From 6cf044663e737a689429d7095618c99fd25a5826 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Tue, 10 Sep 2024 00:42:09 +0000
Subject: [PATCH] Added system-characteristi has-security constraints and tests

---
 features/fedramp_extensions.feature           | 15 +++++++++++++
 .../constraints/content/ssp-all-INVALID.xml   | 13 +++++------
 .../fedramp-external-constraints.xml          | 22 +++++++++++++++++++
 .../has-security-impact-level-FAIL.yaml       |  9 ++++++++
 .../has-security-impact-level-PASS.yaml       |  9 ++++++++
 ...-security-objective-availability-FAIL.yaml |  9 ++++++++
 ...-security-objective-availability-PASS.yaml |  9 ++++++++
 ...curity-objective-confidentiality-FAIL.yaml |  9 ++++++++
 ...curity-objective-confidentiality-PASS.yaml |  9 ++++++++
 ...has-security-objective-integrity-FAIL.yaml |  9 ++++++++
 ...has-security-objective-integrity-PASS.yaml |  9 ++++++++
 .../has-security-sensitivity-level-FAIL.yaml  |  9 ++++++++
 .../has-security-sensitivity-level-PASS.yaml  |  9 ++++++++
 13 files changed, 132 insertions(+), 8 deletions(-)
 create mode 100644 src/validations/constraints/unit-tests/has-security-impact-level-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-impact-level-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-availability-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-availability-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-confidentiality-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-confidentiality-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-integrity-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-objective-integrity-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-sensitivity-level-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-security-sensitivity-level-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index ad786a87a..ae708c504 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -29,6 +29,16 @@ Examples:
   | control-implementation-status-PASS.yaml |
   | deployment-mode-FAIL.yaml |
   | deployment-mode-PASS.yaml |
+  | has-security-impact-level-FAIL.yaml |
+  | has-security-impact-level-PASS.yaml |
+  | has-security-objective-availability-FAIL.yaml |
+  | has-security-objective-availability-PASS.yaml |
+  | has-security-objective-confidentiality-FAIL.yaml |
+  | has-security-objective-confidentiality-PASS.yaml |
+  | has-security-objective-integrity-FAIL.yaml |
+  | has-security-objective-integrity-PASS.yaml |
+  | has-security-sensitivity-level-FAIL.yaml |
+  | has-security-sensitivity-level-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
@@ -65,6 +75,11 @@ Examples:
   | component-type |
   | control-implementation-status |
   | deployment-model |
+  | has-security-impact-level |
+  | has-security-objective-availability |
+  | has-security-objective-confidentiality |
+  | has-security-objective-integrity |
+  | has-security-sensitivity-level |
   | information-type-system |
   | interconnection-direction |
   | interconnection-security |
diff --git a/src/validations/constraints/content/ssp-all-INVALID.xml b/src/validations/constraints/content/ssp-all-INVALID.xml
index f02dfc1dd..fad641cb0 100644
--- a/src/validations/constraints/content/ssp-all-INVALID.xml
+++ b/src/validations/constraints/content/ssp-all-INVALID.xml
@@ -59,7 +59,7 @@
     <prop name='cloud-service-model' value='unsupported-model' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='cloud-deployment-model' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
     <prop name='authorization-type' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
-    <security-sensitivity-level>moderate</security-sensitivity-level>
+    <!-- security-sensitivity-level was removed to ensure that test fails correctly. -->
     <system-information>
       <information-type uuid="33333333-0000-4000-9000-000000000003">
         <title>Financial Information</title>
@@ -80,13 +80,10 @@
         </availability-impact>
       </information-type>
     </system-information>
-    
-    <security-impact-level>
-      <security-objective-confidentiality>moderate</security-objective-confidentiality>
-      <security-objective-integrity>moderate</security-objective-integrity>
-      <security-objective-availability>moderate</security-objective-availability>
-    </security-impact-level>
-    
+    <!-- security-impact-level was removed to ensure that test fails correctly. -->
+    <!-- security-objective-confidentiality was removed to ensure that test fails correctly. -->
+    <!-- security-objective-integrity was removed to ensure that test fails correctly. -->
+    <!-- security-objective-availability was removed to ensure that test fails correctly. -->
     <status state="operational"/>
     
     <authorization-boundary>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index f8a7babf9..e7ba18eae 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -19,4 +19,26 @@
              </remarks>
         </constraints>
 </context>
+
+<context>
+    <metapath target="/system-security-plan"/>
+
+    <constraints>
+        <expect id="has-security-sensitivity-level" target="//system-characteristics" test="security-sensitivity-level" level="ERROR">
+            <message>An OSCAL SSP document must specify a FIPS 199 categorization.</message>
+        </expect>
+        <expect id="has-security-impact-level" target="//system-characteristics" test="security-impact-level" level="ERROR">
+            <message>An OSCAL SSP document must specify a security impact level.</message>
+        </expect>
+        <expect id="has-security-objective-confidentiality" target="//system-characteristics"  test="security-impact-level/security-objective-confidentiality" level="ERROR">
+            <message>An OSCAL SSP must specify a confidentiality security objective.</message>
+        </expect>
+        <expect id="has-security-objective-integrity" target="//system-characteristics"  test="security-impact-level/security-objective-integrity" level="ERROR">
+            <message>An OSCAL SSP must specify an integrity security objective.</message>
+        </expect>
+        <expect id="has-security-objective-availability" target="//system-characteristics"  test="security-impact-level/security-objective-availability" level="ERROR">
+            <message>An OSCAL SSP must specify an availability security objective.</message>
+        </expect>
+    </constraints>
+</context>
 </metaschema-meta-constraints>
diff --git a/src/validations/constraints/unit-tests/has-security-impact-level-FAIL.yaml b/src/validations/constraints/unit-tests/has-security-impact-level-FAIL.yaml
new file mode 100644
index 000000000..d4554c2a0
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-impact-level-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-impact-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-security-impact-level-PASS.yaml b/src/validations/constraints/unit-tests/has-security-impact-level-PASS.yaml
new file mode 100644
index 000000000..dd112dba4
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-impact-level-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-impact-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-impact-level
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-security-objective-availability-FAIL.yaml b/src/validations/constraints/unit-tests/has-security-objective-availability-FAIL.yaml
new file mode 100644
index 000000000..3d2cbe5b6
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-availability-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-availability
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-availability
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-availability
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-security-objective-availability-PASS.yaml b/src/validations/constraints/unit-tests/has-security-objective-availability-PASS.yaml
new file mode 100644
index 000000000..44c596ae1
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-availability-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-availability
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-availability
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-availability
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-security-objective-confidentiality-FAIL.yaml b/src/validations/constraints/unit-tests/has-security-objective-confidentiality-FAIL.yaml
new file mode 100644
index 000000000..eece5be1b
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-confidentiality-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-confidentiality
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-confidentiality
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-confidentiality
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-security-objective-confidentiality-PASS.yaml b/src/validations/constraints/unit-tests/has-security-objective-confidentiality-PASS.yaml
new file mode 100644
index 000000000..67bacc8f8
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-confidentiality-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-confidentiality
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-confidentiality
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-confidentiality
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-security-objective-integrity-FAIL.yaml b/src/validations/constraints/unit-tests/has-security-objective-integrity-FAIL.yaml
new file mode 100644
index 000000000..cdbc8be6d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-integrity-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-objective-integrity
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-integrity
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-objective-integrity
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-security-objective-integrity-PASS.yaml b/src/validations/constraints/unit-tests/has-security-objective-integrity-PASS.yaml
new file mode 100644
index 000000000..c509dc75c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-objective-integrity-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-objective-integrity
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-objective-integrity
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-objective-integrity
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-security-sensitivity-level-FAIL.yaml b/src/validations/constraints/unit-tests/has-security-sensitivity-level-FAIL.yaml
new file mode 100644
index 000000000..756fc8bdb
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-sensitivity-level-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-security-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-sensitivity-level
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-security-sensitivity-level-PASS.yaml b/src/validations/constraints/unit-tests/has-security-sensitivity-level-PASS.yaml
new file mode 100644
index 000000000..be4216b92
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-security-sensitivity-level-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-security-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    has-security-sensitivity-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-security-sensitivity-level
+      result: pass