fix constraint test

features/fedramp_extensions.feature

@@ -323,8 +323,8 @@ Examples:
   | leveraged-authorization-has-system-identifier-PASS.yaml |
   | leveraged-authorization-nature-of-agreement-FAIL.yaml |
   | leveraged-authorization-nature-of-agreement-PASS.yaml |
-  | leveraged-authorization-matches-impact-level-FAIL.yaml |
-  | leveraged-authorization-matches-impact-level-PASS.yaml |
+  | leveraged-authorization-has-valid-impact-level-FAIL.yaml |
+  | leveraged-authorization-has-valid-impact-level-PASS.yaml |
   | marking-FAIL.yaml |
   | marking-PASS.yaml |
   | missing-response-components-FAIL.yaml |

src/validations/constraints/content/ssp-leveraged-authorization-matches-impact-level-INVALID.xml → src/validations/constraints/content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml

@@ -8,7 +8,7 @@
   </system-characteristics>
   <system-implementation>
     <leveraged-authorization uuid="5a9c98ab-8e5e-433d-a7bd-515c07cd1497">
-      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="high"/>
+      <prop ns="http://fedramp.gov/ns/oscal" name="impact-level" value="fips-199-high"/>
     </leveraged-authorization>
   </system-implementation>
 </system-security-plan>

src/validations/constraints/fedramp-external-constraints.xml

@@ -81,12 +81,7 @@
             <let var="network-architecture-link" expression="system-characteristics/network-architecture/diagram/link/@href"/>
             <let var="import-profile-href" expression="import-profile/@href"/>
             <let var="resolved-import-profile-href" expression="if (starts-with($import-profile-href, '#')) then back-matter/resource[@uuid = substring($import-profile-href, 2)]/rlink/@href else $import-profile-href"/>
-            <let var="impact-level" expression=
-                "if (//security-impact-level//* = 'fips-199-high')
-                    then ('high')
-                else if (//security-impact-level//* = 'fips-199-moderate')
-                    then ('moderate')
-                else ('low')"/>
+            <let var="sensitivity-level" expression="system-characteristics/security-sensitivity-level"/>
             <expect id="component-has-authentication-method" target="//component[(@type='system' and ./prop[@name='leveraged-authorization-uuid']) or (@type='service' and not(./prop[@name='leveraged-authorization-uuid']) and ./prop[@name='implementation-point' and @value='external']) or (@type='interconnection') or (@type='service' and ./prop[@name='implementation-point' and @value='internal'] and ./prop[@name='direction']) or (@type='software' and ./prop[@name='asset-type' and @value='cli'] and ./prop[@name='direction'])]" test="count(prop[@ns='https://fedramp.gov/ns/oscal' and @name='authentication-method']) >= 1" level="ERROR">
                 <formal-name>Component Has Authentication Method</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
@@ -120,8 +115,8 @@
                     <p>A FedRAMP SSP MUST use a valid FedRAMP catalog to reference security controls. It MUST NOT reference controls from a non-FedRAMP catalog.</p>
                 </remarks>
             </expect>
-            <expect id="leveraged-authorization-matches-impact-level" target="//leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']/@value" test=". = $impact-level">
-                <formal-name>Leveraged Authorization Has Allowed Impact Level</formal-name>
+            <expect id="leveraged-authorization-has-valid-impact-level" target="//leveraged-authorization/prop[@name='impact-level'][@ns='http://fedramp.gov/ns/oscal']/@value" test=". = $sensitivity-level">
+                <formal-name>Leveraged Authorization Has Valid Impact Level</formal-name>
                 <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#leveraged-fedramp-authorized-services"/>
                 <message>A FedRAMP SSP MUST define the appropriate FIPS-199 impact level (low, moderate, or high) for each leveraged authorization.</message>
             </expect>             

src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-FAIL.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for leveraged-authorization-has-valid-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    leveraged-authorization-matches-impact-level
+  content: ../content/ssp-leveraged-authorization-has-valid-impact-level-INVALID.xml
+  expectations:
+    - constraint-id: leveraged-authorization-has-valid-impact-level
+      result: fail

src/validations/constraints/unit-tests/leveraged-authorization-has-valid-impact-level-PASS.yaml

@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for leveraged-authorization-has-valid-impact-level
+  description: >-
+    This test case validates the behavior of constraint
+    leveraged-authorization-has-valid-impact-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: leveraged-authorization-has-valid-impact-level
+      result: pass