From 606e3b9d5dd03baec1257878f443ae4b5be9455c Mon Sep 17 00:00:00 2001
From: "A.J. Stein" <aj@gsa.gov>
Date: Tue, 29 Oct 2024 16:17:55 -0400
Subject: [PATCH] Add initial constraint and tests for #833

---
 features/fedramp_extensions.feature           |  3 ++
 ...ersion-matches-fedramp-version-INVALID.xml |  6 ++++
 .../fedramp-external-constraints.xml          | 31 +++++++++++++++++--
 ...-version-matches-fedramp-version-FAIL.yaml |  9 ++++++
 ...-version-matches-fedramp-version-PASS.yaml |  9 ++++++
 5 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index a077d5966..72467c8b0 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -125,6 +125,8 @@ Examples:
   | inventory-item-virtual-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
+  | oscal-version-matches-fedramp-version-FAIL.yaml |
+  | oscal-version-matches-fedramp-version-PASS.yaml |
   | privilege-level-FAIL.yaml |
   | privilege-level-PASS.yaml |
   | resource-has-base64-or-rlink-FAIL.yaml |
@@ -219,6 +221,7 @@ Examples:
   | inventory-item-public |
   | inventory-item-virtual |
   | missing-response-components |
+  | oscal-version-matches-fedramp-version |
   | privilege-level |
   | prop-response-point-has-cardinality-one |
   | resource-has-base64-or-rlink |
diff --git a/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID.xml b/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID.xml
new file mode 100644
index 000000000..2f65b1f64
--- /dev/null
+++ b/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID.xml
@@ -0,0 +1,6 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <oscal-version>2.0.0</oscal-version>
+    <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-2.0.0"/>
+  </metadata>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 9058088c6..67066dc0a 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -31,6 +31,33 @@
             </expect>
         </constraints>
     </context>
+    <context>
+        <!-- 
+            TODO refactor like so when metaschema-java 2.0.0 and oscal-cli 2.3.0:
+
+            <metapath target="/(assessment-plan|assessment-results|plan-of-action-and-milestones|system-security-plan)/metadata"/>
+
+            For now, keep it separate from the context above.
+        -->
+        <metapath target="/system-security-plan/metadata"/>
+        <constraints>
+            <let var="fedramp-version-oscal-part" expression="tokenize(prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']/@value, '-')[4]"/>
+            <let var="fedramp-oscal-version-subparts" expression="tokenize($fedramp-version-oscal-part, '\.')"/>
+            <let var="oscal-version-subparts" expression="tokenize(oscal-version, '\.')"/>
+            <!-- https://github.com/GSA/fedramp-automation/issues/833#issuecomment-2445516390 -->
+            <let var="major-version-valid" expression="$oscal-version-subparts[1]  = $fedramp-oscal-version-subparts[1]"/>
+            <let var="minor-version-valid" expression="$oscal-version-subparts[2] >= $fedramp-oscal-version-subparts[2]"/>
+            <let var="patch-version-valid" expression="$oscal-version-subparts[3] >= $fedramp-oscal-version-subparts[3]"/>
+            <!-- 
+                TODO:The test is valid but there is some other issue with the evaluation of the valid Metapath in the @test.
+                Review and/or adapt when metaschema-java 2.0.0 and oscal-cli 2.3.0.
+            -->
+            <expect id="oscal-version-matches-fedramp-version" target="prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']" test="$major-version-valid and $minor-version-valid and $patch-version-valid" level="WARNING">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://docs.oasis-open.org/sarif/sarif/v2.1.0"/>                
+                <message>A FedRAMP document SHOULD have an OSCAL version that matches the minimally required version for FedRAMP packages, {$fedramp-version-oscal-part}, not {../oscal-version}. DEBUG: {$major-version-valid} {$minor-version-valid} {$patch-version-valid}</message>
+            </expect>           
+        </constraints>
+    </context>
     <context>
         <metapath target="/system-security-plan/metadata/location"/>
         <constraints>
@@ -168,7 +195,7 @@
     </context>
     <context>
         <metapath target="/system-security-plan/metadata"/>
-        <constraints>
+        <constraints>            
             <expect id="data-center-count" target="." test="count(/location/prop[@name eq 'type'][@value eq 'data-center']) &gt; 1">
                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0"  name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#data-centers" />
                 <message>There must be at least two (2) data centers listed.</message>
@@ -199,7 +226,7 @@
             </expect>
             <expect id="role-defined-information-system-security-officer" target="." test="role[@id eq 'information-system-security-officer']" level="ERROR">
                 <message>A FedRAMP SSP must define a role for the point of contact for an information system security officer.</message>
-            </expect>
+            </expect>        
         </constraints>
     </context>
     <context>
diff --git a/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml
new file mode 100644
index 000000000..b04b36f0c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for oscal-version-matches-fedramp-version
+  description: >-
+    This test case validates the behavior of constraint
+    oscal-version-matches-fedramp-version
+  content: ../content/ssp-oscal-version-matches-fedramp-version-INVALID.xml
+  expectations:
+    - constraint-id: oscal-version-matches-fedramp-version
+      result: fail
diff --git a/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml
new file mode 100644
index 000000000..4b2425c1a
--- /dev/null
+++ b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for oscal-version-matches-fedramp-version
+  description: >-
+    This test case validates the behavior of constraint
+    oscal-version-matches-fedramp-version
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: oscal-version-matches-fedramp-version
+      result: pass