with-parent-controls for import only for #1662

aj-stein-nist · aj-stein-nist · commit a268d1c85572 · 2023-03-28T11:42:46.000-04:00
Add it for insert-controls, but not exclusion or merge, based upon team
review and analysis of current profile resolution specification.
diff --git a/src/metaschema/oscal_profile_metaschema.xml b/src/metaschema/oscal_profile_metaschema.xml
@@ -89,13 +89,28 @@
                               </remarks>
                         </assembly>
                   </choice>
-                  <assembly ref="select-control-by-id" max-occurs="unbounded">
-                        <use-name>exclude-controls</use-name>
-                        <group-as name="exclude-controls" in-json="ARRAY"/>
+                  <define-assembly name="exclude-controls">
+                        <formal-name>Select Control</formal-name>
+                        <description>Select a control or controls from an imported control set.</description>
+                        <flag ref="with-child-controls"/>
+                        <model>
+                              <define-field name="with-id" as-type="token" max-occurs="unbounded">
+                                    <formal-name>Match Controls by Identifier</formal-name>
+                                    <description>Selecting a control by its ID given as a literal.</description>
+                                    <group-as name="with-ids" in-json="ARRAY"/>
+                              </define-field>
+                              <define-assembly name="matching" max-occurs="unbounded">
+                                    <formal-name>Match Controls by Pattern</formal-name>
+                                    <description>Selecting a set of controls by matching their IDs with a
+                                          wildcard pattern.</description>
+                                    <group-as name="matching" in-json="ARRAY"/>
+                                    <flag ref="pattern"/>
+                              </define-assembly>
+                        </model>
                         <remarks>
-                              <p>Identifies which controls to exclude, or eliminate, from the set of included controls by control identifier or match pattern.</p>
+                              <p>If <code>with-child-controls</code> is <q>yes</q> on the call to a control, no sibling <code>call</code>elements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.</p>
                         </remarks>
-                  </assembly>
+                  </define-assembly>
             </model>
             <remarks>
                   <p>The contents of the <code>import</code> element indicate which controls from the source will be included. Controls from the source catalog or profile may be either selected, using the <code>include-all</code> or <code>include-controls</code> directives, or de-selected (using an <code>exclude-controls</code> directive).</p>
@@ -148,7 +163,8 @@
                                     <assembly ref="group" max-occurs="unbounded">
                                           <group-as name="groups" in-json="ARRAY"/>
                                     </assembly>
-                                    <assembly ref="insert-controls" max-occurs="unbounded">
+                                    <assembly ref="insert-controls-for-merge-custom" max-occurs="unbounded">
+                                          <use-name>insert-controls</use-name>
                                           <group-as name="insert-controls" in-json="ARRAY"/>
                                     </assembly>
                               </model>
@@ -439,23 +455,61 @@
                   <p>If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.</p>
             </remarks>
       </define-assembly>
+      <define-assembly name="insert-controls-for-merge-custom">
+            <formal-name>Select Controls</formal-name>
+            <description>Specifies which controls to use in the containing context.</description>
+            <define-flag as-type="token" name="order">
+                  <formal-name>Order</formal-name>
+                  <description>A designation of how a selection of controls in a profile is to be ordered.</description>
+                  <constraint>
+                        <allowed-values>
+                              <enum value="keep"/>
+                              <enum value="ascending"/>
+                              <enum value="descending"/>
+                        </allowed-values>
+                  </constraint>
+            </define-flag>
+            <model>
+                  <choice>
+                        <assembly ref="include-all" min-occurs="1"/>
+                        <assembly ref="merge-control-by-id" min-occurs="1" max-occurs="unbounded">
+                              <use-name>include-controls</use-name>
+                              <group-as name="include-controls" in-json="ARRAY"/>
+                        </assembly>
+                  </choice>
+                  <assembly ref="merge-control-by-id" max-occurs="unbounded">
+                        <use-name>exclude-controls</use-name>
+                        <group-as name="exclude-controls" in-json="ARRAY"/>
+                        <remarks>
+                              <p>Identifies which controls to exclude, or eliminate, from the set of matching includes.</p>
+                        </remarks>
+                  </assembly>
+            </model>
+            <remarks>
+                  <p>To be schema-valid, this element must contain either (but not both) a single <code>include-all</code> directive, or a sequence of <code>include-controls</code> directives.</p>
+                  <p>If this directive is not provided, then no controls are to be inserted; i.e., all controls are included explicitly.</p>
+            </remarks>
+      </define-assembly>
       <define-assembly name="select-control-by-id" scope="local">
             <formal-name>Select Control</formal-name>
             <description>Select a control or controls from an imported control set.</description>
             <flag ref="with-child-controls"/>
+            <flag ref="with-parent-controls"/>
             <model>
-                  <define-field name="with-id" as-type="token" max-occurs="unbounded">
-                        <formal-name>Match Controls by Identifier</formal-name>
-                        <description>Selecting a control by its ID given as a literal.</description>
-                        <group-as name="with-ids" in-json="ARRAY"/>
-                  </define-field>
-                  <define-assembly name="matching" max-occurs="unbounded">
-                        <formal-name>Match Controls by Pattern</formal-name>
-                        <description>Selecting a set of controls by matching their IDs with a
-                              wildcard pattern.</description>
-                        <group-as name="matching" in-json="ARRAY"/>
-                        <flag ref="pattern"/>
-                  </define-assembly>
+                  <field ref="with-id"/>
+                  <assembly ref="matching"/>
+            </model>
+            <remarks>
+                  <p>If <code>with-child-controls</code> is <q>yes</q> on the call to a control, no sibling <code>call</code>elements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.</p>
+            </remarks>
+      </define-assembly>
+      <define-assembly name="merge-control-by-id" scope="local">
+            <formal-name>Merge Control</formal-name>
+            <description>Merge a control or controls from an imported control set.</description>
+            <flag ref="with-child-controls"/>
+            <model>
+                  <field ref="with-id"/>
+                  <assembly ref="matching"/>
             </model>
             <remarks>
                   <p>If <code>with-child-controls</code> is <q>yes</q> on the call to a control, no sibling <code>call</code>elements need to be used to call any controls appearing within it. Since generally, this is how control enhancements are represented (as controls within controls), this provides a way to include controls with all their dependent controls (enhancements) without having to call them individually.</p>
@@ -475,4 +529,26 @@
             <formal-name>Pattern</formal-name>
             <description>A <a href="https://en.wikipedia.org/wiki/Glob_(programming)">glob expression</a> matching the IDs of one or more controls to be selected.</description>
       </define-flag>
+      <define-flag as-type="token" name="with-parent-controls">
+            <formal-name>Include Parent Controls with Control</formal-name>
+            <description>When a control is included, whether its lineage of parent (ancestor) controls are also included.</description>
+            <constraint>
+                  <allowed-values>
+                        <enum value="yes">Include parent controls with an included control.</enum>
+                        <enum value="no">When importing a control, only include parent controls that are also explicitly called.</enum>
+                  </allowed-values>
+            </constraint>
+      </define-flag>
+      <define-field name="with-id" as-type="token" max-occurs="unbounded">
+            <formal-name>Match Controls by Identifier</formal-name>
+            <description>Selecting a control by its ID given as a literal.</description>
+            <group-as name="with-ids" in-json="ARRAY"/>
+      </define-field>
+      <define-assembly name="matching" max-occurs="unbounded">
+            <formal-name>Match Controls by Pattern</formal-name>
+            <description>Selecting a set of controls by matching their IDs with a
+                  wildcard pattern.</description>
+            <group-as name="matching" in-json="ARRAY"/>
+            <flag ref="pattern"/>
+      </define-assembly>
 </METASCHEMA>
