From 7312686b6cdfe04a13c76f791a54a8c885c4093c Mon Sep 17 00:00:00 2001
From: Kylie Hunter <kylie.hunter@gsa.gov>
Date: Mon, 25 Nov 2024 16:15:01 -0700
Subject: [PATCH] Add connection-security prop constraint for #931

---
 features/fedramp_extensions.feature           |  3 +++
 .../constraints/content/ssp-all-VALID.xml     |  4 ++-
 ...t-has-connection-security-prop-INVALID.xml | 25 +++++++++++++++++++
 .../fedramp-external-constraints.xml          |  5 ++++
 ...ent-has-connection-security-prop-FAIL.yaml |  9 +++++++
 ...ent-has-connection-security-prop-PASS.yaml |  9 +++++++
 6 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 src/validations/constraints/content/ssp-network-component-has-connection-security-prop-INVALID.xml
 create mode 100644 src/validations/constraints/unit-tests/network-component-has-connection-security-prop-FAIL.yaml
 create mode 100644 src/validations/constraints/unit-tests/network-component-has-connection-security-prop-PASS.yaml

diff --git a/features/fedramp_extensions.feature b/features/fedramp_extensions.feature
index dc9ac4de0..b310e2a0d 100644
--- a/features/fedramp_extensions.feature
+++ b/features/fedramp_extensions.feature
@@ -115,6 +115,7 @@ Examples:
   | leveraged-authorization-nature-of-agreement |
   | marking |
   | missing-response-components |
+  | network-component-has-connection-security-prop |
   | network-component-has-implementation-point |
   | non-provider-responsible-role-references-user |
   | party-has-name |
@@ -337,6 +338,8 @@ Examples:
   | marking-PASS.yaml |
   | missing-response-components-FAIL.yaml |
   | missing-response-components-PASS.yaml |
+  | network-component-has-connection-security-prop-FAIL.yaml |
+  | network-component-has-connection-security-prop-PASS.yaml |
   | network-component-has-implementation-point-FAIL.yaml |
   | network-component-has-implementation-point-PASS.yaml |
   | non-provider-responsible-role-references-user-FAIL.yaml |
diff --git a/src/validations/constraints/content/ssp-all-VALID.xml b/src/validations/constraints/content/ssp-all-VALID.xml
index 5eb5b9b0b..715a29c66 100644
--- a/src/validations/constraints/content/ssp-all-VALID.xml
+++ b/src/validations/constraints/content/ssp-all-VALID.xml
@@ -355,6 +355,7 @@
         <p>Secure connection to an external API for data enrichment.</p>
       </description>
       <prop name="leveraged-authorization-uuid" value="233e0f09-fe5e-47e2-bca3-5f32df75e57a"/>
+      <prop name="connection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="interconnection-direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
       <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
@@ -379,9 +380,10 @@
       <description>
           <p>Briefly describe the external system.</p>
       </description>
+      <prop name="connection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/>
+      <prop name="direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>      
       <prop name="asset-type" value="cli"/>
       <prop name="implementation-point" value="external"/>
-      <prop name="direction" value="in/out" ns="https://fedramp.gov/ns/oscal"/>
       <prop name="nature-of-agreement" ns="https://fedramp.gov/ns/oscal" value="isa"/>
       <prop ns="https://fedramp.gov/ns/oscal" name="authentication-method" value="yes">
         <remarks>
diff --git a/src/validations/constraints/content/ssp-network-component-has-connection-security-prop-INVALID.xml b/src/validations/constraints/content/ssp-network-component-has-connection-security-prop-INVALID.xml
new file mode 100644
index 000000000..1475cf502
--- /dev/null
+++ b/src/validations/constraints/content/ssp-network-component-has-connection-security-prop-INVALID.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                      xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/1.0 https://github.com/usnistgov/OSCAL/releases/download/v1.1.2/oscal_ssp_schema.xsd"
+                      uuid="12345678-1234-4321-8765-123456789012">
+    <system-implementation>
+      <component uuid="69988666-0000-4000-9000-000000100006" type="interconnection">
+        <title>External API Connection</title>
+        <description>
+          <p>Secure connection to an external API for data enrichment.</p>
+        </description>
+        <!--Error: connection-security property not defined for an interconnection component-->
+        <!-- <prop name="connection-security" value="vpn" ns="https://fedramp.gov/ns/oscal"/> -->
+        <prop name="direction" value="incoming" ns="https://fedramp.gov/ns/oscal"/>
+        <status state="operational"/>
+        <responsible-role role-id="system-admin">
+          <party-uuid>11111111-0000-4000-9000-000000000001</party-uuid>
+        </responsible-role>
+        <remarks>
+          <p>This connection is used for secure data exchange with external systems.</p>
+        </remarks>
+      </component>
+    </system-implementation>
+  </system-security-plan>
+                      
\ No newline at end of file
diff --git a/src/validations/constraints/fedramp-external-constraints.xml b/src/validations/constraints/fedramp-external-constraints.xml
index 9de641170..f19bd2bf0 100644
--- a/src/validations/constraints/fedramp-external-constraints.xml
+++ b/src/validations/constraints/fedramp-external-constraints.xml
@@ -538,6 +538,11 @@
                 <formal-name>Leveraged Authorization Has System Identifier</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST define exactly one system identifier for each leveraged authorization entry.</message>
+			</expect>
+            <expect id="network-component-has-connection-security-prop" target="//component[(@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(./prop[@name='connection-security' and @ns='https://fedramp.gov/ns/oscal']) >= 1" level="ERROR">
+				<formal-name>Network Component Has Connection Security Property</formal-name>
+				<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#ports-protocols-and-services"/>
+				<message>All network components in a FedRAMP SSP system implementation MUST define at least one interconnection security property.</message>
             </expect>
             <is-unique id="unique-inventory-item-asset-id" target="inventory-item/prop[@name='asset-id']">
                 <formal-name>Unique Asset Identifier</formal-name>
diff --git a/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-FAIL.yaml b/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-FAIL.yaml
new file mode 100644
index 000000000..bfebea130
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-FAIL.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for network-component-has-connection-security-prop
+  description: >-
+    This test case validates the behavior of constraint
+    network-component-has-connection-security-prop
+  content: ../content/ssp-network-component-has-connection-security-prop-INVALID.xml
+  expectations:
+    - constraint-id: network-component-has-connection-security-prop
+      result: fail
diff --git a/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-PASS.yaml b/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-PASS.yaml
new file mode 100644
index 000000000..b9987997d
--- /dev/null
+++ b/src/validations/constraints/unit-tests/network-component-has-connection-security-prop-PASS.yaml
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for network-component-has-connection-security-prop
+  description: >-
+    This test case validates the behavior of constraint
+    network-component-has-connection-security-prop
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: network-component-has-connection-security-prop
+      result: pass