iam-policy-validator 1.7.2__py3-none-any.whl → 1.9.0__py3-none-any.whl

iam_validator/checks/action_resource_matching.py

@@ -22,8 +22,9 @@ Example:
 """
 
 import re
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 from iam_validator.sdk.arn_matching import (
@@ -42,17 +43,9 @@ class ActionResourceMatchingCheck(PolicyCheck):
     work as intended because the resource ARNs don't match what the action requires.
     """
 
-    @property
-    def check_id(self) -> str:
-        return "action_resource_matching"
-
-    @property
-    def description(self) -> str:
-        return "Validates that resources match required types for actions"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"  # Security issue, not IAM validity error
+    check_id: ClassVar[str] = "action_resource_matching"
+    description: ClassVar[str] = "Validates that resources match required types for actions"
+    default_severity: ClassVar[str] = "medium"  # Security issue, not IAM validity error
 
     async def execute(
         self,
@@ -88,6 +81,10 @@ class ActionResourceMatchingCheck(PolicyCheck):
         statement_sid = statement.sid
         line_number = statement.line_number
 
+        # Skip if no resources to validate (e.g., trust policies don't have Resource field)
+        if not resources:
+            return issues
+
         # Skip if we have a wildcard resource (handled by other checks)
         if "*" in resources:
             return issues
@@ -135,7 +132,7 @@ class ActionResourceMatchingCheck(PolicyCheck):
                             statement_sid=statement_sid,
                             line_number=line_number,
                             config=config,
-                            reason=f'Action {action} can only use Resource: "*"',
+                            reason=f'Action `{action}` can only use `Resource: "*"`',
                         )
                     )
                 continue
@@ -289,9 +286,9 @@ class ActionResourceMatchingCheck(PolicyCheck):
         # Special case: Wildcard resource
         if required_format == "*":
             return (
-                f'Action `{action}` can only use Resource: "*" (wildcard).\n'
+                f'Action `{action}` can only use `Resource: "*"` (wildcard).\n'
                 f"  This action does not support resource-level permissions.\n"
-                f'  Example: "Resource": "*"'
+                f'  Example: `"Resource": "*"`'
             )
 
         # Build service-specific suggestion with proper markdown formatting

iam_validator/checks/action_validation.py

@@ -9,7 +9,9 @@ validations. However, it can be useful in environments where Access Analyzer is
 not available or for pre-deployment policy validation to catch errors early.
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -17,17 +19,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ActionValidationCheck(PolicyCheck):
     """Validates that IAM actions exist in AWS services."""
 
-    @property
-    def check_id(self) -> str:
-        return "action_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates that actions exist in AWS service definitions"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
+    check_id: ClassVar[str] = "action_validation"
+    description: ClassVar[str] = "Validates that actions exist in AWS service definitions"
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -63,7 +57,7 @@ class ActionValidationCheck(PolicyCheck):
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="invalid_action",
-                        message=error_msg or f"Invalid action: {action}",
+                        message=error_msg or f"Invalid action: `{action}`",
                         action=action,
                         line_number=line_number,
                     )

iam_validator/checks/condition_key_validation.py

@@ -1,6 +1,8 @@
 """Condition key validation check - validates condition keys against AWS definitions."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ConditionKeyValidationCheck(PolicyCheck):
     """Validates condition keys against AWS service definitions and global keys."""
 
-    @property
-    def check_id(self) -> str:
-        return "condition_key_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates condition keys against AWS service definitions"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"  # Invalid condition keys are IAM policy errors
+    check_id: ClassVar[str] = "condition_key_validation"
+    description: ClassVar[str] = "Validates condition keys against AWS service definitions"
+    default_severity: ClassVar[str] = "error"  # Invalid condition keys are IAM policy errors
 
     async def execute(
         self,
@@ -62,7 +56,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
                                 statement_index=statement_idx,
                                 issue_type="invalid_condition_key",
                                 message=result.error_message
-                                or f"Invalid condition key: {condition_key}",
+                                or f"Invalid condition key: `{condition_key}`",
                                 action=action,
                                 condition_key=condition_key,
                                 line_number=line_number,

iam_validator/checks/condition_type_mismatch.py

@@ -3,7 +3,9 @@
 Validates that condition operators match the expected types for condition keys and values.
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
     normalize_operator,
@@ -16,20 +18,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ConditionTypeMismatchCheck(PolicyCheck):
     """Check for type mismatches between operators, keys, and values."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "condition_type_mismatch"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Validates condition operator types match key types and value formats"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "error"
+    check_id: ClassVar[str] = "condition_type_mismatch"
+    description: ClassVar[str] = (
+        "Validates condition operator types match key types and value formats"
+    )
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -72,7 +65,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
         # Check each condition operator and its keys/values
         for operator, conditions in statement.condition.items():
             # Normalize the operator and get its expected type
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, operator_type, _set_prefix = normalize_operator(operator)
 
             if operator_type is None:
                 # Unknown operator - this will be caught by another check
@@ -108,8 +101,8 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                             severity="warning",
                             message=(
                                 f"Type mismatch (usable but not recommended): Operator `{operator}` expects "
-                                f"{operator_type} values, but condition key `{condition_key}` is type {key_type}. "
-                                f"Consider using an ARN-specific operator like ArnEquals or ArnLike instead."
+                                f"`{operator_type}` values, but condition key `{condition_key}` is type `{key_type}`. "
+                                f"Consider using an ARN-specific operator like `ArnEquals` or `ArnLike` instead."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -123,8 +116,8 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Type mismatch: Operator `{operator}` expects {operator_type} values, "
-                                f"but condition key `{condition_key}` is type {key_type}."
+                                f"Type mismatch: Operator `{operator}` expects `{operator_type}` values, "
+                                f"but condition key `{condition_key}` is type `{key_type}`."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -172,7 +165,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
         Returns:
             Type string or None if not found
         """
-        from iam_validator.core.config.aws_global_conditions import (
+        from iam_validator.core.config.aws_global_conditions import (  # pylint: disable=import-outside-toplevel
             get_global_conditions,
         )
 
@@ -229,7 +222,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                                         if condition_key_obj.types:
                                             return condition_key_obj.types[0]
 
-            except Exception:
+            except Exception:  # pylint: disable=broad-exception-caught
                 # If we can't look up the action, skip it
                 continue
 

iam_validator/checks/full_wildcard.py

@@ -1,6 +1,8 @@
 """Full wildcard check - detects Action: '*' AND Resource: '*' together (critical security risk)."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class FullWildcardCheck(PolicyCheck):
     """Checks for both Action: '*' AND Resource: '*' which grants full administrative access."""
 
-    @property
-    def check_id(self) -> str:
-        return "full_wildcard"
-
-    @property
-    def description(self) -> str:
-        return "Checks for both action and resource wildcards together (critical risk)"
-
-    @property
-    def default_severity(self) -> str:
-        return "critical"
+    check_id: ClassVar[str] = "full_wildcard"
+    description: ClassVar[str] = (
+        "Checks for both action and resource wildcards together (critical risk)"
+    )
+    default_severity: ClassVar[str] = "critical"
 
     async def execute(
         self,
@@ -41,7 +37,7 @@ class FullWildcardCheck(PolicyCheck):
         if "*" in actions and "*" in resources:
             message = config.config.get(
                 "message",
-                "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+                "Statement allows all actions on all resources - **CRITICAL SECURITY RISK**",
             )
             suggestion = config.config.get(
                 "suggestion",

iam_validator/checks/mfa_condition_check.py

@@ -3,6 +3,8 @@
 Detects dangerous MFA-related condition patterns that may not enforce MFA as intended.
 """
 
+from typing import ClassVar
+
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -10,20 +12,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class MFAConditionCheck(PolicyCheck):
     """Check for MFA condition anti-patterns."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "mfa_condition_antipattern"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Detects dangerous MFA-related condition patterns"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "warning"
+    check_id: ClassVar[str] = "mfa_condition_antipattern"
+    description: ClassVar[str] = "Detects dangerous MFA-related condition patterns"
+    default_severity: ClassVar[str] = "warning"
 
     async def execute(
         self, statement: Statement, statement_idx: int, fetcher, config: CheckConfig
@@ -73,8 +64,8 @@ class MFAConditionCheck(PolicyCheck):
                                 "**Dangerous MFA condition pattern detected.** "
                                 'Using `{"Bool": {"aws:MultiFactorAuthPresent": "false"}}` does not enforce MFA '
                                 "because `aws:MultiFactorAuthPresent` may not exist in the request context. "
-                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement, '
-                                "or use `BoolIfExists` in a Deny statement."
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement, '
+                                "or use `BoolIfExists` in a `Deny` statement."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -100,7 +91,7 @@ class MFAConditionCheck(PolicyCheck):
                                 "**Dangerous MFA condition pattern detected.** "
                                 'Using `{"Null": {"aws:MultiFactorAuthPresent": "false"}}` only checks if the key exists, '
                                 "not whether MFA was actually used. This does not enforce MFA. "
-                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement instead.'
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement instead.'
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,

iam_validator/checks/policy_size.py

@@ -12,12 +12,12 @@ Note: AWS does not count whitespace when calculating policy size.
 
 import json
 import re
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.constants import AWS_POLICY_SIZE_LIMITS
-from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.core.models import ValidationIssue
 
 if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
@@ -29,42 +29,9 @@ class PolicySizeCheck(PolicyCheck):
     # AWS IAM policy size limits (loaded from constants module)
     DEFAULT_LIMITS = AWS_POLICY_SIZE_LIMITS
 
-    @property
-    def check_id(self) -> str:
-        return "policy_size"
-
-    @property
-    def description(self) -> str:
-        return "Validates that IAM policies don't exceed AWS size limits"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
-
-    async def execute(
-        self,
-        statement: Statement,
-        statement_idx: int,
-        fetcher: AWSServiceFetcher,
-        config: CheckConfig,
-    ) -> list[ValidationIssue]:
-        """Execute the policy size check at statement level.
-
-        This is a policy-level check, so statement-level execution returns empty.
-        The actual check runs in execute_policy() which has access to the full policy.
-
-        Args:
-            statement: The IAM policy statement (unused)
-            statement_idx: Index of the statement in the policy (unused)
-            fetcher: AWS service fetcher (unused for this check)
-            config: Configuration for this check instance (unused)
-
-        Returns:
-            Empty list (actual check runs in execute_policy())
-        """
-        del statement, statement_idx, fetcher, config  # Unused
-        # This is a policy-level check - execution happens in execute_policy()
-        return []
+    check_id: ClassVar[str] = "policy_size"
+    description: ClassVar[str] = "Validates that IAM policies don't exceed AWS size limits"
+    default_severity: ClassVar[str] = "error"
 
     async def execute_policy(
         self,