duo-labs · blarghmatey · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,9 @@
 language: python
 python:
-    - "3.7"
-    - "3.8"
+    - "3.10"
+    - "3.11"
+    - "3.12"
+    - "3.13"
+    - "3.14"
 install: make setup
 script: make test
diff --git a/parliament/__init__.py b/parliament/__init__.py
@@ -10,16 +10,18 @@
 import jsoncfg
 import re
 
-import pkg_resources
+from importlib.resources import files
 import yaml
 
 # On initialization, load the IAM data
-iam_definition_path = pkg_resources.resource_filename(__name__, "iam_definition.json")
-iam_definition = json.load(open(iam_definition_path, "r"))
+iam_definition_file = files(__package__).joinpath("iam_definition.json")
+with iam_definition_file.open("r") as f:
+    iam_definition = json.load(f)
 
 # And the config data
-config_path = pkg_resources.resource_filename(__name__, "config.yaml")
-config = yaml.safe_load(open(config_path, "r"))
+config_file = files(__package__).joinpath("config.yaml")
+with config_file.open("r") as f:
+    config = yaml.safe_load(f)
 
 
 def override_config(override_config_path):
@@ -279,7 +281,16 @@ def expand_action(action, raise_exceptions=True):
             "Unknown action {}:{}".format(prefix, unexpanded_action)
         )
 
-    return actions
+    # Deduplicate actions since some services appear multiple times in iam_definition
+    seen = set()
+    deduplicated_actions = []
+    for action in actions:
+        key = (action["service"], action["action"])
+        if key not in seen:
+            seen.add(key)
+            deduplicated_actions.append(action)
+
+    return deduplicated_actions
 
 
 def get_resource_type_matches_from_arn(arn):

diff --git a/parliament/community_auditors/tests/test_advanced_policy_elements.py b/parliament/community_auditors/tests/test_advanced_policy_elements.py
@@ -21,7 +21,7 @@ def test_notresource_allow(self):
         }"""
 
         policy = analyze_policy_string(policystr, include_community_auditors=True)
-        assert_equal(policy.finding_ids, set())
+        assert policy.finding_ids == set()
 
         # According to AWS documentation, "This statement is very dangerous,
         # because it allows all actions in AWS on all resources except the
@@ -41,7 +41,7 @@ def test_notresource_allow(self):
 
         policy = analyze_policy_string(policystr, include_community_auditors=True)
 
-        assert_equal(policy.finding_ids, S3_STAR_FINDINGS | {"NOTRESOURCE_WITH_ALLOW"})
+        assert policy.finding_ids == S3_STAR_FINDINGS | {"NOTRESOURCE_WITH_ALLOW"}
 
     def test_notprincipal_allow(self):
         # NotPrincipal is OK with Effect: Deny. This explcitly omits these
@@ -65,7 +65,7 @@ def test_notprincipal_allow(self):
 
         policy = analyze_policy_string(policystr, include_community_auditors=True)
 
-        assert_equal(policy.finding_ids, set())
+        assert policy.finding_ids == set()
 
         # This implicitly allows everyone _except_ Bob to access BUCKETNAME!
         policystr = """{
@@ -85,4 +85,4 @@ def test_notprincipal_allow(self):
 
         policy = analyze_policy_string(policystr, include_community_auditors=True)
 
-        assert_equal(policy.finding_ids, S3_STAR_FINDINGS | {"NOTPRINCIPAL_WITH_ALLOW"})
+        assert policy.finding_ids == S3_STAR_FINDINGS | {"NOTPRINCIPAL_WITH_ALLOW"}
diff --git a/parliament/community_auditors/tests/test_credentials_exposure.py b/parliament/community_auditors/tests/test_credentials_exposure.py
@@ -24,13 +24,10 @@ def test_credentials_management(self):
             example_policy_string, include_community_auditors=True
         )
 
-        assert_equal(
-            policy.finding_ids,
-            set(
-                [
-                    "CREDENTIALS_EXPOSURE",
-                    "PERMISSIONS_MANAGEMENT_ACTIONS",
-                    "RESOURCE_STAR",
-                ]
-            ),
+        assert policy.finding_ids == set(
+            [
+                "CREDENTIALS_EXPOSURE",
+                "PERMISSIONS_MANAGEMENT_ACTIONS",
+                "RESOURCE_STAR",
+            ]
         )
diff --git a/parliament/community_auditors/tests/test_permissions_management.py b/parliament/community_auditors/tests/test_permissions_management.py
@@ -25,13 +25,10 @@ def test_permissions_management(self):
             example_policy_string, include_community_auditors=True
         )
 
-        assert_equal(
-            policy.finding_ids,
-            set(
-                [
-                    "PERMISSIONS_MANAGEMENT_ACTIONS",
-                    "RESOURCE_POLICY_PRIVILEGE_ESCALATION",
-                    "RESOURCE_STAR",
-                ]
-            ),
+        assert policy.finding_ids == set(
+            [
+                "PERMISSIONS_MANAGEMENT_ACTIONS",
+                "RESOURCE_POLICY_PRIVILEGE_ESCALATION",
+                "RESOURCE_STAR",
+            ]
         )
diff --git a/parliament/community_auditors/tests/test_privilege_escalation.py b/parliament/community_auditors/tests/test_privilege_escalation.py
@@ -23,4 +23,4 @@ def test_privilege_escalation(self):
         policy = analyze_policy_string(
             example_policy_string, include_community_auditors=True
         )
-        assert_equal(policy.finding_ids, set(["PRIVILEGE_ESCALATION", "RESOURCE_STAR"]))
+        assert policy.finding_ids == set(["PRIVILEGE_ESCALATION", "RESOURCE_STAR"])
diff --git a/parliament/community_auditors/tests/test_sensitive_access.py b/parliament/community_auditors/tests/test_sensitive_access.py
@@ -34,7 +34,7 @@ def test_sensitive_access(self):
         policy = analyze_policy_string(
             example_policy_string, include_community_auditors=True, config=config
         )
-        assert_equal(policy.finding_ids, set(["SENSITIVE_ACCESS"]))
+        assert policy.finding_ids == set(["SENSITIVE_ACCESS"])
 
         # Ensure nothing triggers when we change the bucket location
         config = {
@@ -45,7 +45,7 @@ def test_sensitive_access(self):
         policy = analyze_policy_string(
             example_policy_string, include_community_auditors=True, config=config
         )
-        assert_equal(policy.finding_ids, set([]))
+        assert policy.finding_ids == set([])
 
         # Ensure we can test multiple actions
         config = {
@@ -65,7 +65,7 @@ def test_sensitive_access(self):
         policy = analyze_policy_string(
             example_policy_string, include_community_auditors=True, config=config
         )
-        assert_equal(policy.finding_ids, set(["SENSITIVE_ACCESS"]))
+        assert policy.finding_ids == set(["SENSITIVE_ACCESS"])
 
         # Ensure multiple actions with none matching works
         config = {
@@ -79,4 +79,4 @@ def test_sensitive_access(self):
         policy = analyze_policy_string(
             example_policy_string, include_community_auditors=True, config=config
         )
-        assert_equal(policy.finding_ids, set([]))
+        assert policy.finding_ids == set([])
diff --git a/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py b/parliament/community_auditors/tests/test_single_value_condition_too_permissive.py
@@ -4,7 +4,8 @@
 class TestSensitiveAccess:
     """Test class for single value condition too permissive auditor"""
 
-    example_policy_string = """
+    def test_single_value_condition_too_permissive(self):
+        example_policy_string = """
         {
           "Version": "2012-10-17",
           "Statement": [
@@ -25,8 +26,8 @@ class TestSensitiveAccess:
             }
           ]
         }
-    """
-    policy = analyze_policy_string(
-        example_policy_string, include_community_auditors=True
-    )
-    assert_equal(policy.finding_ids, set(["SINGLE_VALUE_CONDITION_TOO_PERMISSIVE"]))
+        """
+        policy = analyze_policy_string(
+            example_policy_string, include_community_auditors=True
+        )
+        assert policy.finding_ids == set(["SINGLE_VALUE_CONDITION_TOO_PERMISSIVE"])