iam-policy-validator 1.7.1__py3-none-any.whl → 1.8.0__py3-none-any.whl

iam_validator/core/config/service_principals.py

@@ -1,8 +1,15 @@
 """
-Default service principals for resource policy validation.
+Service principals utilities for resource policy validation.
 
-These are AWS service principals that are commonly used and considered safe
-in resource-based policies (S3 bucket policies, SNS topic policies, etc.).
+This module provides:
+- Default list of common AWS service principals
+- Utility to check if a principal is any AWS service principal
+- Functions to categorize service principals by type
+
+Configuration:
+- Use "*" in allowed_service_principals to allow ALL AWS service principals
+- Use explicit list to restrict to specific services only
+- AWS service principals end with .amazonaws.com or .amazonaws.com.cn
 """
 
 from typing import Final
@@ -58,6 +65,36 @@ def is_allowed_service_principal(principal: str) -> bool:
     return principal in DEFAULT_SERVICE_PRINCIPALS
 
 
+def is_aws_service_principal(principal: str) -> bool:
+    """
+    Check if a principal is an AWS service principal (any AWS service).
+
+    This checks if the principal matches the AWS service principal pattern.
+    AWS service principals typically end with ".amazonaws.com" or ".amazonaws.com.cn"
+
+    Args:
+        principal: Principal to check (e.g., "lambda.amazonaws.com", "s3.amazonaws.com.cn")
+
+    Returns:
+        True if principal matches AWS service principal pattern
+
+    Examples:
+        >>> is_aws_service_principal("lambda.amazonaws.com")
+        True
+        >>> is_aws_service_principal("s3.amazonaws.com.cn")
+        True
+        >>> is_aws_service_principal("arn:aws:iam::123456789012:root")
+        False
+        >>> is_aws_service_principal("*")
+        False
+    """
+    if not isinstance(principal, str):
+        return False
+
+    # AWS service principals end with .amazonaws.com or .amazonaws.com.cn
+    return principal.endswith(".amazonaws.com") or principal.endswith(".amazonaws.com.cn")
+
+
 def get_service_principals_by_category() -> dict[str, tuple[str, ...]]:
     """
     Get service principals organized by service category.

iam_validator/core/constants.py

@@ -62,6 +62,21 @@ DEFAULT_CONFIG_FILENAMES = [
     ".iam-validator.yml",
 ]
 
+# ============================================================================
+# Severity Levels
+# ============================================================================
+# Severity level groupings for filtering and categorization
+# Used across formatters and report generation
+
+# High severity issues that typically fail validation
+HIGH_SEVERITY_LEVELS = ("error", "critical", "high")
+
+# Medium severity issues (warnings)
+MEDIUM_SEVERITY_LEVELS = ("warning", "medium")
+
+# Low severity issues (informational)
+LOW_SEVERITY_LEVELS = ("info", "low")
+
 # ============================================================================
 # GitHub Integration
 # ============================================================================
@@ -72,3 +87,45 @@ BOT_IDENTIFIER = "🤖 IAM Policy Validator"
 # HTML comment markers for identifying bot-generated content (for cleanup/updates)
 SUMMARY_IDENTIFIER = "<!-- iam-policy-validator-summary -->"
 REVIEW_IDENTIFIER = "<!-- iam-policy-validator-review -->"
+
+# GitHub comment size limits
+# GitHub's actual limit is 65536 characters, but we use a smaller limit for safety
+GITHUB_MAX_COMMENT_LENGTH = 65000  # Maximum single comment length
+GITHUB_COMMENT_SPLIT_LIMIT = 60000  # Target size when splitting into multiple parts
+
+# Comment size estimation parameters (used for multi-part comment splitting)
+COMMENT_BASE_OVERHEAD_CHARS = 2000  # Base overhead for headers/footers
+COMMENT_CHARS_PER_ISSUE_ESTIMATE = 500  # Average characters per issue
+COMMENT_CONTINUATION_OVERHEAD_CHARS = 200  # Overhead for continuation markers
+FORMATTING_SAFETY_BUFFER = 100  # Safety buffer for formatting calculations
+
+# ============================================================================
+# Console Display Settings
+# ============================================================================
+
+# Panel width for formatted console output
+CONSOLE_PANEL_WIDTH = 100
+
+# Rich console color styles
+CONSOLE_HEADER_COLOR = "bright_blue"
+
+# ============================================================================
+# Cache and Timeout Settings
+# ============================================================================
+
+# Cache TTL (Time To Live) - 7 days
+DEFAULT_CACHE_TTL_HOURS = 168  # 7 days in hours
+DEFAULT_CACHE_TTL_SECONDS = 604800  # 7 days in seconds (168 * 3600)
+
+# HTTP request timeout in seconds
+DEFAULT_HTTP_TIMEOUT_SECONDS = 30.0
+
+# Time conversion constants
+SECONDS_PER_HOUR = 3600
+
+# ============================================================================
+# AWS Documentation URLs
+# ============================================================================
+
+# AWS Service Authorization Reference (for finding valid actions, resources, and condition keys)
+AWS_SERVICE_AUTH_REF_URL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"

iam_validator/core/formatters/console.py

@@ -39,8 +39,17 @@ class ConsoleFormatter(OutputFormatter):
         color = kwargs.get("color", True)
 
         # Capture the output from print_console_report
+        from iam_validator.utils import get_terminal_width
+
         string_buffer = StringIO()
-        console = Console(file=string_buffer, force_terminal=color, width=120)
+        # Get terminal width for proper table column spacing
+        terminal_width = get_terminal_width()
+        console = Console(
+            file=string_buffer,
+            force_terminal=color,
+            width=terminal_width,
+            legacy_windows=False,
+        )
 
         # Create a generator instance with our custom console
         generator = ReportGenerator()

iam_validator/core/formatters/csv.py

@@ -4,6 +4,7 @@ import csv
 import io
 from typing import Any
 
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import ValidationReport
 
@@ -58,7 +59,7 @@ class CSVFormatter(OutputFormatter):
             1
             for r in report.results
             for i in r.issues
-            if i.severity in ("error", "critical", "high")
+            if i.severity in constants.HIGH_SEVERITY_LEVELS
         )
         warnings = sum(
             1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")

iam_validator/core/formatters/enhanced.py

@@ -10,6 +10,7 @@ from rich.text import Text
 from rich.tree import Tree
 
 from iam_validator.__version__ import __version__
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import PolicyValidationResult, ValidationReport
 
@@ -50,8 +51,14 @@ class EnhancedFormatter(OutputFormatter):
         show_severity_breakdown = kwargs.get("show_severity_breakdown", True)
 
         # Use StringIO to capture Rich console output
+        from iam_validator.utils import get_terminal_width
+
         string_buffer = StringIO()
-        console = Console(file=string_buffer, force_terminal=color, width=120)
+        # Get terminal width for proper text wrapping
+        terminal_width = get_terminal_width()
+        console = Console(
+            file=string_buffer, force_terminal=color, width=terminal_width, legacy_windows=False
+        )
 
         # Header with title
         console.print()
@@ -60,7 +67,14 @@ class EnhancedFormatter(OutputFormatter):
             style="bold cyan",
             justify="center",
         )
-        console.print(Panel(title, border_style="bright_blue", padding=(1, 0)))
+        console.print(
+            Panel(
+                title,
+                border_style=constants.CONSOLE_HEADER_COLOR,
+                padding=(1, 0),
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
+        )
         console.print()
 
         # Executive Summary with progress bars (optional)
@@ -73,7 +87,7 @@ class EnhancedFormatter(OutputFormatter):
             self._print_severity_breakdown(console, report)
 
         console.print()
-        console.print(Rule(title="[bold]Detailed Results", style="bright_blue"))
+        console.print(Rule(title="[bold]Detailed Results", style=constants.CONSOLE_HEADER_COLOR))
         console.print()
 
         # Detailed results using tree structure
@@ -140,8 +154,9 @@ class EnhancedFormatter(OutputFormatter):
             Panel(
                 metrics_table,
                 title="📊 Executive Summary",
-                border_style="bright_blue",
+                border_style=constants.CONSOLE_HEADER_COLOR,
                 padding=(1, 2),
+                width=constants.CONSOLE_PANEL_WIDTH,
             )
         )
 
@@ -225,7 +240,12 @@ class EnhancedFormatter(OutputFormatter):
             )
 
         console.print(
-            Panel(severity_table, title="🎯 Issue Severity Breakdown", border_style="bright_blue")
+            Panel(
+                severity_table,
+                title="🎯 Issue Severity Breakdown",
+                border_style=constants.CONSOLE_HEADER_COLOR,
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
         )
 
     def _format_policy_result_modern(
@@ -247,7 +267,7 @@ class EnhancedFormatter(OutputFormatter):
         elif result.is_valid and result.issues:
             # Valid IAM policy but has security findings
             # Check severity to determine the appropriate status
-            has_critical = any(i.severity in ("error", "critical", "high") for i in result.issues)
+            has_critical = any(i.severity in constants.HIGH_SEVERITY_LEVELS for i in result.issues)
             if has_critical:
                 icon = "⚠️"
                 color = "red"
@@ -386,6 +406,13 @@ class EnhancedFormatter(OutputFormatter):
             suggestion_text.append(issue.suggestion, style="italic yellow")
             msg_node.add(suggestion_text)
 
+        # Example (if present, show with indentation)
+        if issue.example:
+            msg_node.add(Text("Example:", style="bold cyan"))
+            # Show example code with syntax highlighting
+            example_text = Text(issue.example, style="dim")
+            msg_node.add(example_text)
+
     def _print_final_status(self, console: Console, report: ValidationReport) -> None:
         """Print final status panel."""
         if report.invalid_policies == 0 and report.total_issues == 0:
@@ -400,7 +427,7 @@ class EnhancedFormatter(OutputFormatter):
             # Valid IAM policies but may have security findings
             # Check if there are critical/high security issues
             has_critical = any(
-                i.severity in ("error", "critical", "high")
+                i.severity in constants.HIGH_SEVERITY_LEVELS
                 for r in report.results
                 for i in r.issues
             )
@@ -437,4 +464,11 @@ class EnhancedFormatter(OutputFormatter):
         final_text.append("\n\n")
         final_text.append(message)
 
-        console.print(Panel(final_text, border_style=border_color, padding=(1, 2)))
+        console.print(
+            Panel(
+                final_text,
+                border_style=border_color,
+                padding=(1, 2),
+                width=constants.CONSOLE_PANEL_WIDTH,
+            )
+        )

iam_validator/core/formatters/markdown.py

@@ -1,5 +1,6 @@
 """Markdown formatter - placeholder for existing functionality."""
 
+from iam_validator.core import constants
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import ValidationReport
 
@@ -34,7 +35,7 @@ class MarkdownFormatter(OutputFormatter):
             1
             for r in report.results
             for i in r.issues
-            if i.severity in ("error", "critical", "high")
+            if i.severity in constants.HIGH_SEVERITY_LEVELS
         )
         warnings = sum(
             1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")

iam_validator/core/ignore_patterns.py

@@ -0,0 +1,297 @@
+"""
+Centralized ignore patterns utility with caching and performance optimization.
+
+This module provides high-performance pattern matching for ignore_patterns across
+all checks. Uses LRU caching and compiled regex patterns for optimal performance.
+"""
+
+import re
+from functools import lru_cache
+from typing import Any
+
+from iam_validator.core.models import ValidationIssue
+
+
+# Global regex pattern cache (shared across all checks for maximum efficiency)
+@lru_cache(maxsize=512)
+def compile_pattern(pattern: str) -> re.Pattern[str] | None:
+    """
+    Compile and cache regex patterns.
+
+    Uses LRU cache to avoid recompiling the same patterns across multiple calls.
+    This is critical for performance when the same patterns are used repeatedly.
+
+    This is a public API function used across multiple modules for consistent
+    regex caching.
+
+    Args:
+        pattern: Regex pattern string
+
+    Returns:
+        Compiled pattern or None if invalid
+
+    Performance:
+        - First call: O(n) compile time
+        - Cached calls: O(1) lookup
+    """
+    try:
+        return re.compile(str(pattern), re.IGNORECASE)
+    except re.error:
+        return None
+
+
+class IgnorePatternMatcher:
+    """
+    High-performance pattern matcher for ignore_patterns.
+
+    Features:
+    - Cached compiled regex patterns (LRU cache)
+    - Support for new (simple) and old (verbose) field names
+    - Efficient filtering with early exit optimization
+    - Field-specific validation logic
+
+    Thread-safe: Yes (regex compilation is cached globally)
+    """
+
+    # Supported field name mappings (new -> old for backward compatibility)
+    FIELD_ALIASES = {
+        "filepath": "filepath_regex",
+        "action": "action_matches",
+        "resource": "resource_matches",
+        "sid": "statement_sid",
+        "condition_key": "condition_key_matches",
+    }
+
+    @staticmethod
+    def should_ignore_issue(
+        issue: ValidationIssue,
+        filepath: str,
+        ignore_patterns: list[dict[str, Any]],
+    ) -> bool:
+        """
+        Check if a ValidationIssue should be ignored based on patterns.
+
+        Pattern Matching Logic:
+        - Multiple fields in ONE pattern = AND logic (all must match)
+        - Multiple patterns = OR logic (any pattern matches → ignore)
+
+        Args:
+            issue: The validation issue to check
+            filepath: Path to the policy file
+            ignore_patterns: List of pattern dictionaries
+
+        Returns:
+            True if the issue should be ignored
+
+        Performance:
+            - Early exit on first match (OR logic)
+            - Cached regex compilation
+            - O(p * f) where p=patterns, f=fields per pattern
+        """
+        if not ignore_patterns:
+            return False
+
+        for pattern in ignore_patterns:
+            if IgnorePatternMatcher._matches_pattern(pattern, issue, filepath):
+                return True  # Early exit on first match
+
+        return False
+
+    @staticmethod
+    def filter_actions(
+        actions: frozenset[str],
+        ignore_patterns: list[dict[str, Any]],
+    ) -> frozenset[str]:
+        """
+        Filter actions based on action ignore patterns.
+
+        Only considers patterns that contain an "action" or "action_matches" field.
+        This is optimized for the sensitive_action check which needs to filter
+        actions before creating ValidationIssues.
+
+        Supports both single action patterns and lists:
+        - action: "s3:.*"  # Single regex pattern
+        - action: ["s3:GetObject", "s3:PutObject"]  # List of patterns
+
+        Args:
+            actions: Set of actions to filter
+            ignore_patterns: List of pattern dictionaries
+
+        Returns:
+            Filtered set of actions (actions matching patterns removed)
+
+        Performance:
+            - Extracts action patterns once: O(p) where p=patterns
+            - Filters with cached regex: O(a * p) where a=actions, p=patterns
+            - Early exit per action when match found
+        """
+        if not ignore_patterns:
+            return actions
+
+        # Extract action patterns once (cache-friendly)
+        action_patterns = []
+        for pattern in ignore_patterns:
+            # Support both new and old field names
+            action_regex = pattern.get("action") or pattern.get("action_matches")
+            if action_regex:
+                # Support both single string and list of strings
+                if isinstance(action_regex, list):
+                    action_patterns.extend(action_regex)
+                else:
+                    action_patterns.append(action_regex)
+
+        if not action_patterns:
+            return actions
+
+        # Filter actions with compiled patterns (cached)
+        filtered = set()
+        for action in actions:
+            should_keep = True
+            for pattern_str in action_patterns:
+                compiled = compile_pattern(pattern_str)
+                if compiled and compiled.search(str(action)):
+                    should_keep = False
+                    break  # Early exit on first match
+
+            if should_keep:
+                filtered.add(action)
+
+        return frozenset(filtered)
+
+    @staticmethod
+    def _matches_pattern(
+        pattern: dict[str, Any],
+        issue: ValidationIssue,
+        filepath: str,
+    ) -> bool:
+        """
+        Check if issue matches a single ignore pattern.
+
+        All fields in pattern must match (AND logic).
+        For list-based fields (like action), ANY match from the list counts (OR logic).
+
+        Args:
+            pattern: Pattern dict with optional fields
+            issue: ValidationIssue to check
+            filepath: Path to policy file
+
+        Returns:
+            True if all fields in pattern match the issue
+
+        Performance:
+            - Early exit on first non-match (AND logic)
+            - Uses cached compiled patterns
+        """
+        for field_name, regex_pattern in pattern.items():
+            # Get actual value from issue based on field name
+            actual_value = IgnorePatternMatcher._get_field_value(field_name, issue, filepath)
+
+            # Handle special case: SID with exact match (no regex)
+            if field_name in ("sid", "statement_sid"):
+                # Support both single string and list of strings
+                if isinstance(regex_pattern, list):
+                    # List of SIDs - exact match or regex
+                    matched = False
+                    for single_sid in regex_pattern:
+                        if isinstance(single_sid, str) and "*" not in single_sid:
+                            # Exact match
+                            if issue.statement_sid == single_sid:
+                                matched = True
+                                break
+                        else:
+                            # Regex match
+                            compiled = compile_pattern(str(single_sid))
+                            if compiled and compiled.search(str(issue.statement_sid or "")):
+                                matched = True
+                                break
+                    if not matched:
+                        return False
+                    continue
+                elif isinstance(regex_pattern, str) and "*" not in regex_pattern:
+                    # Single SID - exact match (not a regex)
+                    if issue.statement_sid != regex_pattern:
+                        return False  # Early exit on non-match
+                    continue
+
+            # Regex match for all other cases
+            if actual_value is None:
+                return False  # Early exit on missing value
+
+            # Support list of patterns (OR logic - any match succeeds)
+            if isinstance(regex_pattern, list):
+                matched = False
+                for single_pattern in regex_pattern:
+                    compiled = compile_pattern(str(single_pattern))
+                    if compiled and compiled.search(str(actual_value)):
+                        matched = True
+                        break  # Found a match in the list
+                if not matched:
+                    return False  # None of the patterns matched
+            else:
+                # Single pattern
+                compiled = compile_pattern(str(regex_pattern))
+                if not compiled or not compiled.search(str(actual_value)):
+                    return False  # Early exit on non-match
+
+        return True  # All fields matched
+
+    @staticmethod
+    def _get_field_value(
+        field_name: str,
+        issue: ValidationIssue,
+        filepath: str,
+    ) -> str | None:
+        """
+        Extract field value from issue or filepath.
+
+        Supports both new (simple) and old (verbose) field names for
+        backward compatibility.
+
+        Args:
+            field_name: Name of the field to extract
+            issue: ValidationIssue to extract from
+            filepath: Policy file path
+
+        Returns:
+            Field value as string, or None if field not recognized
+        """
+        # Normalize field name (support both old and new names)
+        if field_name in ("filepath", "filepath_regex"):
+            return filepath
+        elif field_name in ("action", "action_matches"):
+            return issue.action or ""
+        elif field_name in ("resource", "resource_matches"):
+            return issue.resource or ""
+        elif field_name in ("sid", "statement_sid"):
+            return issue.statement_sid or ""
+        elif field_name in ("condition_key", "condition_key_matches"):
+            return issue.condition_key or ""
+        else:
+            # Unknown field - skip (don't fail)
+            return None
+
+
+# Convenience functions for backward compatibility
+def should_ignore_issue(
+    issue: ValidationIssue,
+    filepath: str,
+    ignore_patterns: list[dict[str, Any]],
+) -> bool:
+    """
+    Convenience function for checking if an issue should be ignored.
+
+    See IgnorePatternMatcher.should_ignore_issue() for details.
+    """
+    return IgnorePatternMatcher.should_ignore_issue(issue, filepath, ignore_patterns)
+
+
+def filter_actions(
+    actions: frozenset[str],
+    ignore_patterns: list[dict[str, Any]],
+) -> frozenset[str]:
+    """
+    Convenience function for filtering actions.
+
+    See IgnorePatternMatcher.filter_actions() for details.
+    """
+    return IgnorePatternMatcher.filter_actions(actions, ignore_patterns)