work in progress commit. Not quite working yet

ahouseholder · ahouseholder · commit 3993da4366d2 · 2025-07-17T12:20:06.000-04:00
diff --git a/src/ssvc/namespaces.py b/src/ssvc/namespaces.py
@@ -36,21 +36,40 @@
 MAX_NS_LENGTH = 1000
 NS_LENGTH_INTERVAL = MAX_NS_LENGTH - MIN_NS_LENGTH
 
+
+# from https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html
+BCP_47_PATTERN = r"(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3}){0,2})?|[A-Za-z]{4,8})(-[A-Za-z]{4})?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}|[0-9][A-Za-z0-9]{3}))*(-[A-WY-Za-wy-z0-9](-[A-Za-z0-9]{2,8})+)*(-[Xx](-[A-Za-z0-9]{1,8})+)?|[Xx](-[A-Za-z0-9]{1,8})+|[Ii]-[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-[Mm][Ii][Nn][Gg][Oo])"
+
 LENGTH_CHECK_PATTERN = rf"(?=.{{{MIN_NS_LENGTH},{MAX_NS_LENGTH}}}$)"
 """Ensures the string is between MIN_NS_LENGTH and MAX_NS_LENGTH characters long."""
 
-PREFIX_CHECK_PATTERN = rf"(x_)?[a-z0-9]{{{MIN_NS_LENGTH}}}"
-"""Ensures the string starts with an optional prefix followed by at least 3 alphanumeric characters."""
+# Base namespace part (before any extensions) allows . and - with restrictions
+BASE_PATTERN = (
+    r"(?!.*[.-]{2,})"  # no consecutive separators
+    r"[a-z][a-z0-9]{2,}"  # first part starts with a letter, followed by one or more alphanumeric characters
+    r"(?:[.-][a-z0-9]+)*"  # remaining parts can have alphanumeric characters and single . or - separators
+)
+
+X_PFX = "x_"
+EXPERIMENTAL_BASE = rf"{X_PFX}{BASE_PATTERN}"
+BASE_NS_PATTERN = rf"({EXPERIMENTAL_BASE}|{BASE_PATTERN})"
+
+# Extension segment pattern (alphanumeric + limited punctuation, no consecutive punctuation, ends with alphanumeric)
+EXT_SEGMENT_PATTERN = (
+    r"(?!.*[.-]{2,})"  # no consecutive separators
+    r"[a-zA-Z0-9]+"  # first part starts with a letter, followed by one or more alphanumeric characters
+    r"(?:[.-][a-zA-Z0-9]+)*"  # remaining parts can have alphanumeric characters and single ., -, / separators
+)
 
-REMAINDER_CHECK_PATTERN = rf"([/.-]?[a-z0-9]+){{0,{NS_LENGTH_INTERVAL}}}$"
-"""Ensures that the string contains only lowercase alphanumeric characters and limited punctuation characters (`/`, `.`, `-`),"""
+# Language extension pattern (BCP-47 or empty for //)
+LANG_EXT_PATTERN = rf"(/({BCP_47_PATTERN})|/)"
 
+# Subsequent extension segments
+SUBSEQUENT_EXT_PATTERN = rf"(/{EXT_SEGMENT_PATTERN})*"
 
-# pattern to match
-# NOTE: be careful with this regex. We're using f-strings to insert the min and max lengths, so we need to ensure that
-# literal { and } characters are escaped properly (doubled up) so they appear in as single braces in the final regex.
+# Complete pattern with length validation
 NS_PATTERN = re.compile(
-    rf"^{LENGTH_CHECK_PATTERN}{PREFIX_CHECK_PATTERN}{REMAINDER_CHECK_PATTERN}$"
+    rf"^{LENGTH_CHECK_PATTERN}{BASE_NS_PATTERN}({LANG_EXT_PATTERN}{SUBSEQUENT_EXT_PATTERN})?$"
 )
 f"""The regular expression pattern for validating namespaces.
 
@@ -59,10 +78,20 @@
     Namespace values must 
     
     - be {MIN_NS_LENGTH}-{MAX_NS_LENGTH} characters long
-    - contain only lowercase alphanumeric characters and limited punctuation characters (`/`,`.` and `-`)
-    - have only one punctuation character in a row
-    - start with 3 alphanumeric characters after the optional extension prefix
-    - end with an alphanumeric character
+    - optionally start with the experimental/private prefix `{X_PFX}`
+    - after the optional experimental/private prefix, they must:
+        - start with a letter
+        - contain at least 3 alphanumeric characters (longer is permitted)
+        - contain only lowercase alphanumeric characters and limited punctuation characters (`.`, `-`)
+    - extensions are supported and optional, and are delineated by slashes (`/`)
+    - more than one extension segment is allowed, however:
+        - the first extension segment, if present, is reserved for a BCP-47 language tag, otherwise it must be empty
+        - if no BCP-47 tag is present, the first extension segment must be empty (i.e., `//`)
+        - double slashes (`//`) are *only* permitted in the *first segment* to indicate no BCP-47 tag
+    - beyond the first extension segment, subsequent segments must:
+        - contain only alphanumeric characters and limited punctuation characters (`.`, `-`)
+        - have only one punctuation character in a row (no double dashes or dots)
+        - end with an alphanumeric character
     
 """
 
diff --git a/src/ssvc/test/test_namespaces_pattern.py b/src/ssvc/test/test_namespaces_pattern.py
@@ -0,0 +1,197 @@
+#  Copyright (c) 2025 Carnegie Mellon University.
+#  NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+#  ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+#  CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+#  EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+#  NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+#  MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+#  OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+#  ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+#  PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+#  Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+#  permission@sei.cmu.edu for full terms.
+#  [DISTRIBUTION STATEMENT A] This material has been approved for
+#  public release and unlimited distribution. Please see Copyright notice
+#  for non-US Government use and distribution.
+#  This Software includes and/or makes use of Third-Party Software each
+#  subject to its own license.
+#  DM24-0278
+
+import logging
+import re
+import unittest
+
+from ssvc.namespaces import (
+    BASE_NS_PATTERN,
+    BASE_PATTERN,
+    LENGTH_CHECK_PATTERN,
+    MAX_NS_LENGTH,
+    MIN_NS_LENGTH,
+    NS_PATTERN,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class TestNamespacePattern(unittest.TestCase):
+    def setUp(self):
+        self.expect_success = [
+            "ssvc",
+            "cisa",
+            "custom",  # not in enum, but valid for the pattern
+            "x_private-test",  # valid namespace with dash
+            "x_custom",  # valid namespace with x_ prefix
+            "x_custom.with.dots",  # valid namespace with x_ prefix and dots
+            "abc",  # not in enum, but valid for the pattern
+            "x_abc",  # valid namespace with x_ prefix
+            "x_custom//extension",  # double slash is okay when it's the first segment
+            "ssvc/de-DE/reference-arch-1",  # valid BCP-47 tag with dashes
+            "x_test/pl-PL/foo/bar/baz/quux",  # valid BCP-47 tag and multiple segments
+        ]
+        self.expect_fail = [
+            "999",  # invalid namespace, numeric only
+            "99xx",  # invalid namespace, numeric prefix
+            "x__invalid",  # invalid namespace, double underscore
+            "x_-invalid",  # invalid namespace, dash after x_
+            "x_.invalid",  # invalid namespace, dash at end
+            "x_/foo",  # invalid namespace, slash after x_, invalid BCP-47 tag
+            "x_//foo",  # invalid namespace, double slash after x_
+            "x_abc/invalid-bcp-47",  # not a valid BCP-47 tag
+            "abc/invalid-bcp-47",  # not in enum (but that's ok for the pattern), not a valid BCP-47 tag
+            "abc/invalid",  # not in enum (but that's ok for the pattern), not a valid BCP-47 tag
+            "x_custom/extension",  # not a valid BCP-47 tag
+            "x_test/not-bcp-47",  # not a valid BCP-47 tag
+            "x_custom/extension/with/multiple/segments/"
+            + "a" * 990,  # exceeds max length
+            "x_custom.extension.",  # ends with punctuation
+            "x_custom..extension",  # double dot
+            "x_custom/",  # ends with slash
+            "x_custom/extension//",  # double slash at end
+            "x_custom/extension/with//double/slash",  # double slash in middle
+            "x_custom/extension/with..double.dot",  # double dot in middle
+            "x_custom/extension/with--double-dash",  # double dash in middle
+            "ab",  # too short
+            "x_",  # too short after prefix
+        ]
+
+    def test_ns_pattern(self):
+
+        self._test_successes_failures(
+            NS_PATTERN.pattern, self.expect_fail, self.expect_success
+        )
+
+    def test_base_pattern(self):
+        x_success = [
+            "abc",
+            "contains.dot",
+            "contains-dash",
+            "contains-dash-and.dot",
+        ]
+        x_fail = [
+            "a",  # too short
+            "ab",  # too short
+            "9abc",  # starts with a number
+            "x_foo",  # no x_ in base pattern
+            "contains..double.dot",  # double dot
+            "contains--double-dash",  # double dash
+            "contains_underscore",  # underscore not allowed
+            "contains/slash",  # slash not allowed
+            ".starts.with.dot",  # starts with a dot
+            "-starts-with-dash",  # starts with a dash
+            "/starts-with-slash",  # starts with a slash
+            "_starts-with-underscore",  # starts with an underscore
+            "ends-with-dot.",  # ends with a dot
+            "ends-with-dash-",  # ends with a dash
+            "ends-with-slash/",  # ends with a slash
+        ]
+        self._test_successes_failures(BASE_PATTERN, x_fail, x_success)
+
+    def test_experimental_base_pattern(self):
+        x_success = [
+            "x_abc",
+            "x_custom",
+            "x_custom.with.dots",  # dots are allowed in the base pattern
+            "x_custom-with-dashes",  # dashes are allowed in the base pattern
+        ]
+        x_fail = [
+            "9abc",  # does not start with x_
+            "x__invalid",  # double underscore
+            "x_-invalid",  # dash after x_
+            "x_.invalid",  # dash at end
+            "x_9abc",  # starts with a number after x_
+            "x_abc.",  # ends with a dot
+            "x_abc-",  # ends with a dash
+            "x_abc/",  # ends with a slash
+            "x_/foo",  # slashes aren't part of the base pattern
+        ]
+        self._test_successes_failures(BASE_NS_PATTERN, x_fail, x_success)
+
+    def test_base_ns_pattern(self):
+        x_success = [
+            "abc",
+            "x_abc",
+            "x_custom",
+            "x_custom.with.dots",  # dots are allowed in the base pattern
+            "x_custom-with-dashes",  # dashes are allowed in the base pattern
+        ]
+        x_fail = [
+            "9abc",  # starts with a number
+            "x__invalid",  # double underscore
+            "x_-invalid",  # dash after x_
+            "x_.invalid",  # dash at end
+            "x_9abc",  # starts with a number after x_
+            "x_abc.",  # ends with a dot
+            "x_abc-",  # ends with a dash
+            "x_abc/",  # ends with a slash
+            "x_/foo",  # slashes aren't part of the base pattern
+        ]
+        self._test_successes_failures(BASE_NS_PATTERN, x_fail, x_success)
+
+    def _test_successes_failures(
+        self, pattern: str, x_fail: list[str], x_success: list[str]
+    ):
+        successes = []
+        failures = []
+        # if pattern is not anchored, anchor it
+        if not pattern.startswith("^"):
+            pattern = "^" + pattern
+        if not pattern.endswith("$"):
+            pattern = pattern + "$"
+
+        for ns in x_success:
+            expected = f"Should match {ns}"
+            if re.match(pattern, ns) is None:
+                failures.append(expected)
+            else:
+                successes.append(expected)
+        for ns in x_fail:
+            expected = f"Should not match {ns}"
+            if re.match(pattern, ns) is not None:
+                failures.append(expected)
+            else:
+                successes.append(expected)
+        logger.debug(f"Successes: {successes}")
+        self.assertFalse(failures)
+
+    def test_length_check_pattern(self):
+        """
+        Test the length check pattern for namespaces.
+        The pattern should enforce a minimum and maximum length.
+        """
+        min_length = MIN_NS_LENGTH
+        max_length = MAX_NS_LENGTH
+
+        valid_ns = "x_valid_namespace"
+        too_short_ns = "x_v"
+        too_long_ns = "x_" + "a" * (max_length - 2)
+
+        for i in range(0, MIN_NS_LENGTH):
+            # should fail for lengths less than MIN_NS_LENGTH
+            ns = "a" * i
+            self.assertIsNone(
+                re.match(LENGTH_CHECK_PATTERN, ns), f"Should not match: {ns}"
+            )
+
+
+if __name__ == "__main__":
+    unittest.main()
