Skip to content

Commit

Permalink
Fix conflicting negative test case content
Browse files Browse the repository at this point in the history
  • Loading branch information
@Rene2mt
Rene2mt committed Sep 19, 2024
1 parent 9a9b8fd commit 4829962
Show file tree
Hide file tree
Showing 3 changed files with 273 additions and 25 deletions.
24 changes: 0 additions & 24 deletions src/validations/constraints/content/ssp-all-INVALID.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,24 +23,6 @@
<role id="asset-owner">
<title>Asset Owner</title>
</role>
<role id="system-owner">
<title>Information System Owner</title>
<description>
<p>The individual within the CSP who is ultimately accountable for everything related to this system.</p>
</description>
</role>
<role id="authorizing-official">
<title>Authorizing Official</title>
<description>
<p>The individual or individuals who must grant this system an authorization to operate.</p>
</description>
</role>
<role id="authorizing-official-poc">
<title>Authorizing Official's Point of Contact</title>
<description>
<p>The individual representing the authorizing official.</p>
</description>
</role>
<role id="system-poc-management">
<title>Information System Management Point of Contact (POC)</title>
<description>
Expand All @@ -58,12 +40,6 @@
<description>
<p>A general point of contact for the system, designated by the system owner.</p>
</description>
</role>
<role id="information-system-security-officer">
<title>System Information System Security Officer (or Equivalent)</title>
<description>
<p>The individual accountable for the security posture of the system on behalf of the system owner.</p>
</description>
</role>
<location uuid="11111112-0000-4000-9001-000000000009">
<address >
Expand Down
272 changes: 272 additions & 0 deletions src/validations/constraints/content/ssp-responsible-party-is-person-INVALID.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,272 @@
<?xml version="1.0" encoding="UTF-8"?>
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
uuid="12345678-1234-4321-8765-123456789012">
<metadata>
<title>Enhanced Example System Security Plan</title>
<published>2024-08-01T14:30:00Z</published>
<last-modified>2024-08-01T14:30:00Z</last-modified>
<version>1.1</version>
<oscal-version>1.0.0</oscal-version>
<document-id scheme="https://example.com/identifiers">SSP-2024-002</document-id>

<role id="creator">
<title>Document Creator</title>
</role>
<role id="content-approver">
<title>Content Approver</title>
</role>
<role id="system-admin">
<title>System Administrator</title>
</role>
<role id="asset-owner">
<title>Asset Owner</title>
</role>
<role id="system-owner">
<title>Information System Owner</title>
<description>
<p>The individual within the CSP who is ultimately accountable for everything related to this system.</p>
</description>
</role>
<role id="authorizing-official">
<title>Authorizing Official</title>
<description>
<p>The individual or individuals who must grant this system an authorization to operate.</p>
</description>
</role>
<role id="authorizing-official-poc">
<title>Authorizing Official's Point of Contact</title>
<description>
<p>The individual representing the authorizing official.</p>
</description>
</role>
<role id="system-poc-management">
<title>Information System Management Point of Contact (POC)</title>
<description>
<p>The highest level manager who responsible for system operation on behalf of the System Owner.</p>
</description>
</role>
<role id="system-poc-technical">
<title>Information System Technical Point of Contact</title>
<description>
<p>The individual or individuals leading the technical operation of the system.</p>
</description>
</role>
<role id="system-poc-other">
<title>General Point of Contact (POC)</title>
<description>
<p>A general point of contact for the system, designated by the system owner.</p>
</description>
</role>
<role id="information-system-security-officer">
<title>System Information System Security Officer (or Equivalent)</title>
<description>
<p>The individual accountable for the security posture of the system on behalf of the system owner.</p>
</description>
</role>
<location uuid="11111112-0000-4000-9001-000000000009">
<address >
<country>WRONG</country>
</address>
<prop name='data-center' value='dc-zone-1' class='tertiary' ns="https://fedramp.gov/ns/oscal"/>
</location>
<party uuid="11111111-0000-4000-9000-000000000001" type="organization">
<name>Example Organization</name>
<short-name>ExOrg</short-name>
<link rel="website" href="https://example.com"/>
<address type="unsupported-type" />
</party>
<party uuid="22222222-0000-4000-9000-000000000002" type="person">
<name>Jane Doe</name>
<email-address>[email protected]</email-address>
<address type="unsupported-type" />
</party>

<responsible-party role-id="creator">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="content-approver">
<party-uuid>22222222-0000-4000-9000-000000000002</party-uuid>
</responsible-party>

<responsible-party role-id="system-owner">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="authorizing-official">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="authorizing-official-poc">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="system-poc-management">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="system-poc-technical">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="system-poc-other">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<responsible-party role-id="information-system-security-officer">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>

<remarks>
<p>This SSP is an example for demonstration purposes.</p>
</remarks>
</metadata>

<import-profile href="https://raw.githubusercontent.com/GSA/fedramp-automation/master/dist/content/rev5/baselines/xml/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.xml"/>

<system-characteristics>
<system-id identifier-type="https://fedramp.gov">F00000001</system-id>
<system-name>Enhanced Example System</system-name>
<description>
<p>This is an enhanced example system for demonstration purposes, incorporating more FedRAMP-specific elements.</p>
</description>
<prop name='cloud-service-model' value='unsupported-model' ns="https://fedramp.gov/ns/oscal"/>
<prop name='cloud-deployment-model' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
<prop name='authorization-type' value='unsupported-value' ns="https://fedramp.gov/ns/oscal"/>
<security-sensitivity-level>moderate</security-sensitivity-level>
<system-information>
<information-type uuid="33333333-0000-4000-9000-000000000003">
<title>Financial Information</title>
<description>
<p>Contains sensitive financial data related to organizational operations.</p>
</description>
<categorization system="https://unsupported-system.com">
<!-- Removed information-type-id to ensure that categorization-has-information-type-id fails correctly. -->
</categorization>
<confidentiality-impact>
<base>high</base>
</confidentiality-impact>
<integrity-impact>
<base>moderate</base>
</integrity-impact>
<availability-impact>
<base>low</base>
</availability-impact>
</information-type>
</system-information>

<security-impact-level>
<security-objective-confidentiality>moderate</security-objective-confidentiality>
<security-objective-integrity>moderate</security-objective-integrity>
<security-objective-availability>moderate</security-objective-availability>
</security-impact-level>

<status state="operational"/>

<authorization-boundary>
<description>
<p>The authorization boundary includes all components within the main data center and the disaster recovery site.</p>
</description>
</authorization-boundary>
</system-characteristics>

<system-implementation>
<user uuid="44444444-0000-4000-9000-000000000004">
<title>System Administrator</title>
<prop name="type" value="unsupported-type"/>
<prop name="privilege-level" value="unsupported-access-type"/>
<role-id>system-admin</role-id>
</user>

<component uuid="55555555-0000-4000-9000-000000000005" type="unsupported-component-type">
<title>Primary Application Server</title>
<description>
<p>Main application server hosting the core system functionality.</p>
</description>
<purpose>main line</purpose>
<status state="operational"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
<remarks>
<p>This is the primary application server for the system.</p>
</remarks>
</component>

<component uuid="66666666-0000-4000-9000-000000000006" type="interconnection">
<title>External API Connection</title>
<description>
<p>Secure connection to an external API for data enrichment.</p>
</description>
<prop name="interconnection-direction" value="unsupported-direction" ns="https://fedramp.gov/ns/oscal"/>
<prop name="interconnection-security" value="unsupported-security" ns="https://fedramp.gov/ns/oscal"/>
<status state="operational"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
<remarks>
<p>This connection is used for secure data exchange with external systems.</p>
</remarks>
</component>

<inventory-item uuid="77777777-0000-4000-9000-000000000007">
<description>
<p>Primary database server</p>
</description>
<prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
<prop name="asset-type" value="database"/>
<prop name="allows-authenticated-scan" value="unsupported-scan"/>
<prop name="public" value="unsupported-public"/>
<prop name="virtual" value="unsupported-virtual"/>
<prop name="scan-type" value="unsupported-scan-type" ns="https://fedramp.gov/ns/oscal"/>
<responsible-party role-id="asset-owner">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-party>
<implemented-component component-uuid="55555555-0000-4000-9000-000000000005">
<prop name="asset-id" value="DB-001" ns="http://csrc.nist.gov/ns/oscal"/>
</implemented-component>
</inventory-item>
</system-implementation>

<control-implementation>
<description>
<p>Implementation of controls for the Enhanced Example System</p>
</description>
<implemented-requirement uuid="88888888-0000-4000-9000-000000000008" control-id="ac-1">
<prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
<prop name="implementation-status" value="unsupported-status" ns="https://fedramp.gov/ns/oscal"/>
<statement statement-id="ac-1_stmt.a" uuid="99999999-0000-4000-9000-000000000009">
</statement>
<by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="aaaaaaaa-0000-4000-9000-00000000000a">
<description>
<p>Access Control Policy and Procedures (AC-1) is fully implemented in our system.</p>
</description>
<prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="unsupported-status"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</by-component>
</implemented-requirement>

<implemented-requirement uuid="bbbbbbbb-0000-4000-9000-00000000000b" control-id="cm-8">
<prop name="control-origination" value="unsupported-origination" ns="https://fedramp.gov/ns/oscal"/>
<statement statement-id="cm-8_stmt.a" uuid="cccccccc-0000-4000-9000-00000000000c">
</statement>
<by-component component-uuid="55555555-0000-4000-9000-000000000005" uuid="dddddddd-0000-4000-9000-00000000000d">
<description>
<p>Information System Component Inventory (CM-8) is partially implemented.</p>
</description>
<prop ns="https://fedramp.gov/ns/oscal" name="implementation-status" value="unsupported-status"/>
<responsible-role role-id="system-admin">
<party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
</responsible-role>
</by-component>
</implemented-requirement>
</control-implementation>

<back-matter>
<resource uuid="eeeeeeee-0000-4000-9000-00000000000e">
<!-- There is no <title/> to purposefully to trigger an error for negative testing. -->
<description>
<p>Detailed access control policy document</p>
</description>
<prop name="type" value="unsupported-type" ns="https://fedramp.gov/ns/oscal"/>
<!-- There is no <rlink/> to purposefully to trigger an error for negative testing. -->
</resource>
</back-matter>
</system-security-plan>
2 changes: 1 addition & 1 deletion src/validations/constraints/unit-tests/responsible-party-is-person-FAIL.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
test-case:
name: Negative Test for responsible-party-is-person
description: This test case validates the behavior of constraint responsible-party-is-person
content: ssp-all-INVALID.xml
content: ssp-responsible-party-is-person-INVALID.xml
expectations:
- constraint-id: responsible-party-is-person
result: fail

0 comments on commit 4829962

Please sign in to comment.