iam-policy-validator 1.7.1__py3-none-any.whl → 1.7.2__py3-none-any.whl

iam_validator/core/formatters/console.py

@@ -39,8 +39,17 @@ class ConsoleFormatter(OutputFormatter):
         color = kwargs.get("color", True)
 
         # Capture the output from print_console_report
+        from iam_validator.utils import get_terminal_width
+
         string_buffer = StringIO()
-        console = Console(file=string_buffer, force_terminal=color, width=120)
+        # Get terminal width for proper table column spacing
+        terminal_width = get_terminal_width()
+        console = Console(
+            file=string_buffer,
+            force_terminal=color,
+            width=terminal_width,
+            legacy_windows=False,
+        )
 
         # Create a generator instance with our custom console
         generator = ReportGenerator()

iam_validator/core/formatters/csv.py

@@ -4,6 +4,7 @@ import csv
 import io
 from typing import Any
 
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import ValidationReport
 
@@ -58,7 +59,7 @@ class CSVFormatter(OutputFormatter):
             1
             for r in report.results
             for i in r.issues
-            if i.severity in ("error", "critical", "high")
+            if i.severity in constants.HIGH_SEVERITY_LEVELS
         )
         warnings = sum(
             1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")

iam_validator/core/formatters/enhanced.py

@@ -10,6 +10,7 @@ from rich.text import Text
 from rich.tree import Tree
 
 from iam_validator.__version__ import __version__
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import PolicyValidationResult, ValidationReport
 
@@ -50,8 +51,14 @@ class EnhancedFormatter(OutputFormatter):
         show_severity_breakdown = kwargs.get("show_severity_breakdown", True)
 
         # Use StringIO to capture Rich console output
+        from iam_validator.utils import get_terminal_width
+
         string_buffer = StringIO()
-        console = Console(file=string_buffer, force_terminal=color, width=120)
+        # Get terminal width for proper text wrapping
+        terminal_width = get_terminal_width()
+        console = Console(
+            file=string_buffer, force_terminal=color, width=terminal_width, legacy_windows=False
+        )
 
         # Header with title
         console.print()
@@ -60,7 +67,14 @@ class EnhancedFormatter(OutputFormatter):
             style="bold cyan",
             justify="center",
         )
-        console.print(Panel(title, border_style="bright_blue", padding=(1, 0)))
+        console.print(
+            Panel(
+                title,
+                border_style=constants.CONSOLE_HEADER_COLOR,
+                padding=(1, 0),
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
+        )
         console.print()
 
         # Executive Summary with progress bars (optional)
@@ -73,7 +87,7 @@ class EnhancedFormatter(OutputFormatter):
             self._print_severity_breakdown(console, report)
 
         console.print()
-        console.print(Rule(title="[bold]Detailed Results", style="bright_blue"))
+        console.print(Rule(title="[bold]Detailed Results", style=constants.CONSOLE_HEADER_COLOR))
         console.print()
 
         # Detailed results using tree structure
@@ -140,8 +154,9 @@ class EnhancedFormatter(OutputFormatter):
             Panel(
                 metrics_table,
                 title="📊 Executive Summary",
-                border_style="bright_blue",
+                border_style=constants.CONSOLE_HEADER_COLOR,
                 padding=(1, 2),
+                width=constants.CONSOLE_PANEL_WIDTH,
             )
         )
 
@@ -225,7 +240,12 @@ class EnhancedFormatter(OutputFormatter):
             )
 
         console.print(
-            Panel(severity_table, title="🎯 Issue Severity Breakdown", border_style="bright_blue")
+            Panel(
+                severity_table,
+                title="🎯 Issue Severity Breakdown",
+                border_style=constants.CONSOLE_HEADER_COLOR,
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
         )
 
     def _format_policy_result_modern(
@@ -247,7 +267,7 @@ class EnhancedFormatter(OutputFormatter):
         elif result.is_valid and result.issues:
             # Valid IAM policy but has security findings
             # Check severity to determine the appropriate status
-            has_critical = any(i.severity in ("error", "critical", "high") for i in result.issues)
+            has_critical = any(i.severity in constants.HIGH_SEVERITY_LEVELS for i in result.issues)
             if has_critical:
                 icon = "⚠️"
                 color = "red"
@@ -386,6 +406,13 @@ class EnhancedFormatter(OutputFormatter):
             suggestion_text.append(issue.suggestion, style="italic yellow")
             msg_node.add(suggestion_text)
 
+        # Example (if present, show with indentation)
+        if issue.example:
+            msg_node.add(Text("Example:", style="bold cyan"))
+            # Show example code with syntax highlighting
+            example_text = Text(issue.example, style="dim")
+            msg_node.add(example_text)
+
     def _print_final_status(self, console: Console, report: ValidationReport) -> None:
         """Print final status panel."""
         if report.invalid_policies == 0 and report.total_issues == 0:
@@ -400,7 +427,7 @@ class EnhancedFormatter(OutputFormatter):
             # Valid IAM policies but may have security findings
             # Check if there are critical/high security issues
             has_critical = any(
-                i.severity in ("error", "critical", "high")
+                i.severity in constants.HIGH_SEVERITY_LEVELS
                 for r in report.results
                 for i in r.issues
             )
@@ -437,4 +464,11 @@ class EnhancedFormatter(OutputFormatter):
         final_text.append("\n\n")
         final_text.append(message)
 
-        console.print(Panel(final_text, border_style=border_color, padding=(1, 2)))
+        console.print(
+            Panel(
+                final_text,
+                border_style=border_color,
+                padding=(1, 2),
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
+        )

iam_validator/core/formatters/markdown.py

@@ -1,5 +1,6 @@
 """Markdown formatter - placeholder for existing functionality."""
 
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import ValidationReport
 
@@ -34,7 +35,7 @@ class MarkdownFormatter(OutputFormatter):
             1
             for r in report.results
             for i in r.issues
-            if i.severity in ("error", "critical", "high")
+            if i.severity in constants.HIGH_SEVERITY_LEVELS
         )
         warnings = sum(
             1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")

iam_validator/core/models.py

@@ -8,6 +8,8 @@ from typing import Any, ClassVar, Literal
 
 from pydantic import BaseModel, ConfigDict, Field
 
+from iam_validator.core import constants
+
 # Policy Type Constants
 PolicyType = Literal[
     "IDENTITY_POLICY",
@@ -89,9 +91,8 @@ class ServiceDetail(BaseModel):
     resources_list: list[ResourceType] = Field(default_factory=list, alias="Resources")
     condition_keys_list: list[ConditionKey] = Field(default_factory=list, alias="ConditionKeys")
 
-    def model_post_init(self, __context: Any) -> None:
+    def model_post_init(self, __context: Any, /) -> None:
         """Convert lists to dictionaries for easier lookup."""
-        del __context  # Unused
         # Convert actions list to dict
         self.actions = {action.name: action for action in self.actions_list}
         # Convert resources list to dict
@@ -104,7 +105,7 @@ class ServiceDetail(BaseModel):
 class Statement(BaseModel):
     """IAM policy statement."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(populate_by_name=True, extra="forbid")
 
     sid: str | None = Field(default=None, alias="Sid")
     effect: str = Field(alias="Effect")
@@ -134,7 +135,7 @@ class Statement(BaseModel):
 class IAMPolicy(BaseModel):
     """IAM policy document."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(populate_by_name=True, extra="forbid")
 
     version: str = Field(alias="Version")
     statement: list[Statement] = Field(alias="Statement")
@@ -161,6 +162,7 @@ class ValidationIssue(BaseModel):
     resource: str | None = None
     condition_key: str | None = None
     suggestion: str | None = None
+    example: str | None = None  # Code example (JSON/YAML) - formatted separately for GitHub
     line_number: int | None = None  # Line number in the policy file (if available)
 
     # Severity level constants (ClassVar to avoid Pydantic treating them as fields)
@@ -225,8 +227,8 @@ class ValidationIssue(BaseModel):
 
         # Add identifier for bot comment cleanup (HTML comment - not visible to users)
         if include_identifier:
-            parts.append("<!-- iam-policy-validator-review -->\n")
-            parts.append("🤖 **IAM Policy Validator**\n")
+            parts.append(f"{constants.REVIEW_IDENTIFIER}\n")
+            parts.append(f"{constants.BOT_IDENTIFIER}\n")
 
         # Build statement context for better navigation
         statement_context = f"Statement[{self.statement_index}]"
@@ -241,7 +243,9 @@ class ValidationIssue(BaseModel):
         parts.append(self.message)
 
         # Put additional details in collapsible section if there are any
-        has_details = bool(self.action or self.resource or self.condition_key or self.suggestion)
+        has_details = bool(
+            self.action or self.resource or self.condition_key or self.suggestion or self.example
+        )
 
         if has_details:
             parts.append("")
@@ -266,6 +270,14 @@ class ValidationIssue(BaseModel):
                 parts.append("**💡 Suggested Fix:**")
                 parts.append("")
                 parts.append(self.suggestion)
+                parts.append("")
+
+            # Add example if present (formatted as JSON code block for GitHub)
+            if self.example:
+                parts.append("**Example:**")
+                parts.append("```json")
+                parts.append(self.example)
+                parts.append("```")
 
             parts.append("")
             parts.append("</details>")
@@ -298,6 +310,9 @@ class ValidationReport(BaseModel):
     validity_issues: int = 0  # Count of IAM validity issues (error/warning/info)
     security_issues: int = 0  # Count of security issues (critical/high/medium/low)
     results: list[PolicyValidationResult] = Field(default_factory=list)
+    parsing_errors: list[tuple[str, str]] = Field(
+        default_factory=list
+    )  # (file_path, error_message)
 
     def get_summary(self) -> str:
         """Generate a human-readable summary."""

iam_validator/core/policy_checks.py

@@ -12,6 +12,7 @@ import logging
 import re
 from pathlib import Path
 
+from iam_validator.core import constants
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckRegistry
 from iam_validator.core.models import (
@@ -495,10 +496,10 @@ async def validate_policies(
 
         config = ConfigLoader.load_config(explicit_path=config_path, allow_missing=True)
         cache_enabled = config.get_setting("cache_enabled", True)
-        cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)
+        cache_ttl_hours = config.get_setting("cache_ttl_hours", constants.DEFAULT_CACHE_TTL_HOURS)
         cache_directory = config.get_setting("cache_directory", None)
         aws_services_dir = config.get_setting("aws_services_dir", None)
-        cache_ttl_seconds = cache_ttl_hours * 3600
+        cache_ttl_seconds = cache_ttl_hours * constants.SECONDS_PER_HOUR
 
         async with AWSServiceFetcher(
             enable_cache=cache_enabled,
@@ -566,10 +567,10 @@ async def validate_policies(
 
     # Get cache settings from config
     cache_enabled = config.get_setting("cache_enabled", True)
-    cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)  # 7 days default
+    cache_ttl_hours = config.get_setting("cache_ttl_hours", constants.DEFAULT_CACHE_TTL_HOURS)
     cache_directory = config.get_setting("cache_directory", None)
     aws_services_dir = config.get_setting("aws_services_dir", None)
-    cache_ttl_seconds = cache_ttl_hours * 3600
+    cache_ttl_seconds = cache_ttl_hours * constants.SECONDS_PER_HOUR
 
     # Validate policies using registry
     async with AWSServiceFetcher(

iam_validator/core/policy_loader.py

@@ -31,6 +31,7 @@ from collections.abc import Generator
 from pathlib import Path
 
 import yaml
+from pydantic import ValidationError
 
 from iam_validator.core.models import IAMPolicy
 
@@ -53,6 +54,8 @@ class PolicyLoader:
         """
         self.loaded_policies: list[tuple[str, IAMPolicy]] = []
         self.max_file_size_bytes = max_file_size_mb * 1024 * 1024
+        # Track parsing/validation errors for reporting
+        self.parsing_errors: list[tuple[str, str]] = []  # (file_path, error_message)
 
     @staticmethod
     def _find_statement_line_numbers(file_content: str) -> list[int]:
@@ -142,7 +145,7 @@ class PolicyLoader:
                 return False
             return True
         except OSError as e:
-            logger.error(f"Failed to check file size for {path}: {e}")
+            logger.error("Failed to check file size for %s: %s", path, e)
             return False
 
     def load_from_file(self, file_path: str) -> IAMPolicy | None:
@@ -157,11 +160,11 @@ class PolicyLoader:
         path = Path(file_path)
 
         if not path.exists():
-            logger.error(f"File not found: {file_path}")
+            logger.error("File not found: %s", file_path)
             return None
 
         if not path.is_file():
-            logger.error(f"Not a file: {file_path}")
+            logger.error("Not a file: %s", file_path)
             return None
 
         if path.suffix.lower() not in self.SUPPORTED_EXTENSIONS:
@@ -197,17 +200,48 @@ class PolicyLoader:
                     if idx < len(statement_line_numbers):
                         statement.line_number = statement_line_numbers[idx]
 
-            logger.info(f"Successfully loaded policy from {file_path}")
+            logger.info("Successfully loaded policy from %s", file_path)
             return policy
 
         except json.JSONDecodeError as e:
-            logger.error(f"Invalid JSON in {file_path}: {e}")
+            error_msg = f"Invalid JSON: {e}"
+            logger.error("Invalid JSON in %s: %s", file_path, e)
+            self.parsing_errors.append((file_path, error_msg))
             return None
         except yaml.YAMLError as e:
-            logger.error(f"Invalid YAML in {file_path}: {e}")
+            error_msg = f"Invalid YAML: {e}"
+            logger.error("Invalid YAML in %s: %s", file_path, e)
+            self.parsing_errors.append((file_path, error_msg))
+            return None
+        except ValidationError as e:
+            # Handle Pydantic validation errors with helpful messages
+            error_messages = []
+            for error in e.errors():
+                loc = ".".join(str(x) for x in error["loc"])
+                error_type = error["type"]
+
+                # Provide user-friendly messages for common errors
+                if error_type == "extra_forbidden":
+                    # Extract the field name that has a typo
+                    field_name = error["loc"][-1] if error["loc"] else "unknown"
+                    error_messages.append(
+                        f"Unknown field '{field_name}' at {loc}. "
+                        f"This might be a typo. Did you mean 'Condition', 'Action', or 'Resource'?"
+                    )
+                else:
+                    error_messages.append(f"{loc}: {error['msg']}")
+
+            error_summary = "\n  ".join(error_messages)
+            logger.error(
+                "Policy validation failed for %s:\n  %s",
+                file_path,
+                error_summary,
+            )
+            # Track parsing error for GitHub reporting
+            self.parsing_errors.append((file_path, error_summary))
             return None
         except Exception as e:
-            logger.error(f"Failed to load policy from {file_path}: {e}")
+            logger.error("Failed to load policy from %s: %s", file_path, e)
             return None
 
     def load_from_directory(
@@ -225,11 +259,11 @@ class PolicyLoader:
         path = Path(directory_path)
 
         if not path.exists():
-            logger.error(f"Directory not found: {directory_path}")
+            logger.error("Directory not found: %s", directory_path)
             return []
 
         if not path.is_dir():
-            logger.error(f"Not a directory: {directory_path}")
+            logger.error("Not a directory: %s", directory_path)
             return []
 
         policies: list[tuple[str, IAMPolicy]] = []
@@ -241,7 +275,7 @@ class PolicyLoader:
                 if policy:
                     policies.append((str(file_path), policy))
 
-        logger.info(f"Loaded {len(policies)} policies from {directory_path}")
+        logger.info("Loaded %d policies from %s", len(policies), directory_path)
         return policies
 
     def load_from_path(self, path: str, recursive: bool = True) -> list[tuple[str, IAMPolicy]]:
@@ -262,7 +296,7 @@ class PolicyLoader:
         elif path_obj.is_dir():
             return self.load_from_directory(path, recursive)
         else:
-            logger.error(f"Path not found: {path}")
+            logger.error("Path not found: %s", path)
             return []
 
     def load_from_paths(
@@ -283,7 +317,7 @@ class PolicyLoader:
             policies = self.load_from_path(path.strip(), recursive)
             all_policies.extend(policies)
 
-        logger.info(f"Loaded {len(all_policies)} total policies from {len(paths)} path(s)")
+        logger.info("Loaded %d total policies from %d path(s)", len(all_policies), len(paths))
         return all_policies
 
     def _get_policy_files(self, path: str, recursive: bool = True) -> Generator[Path, None, None]:
@@ -310,7 +344,7 @@ class PolicyLoader:
                 if file_path.is_file() and file_path.suffix.lower() in self.SUPPORTED_EXTENSIONS:
                     yield file_path
         else:
-            logger.error(f"Path not found: {path}")
+            logger.error("Path not found: %s", path)
 
     def stream_from_path(
         self, path: str, recursive: bool = True
@@ -391,6 +425,29 @@ class PolicyLoader:
             policy = IAMPolicy.model_validate(data)
             logger.info("Successfully parsed policy from string")
             return policy
+        except json.JSONDecodeError as e:
+            logger.error("Invalid JSON: %s", e)
+            return None
+        except ValidationError as e:
+            # Handle Pydantic validation errors with helpful messages
+            error_messages = []
+            for error in e.errors():
+                loc = ".".join(str(x) for x in error["loc"])
+                error_type = error["type"]
+
+                # Provide user-friendly messages for common errors
+                if error_type == "extra_forbidden":
+                    # Extract the field name that has a typo
+                    field_name = error["loc"][-1] if error["loc"] else "unknown"
+                    error_messages.append(
+                        f"Unknown field '{field_name}' at {loc}. "
+                        f"This might be a typo. Did you mean 'Condition', 'Action', or 'Resource'?"
+                    )
+                else:
+                    error_messages.append(f"{loc}: {error['msg']}")
+
+            logger.error("Policy validation failed:\n  %s", "\n  ".join(error_messages))
+            return None
         except Exception as e:
-            logger.error(f"Failed to parse policy string: {e}")
+            logger.error("Failed to parse policy string: %s", e)
             return None