iam-policy-validator 1.7.2__py3-none-any.whl → 1.9.0__py3-none-any.whl

iam_validator/checks/wildcard_resource.py

@@ -1,7 +1,9 @@
 """Wildcard resource check - detects Resource: '*' in IAM policies."""
 
+from typing import ClassVar
+
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -9,17 +11,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class WildcardResourceCheck(PolicyCheck):
     """Checks for wildcard resources (Resource: '*') which grant access to all resources."""
 
-    @property
-    def check_id(self) -> str:
-        return "wildcard_resource"
-
-    @property
-    def description(self) -> str:
-        return "Checks for wildcard resources (*)"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"
+    check_id: ClassVar[str] = "wildcard_resource"
+    description: ClassVar[str] = "Checks for wildcard resources (*)"
+    default_severity: ClassVar[str] = "medium"
 
     async def execute(
         self,
@@ -62,7 +56,9 @@ class WildcardResourceCheck(PolicyCheck):
                     return issues
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
-            message = config.config.get("message", "Statement applies to all resources (*)")
+            message = config.config.get(
+                "message", 'Statement applies to all resources `"*"` (wildcard resource).'
+            )
             suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
             )

iam_validator/commands/cache.py

@@ -8,7 +8,8 @@ from rich.console import Console
 from rich.table import Table
 
 from iam_validator.commands.base import Command
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.aws_service.storage import ServiceFileStorage
 from iam_validator.core.config.config_loader import ConfigLoader
 
 logger = logging.getLogger(__name__)
@@ -130,7 +131,7 @@ Examples:
         cache_ttl_seconds = cache_ttl_hours * 3600
 
         # Get cache directory (even if caching is disabled, for info purposes)
-        cache_dir = AWSServiceFetcher._get_cache_directory(cache_directory)
+        cache_dir = ServiceFileStorage.get_cache_directory(cache_directory)
 
         action = args.cache_action
 
@@ -226,7 +227,7 @@ Examples:
             services.append({"name": name, "size": size, "file": f.name, "mtime": mtime})
 
         # Sort by service name
-        services.sort(key=lambda x: x["name"])
+        services.sort(key=lambda x: str(x["name"]))
 
         if output_format == "table":
             self._print_services_table(services)

iam_validator/commands/validate.py

@@ -44,6 +44,9 @@ Examples:
   # Use custom checks from a directory
   iam-validator validate --path ./policies/ --custom-checks-dir ./my-checks
 
+  # Use offline mode with pre-downloaded AWS service definitions
+  iam-validator validate --path ./policies/ --aws-services-dir ./aws_services
+
   # Generate JSON output
   iam-validator validate --path ./policies/ --format json --output report.json
 
@@ -114,13 +117,17 @@ Examples:
             choices=[
                 "IDENTITY_POLICY",
                 "RESOURCE_POLICY",
+                "TRUST_POLICY",
                 "SERVICE_CONTROL_POLICY",
                 "RESOURCE_CONTROL_POLICY",
             ],
             default="IDENTITY_POLICY",
             help="Type of IAM policy being validated (default: IDENTITY_POLICY). "
-            "Enables policy-type-specific validation (e.g., requiring Principal for resource policies, "
-            "strict RCP requirements for resource control policies)",
+            "IDENTITY_POLICY: Attached to users/groups/roles | "
+            "RESOURCE_POLICY: S3/SNS/SQS policies | "
+            "TRUST_POLICY: Role assumption policies | "
+            "SERVICE_CONTROL_POLICY: AWS Orgs SCPs | "
+            "RESOURCE_CONTROL_POLICY: AWS Orgs RCPs",
         )
 
         parser.add_argument(
@@ -160,9 +167,10 @@ Examples:
         )
 
         parser.add_argument(
-            "--no-registry",
-            action="store_true",
-            help="Use legacy validation (disable check registry system)",
+            "--aws-services-dir",
+            help="Path to directory containing pre-downloaded AWS service definitions "
+            "(enables offline mode, avoids API rate limiting). "
+            "Use 'iam-validator download-services' to create this directory.",
         )
 
         parser.add_argument(
@@ -242,16 +250,16 @@ Examples:
             logging.info(f"Loaded {len(policies)} policies from {len(args.paths)} path(s)")
 
         # Validate policies
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
+        aws_services_dir = getattr(args, "aws_services_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
         results = await validate_policies(
             policies,
             config_path=config_path,
-            use_registry=use_registry,
             custom_checks_dir=custom_checks_dir,
             policy_type=policy_type,
+            aws_services_dir=aws_services_dir,
         )
 
         # Generate report (include parsing errors if any)
@@ -329,7 +337,6 @@ Examples:
         """
         loader = PolicyLoader()
         generator = ReportGenerator()
-        use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
@@ -354,7 +361,6 @@ Examples:
             results = await validate_policies(
                 [(file_path, policy)],
                 config_path=config_path,
-                use_registry=use_registry,
                 custom_checks_dir=custom_checks_dir,
                 policy_type=policy_type,
             )

iam_validator/core/__init__.py

@@ -1,13 +1,12 @@
 """Core validation modules."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
-from iam_validator.core.policy_checks import PolicyValidator, validate_policies
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.policy_checks import validate_policies
 from iam_validator.core.policy_loader import PolicyLoader
 from iam_validator.core.report import ReportGenerator
 
 __all__ = [
     "AWSServiceFetcher",
-    "PolicyValidator",
     "validate_policies",
     "PolicyLoader",
     "ReportGenerator",

iam_validator/core/access_analyzer.py

@@ -577,7 +577,7 @@ class AccessAnalyzerValidator:
                 )
                 results.append(result)
 
-            except Exception as e:
+            except Exception as e:  # pylint: disable=broad-exception-caught
                 self.logger.error(f"Failed to validate {policy_file}: {e}")
                 result = AccessAnalyzerResult(
                     policy_file=policy_file,

iam_validator/core/access_analyzer_report.py

@@ -259,7 +259,7 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save JSON report
         """
         json_content = self.generate_json_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(json_content)
 
     def generate_markdown_report(
@@ -636,5 +636,5 @@ class AccessAnalyzerReportFormatter:
             file_path: Path to save Markdown report
         """
         markdown_content = self.generate_markdown_report(report)
-        with open(file_path, "w") as f:
+        with open(file_path, "w", encoding="utf-8") as f:
             f.write(markdown_content)