Skip to content

Commit

Permalink
Add component-responsible-role-references-party constraint (#945)
Browse files Browse the repository at this point in the history
* Add constraint 'component-responsible-role-references-party' and tests

* correct test

* Rename constraint and adjust help-url

* Edit message

Co-authored-by: A.J. Stein <[email protected]>

---------

Co-authored-by: A.J. Stein <[email protected]>
  • Loading branch information
Gabeblis and aj-stein-gsa authored Dec 3, 2024
1 parent a8461fb commit 1377478
Show file tree
Hide file tree
Showing 6 changed files with 48 additions and 1 deletion.
3 changes: 3 additions & 0 deletions features/fedramp_extensions.feature
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ Examples:
| cia-impact-has-selected |
| cloud-service-model |
| component-has-authentication-method |
| component-has-provider-responsible-role |
| component-type |
| control-implementation-status |
| data-center-alternate |
Expand Down Expand Up @@ -178,6 +179,8 @@ Examples:
| cloud-service-model-PASS.yaml |
| component-has-authentication-method-FAIL.yaml |
| component-has-authentication-method-PASS.yaml |
| component-responsible-role-references-party-FAIL.yaml |
| component-responsible-role-references-party-PASS.yaml |
| component-type-FAIL.yaml |
| component-type-PASS.yaml |
| control-implementation-status-FAIL.yaml |
Expand Down
11 changes: 10 additions & 1 deletion src/validations/constraints/content/ssp-all-VALID.xml
Original file line number Diff line number Diff line change
Expand Up @@ -315,7 +315,10 @@
</remarks>
</prop>
<status state="operational"/>
</component>
<responsible-role role-id="provider">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</component>

<component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
<title>External API Connection</title>
Expand All @@ -330,6 +333,9 @@
</remarks>
</prop>
<status state="operational"/>
<responsible-role role-id="provider">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
Expand All @@ -352,6 +358,9 @@
</remarks>
</prop>
<status state="operational"/>
<responsible-role role-id="provider">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</component>

<inventory-item uuid="77777777-0000-4000-9000-000000000007">
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
<system-implementation>
<component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
<prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
<responsible-role role-id="provider">
<!-- There are two parties referenced. The count should be 1. -->
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
<party-uuid>11111111-0000-4000-9000-000000000002</party-uuid>
</responsible-role>
</component>
</system-implementation>
</system-security-plan>
5 changes: 5 additions & 0 deletions src/validations/constraints/fedramp-external-constraints.xml
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,11 @@
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
<message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
</expect>
<expect id="component-has-provider-responsible-role" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(responsible-role[@role-id='provider']/party-uuid) = 1" level="ERROR">
<formal-name>Component Has Provider Responsible Role</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
<message>A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party.</message>
</expect>
<expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
<formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for component-has-provider-responsible-role
description: >-
This test case validates the behavior of constraint
component-has-provider-responsible-role
content: ../content/ssp-component-has-provider-responsible-role-INVALID.xml
expectations:
- constraint-id: component-has-provider-responsible-role
result: fail
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for component-has-provider-responsible-role
description: >-
This test case validates the behavior of constraint
component-has-provider-responsible-role
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: component-has-provider-responsible-role
result: pass

0 comments on commit 1377478

Please sign in to comment.