From ddd3a02de288417595c0524566e848a4b40d288e Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Wed, 11 Sep 2024 10:03:11 -0400
Subject: [PATCH] Add back-matter 'has' constraints (#654)

* Added back-matter 'has' constraints

* Set levels to 'ERROR'
---
 features/fedramp_extensions.feature           | 18 ++++
 .../constraints/content/ssp-all-VALID.xml     | 89 ++++++++++++++++++-
 .../fedramp-external-constraints.xml          | 18 ++++
 ...as-configuration-management-plan-FAIL.yaml |  9 ++
 ...as-configuration-management-plan-PASS.yaml |  9 ++
 .../has-incident-response-plan-FAIL.yaml      |  9 ++
 .../has-incident-response-plan-PASS.yaml      |  9 ++
 ...ormation-system-contingency-plan-FAIL.yaml |  9 ++
 ...ormation-system-contingency-plan-PASS.yaml |  9 ++
 .../has-rules-of-behavior-FAIL.yaml           |  7 ++
 .../has-rules-of-behavior-PASS.yaml           |  7 ++
 .../has-separation-of-duties-matrix-FAIL.yaml |  9 ++
 .../has-separation-of-duties-matrix-PASS.yaml |  9 ++
 .../unit-tests/has-user-guide-FAIL.yaml       |  7 ++
 .../unit-tests/has-user-guide-PASS.yaml       |  7 ++
 15 files changed, 224 insertions(+), 1 deletion(-)
 create mode 100644 src/validations/constraints/unit-tests/has-configuration-management-plan-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-configuration-management-plan-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-incident-response-plan-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-incident-response-plan-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-information-system-contingency-plan-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-information-system-contingency-plan-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-rules-of-behavior-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-rules-of-behavior-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-separation-of-duties-matrix-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-separation-of-duties-matrix-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-user-guide-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/has-user-guide-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index cae0d0fc8..a297fc489 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -39,6 +39,18 @@ Examples:
   | data-center-us-PASS.yaml |
   | deployment-mode-FAIL.yaml |
   | deployment-mode-PASS.yaml |
+  | has-configuration-management-plan-FAIL.yaml |
+  | has-configuration-management-plan-PASS.yaml |
+  | has-incident-response-plan-FAIL.yaml |
+  | has-incident-response-plan-PASS.yaml |
+  | has-information-system-contingency-plan-FAIL.yaml |
+  | has-information-system-contingency-plan-PASS.yaml |
+  | has-rules-of-behavior-FAIL.yaml |
+  | has-rules-of-behavior-PASS.yaml |
+  | has-separation-of-duties-matrix-FAIL.yaml |
+  | has-separation-of-duties-matrix-PASS.yaml |
+  | has-user-guide-FAIL.yaml |
+  | has-user-guide-PASS.yaml |
   | information-type-system-FAIL.yaml |
   | information-type-system-PASS.yaml |
   | interconnection-direction-FAIL.yaml |
@@ -84,6 +96,12 @@ Examples:
   | data-center-country-code |
   | data-center-primary |
   | deployment-model |
+  | has-configuration-management-plan |
+  | has-incident-response-plan |
+  | has-information-system-contingency-plan |
+  | has-rules-of-behavior |
+  | has-separation-of-duties-matrix |
+  | has-user-guide |
   | information-type-system |
   | interconnection-direction |
   | interconnection-security |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index feee85913..4bbcee219 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -205,5 +205,92 @@
       <prop name="type" value="policy" ns="https://fedramp.gov/ns/oscal"/>
       <rlink href="https://example.com/policies/access-control.pdf"/>
     </resource>
+    <resource uuid="90a128ac-c850-48f6-8fff-a55692f80b41">
+      <title>User's Guide</title>
+      <description>
+         <p>User's Guide</p>
+      </description>
+      <prop name="type" value="users-guide"/>
+      <prop name="published" value="2023-01-01T00:00:00Z"/>
+      <rlink href="./documents/guides/sample_guide.pdf"/>
+      <remarks>
+         <p>Table 12-1 Attachments: User's Guide Attachment</p>
+         <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+      </remarks>
+   </resource>
+   <resource uuid="489112e1-57f2-4c29-8dd0-95b1442fbf3b">
+    <title>Document Title</title>
+    <description>
+       <p>Rules of Behavior</p>
+    </description>
+    <prop name="type" value="rules-of-behavior"/>
+    <prop name="published" value="2023-01-01T00:00:00Z"/>
+    <prop name="version" value="Document Version"/>
+    <rlink href="./documents/rob.docx" media-type="application/msword"/>
+    <base64 filename="rob.docx" media-type="application/msword">00000000</base64>
+    <remarks>
+       <p>Table 12-1 Attachments: Rules of Behavior (ROB)</p>
+       <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+    </remarks>
+ </resource>
+ <resource uuid="c7860916-f2f4-43aa-b578-d48cf8e6d381">
+  <title>Document Title</title>
+  <description>
+     <p>Contingency Plan (CP)</p>
+  </description>
+  <prop name="type" value="plan" class="information-system-contingency-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/cp.docx" media-type="application/msword"/>
+  <base64 filename="cp.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Contingency Plan (CP) Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="ab56cf27-0dae-40d6-89b7-d750137309af">
+  <title>Document Title</title>
+  <description>
+     <p>Configuration Management (CM) Plan</p>
+  </description>
+  <prop name="type" value="plan" class="configuration-management-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/CM_Plan.docx" media-type="application/msword"/>
+  <base64 filename="CM_Plan.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Configuration Management (CM) Plan Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="3f771ab5-8016-4571-98d1-f0fb962e15e2">
+  <title>Document Title</title>
+  <description>
+     <p>Incident Response (IR) Plan</p>
+  </description>
+  <prop name="type" value="plan" class="incident-response-plan"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/IR_Plan.docx" media-type="application/msword"/>
+  <base64 filename="IR_Plan.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>Table 12-1 Attachments: Incident Response (IR) Plan Attachment</p>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
+<resource uuid="49fb4631-1da2-41ca-b0b3-e1b1006d4025">
+  <title>Separation of Duties Matrix</title>
+  <description>
+     <p>Separation of Duties Matrix</p>
+  </description>
+  <prop ns="https://fedramp.gov/ns/oscal" name="type" value="separation-of-duties-matrix"/>
+  <prop name="published" value="2023-01-01T00:00:00Z"/>
+  <prop name="version" value="Document Version"/>
+  <rlink href="./documents/Sep_Matrix.docx" media-type="application/msword"/>
+  <base64 filename="Sep_Matrix.docx" media-type="application/msword">00000000</base64>
+  <remarks>
+     <p>May use <code>rlink</code> with a relative path, or embedded as <code>base64</code>.</p>
+  </remarks>
+</resource>
   </back-matter>
-</system-security-plan>
\ No newline at end of file
+</system-security-plan>
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 34b7faa2b..484f6f85a 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -40,6 +40,24 @@
         <expect id="resource-has-base64-or-rlink" target="back-matter/resource" test="count(./rlink) >= 1 or count(./base64) >= 1" level="WARNING">
             <message>Every supporting artifact found in a citation must have at least one base64 or rlink element.</message>
         </expect>
+        <expect id="has-user-guide" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'users-guide']]" level="ERROR">
+            <message>A FedRAMP SSP must have a User Guide attached.</message>
+        </expect>
+        <expect id="has-rules-of-behavior" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'rules-of-behavior']]" level="ERROR">
+            <message>A FedRAMP SSP must have Rules of Behavior.</message>
+        </expect>
+        <expect id="has-information-system-contingency-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'information-system-contingency-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Contingency Plan attached.</message>
+        </expect>
+        <expect id="has-configuration-management-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'configuration-management-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Configuration Management Plan attached.</message>
+        </expect>
+        <expect id="has-incident-response-plan" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'plan' and @class eq 'incident-response-plan']]" level="ERROR">
+            <message>A FedRAMP SSP must have an Incident Response Plan attached.</message>
+        </expect>
+        <expect id="has-separation-of-duties-matrix" target="back-matter" test="resource[prop[@name eq 'type' and @value eq 'separation-of-duties-matrix']]" level="ERROR">
+            <message>A FedRAMP SSP must have a Separation of Duties Matrix attached.</message>
+        </expect>
     </constraints>
 </context>
 <context>
diff --git a/src/validations/constraints/unit-tests/has-configuration-management-plan-FAIL.yaml b/src/validations/constraints/unit-tests/has-configuration-management-plan-FAIL.yaml
new file mode 100644
index 000000000..8690c51cf
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-configuration-management-plan-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-configuration-management-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-configuration-management-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-configuration-management-plan
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-configuration-management-plan-PASS.yaml b/src/validations/constraints/unit-tests/has-configuration-management-plan-PASS.yaml
new file mode 100644
index 000000000..e0549b2de
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-configuration-management-plan-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-configuration-management-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-configuration-management-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-configuration-management-plan
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-incident-response-plan-FAIL.yaml b/src/validations/constraints/unit-tests/has-incident-response-plan-FAIL.yaml
new file mode 100644
index 000000000..00571bd54
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-incident-response-plan-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-incident-response-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-incident-response-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-incident-response-plan
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-incident-response-plan-PASS.yaml b/src/validations/constraints/unit-tests/has-incident-response-plan-PASS.yaml
new file mode 100644
index 000000000..5fc613770
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-incident-response-plan-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-incident-response-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-incident-response-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-incident-response-plan
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-information-system-contingency-plan-FAIL.yaml b/src/validations/constraints/unit-tests/has-information-system-contingency-plan-FAIL.yaml
new file mode 100644
index 000000000..12829e89d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-information-system-contingency-plan-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-information-system-contingency-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-information-system-contingency-plan
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-information-system-contingency-plan
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-information-system-contingency-plan-PASS.yaml b/src/validations/constraints/unit-tests/has-information-system-contingency-plan-PASS.yaml
new file mode 100644
index 000000000..66b92ccff
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-information-system-contingency-plan-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-information-system-contingency-plan
+  description: >-
+    This test case validates the behavior of constraint
+    has-information-system-contingency-plan
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-information-system-contingency-plan
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-rules-of-behavior-FAIL.yaml b/src/validations/constraints/unit-tests/has-rules-of-behavior-FAIL.yaml
new file mode 100644
index 000000000..a8fb5cd39
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-rules-of-behavior-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-rules-of-behavior
+  description: This test case validates the behavior of constraint has-rules-of-behavior
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-rules-of-behavior
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-rules-of-behavior-PASS.yaml b/src/validations/constraints/unit-tests/has-rules-of-behavior-PASS.yaml
new file mode 100644
index 000000000..674cd2e58
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-rules-of-behavior-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-rules-of-behavior
+  description: This test case validates the behavior of constraint has-rules-of-behavior
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-rules-of-behavior
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-FAIL.yaml b/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-FAIL.yaml
new file mode 100644
index 000000000..f08c71f1c
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for has-separation-of-duties-matrix
+  description: >-
+    This test case validates the behavior of constraint
+    has-separation-of-duties-matrix
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-separation-of-duties-matrix
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-PASS.yaml b/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-PASS.yaml
new file mode 100644
index 000000000..25bd5240b
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-separation-of-duties-matrix-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for has-separation-of-duties-matrix
+  description: >-
+    This test case validates the behavior of constraint
+    has-separation-of-duties-matrix
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-separation-of-duties-matrix
+      result: pass
diff --git a/src/validations/constraints/unit-tests/has-user-guide-FAIL.yaml b/src/validations/constraints/unit-tests/has-user-guide-FAIL.yaml
new file mode 100644
index 000000000..bbe09e5ce
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-user-guide-FAIL.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for has-user-guide
+  description: This test case validates the behavior of constraint has-user-guide
+  content: ../content/ssp-all-INVALID.xml
+  expectations:
+    - constraint-id: has-user-guide
+      result: fail
diff --git a/src/validations/constraints/unit-tests/has-user-guide-PASS.yaml b/src/validations/constraints/unit-tests/has-user-guide-PASS.yaml
new file mode 100644
index 000000000..ab5e22bc1
--- /dev/null
+++ b/src/validations/constraints/unit-tests/has-user-guide-PASS.yaml
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for has-user-guide
+  description: This test case validates the behavior of constraint has-user-guide
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: has-user-guide
+      result: pass