From 4180e7dba45486e06df1d2bb23df141c293873c1 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 20 Sep 2024 10:17:52 -0400
Subject: [PATCH] Add system-characteristics 'has-network-architecture'
 constraints (#707)

* Added   constraints & tests

* Corrected message
---
 features/fedramp_extensions.feature           | 27 ++++++++++++++++++
 .../constraints/content/ssp-all-VALID.xml     | 12 ++++++++
 .../fedramp-external-constraints.xml          | 28 +++++++++++++++++++
 .../has-network-architecture-FAIL.yaml        |  7 +++++
 .../has-network-architecture-PASS.yaml        |  7 +++++
 ...network-architecture-description-FAIL.yaml |  9 ++++++
 ...network-architecture-description-PASS.yaml |  9 ++++++
 ...has-network-architecture-diagram-FAIL.yaml |  9 ++++++
 ...has-network-architecture-diagram-PASS.yaml |  9 ++++++
 ...ork-architecture-diagram-caption-FAIL.yaml |  9 ++++++
 ...ork-architecture-diagram-caption-PASS.yaml |  9 ++++++
 ...architecture-diagram-description-FAIL.yaml |  9 ++++++
 ...architecture-diagram-description-PASS.yaml |  9 ++++++
 ...etwork-architecture-diagram-link-FAIL.yaml |  9 ++++++
 ...etwork-architecture-diagram-link-PASS.yaml |  9 ++++++
 ...rk-architecture-diagram-link-rel-FAIL.yaml |  9 ++++++
 ...rk-architecture-diagram-link-rel-PASS.yaml |  9 ++++++
 ...e-diagram-link-rel-allowed-value-FAIL.yaml |  9 ++++++
 ...e-diagram-link-rel-allowed-value-PASS.yaml |  9 ++++++
 ...etwork-architecture-diagram-uuid-FAIL.yaml |  9 ++++++
 ...etwork-architecture-diagram-uuid-PASS.yaml |  9 ++++++
 21 files changed, 225 insertions(+)
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-description-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-description-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-description-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-description-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index cff5d4a8b..3ecc2440f 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -55,6 +55,24 @@ Examples:
   | has-incident-response-plan-PASS.yaml |
   | has-information-system-contingency-plan-FAIL.yaml |
   | has-information-system-contingency-plan-PASS.yaml |
+  | has-network-architecture-FAIL.yaml |
+  | has-network-architecture-PASS.yaml |
+  | has-network-architecture-description-FAIL.yaml |
+  | has-network-architecture-description-PASS.yaml |
+  | has-network-architecture-diagram-FAIL.yaml |
+  | has-network-architecture-diagram-PASS.yaml |
+  | has-network-architecture-diagram-caption-FAIL.yaml |
+  | has-network-architecture-diagram-caption-PASS.yaml |
+  | has-network-architecture-diagram-description-FAIL.yaml |
+  | has-network-architecture-diagram-description-PASS.yaml |
+  | has-network-architecture-diagram-link-FAIL.yaml |
+  | has-network-architecture-diagram-link-PASS.yaml |
+  | has-network-architecture-diagram-link-rel-FAIL.yaml |
+  | has-network-architecture-diagram-link-rel-PASS.yaml |
+  | has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml |
+  | has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml |
+  | has-network-architecture-diagram-uuid-FAIL.yaml |
+  | has-network-architecture-diagram-uuid-PASS.yaml |
   | has-rules-of-behavior-FAIL.yaml |
   | has-rules-of-behavior-PASS.yaml |
   | has-separation-of-duties-matrix-FAIL.yaml |
@@ -122,6 +140,15 @@ Examples:
   | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
+  | has-network-architecture |
+  | has-network-architecture-description |
+  | has-network-architecture-diagram |
+  | has-network-architecture-diagram-caption |
+  | has-network-architecture-diagram-description |
+  | has-network-architecture-diagram-link |
+  | has-network-architecture-diagram-link-rel |
+  | has-network-architecture-diagram-link-rel-allowed-value |
+  | has-network-architecture-diagram-uuid |
   | has-rules-of-behavior |
   | has-separation-of-duties-matrix |
   | has-user-guide |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 3a7d30d66..b6d3a1f1c 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -113,6 +113,18 @@
         <p>The authorization boundary includes all components within the main data center and the disaster recovery site.</p>
       </description>
     </authorization-boundary>
+    <network-architecture>
+         <description>
+            <p>A holistic, top-level explanation of the network architecture.</p>
+         </description>
+         <diagram uuid="e97c3395-433a-48c1-8cc7-dd1e1555941c">
+            <description>
+               <p>A diagram-specific explanation.</p>
+            </description>
+            <link href="#61081e81-850b-43c1-bf43-1ecbddcb9e7f" rel="diagram"/>
+            <caption>Network Diagram</caption>
+         </diagram>
+      </network-architecture>
   </system-characteristics>
   
   <system-implementation>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index a5b90dcf6..688e286f2 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -71,6 +71,34 @@
             <expect id="has-federation-assurance-level" target="./system-characteristics" test="prop[@name eq 'federation-assurance-level']" level="INFORMATIONAL">
             <message>This FedRAMP SSP does define its NIST SP 800-63 federation assurance level (IAL).</message>
             </expect>
+            <expect id="has-network-architecture" target="./system-characteristics" test="network-architecture" level="ERROR">
+                <message>A FedRAMP SSP must include a network architecture.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram" target="./system-characteristics" test="network-architecture/diagram" level="WARNING">
+                <message>A FedRAMP SSP must have at least one network architecture diagram.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-uuid" target="./system-characteristics" test="network-architecture/diagram/@uuid" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a unique identifier.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-description" target="./system-characteristics" test="network-architecture/diagram/description" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a description.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link" target="./system-characteristics" test="network-architecture/diagram/link" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a link.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-caption" target="./system-characteristics" test="network-architecture/diagram/caption" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a caption.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link-rel" target="./system-characteristics" test="network-architecture/diagram/link/@rel" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a link rel attribute.</message>
+            </expect>
+            <expect id="has-network-architecture-diagram-link-rel-allowed-value" target="./system-characteristics" test="network-architecture/diagram/link/@rel eq 'diagram'" level="ERROR">
+                <message>Each FedRAMP SSP network architecture diagram must have a link rel attribute with the value "diagram".</message>
+            </expect>
+            <expect id="has-network-architecture-description" target="./system-characteristics" test="network-architecture/description" level="ERROR">
+                <message>A FedRAMP SSP must have a network architecture description.</message>
+            </expect>
+
         </constraints>
     </context>
     <context>
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-FAIL.yaml
new file mode 100644
index 000000000..355eeb17c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-network-architecture
+  description: This test case validates the behavior of constraint has-network-architecture
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-PASS.yaml
new file mode 100644
index 000000000..4a237ee58
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-network-architecture
+  description: This test case validates the behavior of constraint has-network-architecture
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-description-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-description-FAIL.yaml
new file mode 100644
index 000000000..9fdc197c9
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-description-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-description
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-description
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-description
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-description-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-description-PASS.yaml
new file mode 100644
index 000000000..b2c68331b
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-description-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-description
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-description
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-description
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-FAIL.yaml
new file mode 100644
index 000000000..e17936904
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-PASS.yaml
new file mode 100644
index 000000000..410a0664d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-FAIL.yaml
new file mode 100644
index 000000000..5a5c4e8d7
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-caption
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-caption
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-caption
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-PASS.yaml
new file mode 100644
index 000000000..be0e7371e
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-caption-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-caption
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-caption
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-caption
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-FAIL.yaml
new file mode 100644
index 000000000..4efc9805f
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-description
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-description
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-description
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-PASS.yaml
new file mode 100644
index 000000000..d6519fb07
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-description-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-description
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-description
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-description
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-FAIL.yaml
new file mode 100644
index 000000000..5b442f807
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-link
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-PASS.yaml
new file mode 100644
index 000000000..1f373e859
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-link
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-FAIL.yaml
new file mode 100644
index 000000000..87c86f690
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-link-rel
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link-rel
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link-rel
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-PASS.yaml
new file mode 100644
index 000000000..249b911e8
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-link-rel
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link-rel
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link-rel
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml
new file mode 100644
index 000000000..2d4eb9a0c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-link-rel-allowed-value
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link-rel-allowed-value
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link-rel-allowed-value
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml
new file mode 100644
index 000000000..8bb5c4a0f
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-link-rel-allowed-value-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-link-rel-allowed-value
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-link-rel-allowed-value
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-link-rel-allowed-value
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-FAIL.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-FAIL.yaml
new file mode 100644
index 000000000..13ce112f9
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-network-architecture-diagram-uuid
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-uuid
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-uuid
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-PASS.yaml b/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-PASS.yaml
new file mode 100644
index 000000000..f32bac3b5
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-network-architecture-diagram-uuid-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-network-architecture-diagram-uuid
+  description: >-
+    This test case validates the behavior of constraint
+    has-network-architecture-diagram-uuid
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-network-architecture-diagram-uuid
+      result: pass