From 1db5f97fdbea3edd47a25e81293f4b1a992765a3 Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Mon, 2 Dec 2024 13:13:17 -0500 Subject: [PATCH 1/5] Constraints/cleanup constraints file (#946) * clean up fedramp-external-constraints.xml * fix * Add message to fully-operational-date-type --- .../fedramp-external-constraints.xml | 134 ++++++++---------- 1 file changed, 59 insertions(+), 75 deletions(-) diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index eebb1b89a..a452a3f5a 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -4,26 +4,6 @@ - - - - - Fedramp Version - - A FedRAMP document's metadata MUST define a valid FedRAMP version. - -

All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.

-

FedRAMP maintains an official list of the versions on the fedramp-automation releases page. Unless noted otherwise, a valid version is a published tag name.

-
-
- - FedRAMP data sensitivity classification identifier. - - A FedRAMP document MUST have a marking that defines its data classification. - -
-
- @@ -270,30 +250,6 @@ - - - - - - Fully Operational Date Is Valid - - A system MUST be fully implemented prior to submitting the SSP to FedRAMP. - - - Fully Operational Date Type - - - - - - Fully Operational Date - - A FedRAMP SSP MUST define the system's fully operational date. - - - @@ -325,6 +281,16 @@ A FedRAMP SSP information type confidentiality, integrity, or availability impact MUST specify the selected impact. + + Fully Operational Date Is Valid + + A system MUST be fully implemented prior to submitting the SSP to FedRAMP. + + + Fully Operational Date Type + + A FedRAMP SSP MUST specify the system's fully operational data as a "full-date" per RFC3339 with the addition of a timezone. + Has Authenticator Assurance Level @@ -433,6 +399,11 @@ A FedRAMP SSP MUST define its NIST SP 800-63 federation assurance level (FAL). + + Fully Operational Date + + A FedRAMP SSP MUST define the system's fully operational date. + Has Identity Assurance Level @@ -520,14 +491,20 @@ - - - - - System Implementation Has Inventory Items - - A FedRAMP SSP system implementation section MUST have at least two inventory items. - + + + + + + Authentication Method Has Remarks + + Each authentication method in a FedRAMP SSP MUST have a remarks field. + + + System Implementation Has Inventory Items + + A FedRAMP SSP system implementation section MUST have at least two inventory items. + Leveraged Authorization Has Authorization Type @@ -543,18 +520,43 @@ A FedRAMP SSP MUST define exactly one system identifier for each leveraged authorization entry. - - + + Unique Asset Identifier + Ensure each inventory item has a unique asset-id property. + + + +

A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.

+
+
+
+
+ + + Fedramp Version + + A FedRAMP document's metadata MUST define a valid FedRAMP version. + +

All documents in a digital authorization package for FedRAMP must specify the version that identifies which FedRAMP policies, guidance, and technical specifications its authors used during the creation and maintenance of the package.

+

FedRAMP maintains an official list of the versions on the fedramp-automation releases page. Unless noted otherwise, a valid version is a published tag name.

+
+
Has Published Date All documents submitted to FedRAMP MUST define a valid publication date. + + FedRAMP data sensitivity classification identifier. + + A FedRAMP document MUST have a marking that defines its data classification. +
-
+ + @@ -565,23 +567,5 @@ - - - - - Authentication Method Has Remarks - - Each authentication method in a FedRAMP SSP MUST have a remarks field. - - - Unique Asset Identifier - Ensure each inventory item has a unique asset-id property. - - - -

A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.

-
-
-
-
- \ No newline at end of file + + From b82c4171316525374e35a0eea0024d42e64aa3ff Mon Sep 17 00:00:00 2001 From: Gabeblis Date: Mon, 2 Dec 2024 14:07:05 -0500 Subject: [PATCH 2/5] Add `leveraged-authorization-has-valid-impact-level` Constraint (#913) * Add leveraged-authorization constraint * rename constraint * fix constraint test * correct constraint test * Change 'http' to 'https' * Add level --- features/fedramp_extensions.feature | 3 + .../constraints/content/ssp-all-VALID.xml | 2 +- ...ization-has-valid-impact-level-INVALID.xml | 10 + ...orization-has-valid-impact-level-VALID.xml | 532 ++++++++++++++++++ .../fedramp-external-constraints.xml | 13 +- ...orization-has-valid-impact-level-FAIL.yaml | 9 + ...orization-has-valid-impact-level-PASS.yaml | 12 + 7 files changed, 579 insertions(+), 2 deletions(-) create mode 100644 src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml create mode 100644 src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml create mode 100644 src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml create mode 100644 src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index a59781806..afa32cbb5 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -108,6 +108,7 @@ Examples: | leveraged-authorization-has-authorization-type | | leveraged-authorization-has-impact-level | | leveraged-authorization-has-system-identifier | + | leveraged-authorization-has-valid-impact-level | | leveraged-authorization-nature-of-agreement | | marking | | missing-response-components | 
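Review bot: the message added for "Fully Operational Date Type" in the @@ -325,6 +281,16 @@ hunk says the SSP must specify the system's "fully operational data"; that should read "fully operational date", since the constraint and its title are about the date value (a "full-date" per RFC3339 with a timezone). In the same file, the title "Fedramp Version" in the @@ -543,18 +520,43 @@ hunk is the only place the program name is not spelled "FedRAMP"; suggest "FedRAMP Version" to match the message beneath it and the other constraint titles.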
@@ -321,6 +322,8 @@ Examples: | leveraged-authorization-has-impact-level-PASS.yaml | | leveraged-authorization-has-system-identifier-FAIL.yaml | | leveraged-authorization-has-system-identifier-PASS.yaml | + | leveraged-authorization-has-valid-impact-level-FAIL.yaml | + | leveraged-authorization-has-valid-impact-level-PASS.yaml | | leveraged-authorization-nature-of-agreement-FAIL.yaml | | leveraged-authorization-nature-of-agreement-PASS.yaml | | marking-FAIL.yaml | diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 521cc3b0a..f4a77d5cd 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -264,7 +264,7 @@ GovCloud - + f0bc13a4-3303-47dd-80d3-380e159c8362 2015-01-01 diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml new file mode 100644 index 000000000..13bf1f266 --- /dev/null +++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml @@ -0,0 +1,10 @@ + + + fips-199-moderate + + + + + + + \ No newline at end of file diff --git a/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml new file mode 100644 index 000000000..f3c9ec506 --- /dev/null +++ b/src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml @@ -0,0 +1,532 @@ + + + + Enhanced Example System Security Plan + 2024-08-01T14:30:00Z + 2024-08-01T14:30:00Z + 1.1 + 1.1.2 + SSP-2024-002 + + + + Authorizing Official + +

Senior official with authority to formally assume responsibility for operating a system at an acceptable level of risk.

+
+
+ + Prepared By + +

This party prepared the SSP.

+
+
+ + Prepared For + +

The organization for which this SSP was prepared. Typically the CSP.

+
+
+ + Document Creator + + + Content Approver + + + System Administrator + + + Asset Owner + + + System Owner + + + Authorizing Official Point of Contact + + + Information System Security Officer (or Equivalent) + + + Information System Management Point of Contact (POC) + +

The highest level manager who is responsible for system operation on behalf of the System Owner.

+
+
+ + Information System Technical Point of Contact + +

The individual or individuals leading the technical operation of the system.

+
+
+ + General Point of Contact (POC) + +

A general point of contact for the system, designated by the system owner.

+
+
+ + + CSP HQ +
+ Suite 0000 + 1234 Some Street + Haven + ME + 00000 + US +
+
+ +
+ US +
+ +
+ +
+ US +
+ +
+ + Person Name 1 + + + name@example.com + 2020000001 + 27b78960-59ef-4619-82b0-ae20b9c709ac + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + Cloud Service Provider (CSP) Name + CSP Acronym/Short Name + + 27b78960-59ef-4619-82b0-ae20b9c709ac + + + Example Organization + ExOrg + + + + Jane Doe + jane.doe@example.com +
+ + + + 3360e343-9860-4bda-9dfc-ff427c3dfab6 + + + 6b286b5d-8f07-4fa7-8847-1dd0d88f73fb + + + 11111111-0000-4000-9000-000000000001 + + + 22222222-0000-4000-9000-000000000002 + + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + 22222222-0000-4000-9000-000000000002 + + + +

This SSP is an example for demonstration purposes.

+
+ + + + + + F00000001 + Enhanced Example System + System's Short Name or Acronym + +

This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.

+
+ + +

Remarks are required if deployment model is "hybrid-cloud" or "other". Optional otherwise.

+
+
+ + +

Remarks are required if service model is "other". Optional otherwise.

+
+
+ + + + + + fips-199-moderate + + + Financial Information + +

Contains sensitive financial data related to organizational operations.

+
+ + C.2.8.12 + + + fips-199-high + fips-199-high + + + + fips-199-moderate + fips-199-low + +

Required if the base and selected values do not match.

+
+
+ + fips-199-high + fips-199-low + +

Required if the base and selected values do not match.

+
+
+
+
+ + fips-199-moderate + fips-199-moderate + fips-199-moderate + + + + +

The authorization boundary includes all components within the main data center and the disaster recovery site.

+
+ + +

A diagram-specific explanation.

+
+ + Authorization Boundary Diagram +
+
+ + +

A holistic, top-level explanation of the network architecture.

+
+ + +

A diagram-specific explanation.

+
+ + Network Diagram +
+
+ + +

A holistic, top-level explanation of the system's data flows.

+
+ + +

A diagram-specific explanation.

+
+ + Data Flow Diagram +
+
+
+ + + + GovCloud + + + + f0bc13a4-3303-47dd-80d3-380e159c8362 + 2020-01-01 + + + System Administrator + + + + system-admin + + Admin +

admin user

+ administration +
+ +
+ + + Primary Application Server + +

Main application server hosting the core system functionality.

+
+ main line + + + 11111111-0000-4000-9000-000000000001 + + +

This is the primary application server for the system.

+
+
+ + + External API Connection + +

Secure connection to an external API for data enrichment.

+
+ + + + + 11111111-0000-4000-9000-000000000001 + + +

This connection is used for secure data exchange with external systems.

+
+
+ + + +

Primary database server

+
+ + + + + + + + 11111111-0000-4000-9000-000000000001 + + + + +
+ + + +

Secondary database server

+
+ + + + + + + + 11111111-0000-4000-9000-000000000001 + + + + +
+ +
+ + + +

Implementation of controls for the Enhanced Example System

+
+ + + + + + + +

Access Control Policy and Procedures (AC-1) is fully implemented in our system.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+ + + + + + + +

Information System Component Inventory (CM-8) is partially implemented.

+
+ + + 11111111-0000-4000-9000-000000000001 + +
+
+
+ + + + Access Control Policy + +

Detailed access control policy document

+
+ + +
+ + User's Guide + +

User's Guide

+
+ + + + +

Table 12-1 Attachments: User's Guide Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Document Title + +

Rules of Behavior

+
+ + + + + 00000000 + +

Table 12-1 Attachments: Rules of Behavior (ROB)

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Document Title + +

Contingency Plan (CP)

+
+ + + + + 00000000 + +

Table 12-1 Attachments: Contingency Plan (CP) Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Document Title + +

Configuration Management (CM) Plan

+
+ + + + + 00000000 + +

Table 12-1 Attachments: Configuration Management (CM) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Document Title + +

Incident Response (IR) Plan

+
+ + + + + 00000000 + +

Table 12-1 Attachments: Incident Response (IR) Plan Attachment

+

May use rlink with a relative path, or embedded as base64.

+
+
+ + Separation of Duties Matrix + +

Separation of Duties Matrix

+
+ + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+ + + + Authorization Boundary + +

Authorization Boundary Diagram

+
+ + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Network Architecture + +

Network Architecture Diagram

+
+ + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+ + + Data Flow + +

Data flow Diagram

+
+ + + + + 00000000 + +

May use rlink with a relative path, or embedded as base64.

+
+
+
+ \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index a452a3f5a..ba6ba7509 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -61,6 +61,12 @@ + Component Has Authentication Method @@ -93,7 +99,12 @@

A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.

-
+ + + Leveraged Authorization Has Valid Impact Level + + A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization. + diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml new file mode 100644 index 000000000..e627b71ee --- /dev/null +++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml @@ -0,0 +1,9 @@ +test-case: + name: Negative Test for leveraged-authorization-has-valid-impact-level + description: >- + This test case validates the behavior of constraint + leveraged-authorization-matches-impact-level + content: ../content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml + expectations: + - constraint-id: leveraged-authorization-has-valid-impact-level + result: fail diff --git a/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml new file mode 100644 index 000000000..4bedfcc9a --- /dev/null +++ b/src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml 
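Review bot: the description in leveraged-authorization-has-valid-impact-level-FAIL.yaml names the constraint "leveraged-authorization-matches-impact-level", which does not match the constraint-id in the same file's expectations (leveraged-authorization-has-valid-impact-level); fix the description so a later rename or grep does not miss this test. Separately, the new message "A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization." never says what makes a level appropriate. If the rule being checked is that the leveraged authorization's impact level must be at or above the SSP's security-sensitivity-level, which is what the two passing scenarios in the PASS test (moderate/moderate and moderate/high) suggest, state that relation in the message so an SSP author can act on the error, and make sure the INVALID fixture exercises the below-level case.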
@@ -0,0 +1,12 @@ +test-case: + name: Positive Test for leveraged-authorization-has-valid-impact-level + description: >- + This test case validates the behavior of constraint leveraged-authorization-has-valid-impact-level. + Scenario 1: Security-sensitivity-level = 'fips-199-moderate' and leveraged-authorization impact-level = 'fips-199-moderate'. + Scenario 2: Security-sensitivity-level = 'fips-199-moderate' and leveraged-authorization impact-level = 'fips-199-high'. + content: + - ../content/ssp-all-VALID.xml + - ../content/ssp-leveraged-authorization-has-valid-impact-level-VALID.xml + expectations: + - constraint-id: leveraged-authorization-has-valid-impact-level + result: pass From a8461fb3a4a40e83c40e0e9b9a60800ab6e39f3e Mon Sep 17 00:00:00 2001 From: "~ . ~" Date: Mon, 2 Dec 2024 11:09:13 -0500 Subject: [PATCH 3/5] pin server + update oscal-js version --- .tool-versions | 3 ++- package-lock.json | 8 ++++---- package.json | 2 +- src/validations/module.mk | 3 ++- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.tool-versions b/.tool-versions index 7e05263d3..c1bdf69c1 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1 +1,2 @@ -oscal-cli 2.4.0 \ No newline at end of file +oscal-cli 2.4.0 +oscal-server v1.0.0-SNAPSHOT-6363f60-20241202160440 \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 698520ddb..60f071366 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,7 +15,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6", + "oscal": "2.0.7", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" 
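Review bot: the new oscal-server pin in .tool-versions has no integrity check behind it. The oscal bump in the same patch is anchored by an integrity hash in package-lock.json, but v1.0.0-SNAPSHOT-6363f60-20241202160440 is a snapshot identified by tag name only, and nothing here records a digest for the artifact that `server update $(OSCAL_SERVER_VERSION)` will fetch, so a snapshot re-published under the same name would go unnoticed; consider recording a checksum next to the tag, or pinning a released version once one exists. Minor: both sides of the .tool-versions hunk still end without a trailing newline ("\ No newline at end of file" on each), so adding one now would avoid the same noisy two-line diff the next time the file grows.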
@@ -2694,9 +2694,9 @@ } }, "node_modules/oscal": { - "version": "2.0.6", - "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.6.tgz", - "integrity": "sha512-+hSDqr7Ddi3qqvAaSN8XRsrrgxrsORfvLVZIpgrTz/AzWum0R+PnCFlxQ9+KMuptxXW9kAcfAwyXmhdIjaZV8g==", + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/oscal/-/oscal-2.0.7.tgz", + "integrity": "sha512-V924hmb+QZDuBJGLH63RZui7yzrpVvSQAq9TvWCt2XacrpXqiYwEst0ZyyWza9wrt4zEXJrhAP3wzz1oj38pHA==", "license": "MIT", "dependencies": { "@terascope/fetch-github-release": "^0.8.10", diff --git a/package.json b/package.json index 91480fb81..c78d588e4 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "inquirer": "^10.1.8", "js-yaml": "^4.1.0", "jsdom": "^25.0.0", - "oscal": "2.0.6", + "oscal": "2.0.7", "ts-node": "^10.9.2", "xml-formatter": "^3.6.3", "xml2js": "^0.6.2" diff --git a/src/validations/module.mk b/src/validations/module.mk index 96c289f4b..679c12500 100644 --- a/src/validations/module.mk +++ b/src/validations/module.mk @@ -1,6 +1,7 @@ # Variables OSCAL_VERSION = $(shell jq -r .dependencies.oscal package.json) OSCAL_CLI_VERSION = $(shell awk '/^oscal-cli/ {print $$2}' .tool-versions) +OSCAL_SERVER_VERSION = $(shell awk '/^oscal-server/ {print $$2}' .tool-versions) OSCAL_CLI = npx oscal@$(OSCAL_VERSION) SRC_DIR = ./src DIST_DIR = ./dist @@ -13,7 +14,7 @@ init-validations: @echo "Installing node modules..." npm install $(OSCAL_CLI) use $(OSCAL_CLI_VERSION) - $(OSCAL_CLI) server update + $(OSCAL_CLI) server update $(OSCAL_SERVER_VERSION) # Style lint .PHONY: lint-style From 137747848b30a24d934da2a66f19bfcc555fa3de Mon Sep 17 00:00:00 2001 
From: Gabeblis Date: Tue, 3 Dec 2024 08:57:37 -0500 Subject: [PATCH 4/5] Add `component-responsible-role-references-party` constraint (#945) * Add constraint 'component-responsible-role-references-party' and tests * correct test * Rename constraint and adjust help-url * Edit message Co-authored-by: A.J. Stein --------- Co-authored-by: A.J. Stein --- features/fedramp_extensions.feature | 3 +++ .../constraints/content/ssp-all-VALID.xml | 11 ++++++++++- ...mponent-has-provider-responsible-role-INVALID.xml | 12 ++++++++++++ .../constraints/fedramp-external-constraints.xml | 5 +++++ ...onent-responsible-role-references-party-FAIL.yaml | 9 +++++++++ ...onent-responsible-role-references-party-PASS.yaml | 9 +++++++++ 6 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml create mode 100644 src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml create mode 100644 src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index afa32cbb5..0887b0375 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -36,6 +36,7 @@ Examples: | cia-impact-has-selected | | cloud-service-model | | component-has-authentication-method | + | component-has-provider-responsible-role | | component-type | | control-implementation-status | | data-center-alternate | @@ -178,6 +179,8 @@ Examples: | cloud-service-model-PASS.yaml | | component-has-authentication-method-FAIL.yaml | | component-has-authentication-method-PASS.yaml | + | component-responsible-role-references-party-FAIL.yaml | + | component-responsible-role-references-party-PASS.yaml | | component-type-FAIL.yaml | | component-type-PASS.yaml | | control-implementation-status-FAIL.yaml | 
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index f4a77d5cd..013f591e4 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -315,7 +315,10 @@ - + + 11111111-0000-4000-9000-000000000001 + + External API Connection @@ -330,6 +333,9 @@ + + 11111111-0000-4000-9000-000000000001 + 11111111-0000-4000-9000-000000000001 @@ -352,6 +358,9 @@ + + 11111111-0000-4000-9000-000000000001 + diff --git a/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml b/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml new file mode 100644 index 000000000..32eef91e2 --- /dev/null +++ b/src/validations/constraints/content/ssp-component-has-provider-responsible-role-INVALID.xml @@ -0,0 +1,12 @@ + + + + + + + 11111111-0000-4000-9000-000000000001 + 11111111-0000-4000-9000-000000000002 + + + + \ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index ba6ba7509..882b2a0c9 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -72,6 +72,11 @@ A FedRAMP SSP MUST include at least one authentication method for each leveraged system. + + Component Has Provider Responsible Role + + A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services identify a "provider" role that references one responsible party. + Has Authorization Boundary Diagram Link Href Target diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml new file mode 100644 index 000000000..6411e2393 --- /dev/null 
+++ b/src/validations/constraints/unit-tests/component-responsible-role-references-party-FAIL.yaml @@ -0,0 +1,9 @@ +test-case: + name: Negative Test for component-has-provider-responsible-role + description: >- + This test case validates the behavior of constraint + component-has-provider-responsible-role + content: ../content/ssp-component-has-provider-responsible-role-INVALID.xml + expectations: + - constraint-id: component-has-provider-responsible-role + result: fail diff --git a/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml b/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml new file mode 100644 index 000000000..40990f9b8 --- /dev/null +++ b/src/validations/constraints/unit-tests/component-responsible-role-references-party-PASS.yaml @@ -0,0 +1,9 @@ +test-case: + name: Positive Test for component-has-provider-responsible-role + description: >- + This test case validates the behavior of constraint + component-has-provider-responsible-role + content: ../content/ssp-all-VALID.xml + expectations: + - constraint-id: component-has-provider-responsible-role + result: pass From c6f8e8ffac0a0c59af6674cfd450e5f23f896b0d Mon Sep 17 00:00:00 2001 
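Review bot: the naming in this patch is split between two identifiers. The constraint title, the fixture (ssp-component-has-provider-responsible-role-INVALID.xml), the feature-table entry, and the name and constraint-id inside both YAML tests all use component-has-provider-responsible-role, while the two test files themselves are named component-responsible-role-references-party-{FAIL,PASS}.yaml and are listed under that name in the feature file's test table. The commit log mentions a rename, so this looks half-applied; rename the YAML files and their feature-table rows to component-has-provider-responsible-role-*.yaml, or the reverse, so the id, fixture, test files and feature tables agree.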
From: wandmagic <156969148+wandmagic@users.noreply.github.com> Date: Tue, 3 Dec 2024 13:08:35 -0500 Subject: [PATCH 5/5] implementation point constraint (#936) * implementation point constraint * add help uri * improve constraint * add extra fail content * Update src/validations/constraints/content/ssp-all-VALID.xml Co-authored-by: DimitriZhurkin * Update fedramp-external-constraints.xml Co-authored-by: Rene Tshiteya * implementation point constraint * add help uri * improve constraint * add extra fail content * Update src/validations/constraints/content/ssp-all-VALID.xml Co-authored-by: DimitriZhurkin * Update fedramp-external-constraints.xml Co-authored-by: Rene Tshiteya * add needed props to all valid * rebase Co-Authored-By: A.J. Stein * Update src/validations/constraints/fedramp-external-constraints.xml Co-authored-by: A.J. Stein --------- Co-authored-by: DimitriZhurkin Co-authored-by: Rene Tshiteya Co-authored-by: A.J. Stein --- features/fedramp_extensions.feature | 3 ++ .../constraints/content/ssp-all-VALID.xml | 29 ++++++++++++++-- ...ent-has-implementation-point-INVALID-2.xml | 33 +++++++++++++++++++ ...onent-has-implementation-point-INVALID.xml | 25 ++++++++++++++ .../fedramp-external-constraints.xml | 20 ++++++++++- ...mponent-has-implementation-point-FAIL.yaml | 13 ++++++++ ...mponent-has-implementation-point-PASS.yaml | 9 +++++ .../unique-inventory-item-asset-id-FAIL.yaml | 2 +- 8 files changed, 130 insertions(+), 4 deletions(-) create mode 100644 src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml create mode 100644 src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml create mode 100644 src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml create mode 100644 src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml 
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature index 0887b0375..29eefbf85 100644 --- a/features/fedramp_extensions.feature +++ b/features/fedramp_extensions.feature @@ -113,6 +113,7 @@ Examples: | leveraged-authorization-nature-of-agreement | | marking | | missing-response-components | + | network-component-has-implementation-point | | party-has-name | | privilege-level | | prop-response-point-has-cardinality-one | @@ -333,6 +334,8 @@ Examples: | marking-PASS.yaml | | missing-response-components-FAIL.yaml | | missing-response-components-PASS.yaml | + | network-component-has-implementation-point-FAIL.yaml | + | network-component-has-implementation-point-PASS.yaml | | party-has-name-FAIL.yaml | | party-has-name-PASS.yaml | | privilege-level-FAIL.yaml | diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml index 013f591e4..adb0d6c42 100644 --- a/src/validations/constraints/content/ssp-all-VALID.xml +++ b/src/validations/constraints/content/ssp-all-VALID.xml @@ -301,17 +301,40 @@

This is the primary application server for the system.

- + + Firebase CLI Connection + +

CLI for updating firebase Secure connection to an external API for data enrichment.

+
+ + +

Some description of the authentication method.

+
+
+ + + + + + + + 11111111-0000-4000-9000-000000000001 + + +

This connection is used for secure data exchange with external systems.

+
+
An External Leveraged System

An external leveraged system.

+ -

Some description of the authentication method.

+

Some description of the external authentication method.

@@ -325,6 +348,7 @@

Secure connection to an external API for data enrichment.

+ @@ -350,6 +374,7 @@

Briefly describe the external system.

+ diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml new file mode 100644 index 000000000..03dc7f5f1 --- /dev/null +++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml @@ -0,0 +1,33 @@ + + + + + Firebase CLI Connection + +

CLI for updating firebase Secure connection to an external API for data enrichment.

+
+ + + +
+ + Firebase CLI Connection + +

CLI for updating firebase Secure connection to an external API for data enrichment.

+
+ + +
+ + nvm CLI Connection + +

CLI for updating nvm Secure connection to an external API for data enrichment.

+
+ + +
+
+
\ No newline at end of file diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml new file mode 100644 index 000000000..edf5f534c --- /dev/null +++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml @@ -0,0 +1,25 @@ + + + + + Firebase CLI Connection + +

CLI for updating firebase Secure connection to an external API for data enrichment.

+
+ + +
+ + Firebase CLI Connection + +

CLI for updating firebase Secure connection to an external API for data enrichment.

+
+ + +
+ +
+
\ No newline at end of file diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml index 882b2a0c9..956ecbcb7 100644 --- a/src/validations/constraints/fedramp-external-constraints.xml +++ b/src/validations/constraints/fedramp-external-constraints.xml @@ -583,5 +583,23 @@
- + + + + + Unique Asset Identifier + Ensure each inventory item has a unique asset-id property. + + + +

A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.

+
+
+ + Component Has Implementation Point + + A FedRAMP SSP with service components and CLI software components performing cross-boundary network communication MUST indicate exactly one time if the point of implementation is internal or external to the system. + +
+
diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml new file mode 100644 index 000000000..b14db64a5 --- /dev/null +++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml @@ -0,0 +1,13 @@ +test-case: + name: Negative Test for network-component-has-implementation-point + description: >- + This test case validates the behavior of constraint + network-component-has-implementation-point + content: + - ../content/ssp-network-component-has-implementation-point-INVALID.xml + - ../content/ssp-network-component-has-implementation-point-INVALID-2.xml + expectations: + - constraint-id: network-component-has-implementation-point + fail_count: + type: "exact" + value: 2 \ No newline at end of file diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml new file mode 100644 index 000000000..414bd38cf --- /dev/null +++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml @@ -0,0 +1,9 @@ +test-case: + name: Positive Test for network-component-has-implementation-point + description: >- + This test case validates the behavior of constraint + network-component-has-implementation-point + content: ../content/ssp-all-VALID.xml + expectations: + - constraint-id: network-component-has-implementation-point + result: pass diff --git a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml index 806d1ad70..327c9789a 100644 --- a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml +++ b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml 
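Review bot: the "Unique Asset Identifier" definition added at the end of fedramp-external-constraints.xml in the @@ -583,5 +583,23 @@ hunk duplicates the block (same title, same "Ensure each inventory item has a unique asset-id property." and "MUST have an Asset ID that is unique across all inventory items" text) that patch 1 of this series already relocated into the @@ -543,18 +520,43 @@ region of the same file. Given the "rebase" entry in the commit log this looks like a rebase artifact; only the Component Has Implementation Point block should be new here. Two smaller points on that block: "MUST indicate exactly one time" reads better as "MUST indicate exactly once", and the fixture text "CLI for updating firebase Secure connection to an external API for data enrichment." (used in ssp-all-VALID.xml and in both INVALID files) is two sentences run together; since ssp-all-VALID.xml is the reference fixture for every PASS test, keep its descriptions clean. In network-component-has-implementation-point-FAIL.yaml a single fail_count of 2 is asserted over two INVALID files; a sentence in the description naming the component in each file that is expected to fail would make that count verifiable when the fixtures change.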
@@ -8,4 +8,4 @@ test-case: - constraint-id: unique-inventory-item-asset-id fail_count: type: "exact" - value: 1 \ No newline at end of file + value: 2 \ No newline at end of file
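Review bot: the expected fail_count for unique-inventory-item-asset-id should not move from 1 to 2 without a corresponding fixture change, and no fixture for that test is touched in this patch (the changed-files list shows only this YAML for it). If the extra failure comes from the second "Unique Asset Identifier" definition this patch adds to fedramp-external-constraints.xml, which would report the same violation once per definition, the fix is to drop the duplicate definition and keep this value at 1 rather than encoding the double report in the test.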