iam-policy-validator 1.7.2__py3-none-any.whl → 1.8.0__py3-none-any.whl

iam_validator/checks/utils/sensitive_action_matcher.py

@@ -5,15 +5,13 @@ configurations, supporting exact matches, regex patterns, and any_of/all_of logi
 
 Performance optimizations:
 - Uses frozenset for O(1) lookups
-- LRU cache for compiled regex patterns
+- Centralized LRU cache for compiled regex patterns (from ignore_patterns module)
 - Lazy loading of default actions from modular data structure
 """
 
-import re
-from functools import lru_cache
-
 from iam_validator.core.check_registry import CheckConfig
 from iam_validator.core.config.sensitive_actions import get_sensitive_actions
+from iam_validator.core.ignore_patterns import compile_pattern
 
 # Lazy-loaded default set of sensitive actions
 # This will be loaded only when first accessed
@@ -37,7 +35,9 @@ def _get_default_sensitive_actions() -> frozenset[str]:
     return _DEFAULT_SENSITIVE_ACTIONS_CACHE
 
 
-def get_sensitive_actions_by_categories(categories: list[str] | None = None) -> frozenset[str]:
+def get_sensitive_actions_by_categories(
+    categories: list[str] | None = None,
+) -> frozenset[str]:
     """
     Get sensitive actions filtered by categories.
 
@@ -66,25 +66,10 @@ def get_sensitive_actions_by_categories(categories: list[str] | None = None) ->
 DEFAULT_SENSITIVE_ACTIONS = _get_default_sensitive_actions()
 
 
-# Global regex pattern cache for performance
-@lru_cache(maxsize=256)
-def compile_pattern(pattern: str) -> re.Pattern[str] | None:
-    """Compile and cache regex patterns.
-
-    Args:
-        pattern: Regex pattern string
-
-    Returns:
-        Compiled pattern or None if invalid
-    """
-    try:
-        return re.compile(pattern)
-    except re.error:
-        return None
-
-
 def check_sensitive_actions(
-    actions: list[str], config: CheckConfig, default_actions: frozenset[str] | None = None
+    actions: list[str],
+    config: CheckConfig,
+    default_actions: frozenset[str] | None = None,
 ) -> tuple[bool, list[str]]:
     """
     Check if actions match sensitive action criteria with any_of/all_of support.
@@ -115,6 +100,10 @@ def check_sensitive_actions(
         # Use all categories if no specific categories configured
         default_actions = _get_default_sensitive_actions()
 
+    # Apply ignore_patterns to filter out default actions
+    # This allows users to exclude specific actions from the default 490 actions
+    default_actions = config.filter_actions(default_actions)
+
     # Filter out wildcards
     filtered_actions = [a for a in actions if a != "*"]
     if not filtered_actions:
@@ -141,6 +130,17 @@ def check_sensitive_actions(
     matched_set = set(actions_matched) | set(patterns_matched)
     matched_actions = list(matched_set)
 
+    # Apply ignore_patterns to filter the final matched actions
+    # This ensures ignore_patterns work for:
+    # 1. Default actions (490 actions from Python modules)
+    # 2. Custom sensitive_actions configuration
+    # 3. Custom sensitive_action_patterns configuration
+    if matched_actions and config.ignore_patterns:
+        filtered_matched = config.filter_actions(frozenset(matched_actions))
+        matched_actions = list(filtered_matched)
+        # Update is_sensitive based on filtered results
+        is_sensitive = len(matched_actions) > 0
+
     return is_sensitive, matched_actions
 
 
@@ -243,7 +243,7 @@ def check_patterns_config(actions: list[str], config) -> tuple[bool, list[str]]:
             # Each item can be a string pattern, or a dict with any_of/all_of
             if isinstance(item, str):
                 # Simple string pattern - check if any action matches
-                # Use cached compiled pattern
+                # Use cached compiled pattern from centralized ignore_patterns module
                 compiled = compile_pattern(item)
                 if compiled:
                     for action in actions:
@@ -262,7 +262,7 @@ def check_patterns_config(actions: list[str], config) -> tuple[bool, list[str]]:
         # any_of: at least one action must match at least one pattern
         if "any_of" in config:
             matched = set()
-            # Pre-compile all patterns
+            # Pre-compile all patterns using centralized cache
             compiled_patterns = [compile_pattern(p) for p in config["any_of"]]
 
             for action in actions:
@@ -274,7 +274,7 @@ def check_patterns_config(actions: list[str], config) -> tuple[bool, list[str]]:
 
         # all_of: at least one action must match ALL patterns
         if "all_of" in config:
-            # Pre-compile all patterns
+            # Pre-compile all patterns using centralized cache
             compiled_patterns = [compile_pattern(p) for p in config["all_of"]]
             # Filter out invalid patterns
             compiled_patterns = [p for p in compiled_patterns if p]

iam_validator/checks/utils/wildcard_expansion.py

@@ -72,7 +72,7 @@ async def expand_wildcard_actions(actions: list[str], fetcher: AWSServiceFetcher
             available_actions = list(service_detail.actions.keys())
 
             # Match wildcard pattern against available actions
-            _, matched_actions = fetcher._match_wildcard_action(action_name, available_actions)
+            _, matched_actions = fetcher.match_wildcard_action(action_name, available_actions)
 
             # Add expanded actions with service prefix
             for matched_action in matched_actions:

iam_validator/checks/wildcard_action.py

@@ -38,7 +38,9 @@ class WildcardActionCheck(PolicyCheck):
 
         # Check for wildcard action (Action: "*")
         if "*" in actions:
-            message = config.config.get("message", "Statement allows all actions (*)")
+            message = config.config.get(
+                "message", 'Statement allows all actions `"*"` (wildcard action).'
+            )
             suggestion = config.config.get(
                 "suggestion",
                 "Replace wildcard with specific actions needed for your use case",

iam_validator/checks/wildcard_resource.py

@@ -62,7 +62,9 @@ class WildcardResourceCheck(PolicyCheck):
                     return issues
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
-            message = config.config.get("message", "Statement applies to all resources (*)")
+            message = config.config.get(
+                "message", 'Statement applies to all resources `"*"` (wildcard resource).'
+            )
             suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
             )

iam_validator/commands/validate.py

@@ -114,13 +114,17 @@ Examples:
             choices=[
                 "IDENTITY_POLICY",
                 "RESOURCE_POLICY",
+                "TRUST_POLICY",
                 "SERVICE_CONTROL_POLICY",
                 "RESOURCE_CONTROL_POLICY",
             ],
             default="IDENTITY_POLICY",
             help="Type of IAM policy being validated (default: IDENTITY_POLICY). "
-            "Enables policy-type-specific validation (e.g., requiring Principal for resource policies, "
-            "strict RCP requirements for resource control policies)",
+            "IDENTITY_POLICY: Attached to users/groups/roles | "
+            "RESOURCE_POLICY: S3/SNS/SQS policies | "
+            "TRUST_POLICY: Role assumption policies | "
+            "SERVICE_CONTROL_POLICY: AWS Orgs SCPs | "
+            "RESOURCE_CONTROL_POLICY: AWS Orgs RCPs",
         )
 
         parser.add_argument(
@@ -159,12 +163,6 @@ Examples:
             help="Path to directory containing custom checks for auto-discovery",
         )
 
-        parser.add_argument(
-            "--no-registry",
-            action="store_true",
-            help="Use legacy validation (disable check registry system)",
-        )
-
         parser.add_argument(
             "--stream",
             action="store_true",
@@ -242,14 +240,12 @@ Examples:
             logging.info(f"Loaded {len(policies)} policies from {len(args.paths)} path(s)")
 
         # Validate policies
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
         results = await validate_policies(
             policies,
             config_path=config_path,
-            use_registry=use_registry,
             custom_checks_dir=custom_checks_dir,
             policy_type=policy_type,
         )
@@ -329,7 +325,6 @@ Examples:
         """
         loader = PolicyLoader()
         generator = ReportGenerator()
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
@@ -354,7 +349,6 @@ Examples:
             results = await validate_policies(
                 [(file_path, policy)],
                 config_path=config_path,
-                use_registry=use_registry,
                 custom_checks_dir=custom_checks_dir,
                 policy_type=policy_type,
             )

iam_validator/core/__init__.py

@@ -1,13 +1,12 @@
 """Core validation modules."""
 
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
-from iam_validator.core.policy_checks import PolicyValidator, validate_policies
+from iam_validator.core.policy_checks import validate_policies
 from iam_validator.core.policy_loader import PolicyLoader
 from iam_validator.core.report import ReportGenerator
 
 __all__ = [
     "AWSServiceFetcher",
-    "PolicyValidator",
     "validate_policies",
     "PolicyLoader",
     "ReportGenerator",

iam_validator/core/access_analyzer.py

@@ -577,7 +577,7 @@ class AccessAnalyzerValidator:
                 )
                 results.append(result)
 
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 self.logger.error(f"Failed to validate {policy_file}: {e}")
                 result = AccessAnalyzerResult(
                     policy_file=policy_file,

iam_validator/core/access_analyzer_report.py

@@ -259,7 +259,7 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save JSON report
         """
         json_content = self.generate_json_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(json_content)
 
     def generate_markdown_report(
@@ -636,5 +636,5 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save Markdown report
         """
         markdown_content = self.generate_markdown_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(markdown_content)

iam_validator/core/aws_fetcher.py

@@ -160,7 +160,7 @@ class AWSServiceFetcher:
 
         Public API - Parsing:
             - parse_action: Split action into service and name
-            - _match_wildcard_action: Match wildcard patterns
+            - match_wildcard_action: Match wildcard patterns
 
         Utilities:
             - get_stats: Get cache statistics
@@ -352,7 +352,7 @@ class AWSServiceFetcher:
             try:
                 await self.fetch_service_by_name(name)
                 self._prefetched_services.add(name)
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.warning(f"Failed to prefetch service {name}: {e}")
 
         # Fetch in batches to avoid overwhelming the API
@@ -400,7 +400,7 @@ class AWSServiceFetcher:
             logger.debug(f"Disk cache hit for {url}")
             return data
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.warning(f"Failed to read cache for {url}: {e}")
             return None
 
@@ -415,7 +415,7 @@ class AWSServiceFetcher:
             with open(cache_path, "w", encoding="utf-8") as f:
                 json.dump(data, f, indent=2)
             logger.debug(f"Written to disk cache: {url}")
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.warning(f"Failed to write cache for {url}: {e}")
 
     async def _make_request_with_batching(self, url: str) -> Any:
@@ -459,7 +459,7 @@ class AWSServiceFetcher:
             if not future.done():
                 future.set_result(result)
             return result
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             if not future.done():
                 future.set_exception(e)
             raise
@@ -504,21 +504,23 @@ class AWSServiceFetcher:
 
                     return data
 
-                except Exception as json_error:
+                except Exception as json_error:  # pylint: disable=broad-exception-caught
                     logger.error(f"Failed to parse response as JSON: {json_error}")
-                    raise ValueError(f"Invalid JSON response from {url}: {json_error}")
+                    raise ValueError(
+                        f"Invalid JSON response from {url}: {json_error}"
+                    ) from json_error
 
             except httpx.HTTPStatusError as e:
                 logger.error(f"HTTP error {e.response.status_code} for {url}")
                 if e.response.status_code == 404:
-                    raise ValueError(f"Service not found: {url}")
+                    raise ValueError(f"Service not found: {url}") from e
                 last_exception = e
 
             except httpx.RequestError as e:
                 logger.error(f"Request error for {url}: {e}")
                 last_exception = e
 
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.error(f"Unexpected error for {url}: {e}")
                 last_exception = e
 
@@ -547,7 +549,7 @@ class AWSServiceFetcher:
             raise FileNotFoundError(f"_services.json not found in {self.aws_services_dir}")
 
         try:
-            with open(services_file) as f:
+            with open(services_file, encoding="utf-8") as f:
                 data = json.load(f)
 
             if not isinstance(data, list):
@@ -565,7 +567,7 @@ class AWSServiceFetcher:
             return services
 
         except json.JSONDecodeError as e:
-            raise ValueError(f"Invalid JSON in services.json: {e}")
+            raise ValueError(f"Invalid JSON in services.json: {e}") from e
 
     def _load_service_from_file(self, service_name: str) -> ServiceDetail:
         """Load service detail from local JSON file.
@@ -591,7 +593,7 @@ class AWSServiceFetcher:
             raise FileNotFoundError(f"Service file not found: {service_file}")
 
         try:
-            with open(service_file) as f:
+            with open(service_file, encoding="utf-8") as f:
                 data = json.load(f)
 
             service_detail = ServiceDetail.model_validate(data)
@@ -599,7 +601,7 @@ class AWSServiceFetcher:
             return service_detail
 
         except json.JSONDecodeError as e:
-            raise ValueError(f"Invalid JSON in {service_file}: {e}")
+            raise ValueError(f"Invalid JSON in {service_file}: {e}") from e
 
     async def fetch_services(self) -> list[ServiceInfo]:
         """Fetch list of AWS services with caching.
@@ -677,7 +679,9 @@ class AWSServiceFetcher:
                             return service_detail
                         except FileNotFoundError:
                             pass
-                raise ValueError(f"Service `{service_name}` not found in {self.aws_services_dir}")
+                raise ValueError(
+                    f"Service `{service_name}` not found in {self.aws_services_dir}"
+                ) from FileNotFoundError
 
         # Fetch service list and find URL from API
         services = await self.fetch_services()
@@ -704,7 +708,7 @@ class AWSServiceFetcher:
             try:
                 detail = await self.fetch_service_by_name(name)
                 return name, detail
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 logger.error(f"Failed to fetch service {name}: {e}")
                 raise
 
@@ -717,7 +721,7 @@ class AWSServiceFetcher:
             if isinstance(result, Exception):
                 logger.error(f"Failed to fetch service {service_names[i]}: {result}")
                 raise result
-            elif isinstance(result, tuple):
+            if isinstance(result, tuple):
                 name, detail = result
                 services[name] = detail
 
@@ -731,7 +735,7 @@ class AWSServiceFetcher:
 
         return match.group("service").lower(), match.group("action")
 
-    def _match_wildcard_action(self, pattern: str, actions: list[str]) -> tuple[bool, list[str]]:
+    def match_wildcard_action(self, pattern: str, actions: list[str]) -> tuple[bool, list[str]]:
         """Match wildcard pattern against list of actions.
 
         Args:
@@ -774,8 +778,7 @@ class AWSServiceFetcher:
                     # Just verify service exists
                     await self.fetch_service_by_name(service_prefix)
                     return True, None, True
-                else:
-                    return False, "Wildcard actions are not allowed", True
+                return False, "Wildcard actions are not allowed", True
 
             # Fetch service details (will use cache)
             service_detail = await self.fetch_service_by_name(service_prefix)
@@ -786,7 +789,7 @@ class AWSServiceFetcher:
                 if not allow_wildcards:
                     return False, "Wildcard actions are not allowed", True
 
-                has_matches, matched_actions = self._match_wildcard_action(
+                has_matches, matched_actions = self.match_wildcard_action(
                     action_name, available_actions
                 )
 
@@ -799,33 +802,32 @@ class AWSServiceFetcher:
                         examples += f", ... ({match_count - 5} more)"
 
                     return True, None, True
-                else:
-                    # Wildcard doesn't match any actions
-                    return (
-                        False,
-                        f"Action pattern '{action_name}' does not match any actions in service '{service_prefix}'",
-                        True,
-                    )
+                # Wildcard doesn't match any actions
+                return (
+                    False,
+                    f"Action pattern `{action_name}` does not match any actions in service `{service_prefix}`",
+                    True,
+                )
 
             # Check if exact action exists (case-insensitive)
             action_exists = any(a.lower() == action_name.lower() for a in available_actions)
 
             if action_exists:
                 return True, None, False
-            else:
-                # Suggest similar actions
-                similar = [a for a in available_actions if action_name.lower() in a.lower()][:3]
 
-                suggestion = f" Did you mean: {', '.join(similar)}?" if similar else ""
-                return (
-                    False,
-                    f"Action '{action_name}' not found in service '{service_prefix}'.{suggestion}",
-                    False,
-                )
+            # Suggest similar actions
+            similar = [f"`{a}`" for a in available_actions if action_name.lower() in a.lower()][:3]
+
+            suggestion = f" Did you mean: {', '.join(similar)}?" if similar else ""
+            return (
+                False,
+                f"Action `{action_name}` not found in service `{service_prefix}`.{suggestion}",
+                False,
+            )
 
         except ValueError as e:
             return False, str(e), False
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.error(f"Error validating action {action}: {e}")
             return False, f"Failed to validate action: {str(e)}", False
 
@@ -859,7 +861,7 @@ class AWSServiceFetcher:
             - suggestion: Detailed suggestion with valid keys (shown in collapsible section)
         """
         try:
-            from iam_validator.core.config.aws_global_conditions import (
+            from iam_validator.core.config.aws_global_conditions import (  # pylint: disable=import-outside-toplevel
                 get_global_conditions,
             )
 
@@ -911,11 +913,11 @@ class AWSServiceFetcher:
                 # AWS allows it but the key may not be available in every request context
                 if is_global_key and action_detail.action_condition_keys is not None:
                     warning_msg = (
-                        f"Global condition key '{condition_key}' is used with action '{action}'. "
+                        f"Global condition key `{condition_key}` is used with action `{action}`. "
                         f"While global condition keys can be used across all AWS services, "
                         f"the key may not be available in every request context. "
-                        f"Verify that '{condition_key}' is available for this specific action's request context. "
-                        f"Consider using '*IfExists' operators (e.g., StringEqualsIfExists) if the key might be missing."
+                        f"Verify that `{condition_key}` is available for this specific action's request context. "
+                        f"Consider using `*IfExists` operators (e.g., `StringEqualsIfExists`) if the key might be missing."
                     )
                     return ConditionKeyValidationResult(is_valid=True, warning_message=warning_msg)
 
@@ -1000,7 +1002,7 @@ class AWSServiceFetcher:
                 suggestion=suggestion,
             )
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.error(f"Error validating condition key {condition_key} for {action}: {e}")
             return ConditionKeyValidationResult(
                 is_valid=False,
@@ -1017,7 +1019,7 @@ class AWSServiceFetcher:
             for cache_file in self._cache_dir.glob("*.json"):
                 try:
                     cache_file.unlink()
-                except Exception as e:
+                except Exception as e:  # pylint: disable=broad-exception-caught
                     logger.warning(f"Failed to delete cache file {cache_file}: {e}")
 
         logger.info("Cleared all caches")