Feature/data center constraints (GSA#639)

* introduce data center constraints

* complete data center constraints

* Update src/validations/constraints/content/ssp-all-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/content/ssp-all-VALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* Update src/validations/constraints/content/ssp-location-INVALID.xml

Co-authored-by: A.J. Stein <[email protected]>

* remove allowed-type data center country code

* Late review feedback: align country code example with constraint

* Fix the correction that broke negative testing, sorry Paul

---------

Co-authored-by: A.J. Stein <[email protected]>

features/fedramp_extensions.feature

@@ -27,6 +27,16 @@ Examples:
   | component-type-PASS.yaml |
   | control-implementation-status-FAIL.yaml |
   | control-implementation-status-PASS.yaml |
+  | data-center-alternate-FAIL.yaml |
+  | data-center-alternate-PASS.yaml |
+  | data-center-count-FAIL.yaml |
+  | data-center-count-PASS.yaml |
+  | data-center-country-code-FAIL.yaml |
+  | data-center-country-code-PASS.yaml |
+  | data-center-primary-FAIL.yaml |
+  | data-center-primary-PASS.yaml |
+  | data-center-us-FAIL.yaml |
+  | data-center-us-PASS.yaml |
   | deployment-mode-FAIL.yaml |
   | deployment-mode-PASS.yaml |
   | information-type-system-FAIL.yaml |
@@ -68,6 +78,11 @@ Examples:
   | cloud-service-model |
   | component-type |
   | control-implementation-status |
+  | data-center-US |
+  | data-center-alternate |
+  | data-center-count |
+  | data-center-country-code |
+  | data-center-primary |
   | deployment-model |
   | information-type-system |
   | interconnection-direction |

src/validations/constraints/content/ssp-all-INVALID.xml

@@ -23,7 +23,12 @@
     <role id="asset-owner">
       <title>Asset Owner</title>
     </role>
-
+    <location uuid="11111112-0000-4000-9001-000000000009">
+      <address >
+        <country>WRONG</country>
+      </address>
+      <prop name='data-center' value='dc-zone-1' class='tertiary' ns="https://fedramp.gov/ns/oscal"/>
+    </location>
     <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
       <name>Example Organization</name>
       <short-name>ExOrg</short-name>

src/validations/constraints/content/ssp-all-VALID.xml

@@ -23,7 +23,18 @@
     <role id="asset-owner">
       <title>Asset Owner</title>
     </role>
-
+    <location uuid="11111112-0000-4000-9001-000000000009">
+      <address >
+        <country>US</country>
+      </address>
+      <prop name='data-center' value='dc-zone-1' class='primary' ns="https://fedramp.gov/ns/oscal"/>
+    </location>
+    <location uuid="11111112-0000-4000-9000-000000000003">
+      <address >
+        <country>US</country>
+      </address>
+      <prop name='data-center' value='aws-us-west-1' class='alternate' ns="https://fedramp.gov/ns/oscal"/>
+    </location>
     <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
       <name>Example Organization</name>
       <short-name>ExOrg</short-name>
@@ -34,14 +45,13 @@
       <email-address>[email protected]</email-address>
     <address type="work"  />
     </party>
-    
+
     <responsible-party role-id="creator">
       <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
     </responsible-party>
     <responsible-party role-id="content-approver">
       <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
     </responsible-party>
-
     <remarks>
       <p>This SSP is an example for demonstration purposes.</p>
     </remarks>

src/validations/constraints/content/ssp-location-INVALID.xml

@@ -0,0 +1,207 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <title>Enhanced Example System Security Plan</title>
+    <published>2024-08-01T14:30:00Z</published>
+    <last-modified>2024-08-01T14:30:00Z</last-modified>
+    <version>1.1</version>
+    <oscal-version>1.0.0</oscal-version>
+    <document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>
+
+    <role id="creator">
+      <title>Document Creator</title>
+    </role>
+    <role id="content-approver">
+      <title>Content Approver</title>
+    </role>
+    <role id="system-admin">
+      <title>System Administrator</title>
+    </role>
+    <role id="asset-owner">
+      <title>Asset Owner</title>
+    </role>
+    <location uuid="11111112-0000-4000-9001-000000000009">
+      <address >
+      </address>
+      <prop name='data-center' value='dc-zone-1' class='tertiary' ns="https://fedramp.gov/ns/oscal"/>
+    </location>
+    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
+      <name>Example Organization</name>
+      <short-name>ExOrg</short-name>
+      <link rel="website" href="https://example.com"/>
+      <address type="unsupported-type"  />
+    </party>
+    <party uuid="22222222-0000-4000-9000-000000000002" type="person">
+      <name>Jane Doe</name>
+      <email-address>[email protected]</email-address>
+      <address type="unsupported-type"  />
+    </party>
+
+    <responsible-party role-id="creator">
+      <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+    </responsible-party>
+    <responsible-party role-id="content-approver">
+      <party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
+    </responsible-party>
+
+    <remarks>
+      <p>This SSP is an example for demonstration purposes.</p>
+    </remarks>
+  </metadata>
+
+  <import-profile href="https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml"/>
+
+  <system-characteristics>
+    <system-id identifier-type="https://fedramp.gov">F00000001</system-id>
+    <system-name>Enhanced Example System</system-name>
+    <description>
+      <p>This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.</p>
+    </description>
+    <prop name='cloud-service-model' value='unsupported-model' ns="https://fedramp.gov/ns/oscal"/>
+    <prop name='cloud-deployment-model' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
+    <prop name='authorization-type' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
+    <security-sensitivity-level>moderate</security-sensitivity-level>
+    <system-information>
+      <information-type uuid="33333333-0000-4000-9000-000000000003">
+        <title>Financial Information</title>
+        <description>
+          <p>Contains sensitive financial data related to organizational operations.</p>
+        </description>
+        <categorization system="https://unsupported-system.com">
+          <information-type-id>C.2.8.12</information-type-id>
+        </categorization>
+        <confidentiality-impact>
+          <base>high</base>
+        </confidentiality-impact>
+        <integrity-impact>
+          <base>moderate</base>
+        </integrity-impact>
+        <availability-impact>
+          <base>low</base>
+        </availability-impact>
+      </information-type>
+    </system-information>
+
+    <security-impact-level>
+      <security-objective-confidentiality>moderate</security-objective-confidentiality>
+      <security-objective-integrity>moderate</security-objective-integrity>
+      <security-objective-availability>moderate</security-objective-availability>
+    </security-impact-level>
+
+    <status state="operational"/>
+
+    <authorization-boundary>
+      <description>
+        <p>The authorization boundary includes all components within the main data center and the disaster recovery site.</p>
+      </description>
+    </authorization-boundary>
+  </system-characteristics>
+
+  <system-implementation>
+    <user uuid="44444444-0000-4000-9000-000000000004">
+      <title>System Administrator</title>
+      <prop name="type" value="unsupported-type"/>
+      <prop name="privilege-level" value="unsupported-access-type"/>
+      <role-id>system-admin</role-id>
+    </user>
+
+    <component uuid="55555555-0000-4000-9000-000000000005" type="unsupported-component-type">
+      <title>Primary Application Server</title>
+      <description>
+        <p>Main application server hosting the core system functionality.</p>
+      </description>
+      <purpose>main line</purpose>
+      <status state="operational"/>
+      <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+      <remarks>
+        <p>This is the primary application server for the system.</p>
+      </remarks>
+    </component>
+
+    <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
+      <title>External API Connection</title>
+      <description>
+        <p>Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="interconnection-direction" value="unsupported-direction" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="interconnection-security" value="unsupported-security" ns="https://fedramp.gov/ns/oscal"/>
+      <status state="operational"/>
+      <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+      <remarks>
+        <p>This connection is used for secure data exchange with external systems.</p>
+      </remarks>
+    </component>
+
+    <inventory-item uuid="77777777-0000-4000-9000-000000000007">
+      <description>
+        <p>Primary database server</p>
+      </description>
+      <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      <prop name="asset-type" value="database"/>
+      <prop name="allows-authenticated-scan" value="unsupported-scan"/>
+      <prop name="public" value="unsupported-public"/>
+      <prop name="virtual" value="unsupported-virtual"/>
+      <prop name="scan-type" value="unsupported-scan-type" ns="https://fedramp.gov/ns/oscal"/>
+      <responsible-party role-id="asset-owner">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-party>
+      <implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
+        <prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
+      </implemented-component>
+    </inventory-item>
+  </system-implementation>
+
+  <control-implementation>
+    <description>
+      <p>Implementation of controls for the Enhanced Example System</p>
+    </description>
+    <implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1">
+      <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="implementation-status" value="unsupported-status" ns="https://fedramp.gov/ns/oscal"/>
+      <statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
+      </statement>
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
+        <description>
+          <p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
+        </description>
+        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="unsupported-status"/>
+        <responsible-role role-id="system-admin">
+          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+        </responsible-role>
+      </by-component>
+    </implemented-requirement>
+
+    <implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
+      <prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
+      <statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
+      </statement>
+      <by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
+        <description>
+          <p>Information System Component Inventory (CM-8) is partially implemented.</p>
+        </description>
+        <prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="unsupported-status"/>
+        <responsible-role role-id="system-admin">
+          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+        </responsible-role>
+      </by-component>
+    </implemented-requirement>
+  </control-implementation>
+
+  <back-matter>
+    <resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
+      <title>Access Control Policy</title>
+      <description>
+        <p>Detailed access control policy document</p>
+      </description>
+      <prop name="type" value="unsupported-type" ns="https://fedramp.gov/ns/oscal"/>
+      <rlink href="https://example.com/policies/access-control.pdf"/>
+    </resource>
+  </back-matter>
+</system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -19,10 +19,20 @@
              </remarks>
         </constraints>
 </context>
+<context>
+    <metapath target="/system-security-plan/metadata/location"/>
+    <constraints>
+        <expect id="data-center-country-code" target="." test="count(address/country) eq 1">
+            <message>Each data center address must contain a country code.</message>
+        </expect>
+        <expect id="data-center-US" target="." test="address/country eq 'US'">
+            <message>Each data center must have an address that is within the United States.</message>
+        </expect>
+    </constraints>
 
+</context>
 <context>
     <metapath target="/system-security-plan"/>
-
     <constraints>
         <expect id="resource-has-title" target="back-matter/resource" test="title" level="WARNING">
             <message>Every supporting artifact found in a citation should have a title.</message>
@@ -31,6 +41,20 @@
             <message>Every supporting artifact found in a citation must have at least one base64 or rlink element.</message>
         </expect>
     </constraints>
-
 </context>
-</metaschema-meta-constraints>
+<context>
+    <metapath target="/system-security-plan/metadata"/>
+    <constraints>
+        <expect id="data-center-count" target="." test="count(/location/prop[@name eq 'data-center']) &gt; 1">
+            <message>There must be at least two (2) data centers listed.</message>
+        </expect>
+
+        <expect id="data-center-primary" target="." test="count(/location/prop[@name eq 'data-center'][@class eq 'primary']) = 1">
+            <message>There must be a single primary data center.</message>
+        </expect>
+        <expect id="data-center-alternate" target="." test="count(/location/prop[@name eq 'data-center'][@class eq 'alternate']) &gt; 0">
+            <message>There must be one or more alternate data center(s).</message>
+        </expect>
+    </constraints>
+</context>
+</metaschema-meta-constraints>

src/validations/constraints/unit-tests/data-center-alternate-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for data-center-alternate
+  description: This test case validates the behavior of constraint data-center-alternate
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: data-center-alternate
+      result: fail

src/validations/constraints/unit-tests/data-center-alternate-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for data-center-alternate
+  description: This test case validates the behavior of constraint data-center-alternate
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: data-center-alternate
+      result: pass

src/validations/constraints/unit-tests/data-center-count-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for data-center-count
+  description: This test case validates the behavior of constraint data-center-count
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: data-center-count
+      result: fail

src/validations/constraints/unit-tests/data-center-count-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for data-center-count
+  description: This test case validates the behavior of constraint data-center-count
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: data-center-count
+      result: pass

src/validations/constraints/unit-tests/data-center-country-code-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for data-center-country-code
+  description: This test case validates the behavior of constraint data-center-country-code
+  content: ../content/ssp-location-INVALID.xml
+  expectations:
+    - constraint-id: data-center-country-code
+      result: fail

src/validations/constraints/unit-tests/data-center-country-code-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for data-center-country-code
+  description: This test case validates the behavior of constraint data-center-country-code
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: data-center-country-code
+      result: pass

src/validations/constraints/unit-tests/data-center-primary-FAIL.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for data-center-primary
+  description: This test case validates the behavior of constraint data-center-primary
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: data-center-primary
+      result: fail

src/validations/constraints/unit-tests/data-center-primary-PASS.yaml

@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for data-center-primary
+  description: This test case validates the behavior of constraint data-center-primary
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: data-center-primary
+      result: pass