Add component-has-non-provider-responsible-role and tests

GSA · Dec 3, 2024 · da3ac62 · da3ac62
1 parent 1377478
commit da3ac62
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 0 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -36,6 +36,7 @@ Examples:
   | cia-impact-has-selected |
   | cloud-service-model |
   | component-has-authentication-method |
+  | component-has-non-provider-responsible-role |
   | component-has-provider-responsible-role |
   | component-type |
   | control-implementation-status |
@@ -179,6 +180,8 @@ Examples:
   | cloud-service-model-PASS.yaml |
   | component-has-authentication-method-FAIL.yaml |
   | component-has-authentication-method-PASS.yaml |
+  | component-has-non-provider-responsible-role-FAIL.yaml |
+  | component-has-non-provider-responsible-role-PASS.yaml |
   | component-responsible-role-references-party-FAIL.yaml |
   | component-responsible-role-references-party-PASS.yaml |
   | component-type-FAIL.yaml |

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -318,6 +318,9 @@
       <responsible-role role-id="provider">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
+     <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
     </component>
 
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
@@ -361,6 +364,9 @@
       <responsible-role role-id="provider">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
       </responsible-role>
+      <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
     </component>
 
     <inventory-item uuid="77777777-0000-4000-9000-000000000007">

diff --git a/...lidations/constraints/content/ssp-component-has-non-provider-responsible-role-INVALID.xml b/...lidations/constraints/content/ssp-component-has-non-provider-responsible-role-INVALID.xml
@@ -0,0 +1,12 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
+      <responsible-role role-id="provider">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+      <!-- <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role> Missing at least 1 responsible role that isn't "provider". -->
+    </component>
+  </system-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -516,6 +516,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>Each authentication method in a FedRAMP SSP MUST have a remarks field.</message>
             </expect>
+            <expect id="component-has-non-provider-responsible-role" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(responsible-role[not(@role-id='provider')]) >= 1" level="ERROR">
+                <formal-name>Component Has Non-Provider Responsible Role</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#external-systems-and-services-not-having-fedramp-authorization"/>
+                <message>Each component dealing with leveraged systems, interconnections, or authorized services MUST have at least one responsible role other than "provider".</message>
+            </expect>
 	    <expect id="has-inventory-items" target="." test="count(inventory-item) >= 2" level="ERROR">
 	    	<formal-name>System Implementation Has Inventory Items</formal-name>
 		<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>

diff --git a/src/validations/constraints/unit-tests/component-has-non-provider-responsible-role-FAIL.yaml b/src/validations/constraints/unit-tests/component-has-non-provider-responsible-role-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-non-provider-responsible-role
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-non-provider-responsible-role
+  content: ../content/ssp-component-has-non-provider-responsible-role-INVALID.xml
+  expectations:
+    - constraint-id: component-has-non-provider-responsible-role
+      result: fail
diff --git a/src/validations/constraints/unit-tests/component-has-non-provider-responsible-role-PASS.yaml b/src/validations/constraints/unit-tests/component-has-non-provider-responsible-role-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-non-provider-responsible-role
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-non-provider-responsible-role
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: component-has-non-provider-responsible-role
+      result: pass