in cfn_policy_validator/validation/validator.py [0:0]
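def validate_roles(self, roles):
    """
    Validate policies attached to roles.

    For each role the trust policy is sent to ValidatePolicy as a
    RESOURCE_POLICY and its findings are recorded under the name
    'TrustPolicy'; the trust policy is also handed to
    __validate_role_trust_policy, whose result is collected and later passed
    to _wait_for_findings so that every role's preview is submitted before
    any is waited on. Each identity policy attached to the role is sent to
    ValidatePolicy as an IDENTITY_POLICY and recorded under the policy's
    own name.

    :param roles: iterable of role objects exposing RoleName, TrustPolicy and
        Policies (each policy exposing Name and Policy). An empty iterable
        records nothing.
    :return: None; all findings are accumulated on self.findings.
    """

    def validate_document(policy_type, document):
        # ValidatePolicy is paginated: follow nextToken until it is absent so
        # that findings past the first page are not silently dropped.
        request = {
            'policyType': policy_type,
            'policyDocument': json.dumps(document)
        }
        findings = []
        while True:
            response = self.client.validate_policy(**request)
            LOGGER.info('ValidatePolicy response: %s', response)
            findings.extend(response['findings'])
            next_token = response.get('nextToken')
            if not next_token:
                return findings
            request['nextToken'] = next_token

    previews_to_await = []
    for role in roles:
        LOGGER.info('Validating trust policy for role %s..', role.RoleName)
        trust_policy_findings = validate_document('RESOURCE_POLICY', role.TrustPolicy)
        self.findings.add_validation_finding(trust_policy_findings, role.RoleName, 'TrustPolicy')
        # the trust policy is additionally checked through an access preview;
        # previews are gathered here and resolved together after the loop
        previews_to_await.append(self.__validate_role_trust_policy(role, trust_policy_findings))

        for policy in role.Policies:
            LOGGER.info('Validating identity policy for %s with name %s', role.RoleName, policy.Name)
            identity_policy_findings = validate_document('IDENTITY_POLICY', policy.Policy)
            self.findings.add_validation_finding(identity_policy_findings, role.RoleName, policy.Name)

    for access_preview_finding in self._wait_for_findings(previews_to_await):
        self.findings.add_trust_policy_finding(
            access_preview_finding.findings,
            access_preview_finding.resource.RoleName
        )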