feat(crypto): extract crypto providers to overlay compose files + health probe API

- Extract smremote to docker-compose.crypto-provider.smremote.yml - Rename cryptopro/crypto-sim compose files for consistent naming - Add crypto provider health probe endpoint (CP-001) - Add tenant crypto provider preferences API + migration (CP-002) - Update docs and compliance env examples Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 13:21:50 +03:00
parent c1ecc75ace
commit 59ba757eaa
14 changed files with 1254 additions and 0 deletions
--- a/devops/compose/docker-compose.crypto-provider.crypto-sim.yml
+++ b/devops/compose/docker-compose.crypto-provider.crypto-sim.yml
@@ -0,0 +1,119 @@
+# =============================================================================
+# STELLA OPS - CRYPTO SIMULATION OVERLAY
+# =============================================================================
+# Universal crypto simulation service for testing sovereign crypto without
+# licensed hardware or certified modules.
+#
+# This overlay provides the sim-crypto-service which simulates:
+# - GOST R 34.10-2012 (Russia): GOST12-256, GOST12-512, ru.magma.sim, ru.kuznyechik.sim
+# - SM2/SM3/SM4 (China): SM2, sm.sim, sm2.sim
+# - Post-Quantum: DILITHIUM3, FALCON512, pq.sim
+# - FIPS/eIDAS/KCMVP: fips.sim, eidas.sim, kcmvp.sim, world.sim
+#
+# Usage with China compliance:
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.crypto-provider.crypto-sim.yml up -d
+#
+# Usage with Russia compliance:
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.crypto-provider.crypto-sim.yml up -d
+#
+# Usage with EU compliance:
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-eu.yml \
+#     -f docker-compose.crypto-provider.crypto-sim.yml up -d
+#
+# IMPORTANT: This is for TESTING/DEVELOPMENT ONLY.
+# - Uses deterministic HMAC-SHA256 for SM/GOST/PQ (not real algorithms)
+# - Uses static ECDSA P-256 key for FIPS/eIDAS/KCMVP
+# - NOT suitable for production or compliance certification
+#
+# =============================================================================
+
+x-crypto-sim-labels: &crypto-sim-labels
+  com.stellaops.component: "crypto-sim"
+  com.stellaops.profile: "simulation"
+  com.stellaops.production: "false"
+
+x-sim-crypto-env: &sim-crypto-env
+  STELLAOPS_CRYPTO_ENABLE_SIM: "1"
+  STELLAOPS_CRYPTO_SIM_URL: "http://sim-crypto:8080"
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+
+services:
+  # ---------------------------------------------------------------------------
+  # Sim Crypto Service - Universal sovereign crypto simulator
+  # ---------------------------------------------------------------------------
+  sim-crypto:
+    build:
+      context: ../services/crypto/sim-crypto-service
+      dockerfile: Dockerfile
+    image: registry.stella-ops.org/stellaops/sim-crypto:dev
+    container_name: stellaops-sim-crypto
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: "http://0.0.0.0:8080"
+      ASPNETCORE_ENVIRONMENT: "Development"
+    ports:
+      - "${SIM_CRYPTO_PORT:-18090}:8080"
+    networks:
+      - stellaops
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/keys"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    labels: *crypto-sim-labels
+
+  # ---------------------------------------------------------------------------
+  # Override services to use sim-crypto
+  # ---------------------------------------------------------------------------
+
+  # Authority - Enable sim crypto
+  authority:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
+
+  # Signer - Enable sim crypto
+  signer:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
+
+  # Attestor - Enable sim crypto
+  attestor:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
+
+  # Scanner Web - Enable sim crypto
+  scanner-web:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
+
+  # Scanner Worker - Enable sim crypto
+  scanner-worker:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
+
+  # Excititor - Enable sim crypto
+  excititor:
+    environment:
+      <<: *sim-crypto-env
+    labels:
+      com.stellaops.crypto.simulator: "enabled"
--- a/devops/compose/docker-compose.crypto-provider.cryptopro.yml
+++ b/devops/compose/docker-compose.crypto-provider.cryptopro.yml
@@ -0,0 +1,149 @@
+# =============================================================================
+# STELLA OPS - CRYPTOPRO CSP OVERLAY (Russia)
+# =============================================================================
+# CryptoPro CSP licensed provider overlay for compliance-russia.yml.
+# Adds real CryptoPro CSP service for certified GOST R 34.10-2012 operations.
+#
+# IMPORTANT: Requires EULA acceptance before use.
+#
+# Usage (MUST be combined with stella-ops AND compliance-russia):
+#   CRYPTOPRO_ACCEPT_EULA=1 docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.crypto-provider.cryptopro.yml up -d
+#
+# For development/testing without CryptoPro license, use crypto-sim overlay instead:
+#   docker compose \
+#     -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-russia.yml \
+#     -f docker-compose.crypto-provider.crypto-sim.yml up -d
+#
+# Requirements:
+# - CryptoPro CSP license files in opt/cryptopro/downloads/
+# - CRYPTOPRO_ACCEPT_EULA=1 environment variable
+# - CryptoPro container images with GOST engine
+#
+# GOST Algorithms Provided:
+# - GOST R 34.10-2012: Digital signature (256/512-bit)
+# - GOST R 34.11-2012: Hash function (Streebog, 256/512-bit)
+# - GOST R 34.12-2015: Block cipher (Kuznyechik, Magma)
+#
+# =============================================================================
+
+x-cryptopro-labels: &cryptopro-labels
+  com.stellaops.component: "cryptopro-csp"
+  com.stellaops.crypto.provider: "cryptopro"
+  com.stellaops.crypto.profile: "russia"
+  com.stellaops.crypto.certified: "true"
+
+x-cryptopro-env: &cryptopro-env
+  STELLAOPS_CRYPTO_PROVIDERS: "cryptopro.gost"
+  STELLAOPS_CRYPTO_CRYPTOPRO_URL: "http://cryptopro-csp:8080"
+  STELLAOPS_CRYPTO_CRYPTOPRO_ENABLED: "true"
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+
+services:
+  # ---------------------------------------------------------------------------
+  # CryptoPro CSP - Certified GOST cryptography provider
+  # ---------------------------------------------------------------------------
+  cryptopro-csp:
+    build:
+      context: ../..
+      dockerfile: devops/services/cryptopro/linux-csp-service/Dockerfile
+      args:
+        CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
+    image: registry.stella-ops.org/stellaops/cryptopro-csp:2025.10.0
+    container_name: stellaops-cryptopro-csp
+    restart: unless-stopped
+    environment:
+      ASPNETCORE_URLS: "http://0.0.0.0:8080"
+      CRYPTOPRO_ACCEPT_EULA: "${CRYPTOPRO_ACCEPT_EULA:-0}"
+      # GOST algorithm configuration
+      CRYPTOPRO_GOST_SIGNATURE_ALGORITHM: "GOST R 34.10-2012"
+      CRYPTOPRO_GOST_HASH_ALGORITHM: "GOST R 34.11-2012"
+      # Container and key store settings
+      CRYPTOPRO_CONTAINER_NAME: "${CRYPTOPRO_CONTAINER_NAME:-stellaops-signing}"
+      CRYPTOPRO_USE_MACHINE_STORE: "${CRYPTOPRO_USE_MACHINE_STORE:-true}"
+      CRYPTOPRO_PROVIDER_TYPE: "${CRYPTOPRO_PROVIDER_TYPE:-80}"
+    volumes:
+      - ../../opt/cryptopro/downloads:/opt/cryptopro/downloads:ro
+      - ../../etc/cryptopro:/app/etc/cryptopro:ro
+      # Optional: Mount key containers
+      - cryptopro-keys:/var/opt/cprocsp/keys
+    ports:
+      - "${CRYPTOPRO_PORT:-18080}:8080"
+    networks:
+      - stellaops
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    labels: *cryptopro-labels
+
+  # ---------------------------------------------------------------------------
+  # Override services to use CryptoPro
+  # ---------------------------------------------------------------------------
+
+  # Authority - Use CryptoPro for GOST signatures
+  authority:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Signer - Use CryptoPro for GOST signatures
+  signer:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Attestor - Use CryptoPro for GOST signatures
+  attestor:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Scanner Web - Use CryptoPro for verification
+  scanner-web:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Scanner Worker - Use CryptoPro for verification
+  scanner-worker:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+  # Excititor - Use CryptoPro for VEX signing
+  excititor:
+    environment:
+      <<: *cryptopro-env
+    depends_on:
+      - cryptopro-csp
+    labels:
+      com.stellaops.crypto.provider: "cryptopro"
+
+volumes:
+  cryptopro-keys:
+    name: stellaops-cryptopro-keys
--- a/devops/compose/docker-compose.crypto-provider.smremote.yml
+++ b/devops/compose/docker-compose.crypto-provider.smremote.yml
@@ -0,0 +1,90 @@
+# =============================================================================
+# STELLA OPS - CRYPTO PROVIDER OVERLAY: SMREMOTE
+# =============================================================================
+# ShangMi (SM2/SM3/SM4) crypto microservice overlay.
+# Extracted from docker-compose.stella-ops.yml (Slot 31) so that the SM Remote
+# service is opt-in rather than always-on.
+#
+# Usage (with main stack):
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.crypto-provider.smremote.yml up -d
+#
+# Usage (with China compliance):
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.compliance-china.yml \
+#     -f docker-compose.crypto-provider.smremote.yml up -d
+#
+# SM Algorithms:
+# - SM2: Public key cryptography (GM/T 0003-2012)
+# - SM3: Hash function, 256-bit (GM/T 0004-2012)
+# - SM4: Block cipher, 128-bit (GM/T 0002-2012)
+#
+# =============================================================================
+
+networks:
+  stellaops:
+    external: true
+    name: stellaops
+  frontdoor:
+    external: true
+    name: compose_frontdoor
+
+services:
+  # --- Slot 31: SmRemote ----------------------------------------------------
+  smremote:
+    image: stellaops/smremote:dev
+    container_name: stellaops-smremote
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      valkey:
+        condition: service_healthy
+    environment:
+      ASPNETCORE_URLS: "http://+:8080"
+      Kestrel__Certificates__Default__Path: "/app/etc/certs/kestrel-dev.pfx"
+      Kestrel__Certificates__Default__Password: "devpass"
+      Router__Region: "local"
+      Router__Gateways__0__Host: "router.stella-ops.local"
+      Router__Gateways__0__Port: "9100"
+      Router__Gateways__0__TransportType: "Messaging"
+      Router__OnMissingAuthorization: "${ROUTER_ON_MISSING_AUTHORIZATION:-WarnAndAllow}"
+      Router__TransportPlugins__Directory: "/app/plugins/router/transports"
+      Router__TransportPlugins__SearchPattern: "StellaOps.Router.Transport.*.dll"
+      Router__Messaging__Transport: "valkey"
+      Router__Messaging__PluginDirectory: "/app/plugins/messaging"
+      Router__Messaging__SearchPattern: "StellaOps.Messaging.Transport.*.dll"
+      Router__Messaging__RequestQueueTemplate: "router:requests:{service}"
+      Router__Messaging__ResponseQueueName: "router:responses"
+      Router__Messaging__RequestTimeout: "30s"
+      Router__Messaging__LeaseDuration: "5m"
+      Router__Messaging__BatchSize: "10"
+      Router__Messaging__HeartbeatInterval: "${ROUTER_MESSAGING_HEARTBEAT_INTERVAL:-30s}"
+      Router__RegistrationRefreshIntervalSeconds: "${ROUTER_REGISTRATION_REFRESH_INTERVAL_SECONDS:-30}"
+      Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
+      Router__Messaging__valkey__Database: "0"
+      Router__Messaging__valkey__QueueWaitTimeoutSeconds: "${VALKEY_QUEUE_WAIT_TIMEOUT:-0}"
+      Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
+      ConnectionStrings__Default: "Host=db.stella-ops.local;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops};Maximum Pool Size=50"
+      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
+      Router__Enabled: "${SMREMOTE_ROUTER_ENABLED:-true}"
+      Router__Messaging__ConsumerGroup: "smremote"
+    volumes:
+      - "../../etc/authority/keys:/app/etc/certs:ro"
+    ports:
+      - "127.1.0.31:80:80"
+    networks:
+      stellaops:
+        aliases:
+          - smremote.stella-ops.local
+      frontdoor: {}
+    healthcheck:
+      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
+      interval: ${HEALTHCHECK_INTERVAL:-60s}
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+    labels:
+      com.stellaops.release.version: "2025.10.0"
+      com.stellaops.release.channel: "stable"
+      com.stellaops.profile: "default"