iam-policy-validator 1.7.1__py3-none-any.whl → 1.8.0__py3-none-any.whl

iam_validator/checks/wildcard_resource.py

@@ -62,19 +62,14 @@ class WildcardResourceCheck(PolicyCheck):
                     return issues
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
-            message = config.config.get("message", "Statement applies to all resources (*)")
-            suggestion_text = config.config.get(
+            message = config.config.get(
+                "message", 'Statement applies to all resources `"*"` (wildcard resource).'
+            )
+            suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
             )
             example = config.config.get("example", "")
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             issues.append(
                 ValidationIssue(
                     severity=self.get_severity(config),
@@ -83,6 +78,7 @@ class WildcardResourceCheck(PolicyCheck):
                     issue_type="overly_permissive",
                     message=message,
                     suggestion=suggestion,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )

iam_validator/commands/validate.py

@@ -114,13 +114,17 @@ Examples:
             choices=[
                 "IDENTITY_POLICY",
                 "RESOURCE_POLICY",
+                "TRUST_POLICY",
                 "SERVICE_CONTROL_POLICY",
                 "RESOURCE_CONTROL_POLICY",
             ],
             default="IDENTITY_POLICY",
             help="Type of IAM policy being validated (default: IDENTITY_POLICY). "
-            "Enables policy-type-specific validation (e.g., requiring Principal for resource policies, "
-            "strict RCP requirements for resource control policies)",
+            "IDENTITY_POLICY: Attached to users/groups/roles | "
+            "RESOURCE_POLICY: S3/SNS/SQS policies | "
+            "TRUST_POLICY: Role assumption policies | "
+            "SERVICE_CONTROL_POLICY: AWS Orgs SCPs | "
+            "RESOURCE_CONTROL_POLICY: AWS Orgs RCPs",
         )
 
         parser.add_argument(
@@ -159,12 +163,6 @@ Examples:
             help="Path to directory containing custom checks for auto-discovery",
         )
 
-        parser.add_argument(
-            "--no-registry",
-            action="store_true",
-            help="Use legacy validation (disable check registry system)",
-        )
-
         parser.add_argument(
             "--stream",
             action="store_true",
@@ -242,21 +240,19 @@ Examples:
             logging.info(f"Loaded {len(policies)} policies from {len(args.paths)} path(s)")
 
         # Validate policies
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
         results = await validate_policies(
             policies,
             config_path=config_path,
-            use_registry=use_registry,
             custom_checks_dir=custom_checks_dir,
             policy_type=policy_type,
         )
 
-        # Generate report
+        # Generate report (include parsing errors if any)
         generator = ReportGenerator()
-        report = generator.generate_report(results)
+        report = generator.generate_report(results, parsing_errors=loader.parsing_errors)
 
         # Output results
         if args.format is None:
@@ -329,7 +325,6 @@ Examples:
         """
         loader = PolicyLoader()
         generator = ReportGenerator()
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
@@ -354,7 +349,6 @@ Examples:
             results = await validate_policies(
                 [(file_path, policy)],
                 config_path=config_path,
-                use_registry=use_registry,
                 custom_checks_dir=custom_checks_dir,
                 policy_type=policy_type,
             )

iam_validator/core/__init__.py

@@ -1,13 +1,12 @@
 """Core validation modules."""
 
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
-from iam_validator.core.policy_checks import PolicyValidator, validate_policies
+from iam_validator.core.policy_checks import validate_policies
 from iam_validator.core.policy_loader import PolicyLoader
 from iam_validator.core.report import ReportGenerator
 
 __all__ = [
     "AWSServiceFetcher",
-    "PolicyValidator",
     "validate_policies",
     "PolicyLoader",
     "ReportGenerator",

iam_validator/core/access_analyzer.py

@@ -577,7 +577,7 @@ class AccessAnalyzerValidator:
                 )
                 results.append(result)
 
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 self.logger.error(f"Failed to validate {policy_file}: {e}")
                 result = AccessAnalyzerResult(
                     policy_file=policy_file,

iam_validator/core/access_analyzer_report.py

@@ -259,7 +259,7 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save JSON report
         """
         json_content = self.generate_json_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(json_content)
 
     def generate_markdown_report(
@@ -636,5 +636,5 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save Markdown report
         """
         markdown_content = self.generate_markdown_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(markdown_content)

iam_validator/core/aws_fetcher.py

@@ -27,11 +27,13 @@ import os
 import re
 import sys
 import time
+from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 
 import httpx
 
+from iam_validator.core import constants
 from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 from iam_validator.core.models import ServiceDetail, ServiceInfo
 from iam_validator.utils.cache import LRUCache
@@ -39,6 +41,23 @@ from iam_validator.utils.cache import LRUCache
 logger = logging.getLogger(__name__)
 
 
+@dataclass
+class ConditionKeyValidationResult:
+    """Result of condition key validation.
+
+    Attributes:
+        is_valid: True if the condition key is valid for the action
+        error_message: Short error message if invalid (shown prominently)
+        warning_message: Warning message if valid but not recommended
+        suggestion: Detailed suggestion with valid keys (shown in collapsible section)
+    """
+
+    is_valid: bool
+    error_message: str | None = None
+    warning_message: str | None = None
+    suggestion: str | None = None
+
+
 class CompiledPatterns:
     """Pre-compiled regex patterns for validation.
 
@@ -141,7 +160,7 @@ class AWSServiceFetcher:
 
         Public API - Parsing:
             - parse_action: Split action into service and name
-            - _match_wildcard_action: Match wildcard patterns
+            - match_wildcard_action: Match wildcard patterns
 
         Utilities:
             - get_stats: Get cache statistics
@@ -199,10 +218,10 @@ class AWSServiceFetcher:
 
     def __init__(
         self,
-        timeout: float = 30.0,
+        timeout: float = constants.DEFAULT_HTTP_TIMEOUT_SECONDS,
         retries: int = 3,
         enable_cache: bool = True,
-        cache_ttl: int = 604800,
+        cache_ttl: int = constants.DEFAULT_CACHE_TTL_SECONDS,
         memory_cache_size: int = 256,
         connection_pool_size: int = 50,
         keepalive_connections: int = 20,
@@ -303,7 +322,7 @@ class AWSServiceFetcher:
             limits=httpx.Limits(
                 max_keepalive_connections=self.keepalive_connections,
                 max_connections=self.connection_pool_size,
-                keepalive_expiry=30.0,  # Keep connections alive for 30 seconds
+                keepalive_expiry=constants.DEFAULT_HTTP_TIMEOUT_SECONDS,  # Keep connections alive
             ),
             http2=True,  # Enable HTTP/2 for multiplexing
         )
@@ -333,7 +352,7 @@ class AWSServiceFetcher:
             try:
                 await self.fetch_service_by_name(name)
                 self._prefetched_services.add(name)
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.warning(f"Failed to prefetch service {name}: {e}")
 
         # Fetch in batches to avoid overwhelming the API
@@ -381,7 +400,7 @@ class AWSServiceFetcher:
             logger.debug(f"Disk cache hit for {url}")
             return data
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.warning(f"Failed to read cache for {url}: {e}")
             return None
 
@@ -396,7 +415,7 @@ class AWSServiceFetcher:
             with open(cache_path, "w", encoding="utf-8") as f:
                 json.dump(data, f, indent=2)
             logger.debug(f"Written to disk cache: {url}")
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.warning(f"Failed to write cache for {url}: {e}")
 
     async def _make_request_with_batching(self, url: str) -> Any:
@@ -440,7 +459,7 @@ class AWSServiceFetcher:
             if not future.done():
                 future.set_result(result)
             return result
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             if not future.done():
                 future.set_exception(e)
             raise
@@ -485,21 +504,23 @@ class AWSServiceFetcher:
 
                     return data
 
-                except Exception as json_error:
+                except Exception as json_error:  # pylint: disable=broad-exception-caught
                     logger.error(f"Failed to parse response as JSON: {json_error}")
-                    raise ValueError(f"Invalid JSON response from {url}: {json_error}")
+                    raise ValueError(
+                        f"Invalid JSON response from {url}: {json_error}"
+                    ) from json_error
 
             except httpx.HTTPStatusError as e:
                 logger.error(f"HTTP error {e.response.status_code} for {url}")
                 if e.response.status_code == 404:
-                    raise ValueError(f"Service not found: {url}")
+                    raise ValueError(f"Service not found: {url}") from e
                 last_exception = e
 
             except httpx.RequestError as e:
                 logger.error(f"Request error for {url}: {e}")
                 last_exception = e
 
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.error(f"Unexpected error for {url}: {e}")
                 last_exception = e
 
@@ -528,7 +549,7 @@ class AWSServiceFetcher:
             raise FileNotFoundError(f"_services.json not found in {self.aws_services_dir}")
 
         try:
-            with open(services_file) as f:
+            with open(services_file, encoding="utf-8") as f:
                 data = json.load(f)
 
             if not isinstance(data, list):
@@ -546,7 +567,7 @@ class AWSServiceFetcher:
             return services
 
         except json.JSONDecodeError as e:
-            raise ValueError(f"Invalid JSON in services.json: {e}")
+            raise ValueError(f"Invalid JSON in services.json: {e}") from e
 
     def _load_service_from_file(self, service_name: str) -> ServiceDetail:
         """Load service detail from local JSON file.
@@ -572,7 +593,7 @@ class AWSServiceFetcher:
             raise FileNotFoundError(f"Service file not found: {service_file}")
 
         try:
-            with open(service_file) as f:
+            with open(service_file, encoding="utf-8") as f:
                 data = json.load(f)
 
             service_detail = ServiceDetail.model_validate(data)
@@ -580,7 +601,7 @@ class AWSServiceFetcher:
             return service_detail
 
         except json.JSONDecodeError as e:
-            raise ValueError(f"Invalid JSON in {service_file}: {e}")
+            raise ValueError(f"Invalid JSON in {service_file}: {e}") from e
 
     async def fetch_services(self) -> list[ServiceInfo]:
         """Fetch list of AWS services with caching.
@@ -658,7 +679,9 @@ class AWSServiceFetcher:
                             return service_detail
                         except FileNotFoundError:
                             pass
-                raise ValueError(f"Service '{service_name}' not found in {self.aws_services_dir}")
+                raise ValueError(
+                    f"Service `{service_name}` not found in {self.aws_services_dir}"
+                ) from FileNotFoundError
 
         # Fetch service list and find URL from API
         services = await self.fetch_services()
@@ -676,7 +699,7 @@ class AWSServiceFetcher:
 
                 return service_detail
 
-        raise ValueError(f"Service '{service_name}' not found")
+        raise ValueError(f"Service `{service_name}` not found")
 
     async def fetch_multiple_services(self, service_names: list[str]) -> dict[str, ServiceDetail]:
         """Fetch multiple services concurrently with optimized batching."""
@@ -685,7 +708,7 @@ class AWSServiceFetcher:
             try:
                 detail = await self.fetch_service_by_name(name)
                 return name, detail
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.error(f"Failed to fetch service {name}: {e}")
                 raise
 
@@ -698,7 +721,7 @@ class AWSServiceFetcher:
             if isinstance(result, Exception):
                 logger.error(f"Failed to fetch service {service_names[i]}: {result}")
                 raise result
-            elif isinstance(result, tuple):
+            if isinstance(result, tuple):
                 name, detail = result
                 services[name] = detail
 
@@ -712,7 +735,7 @@ class AWSServiceFetcher:
 
         return match.group("service").lower(), match.group("action")
 
-    def _match_wildcard_action(self, pattern: str, actions: list[str]) -> tuple[bool, list[str]]:
+    def match_wildcard_action(self, pattern: str, actions: list[str]) -> tuple[bool, list[str]]:
         """Match wildcard pattern against list of actions.
 
         Args:
@@ -755,8 +778,7 @@ class AWSServiceFetcher:
                     # Just verify service exists
                     await self.fetch_service_by_name(service_prefix)
                     return True, None, True
-                else:
-                    return False, "Wildcard actions are not allowed", True
+                return False, "Wildcard actions are not allowed", True
 
             # Fetch service details (will use cache)
             service_detail = await self.fetch_service_by_name(service_prefix)
@@ -767,7 +789,7 @@ class AWSServiceFetcher:
                 if not allow_wildcards:
                     return False, "Wildcard actions are not allowed", True
 
-                has_matches, matched_actions = self._match_wildcard_action(
+                has_matches, matched_actions = self.match_wildcard_action(
                     action_name, available_actions
                 )
 
@@ -780,33 +802,32 @@ class AWSServiceFetcher:
                         examples += f", ... ({match_count - 5} more)"
 
                     return True, None, True
-                else:
-                    # Wildcard doesn't match any actions
-                    return (
-                        False,
-                        f"Action pattern '{action_name}' does not match any actions in service '{service_prefix}'",
-                        True,
-                    )
+                # Wildcard doesn't match any actions
+                return (
+                    False,
+                    f"Action pattern `{action_name}` does not match any actions in service `{service_prefix}`",
+                    True,
+                )
 
             # Check if exact action exists (case-insensitive)
             action_exists = any(a.lower() == action_name.lower() for a in available_actions)
 
             if action_exists:
                 return True, None, False
-            else:
-                # Suggest similar actions
-                similar = [a for a in available_actions if action_name.lower() in a.lower()][:3]
 
-                suggestion = f" Did you mean: {', '.join(similar)}?" if similar else ""
-                return (
-                    False,
-                    f"Action '{action_name}' not found in service '{service_prefix}'.{suggestion}",
-                    False,
-                )
+            # Suggest similar actions
+            similar = [f"`{a}`" for a in available_actions if action_name.lower() in a.lower()][:3]
+
+            suggestion = f" Did you mean: {', '.join(similar)}?" if similar else ""
+            return (
+                False,
+                f"Action `{action_name}` not found in service `{service_prefix}`.{suggestion}",
+                False,
+            )
 
         except ValueError as e:
             return False, str(e), False
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.error(f"Error validating action {action}: {e}")
             return False, f"Failed to validate action: {str(e)}", False
 
@@ -823,7 +844,7 @@ class AWSServiceFetcher:
 
     async def validate_condition_key(
         self, action: str, condition_key: str, resources: list[str] | None = None
-    ) -> tuple[bool, str | None, str | None]:
+    ) -> ConditionKeyValidationResult:
         """
         Validate condition key against action and optionally resource types.
 
@@ -833,13 +854,14 @@ class AWSServiceFetcher:
             resources: Optional list of resource ARNs to validate against
 
         Returns:
-            Tuple of (is_valid, error_message, warning_message)
+            ConditionKeyValidationResult with:
             - is_valid: True if key is valid (even with warning)
-            - error_message: Error message if invalid (is_valid=False)
+            - error_message: Short error message if invalid (shown prominently)
             - warning_message: Warning message if valid but not recommended
+            - suggestion: Detailed suggestion with valid keys (shown in collapsible section)
         """
         try:
-            from iam_validator.core.config.aws_global_conditions import (
+            from iam_validator.core.config.aws_global_conditions import (  # pylint: disable=import-outside-toplevel
                 get_global_conditions,
             )
 
@@ -852,10 +874,9 @@ class AWSServiceFetcher:
                 if global_conditions.is_valid_global_key(condition_key):
                     is_global_key = True
                 else:
-                    return (
-                        False,
-                        f"Invalid AWS global condition key: '{condition_key}'.",
-                        None,
+                    return ConditionKeyValidationResult(
+                        is_valid=False,
+                        error_message=f"Invalid AWS global condition key: `{condition_key}`.",
                     )
 
             # Fetch service detail (cached)
@@ -863,7 +884,7 @@ class AWSServiceFetcher:
 
             # Check service-specific condition keys
             if condition_key in service_detail.condition_keys:
-                return True, None, None
+                return ConditionKeyValidationResult(is_valid=True)
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -872,7 +893,7 @@ class AWSServiceFetcher:
                     action_detail.action_condition_keys
                     and condition_key in action_detail.action_condition_keys
                 ):
-                    return True, None, None
+                    return ConditionKeyValidationResult(is_valid=True)
 
                 # Check resource-specific condition keys
                 # Get resource types required by this action
@@ -886,33 +907,107 @@ class AWSServiceFetcher:
                         resource_type = service_detail.resources.get(resource_name)
                         if resource_type and resource_type.condition_keys:
                             if condition_key in resource_type.condition_keys:
-                                return True, None, None
+                                return ConditionKeyValidationResult(is_valid=True)
 
                 # If it's a global key but the action has specific condition keys defined,
                 # AWS allows it but the key may not be available in every request context
                 if is_global_key and action_detail.action_condition_keys is not None:
                     warning_msg = (
-                        f"Global condition key '{condition_key}' is used with action '{action}'. "
+                        f"Global condition key `{condition_key}` is used with action `{action}`. "
                         f"While global condition keys can be used across all AWS services, "
                         f"the key may not be available in every request context. "
-                        f"Verify that '{condition_key}' is available for this specific action's request context. "
-                        f"Consider using '*IfExists' operators (e.g., StringEqualsIfExists) if the key might be missing."
+                        f"Verify that `{condition_key}` is available for this specific action's request context. "
+                        f"Consider using `*IfExists` operators (e.g., `StringEqualsIfExists`) if the key might be missing."
                     )
-                    return True, None, warning_msg
+                    return ConditionKeyValidationResult(is_valid=True, warning_message=warning_msg)
 
             # If it's a global key and action doesn't define specific keys, allow it
             if is_global_key:
-                return True, None, None
+                return ConditionKeyValidationResult(is_valid=True)
 
-            return (
-                False,
-                f"Condition key '{condition_key}' is not valid for action '{action}'",
-                None,
+            # Short error message
+            error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
+
+            # Collect valid condition keys for this action
+            valid_keys = set()
+
+            # Add service-level condition keys
+            if service_detail.condition_keys:
+                if isinstance(service_detail.condition_keys, dict):
+                    valid_keys.update(service_detail.condition_keys.keys())
+                elif isinstance(service_detail.condition_keys, list):
+                    valid_keys.update(service_detail.condition_keys)
+
+            # Add action-specific condition keys
+            if action_name in service_detail.actions:
+                action_detail = service_detail.actions[action_name]
+                if action_detail.action_condition_keys:
+                    if isinstance(action_detail.action_condition_keys, dict):
+                        valid_keys.update(action_detail.action_condition_keys.keys())
+                    elif isinstance(action_detail.action_condition_keys, list):
+                        valid_keys.update(action_detail.action_condition_keys)
+
+                # Add resource-specific condition keys
+                if action_detail.resources:
+                    for res_req in action_detail.resources:
+                        resource_name = res_req.get("Name", "")
+                        if resource_name:
+                            resource_type = service_detail.resources.get(resource_name)
+                            if resource_type and resource_type.condition_keys:
+                                if isinstance(resource_type.condition_keys, dict):
+                                    valid_keys.update(resource_type.condition_keys.keys())
+                                elif isinstance(resource_type.condition_keys, list):
+                                    valid_keys.update(resource_type.condition_keys)
+
+            # Build detailed suggestion with valid keys (goes in collapsible section)
+            suggestion_parts = []
+
+            if valid_keys:
+                # Sort and limit to first 10 keys for readability
+                sorted_keys = sorted(valid_keys)
+                suggestion_parts.append("**Valid condition keys for this action:**")
+                if len(sorted_keys) <= 10:
+                    for key in sorted_keys:
+                        suggestion_parts.append(f"- `{key}`")
+                else:
+                    for key in sorted_keys[:10]:
+                        suggestion_parts.append(f"- `{key}`")
+                    suggestion_parts.append(f"- ... and {len(sorted_keys) - 10} more")
+
+                suggestion_parts.append("")
+                suggestion_parts.append(
+                    "**Global condition keys** (e.g., `aws:ResourceOrgID`, `aws:RequestedRegion`, `aws:SourceIp`, `aws:SourceVpce`) "
+                    "can also be used with any AWS action"
+                )
+            else:
+                # No action-specific keys - mention global keys
+                suggestion_parts.append(
+                    "This action does not have specific condition keys defined.\n\n"
+                    "However, you can use **global condition keys** such as:\n"
+                    "- `aws:RequestedRegion`\n"
+                    "- `aws:SourceIp`\n"
+                    "- `aws:SourceVpce`\n"
+                    "- `aws:UserAgent`\n"
+                    "- `aws:CurrentTime`\n"
+                    "- `aws:SecureTransport`\n"
+                    "- `aws:PrincipalArn`\n"
+                    "- And many others"
+                )
+
+            suggestion = "\n".join(suggestion_parts)
+
+            return ConditionKeyValidationResult(
+                is_valid=False,
+                error_message=error_msg,
+                suggestion=suggestion,
             )
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.error(f"Error validating condition key {condition_key} for {action}: {e}")
-            return False, f"Failed to validate condition key: {str(e)}", None
+            return ConditionKeyValidationResult(
+                is_valid=False,
+                error_message=f"Failed to validate condition key: {str(e)}",
+            )
 
     async def clear_caches(self) -> None:
         """Clear all caches (memory and disk)."""
@@ -924,7 +1019,7 @@ class AWSServiceFetcher:
             for cache_file in self._cache_dir.glob("*.json"):
                 try:
                     cache_file.unlink()
-                except Exception as e:
+                except Exception as e:  # pylint: disable=broad-exception-caught
                     logger.warning(f"Failed to delete cache file {cache_file}: {e}")
 
         logger.info("Cleared all caches")