[DONOTMERGE] Add the interconnection-component-has-remote-protocol constraint

[DimitriZhurkin]

Committer Notes

This constraint tests the following scenario:
An interconnection component has at least one remote IPv4 Address, IPv6 Address, URI, or FQDN.

IMPORTANT: This constraint is blocked until OSCAL adds the following props:

1. fqdn
2. uri

Related issues:

1. #930
2. #2092

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you set "Allow edits and access to secrets by maintainers"?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Have you added an explanation of what your changes do and why you'd like us to include them?
• If applicable, have all FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.?
• If applicable, does this PR reference the issue it addresses and explain how it addresses the issue?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

[Gabeblis]

This needs a rebase @DimitriZhurkin

[Gabeblis]

After looking at #930 (comment) on issue #930, it looks like we're not looking for FDQN. I suggest you make these edits to align with his comments.

[Gabeblis]

NON-BLOCKING: This is just to make the invalid test content a little more clear as to what is being tested.

Suggested change

	<component uuid="11111111-2222-4000-8000-009000200002" type="interconnection">
	<title>Authorized Connection Information System Name</title>
	<description>
	<p>Describe the purpose of the external system/service; specifically, provide reasons for connectivity (e.g., system monitoring, system alerting, download updates, etc.)</p>
	</description>
	<prop name="nature-of-agreement" value="contract" ns="http://fedramp.gov/ns/oscal"/>
	<prop name="authentication-method" value="yes" ns="http://fedramp.gov/ns/oscal">
	<remarks>
	<p>If 'yes', describe the authentication method in the remarks.</p>
	<p>If 'no', explain why no authentication is used in the remarks.</p>
	<p>If 'not-applicable', attest explain why authentication is not applicable in the remarks.</p>
	</remarks>
	</prop>
	<prop name="information-type" class="incoming" value="C.3.5.1" ns="http://fedramp.gov/ns/oscal"/>
	<prop name="information-type" class="incoming" value="C.3.5.8" ns="http://fedramp.gov/ns/oscal"/>
	<prop name="ipv4-address" class="local" value="10.1.1.1"/>
	<prop name="ipv6-address" class="local" value="::ffff:10.1.1.1"/>
	<!--prop name="ipv4-address" class="remote" value="10.2.2.2"/>
	<prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/>
	<prop name="fqdn" class="remote" value="www.example.com" ns="http://fedramp.gov/ns/oscal"/>
	<prop name="uri" class="remote" value="https://sample.com#content" ns="http://fedramp.gov/ns/oscal"/>
	<prop name="connection-security" value="tls-1.3" ns="http://fedramp.gov/ns/oscal"/>
	<link rel="uri" href="https://www.example.com#content"/-->
	<status state="operational"/>
	<responsible-role role-id="provider">
	<party-uuid>44444444-2222-4000-8000-004000000001</party-uuid>
	</responsible-role>
	<responsible-role role-id="isa-poc-remote">
	<party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
	</responsible-role>
	<responsible-role role-id="isa-poc-local">
	<party-uuid>11111111-2222-4000-8000-004000000008</party-uuid>
	</responsible-role>
	<responsible-role role-id="administrator">
	<prop name="privilege-uuid" value="11111111-2222-4000-8000-008000000004" ns="http://fedramp.gov/ns/oscal"/>
	<party-uuid>11111111-2222-4000-8000-004000000010</party-uuid>
	<party-uuid>11111111-2222-4000-8000-004000000011</party-uuid>
	<party-uuid>11111111-2222-4000-8000-004000000012</party-uuid>
	</responsible-role>
	</component>
	<component uuid="11111111-2222-4000-8000-009000200002" type="interconnection">
	<!-- Missing at least one remote ipv4-address, ipv6-address, or URI. -->
	<!--prop name="ipv4-address" class="remote" value="10.2.2.2"/>-->
	<!--<prop name="ipv6-address" class="remote" value="::ffff:10.2.2.2"/>-->
	<!--<link rel="uri" href="https://www.example.com#content"/-->
	</component>

[Gabeblis]

Suggested change

	<expect id="interconnection-component-has-remote-protocol" target="component[@type='interconnection']" test="count(prop[@class='remote' and @name=('ipv4-address','ipv6-address','fqdn','uri')] | link[@rel='uri']) &gt;= 1" level="ERROR">
	<formal-name>Interconnection Component Has Remote Protocols</formal-name>
	<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
	<message>In a FedRAMP SSP, an interconnection component MUST have at least one remote IPv4 Address, IPv6 Address, URI, or FQDN.</message>
	</expect>
	<expect id="interconnection-component-has-remote-protocol" target="component[@type='interconnection']" test="count(prop[@class='remote' and @name=('ipv4-address','ipv6-address')] | link[@rel='uri']) &gt;= 1" level="ERROR">
	<formal-name>Interconnection Component Has Remote Protocols</formal-name>
	<prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/5-attachments/"/>
	<message>In a FedRAMP SSP, an interconnection component MUST have at least one remote IPv4 Address, IPv6 Address, or URI.</message>
	</expect>

[Gabeblis]

Suggested change

	description: Test that the FedRAMP SSP interconnection component does not have remote IPv4 Address, IPv6 Address, URI, or FQDN.
	description: Test that the FedRAMP SSP interconnection component does not have remote IPv4 Address, IPv6 Address, or URI.

[Gabeblis]

Suggested change

	description: Test that the FedRAMP SSP interconnection component has at least one remote IPv4 Address, IPv6 Address, URI, or FQDN.
	description: Test that the FedRAMP SSP interconnection component has at least one remote IPv4 Address, IPv6 Address, or URI.