marque_ism/

attrs.rs

//! `IsmAttributes` — the canonical in-memory representation of a classification marking.
//!
//! Mirrors the IC ISM XML attribute model. Every source format (free text, XML, web forms)
//! normalizes into this struct before rule validation.
//!
//! # Type design
//! Multi-value fields use `Box<[T]>` rather than `Vec<T>` to avoid over-allocation
//! after parsing. Most markings have 0–4 values per field.
//!
//! # Code generation
//! CVE enum variants (`SciControl`, `DissemControl`, `DeclassExemption`, `SarIdentifier`)
//! are generated by `build.rs` from ODNI CVE XML files and re-exported from
//! `crate::generated::values`.

use crate::generated::values;
use crate::span::Span;

// Re-export generated enum types for convenience.
pub use values::{DeclassExemption, DissemControl, SarIdentifier, SciControl};

/// Canonical in-memory representation of an IC classification marking.
///
/// Produced by `marque-core::parser` from scanner candidates.
/// Consumed by `marque-rules::Rule` implementations for validation.
#[non_exhaustive]
#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct IsmAttributes {
    /// Primary classification level. `None` means parsing failed to identify one.
    pub classification: Option<Classification>,

    /// SCI controls (e.g., SI, TK, HCS). Ordered per CAPCO block ordering rules.
    pub sci_controls: Box<[SciControl]>,

    /// Special Access Required identifiers.
    pub sar_identifiers: Box<[SarIdentifier]>,

    /// Dissemination controls (e.g., NOFORN, RELIDO, ORCON, FISA).
    pub dissem_controls: Box<[DissemControl]>,

    /// REL TO country trigraphs. USA must be present and first if non-empty.
    pub rel_to: Box<[Trigraph]>,

    /// Declassification date from CAB (free text, e.g., "20331231").
    pub declassify_on: Option<Box<str>>,

    /// Free-text "Classified By" identifier from CAB.
    pub classified_by: Option<Box<str>>,

    /// Free-text "Derived From" source from CAB.
    pub derived_from: Option<Box<str>>,

    /// Declassification exemption code from CAB (e.g., 25X1, 50X1-HUM).
    pub declass_exemption: Option<DeclassExemption>,

    /// Per-token byte spans into the *original source buffer*, recorded by
    /// the parser as it walks the marking string. Phase 3 added this so
    /// rules can point at the exact offending byte range instead of the
    /// whole marking. Empty for CAB markings (CAB parsing is line-structured
    /// and doesn't go through the token-walking path).
    ///
    /// Indexing convention: `token_spans` is in document order. To find the
    /// span for the Nth `DissemControl`, walk the slice and pick the Nth
    /// entry whose `kind == TokenKind::DissemControl`.
    pub token_spans: Box<[TokenSpan]>,
}

/// One parser-recognized token plus its byte span in the original source.
///
/// Used by Phase 3 rules to surface byte-precise diagnostic spans without
/// re-parsing the source. The `text` field carries the literal token bytes
/// so rules that need the source content (E006, E007, E008 against migration
/// keys) can look up entries without threading `&[u8] source` through every
/// `Rule::check` signature.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TokenSpan {
    pub kind: TokenKind,
    pub span: Span,
    pub text: Box<str>,
}

/// Discriminant for `TokenSpan`. Phase 3 rules read these to filter
/// token-span lookups by category.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum TokenKind {
    /// Classification level token (S, SECRET, TS, TOP SECRET, ...).
    Classification,
    /// SCI control token (SI, TK, HCS, ...).
    SciControl,
    /// SAR identifier token.
    SarIdentifier,
    /// Dissemination control token (NOFORN, NF, ORCON, OC, RELIDO, ...).
    DissemControl,
    /// REL TO country trigraph (USA, GBR, AUS, ...). One per token, not the
    /// whole REL TO list.
    RelToTrigraph,
    /// Declassification exemption code in CAB or banner (25X1, 50X1-HUM).
    DeclassExemption,
    /// Declassification date in CAB or banner (YYYYMMDD or YYYY).
    DeclassDate,
    /// `//` separator between blocks. Recorded so E004 can detect extra/
    /// missing separator runs.
    Separator,
    /// A non-empty block that did not match any known token kind. E008 fires
    /// one diagnostic per `Unknown` entry.
    Unknown,
}

/// Classification level. These values are stable across CAPCO schema versions.
/// Hand-written rather than generated because the CVE uses abbreviations (R/C/S/TS/U)
/// while the tool needs both abbreviated and full-word forms.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum Classification {
    Unclassified,
    Confidential,
    Secret,
    TopSecret,
}

impl Classification {
    /// Banner form (full words, no abbreviations).
    pub fn banner_str(self) -> &'static str {
        match self {
            Self::Unclassified => "UNCLASSIFIED",
            Self::Confidential => "CONFIDENTIAL",
            Self::Secret => "SECRET",
            Self::TopSecret => "TOP SECRET",
        }
    }

    /// Portion form (abbreviation used in portion markings).
    pub fn portion_str(self) -> &'static str {
        match self {
            Self::Unclassified => "U",
            Self::Confidential => "C",
            Self::Secret => "S",
            Self::TopSecret => "TS",
        }
    }
}

/// A 3-character country trigraph (e.g., USA, GBR, AUS).
/// Validated against CVE country code list at rule-check time.
///
/// The inner bytes are private; construction goes through [`Trigraph::try_new`]
/// which enforces ASCII-uppercase invariants so that [`Trigraph::as_str`] can
/// return a `&str` infallibly without panicking at runtime.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct Trigraph([u8; 3]);

impl Trigraph {
    /// The always-valid `USA` trigraph constant.
    pub const USA: Self = Self(*b"USA");

    /// Attempt to construct a trigraph from 3 bytes.
    ///
    /// Returns `None` unless every byte is an ASCII uppercase letter
    /// (`A`–`Z`), which is the invariant enforced by CAPCO for all valid
    /// country/entity codes.
    #[inline]
    pub const fn try_new(bytes: [u8; 3]) -> Option<Self> {
        let mut i = 0;
        while i < 3 {
            if !bytes[i].is_ascii_uppercase() {
                return None;
            }
            i += 1;
        }
        Some(Self(bytes))
    }

    /// Return the trigraph as a string slice.
    ///
    /// Infallible because construction via [`Trigraph::try_new`] (or the
    /// [`Trigraph::USA`] constant) guarantees ASCII-uppercase bytes, which
    /// are always valid UTF-8.
    #[inline]
    pub fn as_str(&self) -> &str {
        // SAFETY: `Trigraph` can only be constructed via `try_new` or the
        // `USA` constant, both of which require ASCII uppercase letters.
        // ASCII is a subset of valid UTF-8.
        unsafe { std::str::from_utf8_unchecked(&self.0) }
    }
}

impl std::fmt::Display for Trigraph {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.write_str(self.as_str())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn trigraph_usa_constant_is_valid() {
        assert_eq!(Trigraph::USA.as_str(), "USA");
    }

    #[test]
    fn trigraph_try_new_accepts_uppercase() {
        let t = Trigraph::try_new(*b"GBR").unwrap();
        assert_eq!(t.as_str(), "GBR");
    }

    #[test]
    fn trigraph_try_new_rejects_lowercase() {
        assert!(Trigraph::try_new(*b"usa").is_none());
    }

    #[test]
    fn trigraph_try_new_rejects_digits() {
        assert!(Trigraph::try_new(*b"US1").is_none());
    }

    #[test]
    fn trigraph_try_new_rejects_high_bytes() {
        assert!(Trigraph::try_new([0xFF, 0xFF, 0xFF]).is_none());
    }

    #[test]
    fn classification_round_trip() {
        for c in [
            Classification::Unclassified,
            Classification::Confidential,
            Classification::Secret,
            Classification::TopSecret,
        ] {
            assert!(!c.banner_str().is_empty());
            assert!(!c.portion_str().is_empty());
        }
    }
}