Add constraints and tests

GSA · Dec 3, 2024 · 03dd2ee · 03dd2ee
1 parent da3ac62
commit 03dd2ee
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 15 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -114,6 +114,7 @@ Examples:
   | leveraged-authorization-nature-of-agreement |
   | marking |
   | missing-response-components |
+  | non-provider-responsible-role-references-user |
   | party-has-name |
   | privilege-level |
   | prop-response-point-has-cardinality-one |
@@ -336,6 +337,8 @@ Examples:
   | marking-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
+  | non-provider-responsible-role-references-user-FAIL.yaml |
+  | non-provider-responsible-role-references-user-PASS.yaml |
   | party-has-name-FAIL.yaml |
   | party-has-name-PASS.yaml |
   | privilege-level-FAIL.yaml |

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -314,13 +314,16 @@
           <p>Some description of the authentication method.</p>
         </remarks>
       </prop>
-     <status state="operational"/>
+      <status state="operational"/>
       <responsible-role role-id="provider">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
-     <responsible-role role-id="system-admin">
+      <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
+      <responsible-role role-id="administrator">
+        <prop name="privilege-uuid" value="44444444-0000-4000-9000-000000000004" ns="https://fedramp.gov/ns/oscal" />
+      </responsible-role>
     </component>
 
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">

diff --git a/...dations/constraints/content/ssp-non-provider-responsible-role-references-user-INVALID.xml b/...dations/constraints/content/ssp-non-provider-responsible-role-references-user-INVALID.xml
@@ -0,0 +1,14 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <user uuid="44444444-0000-4000-9000-000000000004">
+      <authorized-privilege>
+        <!-- <function-performed>administration</function-performed> Missing at least one function performed-->
+      </authorized-privilege>
+    </user>
+    <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
+      <responsible-role role-id="administrator">
+        <prop name="privilege-uuid" value="44444444-0000-4000-9000-000000000004" ns="https://fedramp.gov/ns/oscal"/>
+      </responsible-role>
+    </component>
+  </system-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -67,11 +67,19 @@
                 else if (system-characteristics/security-sensitivity-level = 'fips-199-moderate')
                     then ('fips-199-moderate', 'fips-199-high')
                 else ('fips-199-low', 'fips-199-moderate', 'fips-199-high')"/>
+            <let var="non-authorized-components" expression="system-implementation/component[(@type='system' and prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and prop[@name='implementation-point' and @value='internal'] and prop[@name='direction']) or (@type='software' and prop[@name='asset-type' and @value='cli'] and prop[@name='direction'])]"/>
+            <let var="system-implementation-users" expression="system-implementation/user"/>
+            <let var="non-provider-user-has-function-performed" expression="count($system-implementation-users[@uuid = $non-authorized-components/responsible-role/prop[@name='privilege-uuid' and @ns='https://fedramp.gov/ns/oscal']/@value]/authorized-privilege/function-performed) >= 1"/>
             <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
                 <formal-name>Component Has Authentication Method</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
             </expect>
+            <expect id="component-has-non-provider-responsible-role" target="//component[(@type='system' and prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(prop[@name='leveraged-authorization-uuid']) and prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and prop[@name='implementation-point' and @value='internal'] and prop[@name='direction']) or (@type='software' and prop[@name='asset-type' and @value='cli'] and prop[@name='direction'])]" test="count(responsible-role[not(@role-id='provider')]) >= 1" level="ERROR">
+                <formal-name>Component Has Non-Provider Responsible Role</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
+                <message>Each component dealing with leveraged systems, interconnections, or authorized services MUST have at least one responsible role other than "provider".</message>
+            </expect>
             <expect id="component-has-provider-responsible-role" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(responsible-role[@role-id='provider']/party-uuid) = 1" level="ERROR">
                 <formal-name>Component Has Provider Responsible Role</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
@@ -109,7 +117,12 @@
                 <formal-name>Leveraged Authorization Has Valid Impact Level</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization.</message>
-            </expect>             
+            </expect>    
+            <expect id="non-provider-responsible-role-references-user" target="." test="$non-provider-user-has-function-performed" level="ERROR">
+                <formal-name>Non-Provider Responsible Role References User</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
+                <message>Each non-provider responsible role MUST reference at least one user with an authorized privilege and function performed via the "privilege-uuid" property.</message>
+            </expect>         
         </constraints>
     </context>
 
@@ -510,22 +523,17 @@
 
     <context>
 	<metapath target="/system-security-plan/system-implementation"/>
-	<constraints>
+	    <constraints>
             <expect id="authentication-method-has-remarks" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]"  test="count(./prop[@name='authentication-method' and @ns='https://fedramp.gov/ns/oscal'])  = count(./prop[@name='authentication-method' and @ns='https://fedramp.gov/ns/oscal']/remarks)" level="ERROR">
                 <formal-name>Authentication Method Has Remarks</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>Each authentication method in a FedRAMP SSP MUST have a remarks field.</message>
             </expect>
-            <expect id="component-has-non-provider-responsible-role" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(responsible-role[not(@role-id='provider')]) >= 1" level="ERROR">
-                <formal-name>Component Has Non-Provider Responsible Role</formal-name>
-                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
-                <message>Each component dealing with leveraged systems, interconnections, or authorized services MUST have at least one responsible role other than "provider".</message>
-            </expect>
-	    <expect id="has-inventory-items" target="." test="count(inventory-item) >= 2" level="ERROR">
-	    	<formal-name>System Implementation Has Inventory Items</formal-name>
-		<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
-		<message>A FedRAMP SSP system implementation section MUST have at least two inventory items.</message>
-	    </expect>
+	        <expect id="has-inventory-items" target="." test="count(inventory-item) >= 2" level="ERROR">
+	    	    <formal-name>System Implementation Has Inventory Items</formal-name>
+		        <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+		        <message>A FedRAMP SSP system implementation section MUST have at least two inventory items.</message>
+	        </expect>
             <expect id="leveraged-authorization-has-authorization-type" target="leveraged-authorization" test="count(prop[@name='authorization-type'][@ns='https://fedramp.gov/ns/oscal']) = 1" level="ERROR">
                 <formal-name>Leveraged Authorization Has Authorization Type</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -550,7 +558,7 @@
                     <p>A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.</p>
                 </remarks>
             </is-unique>
-	</constraints>
+	    </constraints>
     </context>   
 
     <context>

diff --git a/...alidations/constraints/unit-tests/non-provider-responsible-role-references-user-FAIL.yaml b/...alidations/constraints/unit-tests/non-provider-responsible-role-references-user-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for non-provider-responsible-role-references-user
+  description: >-
+    This test case validates the behavior of constraint
+    non-provider-responsible-role-references-user
+  content: ../content/ssp-non-provider-responsible-role-references-user-INVALID.xml
+  expectations:
+    - constraint-id: non-provider-responsible-role-references-user
+      result: fail
diff --git a/...alidations/constraints/unit-tests/non-provider-responsible-role-references-user-PASS.yaml b/...alidations/constraints/unit-tests/non-provider-responsible-role-references-user-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for non-provider-responsible-role-references-user
+  description: >-
+    This test case validates the behavior of constraint
+    non-provider-responsible-role-references-user
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: non-provider-responsible-role-references-user
+      result: pass