Add constraint 'component-responsible-role-references-party' and tests

GSA · Nov 27, 2024 · 1a7c908 · 1a7c908
1 parent 80eb99c
commit 1a7c908
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 3 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -35,6 +35,7 @@ Examples:
   | cia-impact-has-selected |
   | cloud-service-model |
   | component-has-authentication-method |
+  | component-responsible-role-references-party |
   | component-type |
   | control-implementation-status |
   | data-center-alternate |
@@ -130,7 +131,6 @@ Examples:
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
   | unique-inventory-item-asset-id |
-  | unique-inventory-item-asset-id |
   | user-authentication |
   | user-has-authorized-privilege |
   | user-has-privilege-level |
@@ -175,6 +175,8 @@ Examples:
   | cloud-service-model-PASS.yaml |
   | component-has-authentication-method-FAIL.yaml |
   | component-has-authentication-method-PASS.yaml |
+  | component-responsible-role-references-party-FAIL.yaml |
+  | component-responsible-role-references-party-PASS.yaml |
   | component-type-FAIL.yaml |
   | component-type-PASS.yaml |
   | control-implementation-status-FAIL.yaml |

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -309,9 +309,16 @@
       </description>
       <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
-      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
      <status state="operational"/>
-     </component>
+       <responsible-role role-id="provider">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+    </component>
 
     <component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
       <title>External API Connection</title>
@@ -342,6 +349,11 @@
       <prop name="asset-type" value="cli"/>
       <prop name="direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
       <status state="operational"/>
     </component>
 

diff --git a/...lidations/constraints/content/ssp-component-responsible-role-references-party-INVALID.xml b/...lidations/constraints/content/ssp-component-responsible-role-references-party-INVALID.xml
@@ -0,0 +1,23 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd" uuid="12345678-1234-4321-8765-123456789012">
+  <metadata>
+  <!-- There are two parties with the same uuid. The count should be 1. -->
+    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
+      <name>Example Organization</name>
+      <short-name>ExOrg</short-name>
+      <link rel="website" href="https://example.com"/>
+    </party>
+    <party uuid="11111111-0000-4000-9000-000000000001" type="organization">
+      <name>Example Organization</name>
+      <short-name>ExOrg</short-name>
+      <link rel="website" href="https://example.com"/>
+    </party>
+  </metadata>
+  <system-implementation>
+    <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
+      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
+      <responsible-role role-id="provider">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+    </component>
+  </system-implementation>
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -76,16 +76,23 @@
     <context>
         <metapath target="/system-security-plan"/>
         <constraints>
+            <let var="all-parties" expression="//party"/>
             <let var="authorization-boundary-link" expression="system-characteristics/authorization-boundary/diagram/link/@href"/>
             <let var="data-flow-link" expression="system-characteristics/data-flow/diagram/link/@href"/>
             <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
+            <let var="provider-role-party-uuid" expression="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]/responsible-role[@role-id='provider']/party-uuid"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
             <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
                 <formal-name>Component Has Authentication Method</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST include at least one authentication method for each leveraged system.</message>
             </expect>
+            <expect id="component-responsible-role-references-party" target="." test="count($all-parties[@uuid = $provider-role-party-uuid]) = 1" level="ERROR">
+                <formal-name>Component Responsible Role References Party</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <message>Each component dealing with leveraged systems, interconnections, or authorized services MUST have a "provider" responsible-role that references exactly one valid party.</message>
+            </expect>
             <expect id="has-authorization-boundary-diagram-link-href-target" target="." test="not(starts-with(system-characteristics/authorization-boundary/diagram/link/@href, '#')) or exists(//resource[@uuid eq substring-after($authorization-boundary-link, '#')])" level="ERROR">
                 <formal-name>Has Authorization Boundary Diagram Link Href Target</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#authorization-boundary"/>

diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-responsible-role-references-party
+  description: >-
+    This test case validates the behavior of constraint
+    component-responsible-role-references-party
+  content: ../content/ssp-component-responsible-role-references-party-INVALID.xml
+  expectations:
+    - constraint-id: component-responsible-role-references-party
+      result: fail
diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-responsible-role-references-party
+  description: >-
+    This test case validates the behavior of constraint
+    component-responsible-role-references-party
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: component-responsible-role-references-party
+      result: pass