Add oscal and FR version constraint for GSA#833

kyhu65867 · Dec 5, 2024 · 871da38 · 871da38
1 parent c3db2b2
commit 871da38
Show file tree

Hide file tree

Showing 9 changed files with 217 additions and 4 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -347,6 +347,8 @@ Examples:
   | non-provider-responsible-role-references-user-PASS.yaml |
   | party-has-name-FAIL.yaml |
   | party-has-name-PASS.yaml |
+  | oscal-version-matches-fedramp-version-FAIL.yaml |
+  | oscal-version-matches-fedramp-version-PASS.yaml |
   | privilege-level-FAIL.yaml |
   | privilege-level-PASS.yaml |
   | resource-has-base64-or-rlink-FAIL.yaml |
@@ -400,3 +402,124 @@ Examples:
   | user-type-FAIL.yaml |
   | user-type-PASS.yaml |
 #END_DYNAMIC_TEST_CASES
+
+@full-coverage
+Scenario: Preparing constraint coverage analysis
+Given I have loaded all Metaschema extensions documents
+And I have collected all YAML test files in the test directory
+When I extract all constraint IDs from the Metaschema extensions
+And I analyze the YAML test files for each constraint ID
+
+@full-coverage
+Scenario Outline: Ensuring full test coverage for "<constraint_id>"
+Then I should have both FAIL and PASS tests for constraint ID "<constraint_id>"
+Examples:
+| constraint_id |
+#BEGIN_DYNAMIC_CONSTRAINT_IDS
+  | address-type |
+  | attachment-type |
+  | authorization-type |
+  | categorization-has-correct-system-attribute |
+  | categorization-has-information-type-id |
+  | cia-impact-has-adjustment-justification |
+  | cia-impact-has-selected |
+  | cloud-service-model |
+  | component-type |
+  | control-implementation-status |
+  | data-center-alternate |
+  | data-center-count |
+  | data-center-country-code |
+  | data-center-primary |
+  | data-center-us |
+  | deployment-model |
+  | fedramp-version |
+  | fully-operational-date-is-valid |
+  | fully-operational-date-type |
+  | has-authenticator-assurance-level |
+  | has-authorization-boundary-diagram |
+  | has-authorization-boundary-diagram-caption |
+  | has-authorization-boundary-diagram-description |
+  | has-authorization-boundary-diagram-link |
+  | has-authorization-boundary-diagram-link-href-target |
+  | has-authorization-boundary-diagram-link-rel |
+  | has-authorization-boundary-diagram-link-rel-allowed-value |
+  | has-cloud-deployment-model |
+  | has-cloud-deployment-model-remarks |
+  | has-cloud-service-model |
+  | has-cloud-service-model-remarks |
+  | has-configuration-management-plan |
+  | has-data-flow |
+  | has-data-flow-description |
+  | has-data-flow-diagram |
+  | has-data-flow-diagram-caption |
+  | has-data-flow-diagram-description |
+  | has-data-flow-diagram-link |
+  | has-data-flow-diagram-link-href-target |
+  | has-data-flow-diagram-link-rel |
+  | has-data-flow-diagram-link-rel-allowed-value |
+  | has-data-flow-diagram-uuid |
+  | has-federation-assurance-level |
+  | has-fully-operational-date |
+  | has-identity-assurance-level |
+  | has-incident-response-plan |
+  | has-information-system-contingency-plan |
+  | has-inventory-items |  
+  | has-network-architecture |
+  | has-network-architecture-diagram |
+  | has-network-architecture-diagram-caption |
+  | has-network-architecture-diagram-description |
+  | has-network-architecture-diagram-link |
+  | has-network-architecture-diagram-link-href-target |
+  | has-network-architecture-diagram-link-rel |
+  | has-network-architecture-diagram-link-rel-allowed-value |
+  | has-published-date |
+  | has-rules-of-behavior |
+  | has-security-impact-level |
+  | has-security-sensitivity-level |
+  | has-separation-of-duties-matrix |
+  | has-system-id |
+  | has-system-name-short |
+  | has-user-guide |
+  | import-profile-has-available-document |
+  | import-profile-resolves-to-fedramp-content |
+  | information-type-800-60-v2r1 |
+  | information-type-has-availability-impact |
+  | information-type-has-confidentiality-impact |
+  | information-type-has-integrity-impact |
+  | information-type-system |
+  | interconnection-direction |
+  | interconnection-security |
+  | inventory-item-allows-authenticated-scan |
+  | inventory-item-public |
+  | inventory-item-virtual |
+  | marking |
+  | missing-response-components |
+  | party-has-name |
+  | oscal-version-matches-fedramp-version |
+  | privilege-level |
+  | prop-response-point-has-cardinality-one |
+  | resource-has-base64-or-rlink |
+  | resource-has-title |
+  | responsible-party-is-person |
+  | responsible-party-prepared-by |
+  | responsible-party-prepared-by-location-valid |
+  | responsible-party-prepared-for |
+  | responsible-party-prepared-for-location-valid |
+  | role-defined-authorizing-official-poc |
+  | role-defined-information-system-security-officer |
+  | role-defined-prepared-by |
+  | role-defined-prepared-for |
+  | role-defined-system-owner |
+  | scan-type |
+  | security-level |
+  | security-sensitivity-level-matches-security-impact-level |
+  | unique-inventory-item-asset-id |
+  | user-has-authorized-privilege |
+  | user-has-privilege-level |
+  | user-has-role-id |
+  | user-has-sensitivity-level |
+  | user-has-user-type |
+  | user-privilege-level |
+  | user-sensitivity-level |
+  | user-type |
+#END_DYNAMIC_CONSTRAINT_IDS
diff --git a/...idations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml b/...idations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml
@@ -10,14 +10,14 @@
     <version>1.1</version>
     <oscal-version>1.1.2</oscal-version>
     <document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>
-    <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="fedramp-3.0.0rc1-oscal-1.1.2"/>
-    <prop name="marking" value="cui"/>
+    <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="3.0.0-rc1"/>    
+    <prop name="marking" value="cui"/>  
     <role id="authorizing-official">
       <title>Authorizing Official</title>
       <description>
         <p>Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.</p>
       </description>
-    </role>
+    </role>  
     <role id="prepared-by">
       <title>Prepared By</title>
       <description>

diff --git a/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-1.xml b/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-1.xml
@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <oscal-version>1.0.4</oscal-version>
+    <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="3.0.0-rc1"/>
+  </metadata>
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-2.xml b/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-2.xml
@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <oscal-version>2.0.0</oscal-version>
+    <prop name="fedramp-version" ns="https://fedramp.gov/ns/oscal" value="3.0.0-rc1"/>
+  </metadata>
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-3.xml b/src/validations/constraints/content/ssp-oscal-version-matches-fedramp-version-INVALID-3.xml
@@ -0,0 +1,9 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+    <oscal-version>1.0.4</oscal-version>
+    <!-- prop[@name="fedramp-version"] is missing, so we have to test falling through to default version-->
+  </metadata>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-allowed-values.xml b/src/validations/constraints/fedramp-external-allowed-values.xml
@@ -143,7 +143,7 @@
             <allowed-values id="fedramp-version" target="metadata/prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']/@value" allow-other="no" level="ERROR">
                 <formal-name>FedRAMP Version</formal-name>
                 <description>Identifies the FedRAMP version of the document.</description>
-                <enum value="fedramp-3.0.0rc1-oscal-1.1.2">FedRAMP Version</enum>
+                <enum value="3.0.0-rc1">FedRAMP Version 3.0.0 Release Candidate 1</enum>
             </allowed-values>
 
             <allowed-values id="information-type-800-60-v2r1" target="system-characteristics/system-information/information-type/categorization[@system='https://doi.org/10.6028/NIST.SP.800-60v2r1']/information-type-id" allow-other="no" level="ERROR">

diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -4,6 +4,46 @@
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
 
+    <context>
+    	<metapath target="/(assessment-plan|assessment-results|plan-of-action-and-milestones|system-security-plan)/metadata"/>
+        <constraints>
+            <let var="preferred-version" expression="'3.0.0-rc1'"/>
+            <let var="fedramp-minimum-oscal-versions" expression="map{'3.0.0-rc1': '1.1.2'}"/>
+            <let var="doc-fedramp-version" expression="prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']"/>
+            <let var="fedramp-required-minimum-version" 
+                expression="if (empty($doc-fedramp-version/@value))
+                    then map:get($fedramp-minimum-oscal-versions, $preferred-version)
+                    else map:get($fedramp-minimum-oscal-versions, $doc-fedramp-version/@value)"/>
+            <let var="required-doc-oscal-version-parts" expression="tokenize($fedramp-required-minimum-version, '\.')"/>
+            <let var="doc-oscal-version-parts" expression="tokenize(oscal-version, '\.')"/>
+            <let var="major-version-valid" expression="$doc-oscal-version-parts[1]  = $required-doc-oscal-version-parts[1]">
+                <remarks>
+                    <p>FedRAMP considers every major version as a possible source of backwards-compatible changes. FedRAMP only accepts versions with the same major version, but not newer.</p>
+                </remarks>
+            </let>
+            <let var="minor-version-valid" expression="$doc-oscal-version-parts[2] >= $required-doc-oscal-version-parts[2]"/>
+            <let var="patch-version-valid" expression="$doc-oscal-version-parts[3] >= $required-doc-oscal-version-parts[3]"/>
+            <expect id="fedramp-version" target="." test="prop[@name='fedramp-version'][@ns='https://fedramp.gov/ns/oscal']">
+                <formal-name>Fedramp Version</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/#fedramp-version"/>
+                <message>A FedRAMP document's metadata MUST define a valid FedRAMP version.</message>
+                <remarks>
+                    <p>All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.</p>
+                    <p>FedRAMP maintains an official list of the versions on <a href="https://github.com/GSA/fedramp-automation/releases">the fedramp-automation releases page</a>. Unless noted otherwise, a valid version is <a href="https://github.com/GSA/fedramp-automation/tags">a published tag name</a>.</p>
+                </remarks>
+            </expect>
+            <expect id="marking" target="." test="prop[@name='marking']" level="ERROR">
+                <formal-name>FedRAMP data sensitivity classification identifier.</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/general-concepts/4-expressing-common-fedramp-template-elements-in-oscal/"/>
+            	<message>A FedRAMP document MUST have a marking that defines its data classification.</message>
+            </expect>
+            <expect id="oscal-version-matches-fedramp-version" target="oscal-version" level="ERROR"
+                test="$major-version-valid and $minor-version-valid and $patch-version-valid">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://docs.oasis-open.org/sarif/sarif/v2.1.0"/>                
+                <message>A FedRAMP document SHOULD have an OSCAL version that matches the minimally required version for FedRAMP packages ({$fedramp-required-minimum-version} not {.}).</message>
+            </expect>        
+        </constraints>
+    </context>
     <context>
         <metapath target="//user"/>
         <constraints>

diff --git a/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-FAIL.yaml
@@ -0,0 +1,14 @@
+test-case:
+  name: Positive Test for import-profile-has-available-document
+  description: >-
+    This test case validates the behavior of constraint import-profile-has-available-document.
+    Scenario 1 tests: an invalid match below the minimum required version threshold.
+    Scenario 2 tests: an invalid match above the implied maximum required version threshold, a major version greater than required.
+    Scenario 3 tests: an invalid match because the fedramp-version prop is missing, so a fallthrough default is required.
+  content: 
+    - ../content/ssp-oscal-version-matches-fedramp-version-INVALID-1.xml
+    - ../content/ssp-oscal-version-matches-fedramp-version-INVALID-2.xml
+    - ../content/ssp-oscal-version-matches-fedramp-version-INVALID-3.xml
+  expectations:
+    - constraint-id: oscal-version-matches-fedramp-version
+      result: fail
diff --git a/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml b/src/validations/constraints/unit-tests/oscal-version-matches-fedramp-version-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for oscal-version-matches-fedramp-version
+  description: >-
+    This test case validates the behavior of constraint
+    oscal-version-matches-fedramp-version
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: oscal-version-matches-fedramp-version
+      result: pass