From 156f428913cacbadfa36ce6bd8e49a5ac39cd0c5 Mon Sep 17 00:00:00 2001
From: Gabeblis <gabriel.rodriguez@gsa.gov>
Date: Wed, 15 Jan 2025 14:20:29 +0000
Subject: [PATCH] Add issue-1032 constraints and tests

---
 features/fedramp_extensions.feature              |  6 ++++++
 .../ssp/xml/fedramp-ssp-example.oscal.xml        | 13 +++++++++++--
 ...-component-has-authenticated-scan-INVALID.xml |  8 ++++++++
 ...ntory-item-has-authenticated-scan-INVALID.xml | 12 ++++++++++++
 .../constraints/fedramp-external-constraints.xml | 16 +++++++++++++++-
 .../component-has-authenticated-scan-FAIL.yaml   |  9 +++++++++
 .../component-has-authenticated-scan-PASS.yaml   |  9 +++++++++
 ...ventory-item-has-authenticated-scan-FAIL.yaml |  9 +++++++++
 ...ventory-item-has-authenticated-scan-PASS.yaml |  9 +++++++++
 9 files changed, 88 insertions(+), 3 deletions(-)
 create mode 100644 src/validations/constraints/content/ssp-component-has-authenticated-scan-INVALID.xml
 create mode 100644 src/validations/constraints/content/ssp-inventory-item-has-authenticated-scan-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authenticated-scan-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/component-has-authenticated-scan-PASS.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index a0622b610..abeffc8e9 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -37,6 +37,7 @@ Examples:
   | cia-impact-has-adjustment-justification |
   | cia-impact-has-selected |
   | cloud-service-model |
+  | component-has-authenticated-scan |
   | component-has-authentication-method |
   | component-has-diagram-label |
   | component-has-non-provider-responsible-role |
@@ -126,6 +127,7 @@ Examples:
   | inventory-item-allows-authenticated-scan |
   | inventory-item-and-component-has-public |
   | inventory-item-has-asset-type |
+  | inventory-item-has-authenticated-scan |
   | inventory-item-has-diagram-label |
   | inventory-item-has-function |
   | inventory-item-has-is-scanned |
@@ -219,6 +221,8 @@ Examples:
   | cia-impact-has-selected-PASS.yaml |
   | cloud-service-model-FAIL.yaml |
   | cloud-service-model-PASS.yaml |
+  | component-has-authenticated-scan-FAIL.yaml |
+  | component-has-authenticated-scan-PASS.yaml |
   | component-has-authentication-method-FAIL.yaml |
   | component-has-authentication-method-PASS.yaml |
   | component-has-diagram-label-FAIL.yaml |
@@ -397,6 +401,8 @@ Examples:
   | inventory-item-and-component-has-public-PASS.yaml |
   | inventory-item-has-asset-type-FAIL.yaml |
   | inventory-item-has-asset-type-PASS.yaml |
+  | inventory-item-has-authenticated-scan-FAIL.yaml |
+  | inventory-item-has-authenticated-scan-PASS.yaml |
   | inventory-item-has-diagram-label-FAIL.yaml |
   | inventory-item-has-diagram-label-PASS.yaml |
   | inventory-item-has-function-FAIL.yaml |
diff --git a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
index aa1e61687..ebfed4fef 100644
--- a/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+++ b/src/content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
@@ -1528,6 +1528,7 @@ leveraged-authorization assembly:</p>
       </description>
       <prop name='diagram-label' ns='http://fedramp.gov/ns/oscal' value='label'/>
       <prop name="implementation-point" value="internal"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop name="public" value="no"/>
       <prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="provider" value="self"/>
@@ -1661,6 +1662,7 @@ property.</p>
         <p>Describe the service and what it is used for.</p>
       </description>
       <prop name="implementation-point" value="internal"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop name="public" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <status state="operational"/>
@@ -2433,6 +2435,7 @@ approved.</p>
       <!-- Todo: check why schematron validation is indicating that this is not a valid ipv4 value -->
       <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a03:0303"/>
       <prop name="is-scanned" value="yes"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
 
@@ -2455,6 +2458,7 @@ approved.</p>
       <prop name="ipv4-address" value="10.4.4.4"/>
       <prop name="ipv6-address" value="0000:0000:0000:0000:0000:ffff:0a04:0404"/>
       <prop name="is-scanned" value="yes"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="other">
         <remarks><p>a different kind of scan</p></remarks>
@@ -2473,6 +2477,7 @@ approved.</p>
       <prop name="virtual" value="no"/>
       <prop name="public" value="yes"/>
       <prop name="is-scanned" value="yes"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
  
@@ -2500,6 +2505,7 @@ approved.</p>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop name="function" value="Required brief, text-based description.">
         <remarks>
           <p>Required, longer, formatted description.</p>
@@ -2521,6 +2527,7 @@ approved.</p>
       <prop name="virtual" value="no"/>
       <prop name="public" value="no"/>
       <prop name="is-scanned" value="yes"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name="function" value="Required brief, text-based description.">
@@ -2547,6 +2554,7 @@ approved.</p>
           <p>Asset wasn't running at time of scan.</p>
         </remarks>
       </prop>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop name="function" value="Required brief, text-based description.">
         <remarks>
           <p>Optional, longer, formatted description.</p>
@@ -2567,6 +2575,7 @@ approved.</p>
       <prop name="virtual" value="yes"/>
       <prop name="public" value="no"/>
       <prop name="is-scanned" value="yes"/>
+      <prop name="allows-authenticated-scan" value="yes"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="vendor-name" value="Vendor"/>
       <prop ns="http://fedramp.gov/ns/oscal" name="scan-type" value="infrastructure"/>
       <prop name='function' value='virtual'><remarks><p>virtual function</p></remarks></prop>
@@ -2643,7 +2652,7 @@ SSP authors must add implmentations for all required controls.
           </description>
           <link href="#11111111-2222-4000-8000-001000000005" rel="policy"/>
           <link href="#11111111-2222-4000-8000-001000000023" rel="procedure"/>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
@@ -2658,7 +2667,7 @@ SSP authors must add implmentations for all required controls.
             <p>Component approach. This links to a component representing the Identity Management and Access Control Policy.</p>
             <p>That component contains a link to the policy, so it does not have to be linked here too.</p>
           </description>
-          <implementation-status state="operational"/>
+          <implementation-status state="implemented"/>
                     <responsible-role role-id="system-admin">
                         <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
                     </responsible-role>
diff --git a/src/validations/constraints/content/ssp-component-has-authenticated-scan-INVALID.xml b/src/validations/constraints/content/ssp-component-has-authenticated-scan-INVALID.xml
new file mode 100644
index 000000000..d831bef9c
--- /dev/null
+++ b/src/validations/constraints/content/ssp-component-has-authenticated-scan-INVALID.xml
@@ -0,0 +1,8 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component uuid="11111111-2222-4000-8000-009000500004" type="service">
+      <!-- <prop name="allows-authenticated-scan" value="yes"/> Missing allows-authenticated-scan prop. -->
+      <prop name="implementation-point" value="internal"/>
+    </component>
+  </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/content/ssp-inventory-item-has-authenticated-scan-INVALID.xml b/src/validations/constraints/content/ssp-inventory-item-has-authenticated-scan-INVALID.xml
new file mode 100644
index 000000000..8f5a1b05c
--- /dev/null
+++ b/src/validations/constraints/content/ssp-inventory-item-has-authenticated-scan-INVALID.xml
@@ -0,0 +1,12 @@
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="11111111-2222-4000-8000-000000000000">
+  <system-implementation>
+    <component type="service" uuid="11111111-2222-4000-8000-009000000007">
+      <!-- <prop name="allows-authenticated-scan" value="yes"/> Missing allows-authenticated-scan prop. -->
+    </component>
+    <inventory-item uuid="11111111-2222-4000-8000-011000000001">
+      <!-- <prop name="allows-authenticated-scan" value="yes"/> Missing allows-authenticated-scan prop. -->
+      <implemented-component component-uuid="11111111-2222-4000-8000-009000000007">
+      </implemented-component>
+    </inventory-item>
+  </system-implementation>
+</system-security-plan>
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 3b5cb2d20..e8ca0398e 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -671,10 +671,19 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
                 <message>A FedRAMP SSP's component MUST reference the existing component(s) that use it via network communication. However, component "{../@uuid}" references a nonexistent component "{@href}".</message>
             </expect>
-
         </constraints>
     </context>
 
+    <context>
+        <metapath target="/system-security-plan/system-implementation/component"/>
+        <constraints>
+            <expect id="component-has-authenticated-scan" target=".[@type='service' and prop[@name='implementation-point' and @value='internal']]" test="count(prop[@name='allows-authenticated-scan']) = 1" level="ERROR">
+                <formal-name>Component Has Authenticated Scan</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each internal service component MUST state whether it allows authenticated scans.</message>
+            </expect>
+        </constraints>
+    </context>
 
     <context>
         <metapath target="/system-security-plan/system-implementation/inventory-item"/>
@@ -699,6 +708,11 @@
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
                 <message>In a FedRAMP SSP, each inventory item MUST define the asset type either in the inventory item itself or within the linked component.</message>
             </expect>
+            <expect id="inventory-item-has-authenticated-scan" target="." test="count(prop[@name='allows-authenticated-scan']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='allows-authenticated-scan']) = 1" level="ERROR">
+                <formal-name>Inventory Item Has Authenticated Scan</formal-name>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
+                <message>In a FedRAMP SSP, each inventory item MUST state whether it allows authenticated scans in the inventory item itself or within the linked component.</message>
+            </expect>
             <expect id="inventory-item-has-diagram-label" target="." test="count(prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1 or count(../component[@uuid=$component-uuid]/prop[@name='diagram-label' and @ns='http://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
                 <formal-name>Inventory Item Has Diagram Label</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/#system-inventory-approach"/>
diff --git a/src/validations/constraints/unit-tests/component-has-authenticated-scan-FAIL.yaml b/src/validations/constraints/unit-tests/component-has-authenticated-scan-FAIL.yaml
new file mode 100644
index 000000000..9640ee3c6
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authenticated-scan-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for component-has-authenticated-scan
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authenticated-scan
+  content: ../content/ssp-component-has-authenticated-scan-INVALID.xml
+  expectations:
+    - constraint-id: component-has-authenticated-scan
+      result: fail
diff --git a/src/validations/constraints/unit-tests/component-has-authenticated-scan-PASS.yaml b/src/validations/constraints/unit-tests/component-has-authenticated-scan-PASS.yaml
new file mode 100644
index 000000000..489f96149
--- /dev/null
+++ b/src/validations/constraints/unit-tests/component-has-authenticated-scan-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for component-has-authenticated-scan
+  description: >-
+    This test case validates the behavior of constraint
+    component-has-authenticated-scan
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: component-has-authenticated-scan
+      result: pass
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-FAIL.yaml b/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-FAIL.yaml
new file mode 100644
index 000000000..218802efc
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for inventory-item-has-authenticated-scan
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-authenticated-scan
+  content: ../content/ssp-inventory-item-has-authenticated-scan-INVALID.xml
+  expectations:
+    - constraint-id: inventory-item-has-authenticated-scan
+      result: fail
diff --git a/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-PASS.yaml b/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-PASS.yaml
new file mode 100644
index 000000000..13a912a94
--- /dev/null
+++ b/src/validations/constraints/unit-tests/inventory-item-has-authenticated-scan-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for inventory-item-has-authenticated-scan
+  description: >-
+    This test case validates the behavior of constraint
+    inventory-item-has-authenticated-scan
+  content: ../../../content/rev5/examples/ssp/xml/fedramp-ssp-example.oscal.xml
+  expectations:
+    - constraint-id: inventory-item-has-authenticated-scan
+      result: pass