policy: T5069: large-community-list regex validator disallows whitespace

* Re-introduce the symbol/whitespace matches ' ' and '_' as allowed
* Perform a general Python regex validity check (not 100% 1003.2, but in combination
  with allowedChars, pretty close)
* Introduce a warning against potentially malformed or over-complex patterns,
  but leave it up to the user to resolve - there are plenty of useful
  expressions we cannot validate easily.

Author: Andrew Topp

src/validators/bgp-large-community-list

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021-2023 VyOS maintainers and contributors
+# Copyright (C) 2021-2025 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -17,18 +17,47 @@
 import re
 import sys
 
-pattern = '(.*):(.*):(.*)'
-allowedChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '.', '+', '*', '?', '^', '$', '(', ')', '[', ']', '{', '}', '|', '\\', ':', '-' }
+def console_warning(txt: str):
+    with open('/dev/tty', 'w') as tty:
+        print(f'WARNING: {txt}', file=tty)
+
+# Regex should:
+# * Require complete 3-tuples, no blank members. Catch missed & doubled colons. 
+# * Permit appropriate community separators (whitespace, underscore)
+# * Permit common regex between tuples while requiring at least one separator
+#   (eg, "1:1:1_.*_4:4:4", matching "1:1:1 4:4:4" and "1:1:1 2:2:2 4:4:4",
+#        but not "1:1:13 24:4:4")
+# * Reject run-on beyond the end of the match - full string match & comply
+pattern = r'([^: _]+):([^: _]+):([^: _]+)([ _]([^:]+):([^: _]+):([^: _]+))*'
+allowedChars = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '.', '+', '*', '?', '^', '$', '(', ')', '[', ']', '{', '}', '|', '\\', ':', '-', '_', ' ' }
 
 if __name__ == '__main__':
     if len(sys.argv) != 2:
         sys.exit(1)
 
-    value = sys.argv[1].split(':')
-    if not len(value) == 3:
+    value = sys.argv[1]
+
+    # Require at least one well-formed large-community tuple in the pattern. 
+    tmp = value.split(':')
+    if len(tmp) < 3:
         sys.exit(1)
 
-    if not (re.match(pattern, sys.argv[1]) and set(sys.argv[1]).issubset(allowedChars)):
+    # Simple guard against invalid community & 1003.2 pattern chars
+    if not set(value).issubset(allowedChars):
         sys.exit(1)
 
+    # Don't feed FRR badly formed regex
+    try:
+        re.compile(value)
+    except re.error:
+        sys.exit(1)
+
+    if not re.fullmatch(pattern, value):
+        # If you know what you're doing, you should be able to do it.
+        # It is, however, very easy to over- or under-restrict compound regex 
+        # logic against communities and ASNs, especially if they change. 
+        # Best practice: stick with basic patterns, mind your wildcards and whitespace.
+        console_warning('Regex does not follow expected form and may not match as expected.')
+        sys.exit(0)
+
     sys.exit(0)