From e021f8fb2b53628b71561c0a6ba958e719cc47a3 Mon Sep 17 00:00:00 2001
From: "~ . ~" <paul.n.wand@gsa.gov>
Date: Tue, 24 Sep 2024 09:34:10 -0400
Subject: [PATCH] re-introduce party has responsibility-constraints

---
 features/fedramp_extensions.feature             | 10 +++++++---
 ...ssp-party-has-one-responsibility-INVALID.xml | 15 +++++++++++++++
 .../ssp-party-has-responsibility-INVALID.xml    | 17 +++++++++++++++++
 .../fedramp-external-constraints.xml            |  7 +++++++
 .../party-has-one-responsibility-FAIL.yaml      |  9 +++++++++
 .../party-has-one-responsibility-PASS.yaml      |  9 +++++++++
 .../party-has-responsibility-FAIL.yaml          |  7 +++++++
 .../party-has-responsibility-PASS.yaml          |  7 +++++++
 8 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-party-has-one-responsibility-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-party-has-responsibility-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/party-has-one-responsibility-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/party-has-one-responsibility-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/party-has-responsibility-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/party-has-responsibility-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index dd8830bfe..581acdc86 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -95,8 +95,10 @@ Examples:
   | interconnection-security-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
-  | missing-response-components-test-FAIL.yaml |
-  | missing-response-components-test-PASS.yaml |
+  | party-has-one-responsibility-FAIL.yaml |
+  | party-has-one-responsibility-PASS.yaml |
+  | party-has-responsibility-FAIL.yaml |
+  | party-has-responsibility-PASS.yaml |
   | privilege-level-FAIL.yaml |
   | privilege-level-PASS.yaml |
   | resource-has-base64-or-rlink-FAIL.yaml |
@@ -169,7 +171,9 @@ Examples:
   | information-type-system |
   | interconnection-direction |
   | interconnection-security |
-  | missing-response-components-test |
+  | missing-response-components |
+  | party-has-one-responsibility |
+  | party-has-responsibility |
   | privilege-level |
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |
diff --git a/src/validations/constraints/content/ssp-party-has-one-responsibility-INVALID.xml b/src/validations/constraints/content/ssp-party-has-one-responsibility-INVALID.xml
new file mode 100644
index 000000000..85b8174d1
--- /dev/null
+++ b/src/validations/constraints/content/ssp-party-has-one-responsibility-INVALID.xml
@@ -0,0 +1,15 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
+      <name>Jane Doe</name>
+      <email-address>jane.doe@example.com</email-address>
+      <address type="work"/>
+    </party>
+    <responsible-party role-id="content-approver">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="content-initiator">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+  </metadata>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-party-has-responsibility-INVALID.xml b/src/validations/constraints/content/ssp-party-has-responsibility-INVALID.xml
new file mode 100644
index 000000000..fb966ac8f
--- /dev/null
+++ b/src/validations/constraints/content/ssp-party-has-responsibility-INVALID.xml
@@ -0,0 +1,17 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
+      <name>Example Organization</name>
+      <short-name>ExOrg</short-name>
+      <link rel="website" href="https://example.com"/>
+    </party>
+    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
+      <name>Jane Doe</name>
+      <email-address>jane.doe@example.com</email-address>
+      <address type="work"/>
+    </party>
+    <remarks>
+      <p>This SSP is an example for demonstration purposes.</p>
+    </remarks>
+  </metadata>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 2bbefdd89..bfd801473 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -133,6 +133,12 @@
             <expect id="role-defined-information-system-security-officer" target="." test="role[@id eq 'information-system-security-officer']" level="ERROR">
                 <message>A FedRAMP SSP must define a role for the point of contact for an information system security officer.</message>
             </expect>
+            <expect id="party-has-responsibility" target="." test="every $person in //party[@type='person'] satisfies exists(.//responsible-party[party-uuid = $person/@uuid])" level="WARNING">
+                <message>One or more persons do not have any assigned responsibilities.</message>
+            </expect>
+            <expect id="party-has-one-responsibility" target="." test="every $person in //party[@type='person'] satisfies count(.//responsible-party[party-uuid = $person/@uuid]) eq 1" level="WARNING">
+                <message>One or more persons have multiple assigned responsibilities.</message>
+            </expect>
         </constraints>
     </context>
     <context>
@@ -142,5 +148,6 @@
                 <message>Each implemented requirement must have at least one by-component reference to the source component implementing it.</message>
             </expect>
         </constraints>
+        
     </context>
 </metaschema-meta-constraints>
diff --git a/src/validations/constraints/unit-tests/party-has-one-responsibility-FAIL.yaml b/src/validations/constraints/unit-tests/party-has-one-responsibility-FAIL.yaml
new file mode 100644
index 000000000..d2f72644c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/party-has-one-responsibility-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for party-has-one-responsibility
+  description: >-
+    This test case validates the behavior of constraint
+    party-has-one-responsibility
+  content: ../content/ssp-party-has-one-responsibility-INVALID.xml
+  expectations:
+    - constraint-id: party-has-one-responsibility
+      result: fail
diff --git a/src/validations/constraints/unit-tests/party-has-one-responsibility-PASS.yaml b/src/validations/constraints/unit-tests/party-has-one-responsibility-PASS.yaml
new file mode 100644
index 000000000..712441910
--- /dev/null
+++ b/src/validations/constraints/unit-tests/party-has-one-responsibility-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for party-has-one-responsibility
+  description: >-
+    This test case validates the behavior of constraint
+    party-has-one-responsibility
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: party-has-one-responsibility
+      result: pass
diff --git a/src/validations/constraints/unit-tests/party-has-responsibility-FAIL.yaml b/src/validations/constraints/unit-tests/party-has-responsibility-FAIL.yaml
new file mode 100644
index 000000000..4a2b03eba
--- /dev/null
+++ b/src/validations/constraints/unit-tests/party-has-responsibility-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for party-has-responsibility
+  description: This test case validates the behavior of constraint party-has-responsibility
+  content: ../content/ssp-party-has-responsibility-INVALID.xml
+  expectations:
+    - constraint-id: party-has-responsibility
+      result: fail
diff --git a/src/validations/constraints/unit-tests/party-has-responsibility-PASS.yaml b/src/validations/constraints/unit-tests/party-has-responsibility-PASS.yaml
new file mode 100644
index 000000000..b00505797
--- /dev/null
+++ b/src/validations/constraints/unit-tests/party-has-responsibility-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for party-has-responsibility
+  description: This test case validates the behavior of constraint party-has-responsibility
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: party-has-responsibility
+      result: pass