From c6f8e8ffac0a0c59af6674cfd450e5f23f896b0d Mon Sep 17 00:00:00 2001
From: wandmagic <156969148+wandmagic@users.noreply.github.com>
Date: Tue, 3 Dec 2024 13:08:35 -0500
Subject: [PATCH] implementation point constraint (#936)

* implementation point constraint

* add help uri

* improve constraint

* add extra fail content

* Update src/validations/constraints/content/ssp-all-VALID.xml

Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>

* Update fedramp-external-constraints.xml

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* implementation point constraint

* add help uri

* improve constraint

* add extra fail content

* Update src/validations/constraints/content/ssp-all-VALID.xml

Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>

* Update fedramp-external-constraints.xml

Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>

* add needed props to all valid

* rebase

Co-Authored-By: A.J. Stein <aj@gsa.gov>

* Update src/validations/constraints/fedramp-external-constraints.xml

Co-authored-by: A.J. Stein <aj@gsa.gov>

---------

Co-authored-by: DimitriZhurkin <dimitri.zhurkin@noblis.org>
Co-authored-by: Rene Tshiteya <rene-claude.tshiteya@gsa.gov>
Co-authored-by: A.J. Stein <aj@gsa.gov>
---
 features/fedramp_extensions.feature           |  3 ++
 .../constraints/content/ssp-all-VALID.xml     | 29 ++++++++++++++--
 ...ent-has-implementation-point-INVALID-2.xml | 33 +++++++++++++++++++
 ...onent-has-implementation-point-INVALID.xml | 25 ++++++++++++++
 .../fedramp-external-constraints.xml          | 20 ++++++++++-
 ...mponent-has-implementation-point-FAIL.yaml | 13 ++++++++
 ...mponent-has-implementation-point-PASS.yaml |  9 +++++
 .../unique-inventory-item-asset-id-FAIL.yaml  |  2 +-
 8 files changed, 130 insertions(+), 4 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml
 create mode 100644 src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index 0887b0375..29eefbf85 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -113,6 +113,7 @@ Examples:
   | leveraged-authorization-nature-of-agreement |
   | marking |
   | missing-response-components |
+  | network-component-has-implementation-point |
   | party-has-name |
   | privilege-level |
   | prop-response-point-has-cardinality-one |
@@ -333,6 +334,8 @@ Examples:
   | marking-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
+  | network-component-has-implementation-point-FAIL.yaml |
+  | network-component-has-implementation-point-PASS.yaml |
   | party-has-name-FAIL.yaml |
   | party-has-name-PASS.yaml |
   | privilege-level-FAIL.yaml |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 013f591e4..adb0d6c42 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -301,17 +301,40 @@
         <p>This is the primary application server for the system.</p>
       </remarks>
     </component>
-
+    <component uuid="66666666-0000-4000-9000-000000000007" type="service">
+      <title>Firebase CLI Connection</title>
+      <description>
+        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
+        <remarks>
+          <p>Some description of the authentication method.</p>
+        </remarks>
+      </prop>
+      <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
+      <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+      <responsible-role role-id="system-admin">
+        <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+      </responsible-role>
+      <remarks>
+        <p>This connection is used for secure data exchange with external systems.</p>
+      </remarks>
+    </component>
     <component uuid="6ac88fd2-7c7b-4357-af2e-f22ccd3ead26" type="system">
       <title>An External Leveraged System</title>
       <description>
         <p>An external leveraged system.</p>
       </description>
       <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
+      <prop name="implementation-point" value="external"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="sla"/>
       <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
-          <p>Some description of the authentication method.</p>
+          <p>Some description of the external authentication method.</p>
         </remarks>
       </prop>
      <status state="operational"/>
@@ -325,6 +348,7 @@
       <description>
         <p>Secure connection to an external API for data enrichment.</p>
       </description>
+      <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
       <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
@@ -350,6 +374,7 @@
           <p>Briefly describe the external system.</p>
       </description>
       <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="external"/>
       <prop name="direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
       <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml
new file mode 100644
index 000000000..03dc7f5f1
--- /dev/null
+++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID-2.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="service">
+      <title>Firebase CLI Connection</title>
+      <description>
+        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <prop name="implementation-point" value="test"/>      
+      <status state="operational"/>
+    </component>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="software">
+      <title>Firebase CLI Connection</title>
+      <description>
+        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <status state="operational"/>
+    </component>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="software">
+      <title>nvm CLI Connection</title>
+      <description>
+        <p>CLI for updating nvm Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <status state="operational"/>
+    </component>
+</system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml
new file mode 100644
index 000000000..edf5f534c
--- /dev/null
+++ b/src/validations/constraints/content/ssp-network-component-has-implementation-point-INVALID.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="service">
+      <title>Firebase CLI Connection</title>
+      <description>
+        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <status state="operational"/>
+    </component>
+    <component uuid="66666666-0000-4000-9000-000000000006" type="software">
+      <title>Firebase CLI Connection</title>
+      <description>
+        <p>CLI for updating firebase Secure connection to an external API for data enrichment.</p>
+      </description>
+      <prop name="asset-type" value="cli"/>
+      <status state="operational"/>
+    </component>
+  
+</system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 882b2a0c9..956ecbcb7 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -583,5 +583,23 @@
             </expect>
         </constraints>
     </context>
-
+    <context>
+        <metapath target="/system-security-plan/system-implementation"/>
+        <constraints>
+            <is-unique id="unique-inventory-item-asset-id" target="inventory-item/prop[@name='asset-id']">
+                <formal-name>Unique Asset Identifier</formal-name>
+                <description>Ensure each inventory item has a unique asset-id property.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <key-field target="@value"/>
+                <remarks>
+                    <p>A FedRAMP SSP's inventory item MUST have an Asset ID that is unique across all inventory items in the system and its components.</p>
+                </remarks>
+            </is-unique>
+            <expect id="network-component-has-implementation-point" target="component[@type='service' or (@type='software' and ./prop[@name='asset-type' and @value='cli'])]" test="count(./prop[@name='implementation-point']) = 1" level="ERROR">
+                <formal-name>Component Has Implementation Point</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
+                <message>A FedRAMP SSP with service components and CLI software components performing cross-boundary network communication MUST indicate exactly one time if the point of implementation is internal or external to the system.</message>
+            </expect>
+        </constraints>
+    </context>
 </metaschema-meta-constraints>
diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml
new file mode 100644
index 000000000..b14db64a5
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-FAIL.yaml
@@ -0,0 +1,13 @@
+test-case:
+  name: Negative Test for network-component-has-implementation-point
+  description: >-
+    This test case validates the behavior of constraint
+    network-component-has-implementation-point
+  content: 
+    - ../content/ssp-network-component-has-implementation-point-INVALID.xml
+    - ../content/ssp-network-component-has-implementation-point-INVALID-2.xml
+  expectations:
+    - constraint-id: network-component-has-implementation-point
+      fail_count:
+        type: "exact"
+        value: 2
\ No newline at end of file
diff --git a/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml
new file mode 100644
index 000000000..414bd38cf
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-implementation-point-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for network-component-has-implementation-point
+  description: >-
+    This test case validates the behavior of constraint
+    network-component-has-implementation-point
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: network-component-has-implementation-point
+      result: pass
diff --git a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
index 806d1ad70..327c9789a 100644
--- a/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
+++ b/src/validations/constraints/unit-tests/unique-inventory-item-asset-id-FAIL.yaml
@@ -8,4 +8,4 @@ test-case:
     - constraint-id: unique-inventory-item-asset-id
       fail_count:
         type: "exact"
-        value: 1
\ No newline at end of file
+        value: 2
\ No newline at end of file