Skip to content

Commit

Permalink
Add component-has-authentication-method Constraint (#927)
Browse files Browse the repository at this point in the history 
* add constraint and tests

* trim test data

* add constraint and tests

* trim test data

* fix test data

* change 'http' to 'https'

* Remove extra word

* Edit message

---------

Co-authored-by: ~ . ~ <[email protected]>
  • Loading branch information
@Gabeblis @wandmagic
Gabeblis and wandmagic authored Nov 27, 2024
1 parent 49f152a commit 80eb99c
Show file tree
Hide file tree
Showing 7 changed files with 98 additions and 2 deletions.
3 changes: 3 additions & 0 deletions features/fedramp_extensions.feature
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ Examples:
| cia-impact-has-adjustment-justification |
| cia-impact-has-selected |
| cloud-service-model |
| component-has-authentication-method |
| component-type |
| control-implementation-status |
| data-center-alternate |
Expand Down Expand Up @@ -172,6 +173,8 @@ Examples:
| cia-impact-has-selected-PASS.yaml |
| cloud-service-model-FAIL.yaml |
| cloud-service-model-PASS.yaml |
| component-has-authentication-method-FAIL.yaml |
| component-has-authentication-method-PASS.yaml |
| component-type-FAIL.yaml |
| component-type-PASS.yaml |
| control-implementation-status-FAIL.yaml |
Expand Down
1 change: 1 addition & 0 deletions features/steps/fedramp_extensions_steps.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -421,6 +421,7 @@ async function checkConstraints(
`The content may need adjustment to properly test this constraint.`
);
}
!quiet && console.error(formatSarifOutput(sarifOutput))
errors.push(""); // Add a blank line for readability
}
}
Expand Down
5 changes: 3 additions & 2 deletions src/validations/constraints/content/ssp-all-VALID.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -309,8 +309,9 @@
</description>
<prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
<prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
<status state="operational"/>
</component>
<prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes"/>
<status state="operational"/>
</component>

<component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
<title>External API Connection</title>
Expand Down
68 changes: 68 additions & 0 deletions src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
uuid="12345678-1234-4321-8765-123456789012">
<system-implementation>
<component uuid="11111111-2222-4000-8000-009000100001" type="system">
<prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
<prop name="implementation-point" value="external"/>
<prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
<!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
<remarks>
<p>If 'yes', describe the authentication method.</p>
<p>If 'no', explain why no authentication is used.</p>
<p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
</remarks>
</prop> -->
</component>
<component uuid="11111111-2222-4000-8000-009000500002" type="service">
<prop name="implementation-point" value="external"/>
<prop name="direction" value="outgoing"/>
<prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
<!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
<remarks>
<p>If 'yes', describe the authentication method.</p>
<p>If 'no', explain why no authentication is used.</p>
<p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
</remarks>
</prop> -->
</component>
<component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
<prop name="direction" value="incoming"/>
<prop name="direction" value="outgoing"/>
<prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
<prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
<!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
<remarks>
<p>If 'yes', describe the authentication method in the remarks.</p>
<p>If 'no', explain why no authentication is used in the remarks.</p>
<p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
</remarks>
</prop> -->
</component>
<component uuid="11111111-2222-4000-8000-009000500004" type="service">
<prop name="implementation-point" value="internal"/>
<prop name="direction" value="outgoing"/>
<!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
<remarks>
<p>If 'yes', describe the authentication method in the remarks.</p>
<p>If 'no', explain why no authentication is used in the remarks.</p>
<p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
</remarks>
</prop> -->
</component>
<component uuid="11111111-2222-4000-8000-009000300001" type="software">
<prop name="asset-type" value="cli"/>
<prop name="implementation-point" value="internal"/>
<prop name="direction" value="outgoing"/>
<!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
<remarks>
<p>If 'yes', describe the authentication method in the remarks.</p>
<p>If 'no', explain why no authentication is used in the remarks.</p>
<p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
</remarks>
</prop> -->
</component>
</system-implementation>
</system-security-plan>
5 changes: 5 additions & 0 deletions src/validations/constraints/fedramp-external-constraints.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,11 @@
<let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
<let var="import-profile-href" expression="import-profile/@href"/>
<let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
<expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
<formal-name>Component Has Authentication Method</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
<message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
</expect>
<expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
<formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
Expand Down
9 changes: 9 additions & 0 deletions src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Negative Test for component-has-authentication-method
description: >-
This test case validates the behavior of constraint
component-has-authentication-method
content: ../content/ssp-component-has-authentication-method-INVALID.xml
expectations:
- constraint-id: component-has-authentication-method
result: fail
9 changes: 9 additions & 0 deletions src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
test-case:
name: Positive Test for component-has-authentication-method
description: >-
This test case validates the behavior of constraint
component-has-authentication-method
content: ../content/ssp-all-VALID.xml
expectations:
- constraint-id: component-has-authentication-method
result: pass

0 comments on commit 80eb99c

Please sign in to comment.