  # 100 for safety
+        base_length = len(header_content) + len(footer_content) + constants.FORMATTING_SAFETY_BUFFER
         available_length = max_length - base_length
 
         # Detailed findings
@@ -611,7 +652,7 @@ class ReportGenerator:
             sorted_results = sorted(
                 [(idx, r) for idx, r in enumerate(report.results, 1) if r.issues],
                 key=lambda x: (
-                    -sum(1 for i in x[1].issues if i.severity in ("error", "critical", "high")),
+                    -sum(1 for i in x[1].issues if i.severity in constants.HIGH_SEVERITY_LEVELS),
                     -len(x[1].issues),
                 ),
             )
@@ -623,7 +664,7 @@ class ReportGenerator:
                 policy_lines = []
 
                 # Group issues by severity - support both IAM validity and security severities
-                errors = [i for i in result.issues if i.severity in ("error", "critical", "high")]
+                errors = [i for i in result.issues if i.severity in constants.HIGH_SEVERITY_LEVELS]
                 warnings = [i for i in result.issues if i.severity in ("warning", "medium")]
                 infos = [i for i in result.issues if i.severity in ("info", "low")]
 

iam_validator/integrations/github_integration.py

@@ -6,11 +6,14 @@ including posting PR comments, line comments, labels, and retrieving PR informat
 
 import logging
 import os
+import re
 from enum import Enum
 from typing import Any
 
 import httpx
 
+from iam_validator.core import constants
+
 logger = logging.getLogger(__name__)
 
 
@@ -134,8 +137,6 @@ class GitHubIntegration:
 
         # Basic sanitization - alphanumeric, hyphens, underscores, dots
         # GitHub allows these characters in usernames and repo names
-        import re
-
         valid_pattern = re.compile(r"^[a-zA-Z0-9._-]+$")
         if not valid_pattern.match(owner) or not valid_pattern.match(repo):
             logger.warning(
@@ -199,8 +200,6 @@ class GitHubIntegration:
             return "https://api.github.com"
 
         # Basic URL validation
-        import re
-
         # Simple URL pattern check
         url_pattern = re.compile(r"^https://[a-zA-Z0-9.-]+(?:/.*)?$")
         if not url_pattern.match(api_url):
@@ -506,7 +505,7 @@ class GitHubIntegration:
             return True
         return False
 
-    async def cleanup_bot_review_comments(self, identifier: str = "🤖 IAM Policy Validator") -> int:
+    async def cleanup_bot_review_comments(self, identifier: str = constants.BOT_IDENTIFIER) -> int:
         """Delete all review comments from the bot (from previous runs).
 
         This ensures old/outdated comments are removed before posting new ones.

iam_validator/utils/__init__.py

@@ -10,6 +10,7 @@ see iam_validator.checks.utils instead.
 Organization:
     - cache.py: Generic caching implementations (LRUCache with TTL)
     - regex.py: Regex pattern caching and compilation utilities
+    - terminal.py: Terminal width detection utilities
 """
 
 from iam_validator.utils.cache import LRUCache
@@ -19,6 +20,7 @@ from iam_validator.utils.regex import (
     compile_and_cache,
     get_cached_pattern,
 )
+from iam_validator.utils.terminal import get_terminal_width
 
 __all__ = [
     # Cache utilities
@@ -28,4 +30,6 @@ __all__ = [
     "compile_and_cache",
     "get_cached_pattern",
     "clear_pattern_cache",
+    # Terminal utilities
+    "get_terminal_width",
 ]

iam_validator/utils/regex.py

@@ -13,13 +13,12 @@ Performance benefits:
 import re
 from collections.abc import Callable
 from functools import wraps
-from re import Pattern
 
 
 def cached_pattern(
     flags: int = 0,
     maxsize: int = 128,
-) -> Callable[[Callable[[], str]], Callable[[], Pattern]]:
+) -> Callable[[Callable[[], str]], Callable[[], re.Pattern]]:
     r"""Decorator that caches compiled regex patterns.
 
     This decorator transforms a function that returns a regex pattern string
@@ -60,12 +59,12 @@ def cached_pattern(
         Cached calls: ~0.1-0.5μs (cache lookup) → 20-100x faster
     """
 
-    def decorator(func: Callable[[], str]) -> Callable[[], Pattern]:
+    def decorator(func: Callable[[], str]) -> Callable[[], re.Pattern]:
         # Use a cache per function to avoid key collisions
         cache = {}
 
         @wraps(func)
-        def wrapper() -> Pattern:
+        def wrapper() -> re.Pattern:
             # Use function name as cache key (since each decorated function
             # returns the same pattern string)
             cache_key = func.__name__
@@ -84,7 +83,7 @@ def cached_pattern(
     return decorator
 
 
-def compile_and_cache(pattern: str, flags: int = 0, maxsize: int = 512) -> Pattern:
+def compile_and_cache(pattern: str, flags: int = 0, maxsize: int = 512) -> re.Pattern:
     """Compile a regex pattern with automatic caching.
 
     This is a functional interface (not a decorator) that compiles and caches
@@ -116,17 +115,17 @@ def compile_and_cache(pattern: str, flags: int = 0, maxsize: int = 512) -> Patte
     from functools import lru_cache
 
     @lru_cache(maxsize=maxsize)
-    def _compile(pattern_str: str, flags: int) -> Pattern:
+    def _compile(pattern_str: str, flags: int) -> re.Pattern:
         return re.compile(pattern_str, flags)
 
     return _compile(pattern, flags)
 
 
 # Singleton instance for shared pattern compilation
-_pattern_cache: dict[tuple[str, int], Pattern] = {}
+_pattern_cache: dict[tuple[str, int], re.Pattern] = {}
 
 
-def get_cached_pattern(pattern: str, flags: int = 0) -> Pattern:
+def get_cached_pattern(pattern: str, flags: int = 0) -> re.Pattern:
     """Get a compiled pattern from the shared cache.
 
     This provides a simple, stateless way to get cached patterns without

iam_validator/utils/terminal.py

@@ -0,0 +1,22 @@
+"""Terminal utilities for console output formatting."""
+
+import shutil
+
+
+def get_terminal_width(min_width: int = 80, max_width: int = 150, fallback: int = 100) -> int:
+    """Get the current terminal width with reasonable bounds.
+
+    Args:
+        min_width: Minimum width to return (default: 80)
+        max_width: Maximum width to return (default: 150)
+        fallback: Fallback width if detection fails (default: 100)
+
+    Returns:
+        Terminal width within the specified bounds
+    """
+    try:
+        terminal_width = shutil.get_terminal_size().columns
+        # Ensure width is within reasonable bounds
+        return max(min(terminal_width, max_width), min_width)
+    except Exception:
+        return fallback