Add prepared-by constraints

GSA · Nov 6, 2024 · 8ee9553 · 8ee9553
1 parent 247f99a
commit 8ee9553
Show file tree

Hide file tree

Showing 13 changed files with 158 additions and 1 deletion.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -155,10 +155,16 @@ Examples:
   | response-point-PASS.yaml |
   | responsible-party-is-person-FAIL.yaml |
   | responsible-party-is-person-PASS.yaml |
+  | responsible-party-prepared-by-FAIL.yaml |
+  | responsible-party-prepared-by-PASS.yaml |
+  | responsible-party-prepared-by-location-valid-FAIL.yaml |
+  | responsible-party-prepared-by-location-valid-PASS.yaml |
   | role-defined-authorizing-official-poc-FAIL.yaml |
   | role-defined-authorizing-official-poc-PASS.yaml |
   | role-defined-information-system-security-officer-FAIL.yaml |
   | role-defined-information-system-security-officer-PASS.yaml |
+  | role-defined-prepared-by-FAIL.yaml |
+  | role-defined-prepared-by-PASS.yaml |
   | role-defined-system-owner-FAIL.yaml |
   | role-defined-system-owner-PASS.yaml |
   | scan-type-FAIL.yaml |
@@ -268,8 +274,11 @@ Examples:
   | resource-has-base64-or-rlink |
   | resource-has-title |
   | responsible-party-is-person |
+  | responsible-party-prepared-by |
+  | responsible-party-prepared-by-location-valid |
   | role-defined-authorizing-official-poc |
   | role-defined-information-system-security-officer |
+  | role-defined-prepared-by |
   | role-defined-system-owner |
   | scan-type |
   | security-level |

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -12,6 +12,12 @@
     <document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>
     <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-1.1.2"/>
 
+    <role id="prepared-by">
+      <title>Prepared By</title>
+      <description>
+        <p>The organization that prepared this SSP.</p>
+      </description>
+    </role>
     <role id="creator">
       <title>Document Creator</title>
     </role>
@@ -52,6 +58,17 @@
           </description>
       </role>
 
+    <location uuid="27b78960-59ef-4619-82b0-ae20b9c709ac">
+      <title>CSP HQ</title>
+      <address type="work">
+        <addr-line>Suite 0000</addr-line>
+        <addr-line>1234 Some Street</addr-line>
+        <city>Haven</city>
+        <state>ME</state>
+        <postal-code>00000</postal-code>
+        <country>US</country>
+      </address>
+    </location>
     <location uuid="11111112-0000-4000-9001-000000000009">
       <address >
         <country>US</country>
@@ -64,6 +81,15 @@
       </address>
       <prop name="type" value="data-center" class="alternate"/>
     </location>
+    <party uuid="3360e343-9860-4bda-9dfc-ff427c3dfab6" type="person">
+      <name>Person Name 1</name>
+      <prop name="job-title" value="Individual's Title"/>
+      <prop name="mail-stop" value="Mailstop A-1"/>
+      <email-address>[email protected]</email-address>
+      <telephone-number>2020000001</telephone-number>
+      <location-uuid>27b78960-59ef-4619-82b0-ae20b9c709ac</location-uuid>
+      <member-of-organization>6b286b5d-8f07-4fa7-8847-1dd0d88f73fb</member-of-organization>
+    </party>
     <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
       <name>Example Organization</name>
       <short-name>ExOrg</short-name>
@@ -75,6 +101,9 @@
     <address type="work"  />
     </party>
 
+    <responsible-party role-id="prepared-by">
+      <party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
+    </responsible-party>
     <responsible-party role-id="creator">
       <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
     </responsible-party>

diff --git a/src/validations/constraints/content/ssp-responsible-party-prepared-by-INVALID.xml b/src/validations/constraints/content/ssp-responsible-party-prepared-by-INVALID.xml
@@ -0,0 +1,13 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <role id="NOT-prepared-by">
+      <title>Prepared By</title>
+      <description>
+        <p>The organization that prepared this SSP.</p>
+      </description>
+    </role>
+    <responsible-party role-id="NOT-prepared-by">
+      <party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
+    </responsible-party>
+  </metadata>
+</system-security-plan>
diff --git a/...idations/constraints/content/ssp-responsible-party-prepared-by-location-valid-INVALID.xml b/...idations/constraints/content/ssp-responsible-party-prepared-by-location-valid-INVALID.xml
@@ -0,0 +1,22 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <role id="prepared-by">
+    </role>
+      <location uuid="27b78960-59ef-4619-82b0-ae20b9c709ac">
+      <title>CSP HQ</title>
+      <address type="work">
+        <addr-line>Suite 0000</addr-line>
+        <addr-line>1234 Some Street</addr-line>
+        <!-- missing city -->
+        <state>ME</state>
+        <postal-code>00000</postal-code>
+      </address>
+    </location>
+    <party uuid="3360e343-9860-4bda-9dfc-ff427c3dfab6" type="person">
+      <location-uuid>27b78960-59ef-4619-82b0-ae20b9c709ac</location-uuid>
+    </party>
+    <responsible-party role-id="prepared-by">
+      <party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
+    </responsible-party>
+  </metadata>
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-role-defined-prepared-by-INVALID.xml b/src/validations/constraints/content/ssp-role-defined-prepared-by-INVALID.xml
@@ -0,0 +1,16 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <role id="NOT-prepared-by">
+      <title>Prepared By</title>
+      <description>
+        <p>The organization that prepared this SSP. If developed in-house, this is the CSP itself.</p>
+      </description>
+    </role>
+    <responsible-party role-id="NOT-prepared-by">
+      <party-uuid>3360e343-9860-4bda-9dfc-ff427c3dfab6</party-uuid>
+      <remarks>
+        <p>Exactly one</p>
+      </remarks>
+    </responsible-party>
+  </metadata>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -72,6 +72,9 @@
         <metapath target="/system-security-plan"/>
         <constraints>
             <let var="import-profile-href" expression="import-profile/@href"/>
+            <let var="prepared-by-responsible-party-party-uuid" expression="metadata/responsible-party[@role-id eq 'prepared-by']/party-uuid"/>
+            <let var="prepared-by-party-location-uuid" expression="//party[@uuid eq $prepared-by-responsible-party-party-uuid]/location-uuid"/>
+            <let var="prepared-by-location" expression="//location[@uuid eq $prepared-by-party-location-uuid]"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
             <let var="security-impact-level" expression=
                 "if (//security-impact-level//* = 'fips-199-high')
@@ -235,6 +238,21 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-name-abbreviation-and-fedramp-unique-identifier"/>
                 <message>A FedRAMP SSP MUST have a short system name.</message>
             </expect>
+            <expect id="role-defined-prepared-by" target="metadata" test="exists(role[@id eq 'prepared-by'])" level="ERROR">
+                <formal-name>Role Defined Prepared By</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
+                <message>A FedRAMP SSP MUST have a role defined as "prepared-by". </message>
+            </expect>
+            <expect id="responsible-party-prepared-by" target="metadata" test="exists(responsible-party[@role-id eq 'prepared-by'])" level="ERROR">
+                <formal-name>Responsible Party Prepared By</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
+                <message>A FedRAMP SSP MUST have a responsible party that references a role defined as "prepared-by". </message>
+            </expect>
+            <expect id="responsible-party-prepared-by-location-valid" target="metadata" test="exists($prepared-by-location) and $prepared-by-location/address[@type='work'] and $prepared-by-location/address/addr-line and $prepared-by-location/address/city and $prepared-by-location/address/state and $prepared-by-location/address/postal-code" level="WARNING">
+                <formal-name>Responsible Party Prepared By Location Valid</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#prepared-by-csp-self-prepared"/>
+                <message>A FedRAMP SSP MUST have a responsible party defined as "prepared-by" that references a party with a valid location. </message>
+            </expect>
         </constraints>
     </context>
     <context>

diff --git a/src/validations/constraints/unit-tests/responsible-party-prepared-by-FAIL.yaml b/src/validations/constraints/unit-tests/responsible-party-prepared-by-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for responsible-party-prepared-by
+  description: >-
+    This test case validates the behavior of constraint
+    responsible-party-prepared-by
+  content: ../content/ssp-responsible-party-prepared-by-INVALID.xml
+  expectations:
+    - constraint-id: responsible-party-prepared-by
+      result: fail
diff --git a/src/validations/constraints/unit-tests/responsible-party-prepared-by-PASS.yaml b/src/validations/constraints/unit-tests/responsible-party-prepared-by-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for responsible-party-prepared-by
+  description: >-
+    This test case validates the behavior of constraint
+    responsible-party-prepared-by
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: responsible-party-prepared-by
+      result: pass
diff --git a/...validations/constraints/unit-tests/responsible-party-prepared-by-location-valid-FAIL.yaml b/...validations/constraints/unit-tests/responsible-party-prepared-by-location-valid-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for responsible-party-prepared-by-location-valid
+  description: >-
+    This test case validates the behavior of constraint
+    responsible-party-prepared-by-location-valid
+  content: ../content/ssp-responsible-party-prepared-by-location-valid-INVALID.xml
+  expectations:
+    - constraint-id: responsible-party-prepared-by-location-valid
+      result: fail
diff --git a/...validations/constraints/unit-tests/responsible-party-prepared-by-location-valid-PASS.yaml b/...validations/constraints/unit-tests/responsible-party-prepared-by-location-valid-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for responsible-party-prepared-by-location-valid
+  description: >-
+    This test case validates the behavior of constraint
+    responsible-party-prepared-by-location-valid
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: responsible-party-prepared-by-location-valid
+      result: pass
diff --git a/src/validations/constraints/unit-tests/role-defined-prepared-by-FAIL.yaml b/src/validations/constraints/unit-tests/role-defined-prepared-by-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for role-defined-prepared-by
+  description: This test case validates the behavior of constraint role-defined-prepared-by
+  content: ../content/ssp-role-defined-prepared-by-INVALID.xml
+  expectations:
+    - constraint-id: role-defined-prepared-by
+      result: fail
diff --git a/src/validations/constraints/unit-tests/role-defined-prepared-by-PASS.yaml b/src/validations/constraints/unit-tests/role-defined-prepared-by-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for role-defined-prepared-by
+  description: This test case validates the behavior of constraint role-defined-prepared-by
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: role-defined-prepared-by
+      result: pass
diff --git a/src/validations/module.mk b/src/validations/module.mk
@@ -18,7 +18,7 @@ init-validations:
 build-validations:
 	@echo "Running Cucumber Tests"
 	$(OSCAL_CLI) server start -bg
-	@npm run test:server
+	@npm run test
 	$(OSCAL_CLI) server stop
 
 clean-validations: