From 7ac54e51207538e597d1de1b2efff7b228d4cacf Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 22 Nov 2024 05:13:30 +0000
Subject: [PATCH 1/8] add constraint and tests

---
 features/fedramp_extensions.feature           |  5 ++
 .../constraints/content/ssp-all-VALID.xml     |  5 ++
 ...nent-has-authentication-method-INVALID.xml | 82 +++++++++++++++++++
 .../fedramp-external-constraints.xml          |  5 ++
 ...ponent-has-authentication-method-FAIL.yaml |  9 ++
 ...ponent-has-authentication-method-PASS.yaml |  9 ++
 6 files changed, 115 insertions(+)
 create mode 100644 src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index b4cd704d0..43b33702e 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -34,6 +34,7 @@ Examples:
   | cia-impact-has-adjustment-justification |
   | cia-impact-has-selected |
   | cloud-service-model |
+  | component-has-authentication-method |
   | component-type |
   | control-implementation-status |
   | data-center-alternate |
@@ -73,6 +74,7 @@ Examples:
   | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |
+  | has-inventory-items |
   | has-network-architecture |
   | has-network-architecture-diagram |
   | has-network-architecture-diagram-caption |
@@ -121,6 +123,7 @@ Examples:
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | unique-inventory-item-asset-id |
   | user-has-authorized-privilege |
   | user-has-privilege-level |
   | user-has-role-id |
@@ -162,6 +165,8 @@ Examples:
   | cia-impact-has-selected-PASS.yaml |
   | cloud-service-model-FAIL.yaml |
   | cloud-service-model-PASS.yaml |
+  | component-has-authentication-method-FAIL.yaml |
+  | component-has-authentication-method-PASS.yaml |
   | component-type-FAIL.yaml |
   | component-type-PASS.yaml |
   | control-implementation-status-FAIL.yaml |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 7f7baf22b..3678a0d4f 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -295,6 +295,11 @@
       </description>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
       <status state="operational"/>
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
new file mode 100644
index 000000000..386750b93
--- /dev/null
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000100001" type="system">
+      <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
+      <prop name="implementation-point" value="external"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500002" type="service">
+      <title>Service B</title>
+      <description>
+        <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
+        <p>Describe the service and what it is used for.</p>
+      </description>
+      <prop name="implementation-point" value="external"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
+      <prop name="direction" value="incoming"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500004" type="service">
+      <title>Service C</title>
+        <description>
+          <p>A service provided by an external system other than the leveraged system.</p>
+          <p>Describe the service and what it is used for.</p>
+        </description>
+        <prop name="implementation-point" value="internal"/>
+        <prop name="direction" value="outgoing"/>
+        <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+          <remarks>
+            <p>If 'yes', describe the authentication method in the remarks.</p>
+            <p>If 'no', explain why no authentication is used in the remarks.</p>
+            <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          </remarks>
+        </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000300001" type="software">
+      <title>Management CLI</title>
+      <description>
+        <p>None</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="internal"/>
+      <prop name="direction" value="outgoing"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+  </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index ad58b98e4..850b54c8a 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -81,6 +81,11 @@
             <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
+            <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='http://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
+                <formal-name>Component Has Authentication Method</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <message>A FedRAMP SSP MUST include an authentication method for each leveraged system.</message>
+            </expect>
             <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
                 <formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
diff --git a/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml b/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
new file mode 100644
index 000000000..1b7355f71
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-authentication-method
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authentication-method
+  content: ../content/ssp-component-has-authentication-method-INVALID.xml
+  expectations:
+    - constraint-id: component-has-authentication-method
+      result: fail
diff --git a/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml b/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml
new file mode 100644
index 000000000..76f5b7ef6
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-authentication-method
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authentication-method
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: component-has-authentication-method
+      result: pass

From 5d496bc9ee02c980a32e85e10362139d8773e354 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 22 Nov 2024 16:08:52 +0000
Subject: [PATCH 2/8] trim test data

---
 ...component-has-authentication-method-INVALID.xml | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
index 386750b93..87167f538 100644
--- a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -17,11 +17,6 @@
       </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000500002" type="service">
-      <title>Service B</title>
-      <description>
-        <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
-        <p>Describe the service and what it is used for.</p>
-      </description>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="outgoing"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
@@ -47,11 +42,6 @@
       </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000500004" type="service">
-      <title>Service C</title>
-        <description>
-          <p>A service provided by an external system other than the leveraged system.</p>
-          <p>Describe the service and what it is used for.</p>
-        </description>
         <prop name="implementation-point" value="internal"/>
         <prop name="direction" value="outgoing"/>
         <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
@@ -63,10 +53,6 @@
         </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000300001" type="software">
-      <title>Management CLI</title>
-      <description>
-        <p>None</p>
-      </description>
       <prop name="asset-type" value="cli"/>
       <prop name="implementation-point" value="internal"/>
       <prop name="direction" value="outgoing"/>

From 8d869e70141924ceb2eba61ea75d7622a071cb47 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 22 Nov 2024 05:13:30 +0000
Subject: [PATCH 3/8] add constraint and tests

---
 features/fedramp_extensions.feature           |  3 +
 .../constraints/content/ssp-all-VALID.xml     |  5 ++
 ...nent-has-authentication-method-INVALID.xml | 82 +++++++++++++++++++
 .../fedramp-external-constraints.xml          |  5 ++
 ...ponent-has-authentication-method-FAIL.yaml |  9 ++
 ...ponent-has-authentication-method-PASS.yaml |  9 ++
 6 files changed, 113 insertions(+)
 create mode 100644 src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index cf7407a31..9bafdff57 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -34,6 +34,7 @@ Examples:
   | cia-impact-has-adjustment-justification |
   | cia-impact-has-selected |
   | cloud-service-model |
+  | component-has-authentication-method |
   | component-type |
   | control-implementation-status |
   | data-center-alternate |
@@ -165,6 +166,8 @@ Examples:
   | cia-impact-has-selected-PASS.yaml |
   | cloud-service-model-FAIL.yaml |
   | cloud-service-model-PASS.yaml |
+  | component-has-authentication-method-FAIL.yaml |
+  | component-has-authentication-method-PASS.yaml |
   | component-type-FAIL.yaml |
   | component-type-PASS.yaml |
   | control-implementation-status-FAIL.yaml |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 65bfbc915..9b0d45188 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -319,6 +319,11 @@
       </description>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
       <status state="operational"/>
       <responsible-role role-id="system-admin">
         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
new file mode 100644
index 000000000..386750b93
--- /dev/null
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000100001" type="system">
+      <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
+      <prop name="implementation-point" value="external"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500002" type="service">
+      <title>Service B</title>
+      <description>
+        <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
+        <p>Describe the service and what it is used for.</p>
+      </description>
+      <prop name="implementation-point" value="external"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method.</p>
+          <p>If 'no', explain why no authentication is used.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
+      <prop name="direction" value="incoming"/>
+      <prop name="direction" value="outgoing"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000500004" type="service">
+      <title>Service C</title>
+        <description>
+          <p>A service provided by an external system other than the leveraged system.</p>
+          <p>Describe the service and what it is used for.</p>
+        </description>
+        <prop name="implementation-point" value="internal"/>
+        <prop name="direction" value="outgoing"/>
+        <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+          <remarks>
+            <p>If 'yes', describe the authentication method in the remarks.</p>
+            <p>If 'no', explain why no authentication is used in the remarks.</p>
+            <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          </remarks>
+        </prop> -->
+    </component>
+    <component uuid="11111111-2222-4000-8000-009000300001" type="software">
+      <title>Management CLI</title>
+      <description>
+        <p>None</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="internal"/>
+      <prop name="direction" value="outgoing"/>
+      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <remarks>
+          <p>If 'yes', describe the authentication method in the remarks.</p>
+          <p>If 'no', explain why no authentication is used in the remarks.</p>
+          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+        </remarks>
+      </prop> -->
+    </component>
+  </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index ad58b98e4..850b54c8a 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -81,6 +81,11 @@
             <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
+            <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='http://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
+                <formal-name>Component Has Authentication Method</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <message>A FedRAMP SSP MUST include an authentication method for each leveraged system.</message>
+            </expect>
             <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
                 <formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>
diff --git a/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml b/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
new file mode 100644
index 000000000..1b7355f71
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authentication-method-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-authentication-method
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authentication-method
+  content: ../content/ssp-component-has-authentication-method-INVALID.xml
+  expectations:
+    - constraint-id: component-has-authentication-method
+      result: fail
diff --git a/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml b/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml
new file mode 100644
index 000000000..76f5b7ef6
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authentication-method-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-authentication-method
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authentication-method
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: component-has-authentication-method
+      result: pass

From 9b22aae6981271aa3748a425a0a899cd2c487a60 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Fri, 22 Nov 2024 16:08:52 +0000
Subject: [PATCH 4/8] trim test data

---
 ...component-has-authentication-method-INVALID.xml | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
index 386750b93..87167f538 100644
--- a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -17,11 +17,6 @@
       </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000500002" type="service">
-      <title>Service B</title>
-      <description>
-        <p>An non-authorized service provided by the Awesome Cloud leveraged authorization.</p>
-        <p>Describe the service and what it is used for.</p>
-      </description>
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="outgoing"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
@@ -47,11 +42,6 @@
       </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000500004" type="service">
-      <title>Service C</title>
-        <description>
-          <p>A service provided by an external system other than the leveraged system.</p>
-          <p>Describe the service and what it is used for.</p>
-        </description>
         <prop name="implementation-point" value="internal"/>
         <prop name="direction" value="outgoing"/>
         <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
@@ -63,10 +53,6 @@
         </prop> -->
     </component>
     <component uuid="11111111-2222-4000-8000-009000300001" type="software">
-      <title>Management CLI</title>
-      <description>
-        <p>None</p>
-      </description>
       <prop name="asset-type" value="cli"/>
       <prop name="implementation-point" value="internal"/>
       <prop name="direction" value="outgoing"/>

From e9f1f97ab5d0ad19f33b2f894aed3d46583754ac Mon Sep 17 00:00:00 2001
From: "~ . ~" <paul.n.wand@gsa.gov>
Date: Fri, 22 Nov 2024 13:29:47 -0500
Subject: [PATCH 5/8] fix test data

---
 features/steps/fedramp_extensions_steps.ts            | 1 +
 src/validations/constraints/content/ssp-all-VALID.xml | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/features/steps/fedramp_extensions_steps.ts b/features/steps/fedramp_extensions_steps.ts
index 424d1b1a6..84338650c 100644
--- a/features/steps/fedramp_extensions_steps.ts
+++ b/features/steps/fedramp_extensions_steps.ts
@@ -421,6 +421,7 @@ async function checkConstraints(
               `The content may need adjustment to properly test this constraint.`
           );
         }
+        !quiet && console.error(formatSarifOutput(sarifOutput))
         errors.push(""); // Add a blank line for readability
       }
     }
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 9b0d45188..691814657 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -309,8 +309,9 @@
       </description>
       <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
-      <status state="operational"/>
-    </component>
+      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes"/>
+     <status state="operational"/>
+     </component>
 
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
       <title>External API Connection</title>

From a4e11253cf095ec3e79b54028c30991337920327 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Mon, 25 Nov 2024 14:45:05 +0000
Subject: [PATCH 6/8] change 'http' to 'https'

---
 .../constraints/content/ssp-all-VALID.xml      |  4 ++--
 ...onent-has-authentication-method-INVALID.xml | 18 +++++++++---------
 .../fedramp-external-constraints.xml           |  2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 691814657..d52ca4e20 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -309,7 +309,7 @@
       </description>
       <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes"/>
      <status state="operational"/>
      </component>
 
@@ -320,7 +320,7 @@
       </description>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
           <p>Some description of the authentication method.</p>
         </remarks>
diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
index 87167f538..b7ac60b58 100644
--- a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -7,8 +7,8 @@
     <component uuid="11111111-2222-4000-8000-009000100001" type="system">
       <prop name="leveraged-authorization-uuid" value="11111111-2222-4000-8000-019000000001"/>
       <prop name="implementation-point" value="external"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
-      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+      <prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="sla"/>
+      <!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
           <p>If 'no', explain why no authentication is used.</p>
@@ -19,8 +19,8 @@
     <component uuid="11111111-2222-4000-8000-009000500002" type="service">
       <prop name="implementation-point" value="external"/>
       <prop name="direction" value="outgoing"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
-      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+      <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
           <p>If 'no', explain why no authentication is used.</p>
@@ -31,9 +31,9 @@
     <component uuid="11111111-2222-4000-8000-009000200001" type="interconnection">
       <prop name="direction" value="incoming"/>
       <prop name="direction" value="outgoing"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
-      <prop ns="http://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
-      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+      <prop ns="https://fedramp.gov/ns/oscal" name="nature-of-agreement" value="contract"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="still-supported" value="yes"/>
+      <!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
         <remarks>
           <p>If 'yes', describe the authentication method in the remarks.</p>
           <p>If 'no', explain why no authentication is used in the remarks.</p>
@@ -44,7 +44,7 @@
     <component uuid="11111111-2222-4000-8000-009000500004" type="service">
         <prop name="implementation-point" value="internal"/>
         <prop name="direction" value="outgoing"/>
-        <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+        <!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
           <remarks>
             <p>If 'yes', describe the authentication method in the remarks.</p>
             <p>If 'no', explain why no authentication is used in the remarks.</p>
@@ -56,7 +56,7 @@
       <prop name="asset-type" value="cli"/>
       <prop name="implementation-point" value="internal"/>
       <prop name="direction" value="outgoing"/>
-      <!-- <prop ns="http://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
+      <!-- <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="INVALID"> Missing authentication-method
         <remarks>
           <p>If 'yes', describe the authentication method in the remarks.</p>
           <p>If 'no', explain why no authentication is used in the remarks.</p>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 850b54c8a..2acf36302 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -81,7 +81,7 @@
             <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
-            <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='http://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
+            <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
                 <formal-name>Component Has Authentication Method</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST include an authentication method for each leveraged system.</message>

From 76ab004b498ac6809a3238ef8faf6b6ba892d9d3 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Mon, 25 Nov 2024 16:12:24 +0000
Subject: [PATCH 7/8] Remove extra word

---
 ...ssp-component-has-authentication-method-INVALID.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
index b7ac60b58..41bba60e6 100644
--- a/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
+++ b/src/validations/constraints/content/ssp-component-has-authentication-method-INVALID.xml
@@ -12,7 +12,7 @@
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
           <p>If 'no', explain why no authentication is used.</p>
-          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          <p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
         </remarks>
       </prop> -->
     </component>
@@ -24,7 +24,7 @@
         <remarks>
           <p>If 'yes', describe the authentication method.</p>
           <p>If 'no', explain why no authentication is used.</p>
-          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          <p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
         </remarks>
       </prop> -->
     </component>
@@ -37,7 +37,7 @@
         <remarks>
           <p>If 'yes', describe the authentication method in the remarks.</p>
           <p>If 'no', explain why no authentication is used in the remarks.</p>
-          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          <p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
         </remarks>
       </prop> -->
     </component>
@@ -48,7 +48,7 @@
           <remarks>
             <p>If 'yes', describe the authentication method in the remarks.</p>
             <p>If 'no', explain why no authentication is used in the remarks.</p>
-            <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+            <p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
           </remarks>
         </prop> -->
     </component>
@@ -60,7 +60,7 @@
         <remarks>
           <p>If 'yes', describe the authentication method in the remarks.</p>
           <p>If 'no', explain why no authentication is used in the remarks.</p>
-          <p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
+          <p>If 'not-applicable', explain why authentication is not applicable in the remarks.</p>
         </remarks>
       </prop> -->
     </component>

From 599880a69e54fbbf0280b3006243c41ac285f734 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Mon, 25 Nov 2024 21:54:19 +0000
Subject: [PATCH 8/8] Edit message

---
 src/validations/constraints/fedramp-external-constraints.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 2acf36302..29238ea01 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -84,7 +84,7 @@
             <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
                 <formal-name>Component Has Authentication Method</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
-                <message>A FedRAMP SSP MUST include an authentication method for each leveraged system.</message>
+                <message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
             </expect>
             <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
                 <formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>