in packages/core/src/awsService/accessanalyzer/vue/iamPolicyChecks.ts [166:333]
public async validatePolicy(
documentType: PolicyChecksDocumentType,
policyType: PolicyChecksPolicyType,
cfnParameterPath?: string
) {
const document = IamPolicyChecksWebview.editedDocumentFileName
validatePolicyDiagnosticCollection.clear()
const diagnostics: vscode.Diagnostic[] = []
switch (documentType) {
case 'JSON Policy Language': {
if (isJsonPolicyLanguage(document)) {
telemetry.accessanalyzer_iamPolicyChecksValidatePolicy.run((span) => {
span.record({
documentType,
inputPolicyType: policyType ? policyType : 'None',
})
this.client.config.credentials = new SharedIniFileCredentials({
profile: `${getProfileName()}`,
}) // We need to detect changes in the user's credentials
this.client.validatePolicy(
{
policyDocument: IamPolicyChecksWebview.editedDocument,
policyType: policyType === 'Identity' ? 'IDENTITY_POLICY' : 'RESOURCE_POLICY',
},
(err, data) => {
if (err) {
span.record({
findingsCount: 0,
})
if (err instanceof ExpiredTokenException) {
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.InvalidAwsCredentials,
getResultCssColor('Error'),
])
} else {
this.onValidatePolicyResponse.fire([err.message, getResultCssColor('Error')])
}
} else {
if (data.findings.length > 0) {
span.record({
findingsCount: data.findings.length,
})
// eslint-disable-next-line unicorn/no-array-for-each
data.findings.forEach((finding: AccessAnalyzer.ValidatePolicyFinding) => {
const message = `${finding.findingType}: ${finding.issueCode} - ${finding.findingDetails} Learn more: ${finding.learnMoreLink}`
if ((finding.findingType as ValidatePolicyFindingType) === 'ERROR') {
diagnostics.push(
new vscode.Diagnostic(
new vscode.Range(
finding.locations[0].span.start.line,
finding.locations[0].span.start.offset,
finding.locations[0].span.end.line,
finding.locations[0].span.end.offset
),
message,
vscode.DiagnosticSeverity.Error
)
)
validatePolicyDiagnosticCollection.set(
IamPolicyChecksWebview.editedDocumentUri,
diagnostics
)
} else {
diagnostics.push(
new vscode.Diagnostic(
new vscode.Range(
finding.locations[0].span.start.line,
finding.locations[0].span.start.offset,
finding.locations[0].span.end.line,
finding.locations[0].span.end.offset
),
message,
vscode.DiagnosticSeverity.Warning
)
)
validatePolicyDiagnosticCollection.set(
IamPolicyChecksWebview.editedDocumentUri,
diagnostics
)
}
})
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.ValidatePolicySuccessWithFindings,
getResultCssColor('Warning'),
])
void vscode.commands.executeCommand('workbench.actions.view.problems')
} else {
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.ValidatePolicySuccessNoFindings,
getResultCssColor('Success'),
])
}
}
}
)
})
return
} else {
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.IncorrectFileExtension,
getResultCssColor('Error'),
])
return
}
}
case 'Terraform Plan': {
if (isTerraformPlan(document)) {
const command = 'tf-policy-validator'
const args = [
'validate',
'--template-path',
`${document}`,
'--region',
`${this.region}`,
'--config',
`${globals.context.asAbsolutePath(defaultTerraformConfigPath)}`,
'--profile',
`${getProfileName()}`,
]
await this.executeValidatePolicyCommand({
command,
args,
cfnParameterPathExists: !!cfnParameterPath,
documentType,
policyType,
})
return
} else {
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.IncorrectFileExtension,
getResultCssColor('Error'),
])
return
}
}
case 'CloudFormation': {
if (isCloudFormationTemplate(document)) {
const command = 'cfn-policy-validator'
const args = [
'validate',
'--template-path',
`${document}`,
'--region',
`${this.region}`,
'--profile',
`${getProfileName()}`,
]
if (cfnParameterPath !== '') {
args.push('--template-configuration-file', `${cfnParameterPath}`)
}
await this.executeValidatePolicyCommand({
command,
args,
cfnParameterPathExists: !!cfnParameterPath,
documentType,
policyType,
})
return
} else {
this.onValidatePolicyResponse.fire([
IamPolicyChecksConstants.IncorrectFileExtension,
getResultCssColor('Error'),
])
return
}
}
}
}