A set of cleanup fixes (#4014)

* A set of cleanup fixes
* Limit where github actions run

Author: kddejong

.github/workflows/cd-pypi.yaml

@@ -7,6 +7,7 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python

.github/workflows/cd-release.yaml

@@ -7,6 +7,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/maintenance-v0.yaml

@@ -6,6 +6,7 @@ on:
 jobs:
   job:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/maintenance-v1.yaml

@@ -6,6 +6,7 @@ on:
 jobs:
   job:
     runs-on: ubuntu-latest
+    if: github.repository == 'aws-cloudformation/cfn-lint'
     steps:
       - uses: actions/checkout@v4
         with:

scripts/update_schemas_manually.py

@@ -593,11 +593,11 @@
                     path="/definitions/StageDeclaration/properties/Actions",
                 ),
                 Patch(
-                    values={"pattern": "^[0-9A-Za-z_-]{1,9}$"},
+                    values={"pattern": "^[0-9A-Za-z_\-]{1,9}$"},
                     path="/definitions/ActionTypeId/properties/Version",
                 ),
                 Patch(
-                    values={"pattern": "^[A-Za-z0-9.@-_]{1,100}$"},
+                    values={"pattern": "^[A-Za-z0-9.@\-_]{1,100}$"},
                     path="/definitions/ActionDeclaration/properties/Name",
                 ),
             ],

src/cfnlint/data/schemas/patches/extensions/all/aws_codepipeline_pipeline/manual.json

@@ -10,12 +10,12 @@
  {
   "op": "add",
   "path": "/definitions/ActionDeclaration/properties/Name/pattern",
-  "value": "^[A-Za-z0-9.@-_]{1,100}$"
+  "value": "^[A-Za-z0-9.@\\-_]{1,100}$"
  },
  {
   "op": "add",
   "path": "/definitions/ActionTypeId/properties/Version/pattern",
-  "value": "^[0-9A-Za-z_-]{1,9}$"
+  "value": "^[0-9A-Za-z_\\-]{1,9}$"
  },
  {
   "op": "add",

src/cfnlint/data/schemas/providers/ap_southeast_5/aws-codepipeline-pipeline.json

@@ -25,7 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
-     "pattern": "^[A-Za-z0-9.@-_]{1,100}$",
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -76,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/ap_southeast_7/aws-codepipeline-pipeline.json

@@ -25,7 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
-     "pattern": "^[A-Za-z0-9.@-_]{1,100}$",
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -76,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/ca_west_1/aws-codepipeline-pipeline.json

@@ -25,7 +25,7 @@
      "uniqueItems": true
     },
     "Name": {
-     "pattern": "^[A-Za-z0-9.@-_]{1,100}$",
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -76,7 +76,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/data/schemas/providers/us_east_1/aws-codepipeline-pipeline.json

@@ -32,7 +32,7 @@
      "uniqueItems": true
     },
     "Name": {
-     "pattern": "^[A-Za-z0-9.@-_]{1,100}$",
+     "pattern": "^[A-Za-z0-9.@\\-_]{1,100}$",
      "type": "string"
     },
     "Namespace": {
@@ -100,7 +100,7 @@
      "type": "string"
     },
     "Version": {
-     "pattern": "^[0-9A-Za-z_-]{1,9}$",
+     "pattern": "^[0-9A-Za-z_\\-]{1,9}$",
      "type": "string"
     }
    },

src/cfnlint/rules/resources/iam/ResourcePolicy.py

@@ -3,6 +3,9 @@
 SPDX-License-Identifier: MIT-0
 """
 
+from typing import Any
+
+from cfnlint.jsonschema import ValidationResult, Validator
 from cfnlint.rules.resources.iam.Policy import Policy
 
 
@@ -30,3 +33,16 @@ def __init__(self):
             "resource",
             "policy_resource.json",
         )
+
+    def validate(
+        self,
+        validator: Validator,
+        policy_type: Any,
+        policy: Any,
+        schema: dict[str, Any],
+    ) -> ValidationResult:
+        for err in super().validate(validator, policy_type, policy, schema):
+            if validator.context.path.cfn_path[1] == "AWS::S3::BucketPolicy":
+                if err.validator == "uniqueKeys" and err.schema_path[-2] == "Statement":
+                    continue
+            yield err

test/integration/test_schema_files.py

@@ -40,6 +40,7 @@ class TestSchemaFiles(TestCase):
         "Outputs/*/Value",
         "Parameters",
         "Parameters/*",
+        "Parameters/*/AllowedPattern",
         "Resources",
         "Resources/*",
         "Resources/*/Condition",

test/unit/rules/resources/iam/test_resource_policy.py

@@ -3,11 +3,12 @@
 SPDX-License-Identifier: MIT-0
 """
 
+from collections import deque
 from unittest import TestCase
 
-from cfnlint.context import Context
+from cfnlint.context import Context, Path
 from cfnlint.helpers import FUNCTIONS
-from cfnlint.jsonschema import CfnTemplateValidator
+from cfnlint.jsonschema import CfnTemplateValidator, ValidationError
 from cfnlint.rules.resources.iam.ResourcePolicy import ResourcePolicy
 
 
@@ -20,7 +21,13 @@ def setUp(self):
 
     def test_object_basic(self):
         """Test Positive"""
-        validator = CfnTemplateValidator()
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                )
+            )
+        )
 
         policy = {"Version": "2012-10-18"}
 
@@ -30,15 +37,21 @@ def test_object_basic(self):
             )
         )
         self.assertEqual(len(errs), 2, errs)
-        self.assertEqual(errs[0].message, "'Statement' is a required property")
-        self.assertListEqual(list(errs[0].path), [])
         self.assertEqual(
-            errs[1].message, "'2012-10-18' is not one of ['2008-10-17', '2012-10-17']"
+            errs[0].message, "'2012-10-18' is not one of ['2008-10-17', '2012-10-17']"
         )
-        self.assertListEqual(list(errs[1].path), ["Version"])
+        self.assertListEqual(list(errs[0].path), ["Version"])
+        self.assertEqual(errs[1].message, "'Statement' is a required property")
+        self.assertListEqual(list(errs[1].path), [])
 
     def test_object_multiple_effect(self):
-        validator = CfnTemplateValidator()
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                )
+            )
+        )
 
         policy = {
             "Version": "2012-10-17",
@@ -91,7 +104,12 @@ def test_object_multiple_effect(self):
 
     def test_object_statements(self):
         validator = CfnTemplateValidator({}).evolve(
-            context=Context(functions=FUNCTIONS)
+            context=Context(
+                functions=FUNCTIONS,
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                ),
+            )
         )
 
         policy = {
@@ -138,7 +156,13 @@ def test_object_statements(self):
 
     def test_string_statements(self):
         """Test Positive"""
-        validator = CfnTemplateValidator()
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                )
+            )
+        )
 
         # ruff: noqa: E501
         policy = """
@@ -183,7 +207,12 @@ def test_string_statements(self):
 
     def test_principal_wildcard(self):
         validator = CfnTemplateValidator({}).evolve(
-            context=Context(functions=FUNCTIONS)
+            context=Context(
+                functions=FUNCTIONS,
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                ),
+            )
         )
 
         policy = {
@@ -227,13 +256,59 @@ def test_principal_wildcard(self):
 
     def test_assumed_role(self):
         validator = CfnTemplateValidator({}).evolve(
-            context=Context(functions=FUNCTIONS)
+            context=Context(
+                functions=FUNCTIONS,
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                ),
+            )
+        )
+
+        policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Action": "*",
+                    "Resource": "arn:aws:s3:::bucket",
+                    "Principal": {
+                        "AWS": "arn:aws:sts::123456789012:assumed-role/rolename/rolesessionname"
+                    },
+                },
+            ],
+        }
+
+        errs = list(
+            self.rule.validate(
+                validator=validator, policy=policy, schema={}, policy_type=None
+            )
+        )
+        self.assertListEqual(errs, [])
+
+    def test_duplicate_sid(self):
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(
+                functions=FUNCTIONS,
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::S3::BucketPolicy", "Properties"])
+                ),
+            )
         )
 
         policy = {
             "Version": "2012-10-17",
             "Statement": [
                 {
+                    "Sid": "A",
+                    "Effect": "Allow",
+                    "Action": "*",
+                    "Resource": "arn:aws:s3:::bucket",
+                    "Principal": {
+                        "AWS": "arn:aws:sts::123456789012:assumed-role/rolename/rolesessionname"
+                    },
+                },
+                {
+                    "Sid": "A",
                     "Effect": "Allow",
                     "Action": "*",
                     "Resource": "arn:aws:s3:::bucket",
@@ -250,3 +325,30 @@ def test_assumed_role(self):
             )
         )
         self.assertListEqual(errs, [])
+
+        # Fail on SNS topic
+        validator = CfnTemplateValidator({}).evolve(
+            context=Context(
+                functions=FUNCTIONS,
+                path=Path(
+                    cfn_path=deque(["Resources", "AWS::SNS::TopicPolicy", "Properties"])
+                ),
+            )
+        )
+        errs = list(
+            self.rule.validate(
+                validator=validator, policy=policy, schema={}, policy_type=None
+            )
+        )
+        self.assertListEqual(
+            errs,
+            [
+                ValidationError(
+                    "array items are not unique for keys ['Sid']",
+                    validator="uniqueKeys",
+                    schema_path=deque(["properties", "Statement", "uniqueKeys"]),
+                    path=deque(["Statement"]),
+                    rule=ResourcePolicy(),
+                )
+            ],
+        )