Add constraints for fully operational date (issue #853) (#876)

* Add constraints for fully operational date * Fix constraints and add formal names * Update to align with frr103 Co-authored-by: Gabeblis <[email protected]> * Update to comply with frr112 Co-authored-by: Gabeblis <[email protected]> * Move has-fully-operational-date to appropriate context --------- Co-authored-by: Gabeblis <[email protected]>
GSA · Nov 12, 2024 · 6b10783 · 6b10783
1 parent 821ec62
commit 6b10783
Show file tree

Hide file tree

Showing 13 changed files with 133 additions and 0 deletions.
diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
@@ -53,6 +53,10 @@ Examples:
   | deployment-model-PASS.yaml |
   | fedramp-version-FAIL.yaml |
   | fedramp-version-PASS.yaml |
+  | fully-operational-date-is-valid-FAIL.yaml |
+  | fully-operational-date-is-valid-PASS.yaml |
+  | fully-operational-date-type-FAIL.yaml |
+  | fully-operational-date-type-PASS.yaml |
   | has-authenticator-assurance-level-FAIL.yaml |
   | has-authenticator-assurance-level-PASS.yaml |
   | has-authorization-boundary-diagram-FAIL.yaml |
@@ -97,6 +101,8 @@ Examples:
   | has-data-flow-diagram-uuid-PASS.yaml |
   | has-federation-assurance-level-FAIL.yaml |
   | has-federation-assurance-level-PASS.yaml |
+  | has-fully-operational-date-FAIL.yaml |
+  | has-fully-operational-date-PASS.yaml |
   | has-identity-assurance-level-FAIL.yaml |
   | has-identity-assurance-level-PASS.yaml |
   | has-incident-response-plan-FAIL.yaml |
@@ -227,6 +233,8 @@ Examples:
   | data-center-us |
   | deployment-model |
   | fedramp-version |
+  | fully-operational-date-is-valid |
+  | fully-operational-date-type |
   | has-authenticator-assurance-level |
   | has-authorization-boundary-diagram |
   | has-authorization-boundary-diagram-caption |
@@ -249,6 +257,7 @@ Examples:
   | has-data-flow-diagram-link-rel-allowed-value |
   | has-data-flow-diagram-uuid |
   | has-federation-assurance-level |
+  | has-fully-operational-date |
   | has-identity-assurance-level |
   | has-incident-response-plan |
   | has-information-system-contingency-plan |

diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -132,6 +132,7 @@
     <prop name="identity-assurance-level" value="2"/>
     <prop name="authenticator-assurance-level" value="2"/>
     <prop name="federation-assurance-level" value="2"/>
+    <prop ns="https://fedramp.gov/ns/oscal" name="fully-operational-date" value="2023-01-01+00:00"/>
     <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
     <system-information>
       <information-type  uuid="33333333-0000-4000-9000-000000000003">

diff --git a/src/validations/constraints/content/ssp-fully-operational-date-is-valid-INVALID.xml b/src/validations/constraints/content/ssp-fully-operational-date-is-valid-INVALID.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-characteristics>
+    <prop ns="https://fedramp.gov/ns/oscal" name="fully-operational-date" value="2027-01-01+00:00"/><!-- operational date should not be in future -->
+  </system-characteristics>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-1.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-characteristics>
+    <prop ns="https://fedramp.gov/ns/oscal" name="fully-operational-date" value="2023"/><!-- year only instead of full date -->
+  </system-characteristics>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml b/src/validations/constraints/content/ssp-fully-operational-date-type-INVALID-2.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-characteristics>
+    <prop ns="https://fedramp.gov/ns/oscal" name="fully-operational-date" value="2023-01-01"/><!-- no timezone -->
+  </system-characteristics>
+
+</system-security-plan>
diff --git a/src/validations/constraints/content/ssp-has-fully-operational-date-INVALID.xml b/src/validations/constraints/content/ssp-has-fully-operational-date-INVALID.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+
+  <system-characteristics>
+    <!-- no prop whatsoever -->
+  </system-characteristics>
+
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
@@ -194,6 +194,30 @@
             </expect>
         </constraints>
     </context>
+
+    <context>
+        <metapath target="/system-security-plan/system-characteristics"/>
+        <constraints>
+            <expect id="fully-operational-date-is-valid" target="prop[@ns='https://fedramp.gov/ns/oscal' and @name='fully-operational-date']/@value" test=". &lt;= current-dateTime()" level="ERROR"><!-- TODO - Need metapath current-date() function -->
+                <formal-name>Fully Operational Date Is Valid</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-status"/>
+                <message>A system MUST be fully implemented prior to submitting the SSP to FedRAMP.</message>
+            </expect>
+            <matches id="fully-operational-date-type" target="prop[@ns='https://fedramp.gov/ns/oscal' and @name='fully-operational-date']/@value" datatype="date-with-timezone" level="ERROR">
+                <formal-name>Fully Operational Date Type</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-status"/>
+                <!-- Todo: add custom error message once Metaschma 'match' constraints support 'message' field. -->
+                <!-- 
+                <message>A FedRAMP SSP MUST specify the system's fully operational data as a "full-date" per RFC3339 with the addition of a timezone.</message>
+                -->
+            </matches> 
+            <expect id="has-fully-operational-date" target="." test="exists(prop[@ns='https://fedramp.gov/ns/oscal' and @name='fully-operational-date'])" level="ERROR">
+                <formal-name>Fully Operational Date</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#system-status"/>
+                <message>A FedRAMP SSP MUST define the system's fully operational date.</message>
+            </expect>
+        </constraints>
+    </context>
 
     <context>
         <metapath target="/system-security-plan/system-characteristics"/>

diff --git a/src/validations/constraints/unit-tests/fully-operational-date-is-valid-FAIL.yaml b/src/validations/constraints/unit-tests/fully-operational-date-is-valid-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for fully-operational-date-is-valid
+  description: This test case validates the behavior of constraint fully-operational-date-is-valid
+  content: ../content/ssp-fully-operational-date-is-valid-INVALID.xml
+  expectations:
+    - constraint-id: fully-operational-date-is-valid
+      result: fail
diff --git a/src/validations/constraints/unit-tests/fully-operational-date-is-valid-PASS.yaml b/src/validations/constraints/unit-tests/fully-operational-date-is-valid-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for fully-operational-date-is-valid
+  description: >-
+    This test case validates the behavior of constraint
+    fully-operational-date-is-valid
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: fully-operational-date-is-valid
+      result: pass
diff --git a/src/validations/constraints/unit-tests/fully-operational-date-type-FAIL.yaml b/src/validations/constraints/unit-tests/fully-operational-date-type-FAIL.yaml
@@ -0,0 +1,12 @@
+test-case:
+  name: Negative Test for fully-operational-date-type
+  description: >-
+    This test case validates the behavior of constraint fully-operational-date-type. 
+    Scenario 1 test: just year, not a full date.
+    Scenario 2 test: no timezone.
+  content: 
+    - ../content/ssp-fully-operational-date-type-INVALID-1.xml
+    - ../content/ssp-fully-operational-date-type-INVALID-2.xml
+  expectations:
+    - constraint-id: fully-operational-date-type
+      result: fail
diff --git a/src/validations/constraints/unit-tests/fully-operational-date-type-PASS.yaml b/src/validations/constraints/unit-tests/fully-operational-date-type-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for fully-operational-date-type
+  description: >-
+    This test case validates the behavior of constraint
+    fully-operational-date-type
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: fully-operational-date-type
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-fully-operational-date-FAIL.yaml b/src/validations/constraints/unit-tests/has-fully-operational-date-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-fully-operational-date
+  description: >-
+    This test case validates the behavior of constraint
+    has-fully-operational-date
+  content: ../content/ssp-has-fully-operational-date-INVALID.xml
+  expectations:
+    - constraint-id: has-fully-operational-date
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-fully-operational-date-PASS.yaml b/src/validations/constraints/unit-tests/has-fully-operational-date-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-fully-operational-date
+  description: >-
+    This test case validates the behavior of constraint
+    has-fully-operational-date
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-fully-operational-date
+      result: pass