From b1995eec81c9a2ba286025c0d0eedf2ee7d7d939 Mon Sep 17 00:00:00 2001
From: Rene Tshiteya <rene-claude.tshiteya@noblis.org>
Date: Mon, 18 Nov 2024 15:02:24 -0500
Subject: [PATCH] Add constraint leveraged-authorization-has-authorized-users

---
 features/fedramp_extensions.feature           |  3 ++
 .../constraints/content/ssp-all-VALID.xml     | 16 +++++++-
 ...orization-has-authorized-users-INVALID.xml | 41 +++++++++++++++++++
 .../fedramp-external-constraints.xml          |  5 +++
 ...thorization-has-authorized-users-FAIL.yaml |  8 ++++
 ...thorization-has-authorized-users-PASS.yaml |  9 ++++
 6 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index a7016432d9..aeebbc6f41 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -171,6 +171,8 @@ Examples:
   | inventory-item-public-PASS.yaml |
   | inventory-item-virtual-FAIL.yaml |
   | inventory-item-virtual-PASS.yaml |
+  | leveraged-authorization-has-authorized-users-FAIL.yaml |
+  | leveraged-authorization-has-authorized-users-PASS.yaml |
   | leveraged-authorization-has-component-FAIL.yaml |
   | leveraged-authorization-has-component-PASS.yaml |
   | leveraged-authorization-has-implementation-point-FAIL.yaml |
@@ -326,6 +328,7 @@ Examples:
   | inventory-item-allows-authenticated-scan |
   | inventory-item-public |
   | inventory-item-virtual |
+  | leveraged-authorization-has-authorized-users |
   | leveraged-authorization-has-component |
   | leveraged-authorization-has-implementation-point |
   | leveraged-authorization-has-information-type |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 806eb3b9aa..e1126685b1 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -320,11 +320,17 @@
       </description>
       <prop name="leveraged-authorization-uuid" 
             value="94d678fb-6d33-4eef-a17a-897bb4809487" />
-            <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="SLA" />
-            <prop name="information-type"  ns="http://fedramp.gov/ns/oscal" value="C.3.5.8" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="SLA" />
+      <prop name="information-type"  ns="http://fedramp.gov/ns/oscal" value="C.3.5.8" />
       <!-- <prop name="inherited-uuid" value="11111111-0000-4000-9001-000000000001" /> -->
       <prop name="implementation-point" value="external"/>
       <status state="operational"/>
+      <responsible-role role-id="system-admin">
+        <party-uuid>6b286b5d-8f07-4fa7-8847-1dd0d88f73fb</party-uuid>
+        <remarks>
+          <p>Using responsible-role to represent the CSPs "authorized users" who have access the leveraged authorization service.</p>
+        </remarks>
+      </responsible-role>
   </component>
 
   <component uuid="58350560-dbf7-4f43-9d86-bd0e15555e50" type="system">
@@ -337,6 +343,12 @@
     <prop name="information-type"  ns="http://fedramp.gov/ns/oscal" value="C.3.5.4" />
     <prop name="implementation-point" value="external"/>
     <status state="operational"/>
+    <responsible-role role-id="asset-administrator">
+      <party-uuid>6b286b5d-8f07-4fa7-8847-1dd0d88f73fb</party-uuid>
+      <remarks>
+        <p>Using responsible-role to represent the CSPs "authorized users" who have access the leveraged authorization service.</p>
+      </remarks>
+    </responsible-role>
   </component>
     
     <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">
diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml
new file mode 100644
index 0000000000..a3a9446fbf
--- /dev/null
+++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT missing "authorized users"-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="eula" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+      <!-- missing responsible-role / role-id to indidate "authorized users" -->
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index a7ebf26dd1..3a70eb4138 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -543,6 +543,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>Each leveraged authorization system component MUST have exactly one implementation point property.  The leveraged authorization with uuid '{ $leveraged-authorization-uuid }' has a "system" component with { count(../component[@type='system'][prop[@name='leveraged-authorization-uuid' and @value=$leveraged-authorization-uuid]]/prop[@name='implementation-point' and @value='external']) } defined "implementation-point" props.</message>
             </expect>
+            <expect id="leveraged-authorization-has-authorized-users" target="." test="count(../component[@type='system'][prop[@name='leveraged-authorization-uuid' and @value=$leveraged-authorization-uuid]]/responsible-role/@role-id) gte 1" level="WARNING">
+                <formal-name>Leveraged Authorization Has System Component</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <message>Each leveraged authorization system component SHOULD have at least one role for authorized users.  The leveraged authorization with uuid '{ $leveraged-authorization-uuid }' has a "system" component with { count(../component[@type='system'][prop[@name='leveraged-authorization-uuid' and @value=$leveraged-authorization-uuid]]/responsible-role/@role-id) } roles specified.</message>
+            </expect>
         </constraints>
     </context>
     <context>
diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-FAIL.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-FAIL.yaml
new file mode 100644
index 0000000000..e98bcd6dbe
--- /dev/null
+++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-FAIL.yaml
@@ -0,0 +1,8 @@
+test-case:
+  name: Negative Test for leveraged-authorization-has-authorized-users
+  description: >-
+    This test case validates the behavior of constraint leveraged-authorization-has-authorized-users
+  content: ../content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml
+  expectations:
+    - constraint-id: leveraged-authorization-has-authorized-users
+      result: fail
diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-PASS.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-PASS.yaml
new file mode 100644
index 0000000000..8a61e93a5f
--- /dev/null
+++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-authorized-users-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for leveraged-authorization-has-authorized-users
+  description: >-
+    This test case validates the behavior of constraint
+    leveraged-authorization-has-authorized-users
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: leveraged-authorization-has-authorized-users
+      result: pass