PR for leveraged authorization constraints (issue #898) (#911)

* Add leveraged-authorization-has-component constraint * Update metapath expression for leveraged-authorization constraint * Add constraint leveraged-authorization-has-nature-of-agreement * Add constraint leveraged-authorization-has-information-type * Add constraint leveraged-authorization-has-implementation-point * Add constraint leveraged-authorization-has-authorized-users * Apply suggestions from code review Co-authored-by: Gabeblis <[email protected]> * Update sorting constraints alphabetically * Update refactoring leveraged authorization system component constraints * Add user-friendly error message for index-has-key constraint * Fix miscellaneous minor issues --------- Co-authored-by: Gabeblis <[email protected]>
GSA · Feb 13, 2025 · cc8491b · cc8491b
1 parent c382cd6
commit cc8491b
Show file tree

Hide file tree

Showing 25 changed files with 557 additions and 1 deletion.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -148,8 +148,14 @@ Examples:
   | inventory-item-public |
   | inventory-item-virtual |
   | last-accessed-is-datetime |
+  | leveraged-authorization-component-has-valid-reference |
   | leveraged-authorization-has-authorization-type |
+  | leveraged-authorization-has-authorized-users |
   | leveraged-authorization-has-impact-level |
+  | leveraged-authorization-has-implementation-point |
+  | leveraged-authorization-has-information-type |
+  | leveraged-authorization-has-nature-of-agreement |
+  | leveraged-authorization-has-one-system-component |
   | leveraged-authorization-has-system-identifier |
   | leveraged-authorization-has-valid-impact-level |
   | leveraged-authorization-nature-of-agreement |
@@ -452,10 +458,22 @@ Examples:
   | iventory-item-or-component-has-virtual-PASS.yaml |
   | last-accessed-is-datetime-FAIL.yaml |
   | last-accessed-is-datetime-PASS.yaml |
+  | leveraged-authorization-component-has-valid-reference-FAIL.yaml |
+  | leveraged-authorization-component-has-valid-reference-PASS.yaml |
   | leveraged-authorization-has-authorization-type-FAIL.yaml |
   | leveraged-authorization-has-authorization-type-PASS.yaml |
+  | leveraged-authorization-has-authorized-users-FAIL.yaml |
+  | leveraged-authorization-has-authorized-users-PASS.yaml |
   | leveraged-authorization-has-impact-level-FAIL.yaml |
   | leveraged-authorization-has-impact-level-PASS.yaml |
+  | leveraged-authorization-has-implementation-point-FAIL.yaml |
+  | leveraged-authorization-has-implementation-point-PASS.yaml |
+  | leveraged-authorization-has-information-type-FAIL.yaml |
+  | leveraged-authorization-has-information-type-PASS.yaml |
+  | leveraged-authorization-has-nature-of-agreement-FAIL.yaml |
+  | leveraged-authorization-has-nature-of-agreement-PASS.yaml |
+  | leveraged-authorization-has-one-system-component-FAIL.yaml |
+  | leveraged-authorization-has-one-system-component-PASS.yaml |
   | leveraged-authorization-has-system-identifier-FAIL.yaml |
   | leveraged-authorization-has-system-identifier-PASS.yaml |
   | leveraged-authorization-has-valid-impact-level-FAIL.yaml |

diff --git a/...ons/constraints/content/leveraged-authorization-component-has-valid-reference-INVALID.xml b/...ons/constraints/content/leveraged-authorization-component-has-valid-reference-INVALID.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has more than one associated service components -->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-000000000000" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+    </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...aints/content/ssp-leveraged-authorization-component-has-nature-of-agreement-INVALID-1.xml b/...aints/content/ssp-leveraged-authorization-component-has-nature-of-agreement-INVALID-1.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT with more than one "nature-of-agreement" prop-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <!-- componet missing "nature-of-agreement" prop-->
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="EULA" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="Contract" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...traints/content/ssp-leveraged-authorization-component-has-nature-of-agreement-INVALID.xml b/...traints/content/ssp-leveraged-authorization-component-has-nature-of-agreement-INVALID.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT without "nature-of-agreement" prop-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <!-- componet missing "nature-of-agreement" prop-->
+      <!-- <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="SLA" /> -->
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...constraints/content/ssp-leveraged-authorization-component-has-valid-reference-INVALID.xml b/...constraints/content/ssp-leveraged-authorization-component-has-valid-reference-INVALID.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization component has invalid "leveraged-authorization-uuid" -->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4800000" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+    </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...idations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml b/...idations/constraints/content/ssp-leveraged-authorization-has-authorized-users-INVALID.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT missing "authorized users"-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="eula" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+      <!-- missing responsible-role / role-id to indidate "authorized users" -->
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...ions/constraints/content/ssp-leveraged-authorization-has-implementation-point-INVALID.xml b/...ions/constraints/content/ssp-leveraged-authorization-has-implementation-point-INVALID.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT without "implementation-point" prop-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="SLA" />
+      <!-- componet missing "implementation-point" prop-->
+      <!-- <prop name="implementation-point" value="external" /> -->
+      <status state="operational"/>
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...idations/constraints/content/ssp-leveraged-authorization-has-information-type-INVALID.xml b/...idations/constraints/content/ssp-leveraged-authorization-has-information-type-INVALID.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has associcated service component BUT without "information-type" prop-->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="nature-of-agreement"  ns="http://fedramp.gov/ns/oscal" value="SLA" />
+      <!-- componet missing "information-type" prop-->
+      <!-- <prop name="information-type"  ns="http://fedramp.gov/ns/oscal" value="C.3.5.4" /> -->
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+  </component>
+
+  </system-implementation>
+
+</system-security-plan>
diff --git a/...ns/constraints/content/ssp-leveraged-authorization-has-one-system-component-INVALID-1.xml b/...ns/constraints/content/ssp-leveraged-authorization-has-one-system-component-INVALID-1.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-implementation>
+    <leveraged-authorization uuid="94d678fb-6d33-4eef-a17a-897bb4809487" >
+      <title>Name of Underlying System</title>
+      <!-- FedRAMP Package ID -->
+      <prop name="leveraged-system-identifier" 
+          ns="https://fedramp.gov/ns/oscal" 
+          value="F9999999999" />
+      <prop ns="https://fedramp.gov/ns/oscal" name="authorization-type" 
+            value="fedramp-agency"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="impact-level" value="moderate"/>
+      <link href="//path/to/leveraged_system_legacy_crm.xslt" />
+      <link href="//path/to/leveraged_system_responsibility_and_inheritance.xml" />
+      <party-uuid>11111111-0000-4000-9000-000000000003</party-uuid>
+      <date-authorized>2019-01-01</date-authorized>
+      <remarks>
+        <p>Sample leveraged authorization (e.g., underlying IaaS).</p>
+      </remarks>
+    </leveraged-authorization>
+
+    <!-- Leveraged authorization has more than one associated service components -->
+    <component uuid="7622fb94-ac33-498a-a955-fb3501f02d83" type="system">
+      <title>Name of Leveraged System</title>
+      <description>
+          <p>Briefly describe leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+    </component>
+
+    <component uuid="58350560-dbf7-4f43-9d86-bd0e15555e50" type="system">
+      <title>Duplicated Leveraged System</title>
+      <description>
+          <p>Duplicate leveraged system.</p>
+      </description>
+      <prop name="leveraged-authorization-uuid" 
+            value="94d678fb-6d33-4eef-a17a-897bb4809487" />
+      <prop name="implementation-point" value="external"/>
+      <status state="operational"/>
+    </component>
+
+  </system-implementation>
+
+</system-security-plan>