diff --git a/src/test/java/gov/nist/secauto/oscal/tools/cli/core/CLITest.java b/src/test/java/gov/nist/secauto/oscal/tools/cli/core/CLITest.java index 7b7441f..13f9831 100644 --- a/src/test/java/gov/nist/secauto/oscal/tools/cli/core/CLITest.java +++ b/src/test/java/gov/nist/secauto/oscal/tools/cli/core/CLITest.java @@ -7,6 +7,7 @@ import static org.junit.jupiter.api.Assertions.assertAll; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotEquals; import static org.junit.jupiter.api.Assertions.assertNull; import gov.nist.secauto.metaschema.cli.processor.ExitCode; @@ -35,6 +36,8 @@ import edu.umd.cs.findbugs.annotations.NonNull; class CLITest { + private static final Throwable NO_THROWABLE_RESULT = null; + void evaluateResult(@NonNull ExitStatus status, @NonNull ExitCode expectedCode) { assertAll( () -> assertEquals(expectedCode, status.getExitCode(), "exit code mismatch"), @@ -90,7 +93,7 @@ private static Stream providesValues() throws IOException { Paths.get("src/test/resources/cli/example_" + cmd + "_invalid" + sourceExtension).toString() }, ExitCode.FAIL, - null)); + NO_THROWABLE_RESULT)); values.add( Arguments.of( new String[] { @@ -101,7 +104,7 @@ private static Stream providesValues() throws IOException { Paths.get("src/test/resources/cli/example_" + cmd + "_valid" + sourceExtension).toString() }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); // test general commands values.add( @@ -113,7 +116,7 @@ private static Stream providesValues() throws IOException { Paths.get("src/test/resources/cli/example_" + cmd + "_invalid" + sourceExtension).toString() }, ExitCode.FAIL, - null)); + NO_THROWABLE_RESULT)); values.add( Arguments.of( new String[] { 
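Review bot: `NO_THROWABLE_RESULT` is declared as `Throwable` in the @@ -35 hunk, yet every `providesValues` hunk passes it in the third `Arguments.of` slot, which `testAllSubCommands` (signature cut at the edge of the @@ -243 hunk) forwards as `expectedThrownClass`; if that parameter is a `Class`, the constant's declared type documents the wrong thing. Either give the constant the type of that slot or rename it so the mismatch is not misleading, e.g. `private static final Class<? extends Throwable> NO_EXPECTED_THROWABLE = null;` if the parameter is indeed a class. Where the value is compared directly, as in `assertEquals(NO_THROWABLE_RESULT, thrown)`, the already-imported `assertNull(thrown, "unexpected throwable")` says the same thing without a null-valued constant.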
@@ -123,7 +126,7 @@ private static Stream providesValues() throws IOException { Paths.get("src/test/resources/cli/example_" + cmd + "_valid" + sourceExtension).toString() }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); for (Format targetFormat : formatEntries.get(format)) { Path path = Paths.get("src/test/resources/cli/example_" + cmd + "_valid" + sourceExtension); @@ -139,7 +142,7 @@ private static Stream providesValues() throws IOException { "--overwrite" }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); // test general command values.add( Arguments.of( @@ -151,7 +154,7 @@ private static Stream providesValues() throws IOException { "--overwrite" }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); // test command path-specific command path = Paths.get("src/test/resources/cli/example_" + cmd + "_invalid" + sourceExtension); @@ -166,7 +169,7 @@ private static Stream providesValues() throws IOException { "--overwrite" }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); // test general command values.add( Arguments.of( @@ -178,7 +181,7 @@ private static Stream providesValues() throws IOException { "--overwrite" }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); } if ("profile".equals(cmd)) { // test command path-specific command @@ -191,7 +194,7 @@ private static Stream providesValues() throws IOException { Paths.get("src/test/resources/cli/example_profile_valid" + sourceExtension).toString() }, ExitCode.OK, - null)); + NO_THROWABLE_RESULT)); values.add( Arguments.of( new String[] { 
@@ -243,20 +246,58 @@ void testAllSubCommands(@NonNull String[] commandArgs, @NonNull ExitCode expecte evaluateResult(CLI.runCli(args), expectedExitCode, expectedThrownClass); } } - + @Test void testSystemSecurityPlanQuietlyFailing() { - Throwable NO_THROWABLE_RESULT = null; - String[] args= new String[] { - "convert", - "--to=yaml", - "src/test/resources/cli/quietly_failing_ssp.xml", - "target/oscal-cli-convert/quietly_failing_ssp_converted.json", - "--show-stack-trace" - }; - ExitStatus status = CLI.runCli(args); - Throwable thrown = status.getThrowable(); - assertAll(() -> assertEquals(ExitCode.OK, status.getExitCode()), - ()-> assertEquals(NO_THROWABLE_RESULT, thrown)); + String[] args = { + "convert", + "--to=yaml", + "src/test/resources/cli/quietly_failing_ssp.xml", + "target/oscal-cli-convert/quietly_failing_ssp_converted.json", + "--show-stack-trace", + "--overwrite" + }; + + ExitStatus status = CLI.runCli(args); + Throwable thrown = status.getThrowable(); + assertAll( + () -> assertEquals(ExitCode.OK, status.getExitCode()), + () -> assertEquals(NO_THROWABLE_RESULT, thrown), + () -> assertNotEquals(Files.size(Paths.get("target/oscal-cli-convert/quietly_failing_ssp_converted.json")), 0)); + } + + @Test + void testSystemSecurityPlanQuietlyFailing2() { + String[] args = { + "validate", + "src/test/resources/AwesomeCloudSSP1extrainvalid.xml", + "--show-stack-trace" + }; + + ExitStatus status = CLI.runCli(args); + Throwable thrown = status.getThrowable(); + assertAll( + () -> assertEquals(ExitCode.IO_ERROR, status.getExitCode()), + () -> assertEquals(IOException.class, thrown == null ? 
null : thrown.getClass()), + () -> assertNotEquals(Files.size(Paths.get("target/oscal-cli-convert/quietly_failing_ssp_converted.json")), 0)); + } + + @Test + void testSystemSecurityPlanQuietlyFailing3() { + String[] args = { + "convert", + "--to=json", + "src/test/resources/AwesomeCloudSSP1extrainvalid.xml", + "target/oscal-cli-convert/quietly_failing_ssp_converted2.json", + "--show-stack-trace", + "--overwrite" + }; + + ExitStatus status = CLI.runCli(args); + Throwable thrown = status.getThrowable(); + assertAll( + () -> assertEquals(ExitCode.IO_ERROR, status.getExitCode()), + () -> assertEquals(IOException.class, thrown == null ? null : thrown.getClass()), + () -> assertNotEquals(Files.size(Paths.get("target/oscal-cli-convert/quietly_failing_ssp_converted.json")), 0)); } } diff --git a/src/test/resources/AwesomeCloudSSP1extrainvalid.xml b/src/test/resources/AwesomeCloudSSP1extrainvalid.xml new file mode 100644 index 0000000..53595cd --- /dev/null +++ b/src/test/resources/AwesomeCloudSSP1extrainvalid.xml @@ -0,0 +1,819 @@ + + + + AwesomeCloud SSP + + 2023-05-11T10:57:30-04:00 + 1.0 + 1.0.4 + + + + Information System Owner + ISO + + + Authorizing Official + AO + + + Information System Management Point of Contact + ISMPoC + + + Information System Technical Point of Contact + ISTPoC + + + Information System Other Point of Contact + ISOPoC + + + Information System Security Officer + ISSO + + + Authorizing Official (AO) PoC + AOPoC + + + System Administrator + admin + + + + Jon Doe + + + + Tony Stark + + + + Eliot Dottie + + + + Elinor Des + + + + Kailyn Mya + + + + Dave Smith + + + + Janel Bowie + + + + Brenden Malinda + + + + + ff83daa9-85ce-4191-8110-88e099105270 + + + 1eefb7cd-a86e-4490-bb65-ce83141e6ee6 + + + 9c33da3b-8d05-4737-8513-10e3bcd34a72 + + + 9c33da3b-8d05-4737-8513-10e3bcd34a72 + + + f1a42308-bbfc-4ad4-a990-fc310923fe05 + + + f8290312-3fdc-46e5-953d-01600dcc851d + + + 263f31bd-3e0f-44b3-add9-ff0793edcf13 + + + 8679148a-7fbd-4c52-9e0f-1101a89ed8d6 + + +
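Review bot: The `Files.size` assertion in testSystemSecurityPlanQuietlyFailing2 and testSystemSecurityPlanQuietlyFailing3 reads `target/oscal-cli-convert/quietly_failing_ssp_converted.json`, a file neither test writes — `validate` takes no output path and the third test converts to `quietly_failing_ssp_converted2.json` — so both only pass when testSystemSecurityPlanQuietlyFailing has already run, tying the tests to method execution order. Drop the size check from the validate test, and in the third test point it at its own output, `Paths.get("target/oscal-cli-convert/quietly_failing_ssp_converted2.json")`. In all three tests the arguments are also reversed for `assertNotEquals(unexpected, actual)`, and with a mixed `long`/`int` pair the call resolves to the primitive overload only on JUnit versions that have one; `assertNotEquals(0L, Files.size(...))` fixes both the message and the resolution. Expecting `ExitCode.IO_ERROR` and `IOException` from an input that the resource name describes as invalid is presumably intentional, but a one-line comment explaining why an I/O error rather than a validation failure is the expected outcome would save the next reader from treating it as a mistake.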
+ US +
+ +
+ +
+ US +
+ +
+
+ + + F00000001 + F00000001 + AwesomeCloud + AWC + +

AwesomeCloud hosts a public facing web application that collects surveys from consumers on their favorite condiments. Based on responses to surveys the AwesomeCloud proprietary algorithm assigns a score to each condiment and determines whether a condiment earns the endorsement of Awesome Sauce. The scores are updated dynamically as new surveys are submitted and the scores and Awesome Sauce endorsements are posted to the AwesomeCloud public web page. +

+
+ + + + + + + fips-199-moderate + + + Research and Developemnt + +

Research and Development involves the gathering and analysis of data, dissemination of results, and development of new products, methodologies, and ideas. The sensitivity and criticality of most research and development information depends on the subject matter involved.

+
+ + D.20.1 + + + fips-199-low + fips-199-moderate + + + fips-199-moderate + fips-199-moderate + + + fips-199-low + fips-199-low + +
+
+ + fips-199-moderate + fips-199-moderate + fips-199-low + + + + +

AwesomeCloud Information System Boundary

+
+ + +

AwesomeCloud Boundary Diagram

+
+ + +
+
+ + +

AwesomeCloud network description

+
+ + +

AwesomeCloud Network Diagram

+
+ + +
+
+ + +

AwesomeCloud Dataflow

+
+ + +

AwesomeCloud Dataflow Diagram

+
+ + +
+
+
+ + + Microsoft Azure IaaS + e192a61d-9123-4991-8294-a936a42bfe50 + 2018-01-01 + + + + + + system-owner + + GRC Access (Read Only) + Read only access to system management tools + Read and write access to file services + Read access to GRC tool + + + + + + + authorizing-official + + GRC Access (Read Only) + Read only access to system management tools + Read and write access to file services + Read access to GRC tool + + + + + + + system-poc-management + + GRC Access (Read Only) + Read only access to system management tools + Read and write access to file services + Read access to GRC tool + + + + + + + system-poc-technical + + GRC Access + Read only access to system management tools + Read and write access to file services + Read and write access to GRC tool + + + + + + + system-poc-other + + GRC Access + Read only access to system management tools + Read and write access to file services + Read and write access to GRC tool + + + + + + + information-system-security-officer + + Managerial Access + Read only access to system management tools + Read and write access to file services + Read and write access to GRC tool + + + + + + + authorizing-official-poc + + Managerial Access + Read only access to system management tools + Read and write access to file services + Read access to GRC tool + + + + + + + sys-admin + + Administrative Access + Add/remove users and hardware + Install and configure software + OS updates, patches, and hot fixes + + + + The AwesomeCloud Software as a Service (SaaS) Solution + +

AwesomeCloud hosts a public facing web application that collects surveys from consumers on their favorite condiments.

+
+ + +
+ + +

Microsoft Azure Traffic Manager

+
+ + + + + + + + + + + + +

This is an appliance.

+
+
+ + + +

This is an appliance.

+
+
+ +
+ + +

Citrix NetScaler SDX

+
+ + + + + + + + + + + + +

This is an appliance.

+
+
+ + + +

This is an appliance.

+
+
+ +
+ + +

Citrix NetScaler SDX

+
+ + + + + + + + + + + + +

This is an appliance.

+
+
+ + + +

This is an appliance.

+
+
+ +
+ + +

Microsoft IIS 10 Web Server

+
+ + + + + + + + + + + + + + + + +
+ + +

Microsoft IIS 10 Web Server

+
+ + + + + + + + + + + + + + + + +
+ + +

Apache 2.4 Web Server

+
+ + + + + + + + + + + + + + + + +
+ + +

Citrix NetScaler SDX

+
+ + + + + + + + + + + + +

This is an appliance.

+
+
+ + + +

This is an appliance.

+
+
+ +
+ + +

Application Server hosting Splunk Enterprise Edition 9

+
+ + + + + + + + + + + + + + + + +
+ + +

Microsoft Windows Server 2019 Datacenter File Server

+
+ + + + + + + + + + + + + + + + +
+ + +

RHEL Application Server hosting REST APIs

+
+ + + + + + + + + + + + + + + + +
+ + +

Ubuntu Database Server

+
+ + + + + + + + + + + + + + + + +
+ + +

Ubuntu Database Server

+
+ + + + + + + + + + + + + + + + +
+ + +

Jump box for administrator access to AwesomeCloud network

+
+ + + + + + + + + + + + + + + + +
+ + +

LDAP Active Directory Server

+
+ + + + + + + + + + + + + + + + +
+
+ + +

Security Control Implementations

+
+ + + + + + Access Control policy is disseminated to all personnel with access to the system. The Access Control procedures are disseminated to the System Owner, Information System Security Officer, and all personnel with signifigant security responsibilities. + + + Every three years or when a major change occurs + + + At least annually + + + + + + +

The AwesomeCloud Access Control Policy contain specific sections to address purpose, scope, role, responsibilities, management commitment, coordination among organizational entities, and compliance.

+
+
+
+ + + +

The AwesomeCloud Access Control Policy contains procedures to facilitate the implementation of the required access controls.

+
+
+
+ + + +

The AwesomeCloud Access Control Policy is update at least every three years or when a signifigant change occurs to the system.

+
+
+
+ + + +

The AwesomeCloud Access Control procedures are updated at least every annually or when a signifigant change occurs to the system.

+
+
+
+
+ + + + + + the information contained in the FedRAMP Integrated Inventory Workbook Template + + + at least monthly + +

There is a FedRAMP constraint on this ODP: at least monthly

+
+
+ + + + + +

The AwesomeCloud SaaS Solution

+
+
+
+ + + +

AwesomeCloud maintains the information system inventory to include the data elements outlined in the FedRAMP Integrated Inventory Workbook Template. Information system inventory items are documented within the AwesomeCloud System Security Plan (SSP). Monthly, the AwesomeCloud SSP is exported to OSCAL and submitted to the FedRAMP ConMon Web Service.

+
+
+
+ + + +

The inventory: Accurately reflects the current information system, by documenting all of the mandatory fields contained within the FedRAMP Integrated Inventory Workbook Template

+
+
+
+ + + +

AwesomeCloud ensures that the inventory includes all components within the authorization boundary of the information system by reconciling the inventory with discovery scans performed by the vulnerability management tool (i.e. Tenable Nessus)

+
+
+
+ + + +

AwesomeCloud ensures that the inventory is at the level of granularity deemed necessary for tracking and reporting, by capturing all of the required fields identified in the FedRAMP Integrated Inventory Workbook Template.

+
+
+
+ + + +

Awesome ensure that the inventory contains the fields outlined within the FedRAMP Integrated Inventory Workbook Template.

+
+
+
+ + + +

Monthly, AwesomeCloud performs discovery scans using the vulnerability management tool (i.e. Tenable Nessus) and reconciles the inventory items from the discovery scan with the official inventory maintained within the AwesomeCloud GRC tool. The inventory is updated within the GRC tool to reflect the current state of the AwesomeCloud system.

+
+
+
+ + + +

Monthly, the AwesomeCloud ISSO exports the SSP containing the inventory items to OSCAL and submits it to the FedRAMP using the FedRAMP Web Services API.

+
+
+
+
+
+ + + + Authorization Boundary Diagram + +

AwesomeCloud System Boundary

+
+ +
+ + + Network Architecture Diagram + +

AwesomeCLoud Network Architecture

+
+ +
+ + + Data Flow Diagram + +

AwesomeCloud Dataflow

+
+ +
+ + + Laws and Regulations + + + + + + User Guide + + + + + + Rules of Behavior + + + + + + Contingency Plan + + + + + + Configuration Management Plan + + + + + + Incident Response Plan + + + + + + Separation of Duties Matrix + + + +
+