Add unit tests for PhpFrameworkSurface and PhpPharScanner

- Implement comprehensive tests for PhpFrameworkSurface, covering scenarios such as empty surfaces, presence of routes, controllers, middlewares, CLI commands, cron jobs, and event listeners. - Validate metadata creation for route counts, HTTP methods, protected and public routes, and route patterns. - Introduce tests for PhpPharScanner, including handling of non-existent files, null or empty paths, invalid PHAR files, and minimal PHAR structures. - Ensure correct computation of SHA256 for valid PHAR files and validate the properties of PhpPharArchive, PhpPharEntry, and PhpPharScanResult.
2025-12-07 13:44:13 +02:00
parent af30fc322f
commit 965cbf9574
49 changed files with 11935 additions and 152 deletions
--- a/docs/legal/crypto-compliance-review.md
+++ b/docs/legal/crypto-compliance-review.md
@@ -0,0 +1,257 @@
+# Crypto Compliance Review · License & Export Analysis
+
+**Status:** DRAFT
+**Date:** 2025-12-07
+**Owners:** Security Guild, Legal
+**Unblocks:** RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06
+
+## Overview
+
+This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically:
+
+1. **GostCryptography Fork** (`third_party/forks/AlexMAS.GostCryptography`)
+2. **CryptoPro Plugin** (`StellaOps.Cryptography.Plugin.CryptoPro`)
+3. **Regional Crypto Providers** (GOST, SM2/SM3, eIDAS)
+
+## 1. GostCryptography Fork
+
+### 1.1 License
+
+| Attribute | Value |
+|-----------|-------|
+| Upstream | https://github.com/AlexMAS/GostCryptography |
+| License | MIT |
+| StellaOps Usage | Source-vendored in `third_party/forks/` |
+| Compatibility | MIT is compatible with AGPL-3.0-or-later |
+
+### 1.2 Attribution Requirements
+
+The MIT license requires attribution in distributed software:
+
+```
+Copyright (c) 2014-2024 AlexMAS
+See third_party/forks/AlexMAS.GostCryptography/LICENSE
+```
+
+**Required Actions:**
+- [x] Keep `LICENSE` file in fork directory
+- [ ] Add attribution to `NOTICE.md` in repository root
+- [ ] Include attribution in RootPack_RU bundle documentation
+
+### 1.3 Distribution Guidance
+
+| Distribution Channel | Allowed | Notes |
+|---------------------|---------|-------|
+| StellaOps Source | Yes | Fork stays vendored |
+| RootPack_RU Bundle | Yes | Source + binaries allowed |
+| Public NuGet | **No** | Do not publish as standalone package |
+| Container Images | Yes | With source attribution |
+
+## 2. CryptoPro CSP Plugin
+
+### 2.1 License
+
+| Attribute | Value |
+|-----------|-------|
+| Vendor | CryptoPro LLC (crypto-pro.ru) |
+| Product | CryptoPro CSP 5.0 |
+| License Type | Commercial (per-deployment) |
+| Cost | Varies by tier (~$50-200 USD per instance) |
+
+### 2.2 Distribution Model
+
+CryptoPro CSP is **not redistributable** by StellaOps. The distribution model is:
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                        Distribution Model                        │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                  │
+│  StellaOps ships:                                               │
+│  ├── Plugin source code (AGPL-3.0-or-later)                     │
+│  ├── Interface bindings to CryptoPro CSP                        │
+│  └── Documentation for customer-provided CSP installation       │
+│                                                                  │
+│  Customer provides:                                              │
+│  ├── CryptoPro CSP license                                      │
+│  ├── CSP binaries installed on target system                    │
+│  └── PKCS#11 module path configuration                          │
+│                                                                  │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### 2.3 Configuration for Customer-Provided CSP
+
+```yaml
+# etc/authority.yaml - Customer configures CSP path
+crypto:
+  pkcs11:
+    library_path: /opt/cprocsp/lib/amd64/libcapi20.so  # Customer-provided
+    slot_id: 0
+    pin_env: AUTHORITY_HSM_PIN
+```
+
+### 2.4 Documentation Requirements
+
+- [ ] Document that CSP is "customer-provided" in installation guide
+- [ ] Add EULA notice that CSP licensing is customer responsibility
+- [ ] Include CSP version compatibility matrix (CSP 4.0/5.0)
+
+## 3. Export Control Analysis
+
+### 3.1 Applicable Regulations
+
+| Regulation | Jurisdiction | Relevance |
+|------------|--------------|-----------|
+| EAR (Export Administration Regulations) | USA | Crypto export controls |
+| Wassenaar Arrangement | 42 countries | Dual-use goods |
+| EU Dual-Use Regulation | EU | Crypto controls |
+| Russian Export Controls | Russia | GOST algorithm distribution |
+
+### 3.2 Algorithm Classification
+
+| Algorithm | Classification | Notes |
+|-----------|---------------|-------|
+| ECDSA P-256/P-384 | Mass-market exempt | Widely available |
+| RSA 2048+ | Mass-market exempt | Widely available |
+| EdDSA (Ed25519) | Mass-market exempt | Widely available |
+| GOST R 34.10-2012 | Regional use | See Section 3.3 |
+| SM2/SM3 | Regional use | Chinese national standard |
+
+### 3.3 GOST Algorithm Guidance
+
+GOST algorithms (GOST R 34.10-2012, GOST R 34.11-2012) are:
+
+- **Not export-controlled** from Russia when used in commercial software
+- **May be restricted** for import into certain jurisdictions
+- **Recommended** for use only in RootPack_RU deployments targeting Russian customers
+
+**Guidance:**
+1. Default StellaOps distribution does NOT include GOST algorithms enabled
+2. RootPack_RU is a separate distribution with GOST opt-in
+3. Document that customers are responsible for compliance with local crypto regulations
+
+### 3.4 Distribution Matrix
+
+| Component | Global | RootPack_RU | RootPack_CN | Notes |
+|-----------|--------|-------------|-------------|-------|
+| Core StellaOps | Yes | Yes | Yes | ECDSA/RSA/EdDSA |
+| GostCryptography Fork | Source only | Source + Binary | No | MIT license |
+| CryptoPro Plugin | Interface only | Interface + docs | No | Customer-provided CSP |
+| SM2/SM3 Plugin | No | No | Interface + docs | Customer-provided HSM |
+
+## 4. EULA and Notice Requirements
+
+### 4.1 NOTICE.md Addition
+
+Add to repository `NOTICE.md`:
+
+```markdown
+## Third-Party Cryptographic Components
+
+### GostCryptography (MIT License)
+Copyright (c) 2014-2024 AlexMAS
+https://github.com/AlexMAS/GostCryptography
+
+This software includes a forked version of the GostCryptography library
+for GOST algorithm support. The fork is located at:
+third_party/forks/AlexMAS.GostCryptography/
+
+### CryptoPro CSP Integration
+The CryptoPro CSP plugin provides integration with CryptoPro CSP software.
+CryptoPro CSP is commercial software and must be licensed separately by
+the end user. StellaOps does not distribute CryptoPro CSP binaries.
+```
+
+### 4.2 Installation Guide Addition
+
+Add to installation documentation:
+
+```markdown
+## Regional Crypto Support (Optional)
+
+### Russian Federation (RootPack_RU)
+
+StellaOps supports GOST R 34.10-2012 signing through integration with
+CryptoPro CSP. This integration requires:
+
+1. A valid CryptoPro CSP license (obtained separately from crypto-pro.ru)
+2. CryptoPro CSP 4.0 or 5.0 installed on the target system
+3. Configuration of the PKCS#11 module path
+
+**Note:** CryptoPro CSP is commercial software. StellaOps provides only
+the integration plugin; the CSP runtime must be licensed and installed
+by the customer.
+```
+
+## 5. CI/Testing Implications
+
+### 5.1 Test Environment Requirements
+
+| Environment | CSP Required | Legal Status |
+|-------------|--------------|--------------|
+| Development (Linux) | No | OpenSSL GOST engine fallback |
+| CI (Linux) | No | Mock/skip CSP tests |
+| CI (Windows opt-in) | Yes | Customer/StellaOps license |
+| Production | Customer | Customer license |
+
+### 5.2 CI Guard Implementation
+
+Tests are guarded by environment variable:
+
+```csharp
+[Fact]
+[SkipUnless("STELLAOPS_CRYPTO_PRO_ENABLED", "1")]
+public async Task CryptoProSigner_SignsWithGost()
+{
+    // Test only runs when CSP is available and licensed
+}
+```
+
+### 5.3 Wine Loader Experiment (RU-CRYPTO-VAL-05)
+
+**Status:** BLOCKED pending legal review
+
+Running CryptoPro CSP DLLs under Wine for cross-platform testing:
+
+| Consideration | Assessment |
+|---------------|------------|
+| Technical Feasibility | Uncertain - CSP uses Windows APIs |
+| Legal Permissibility | Requires CryptoPro EULA review |
+| Recommendation | Defer to Windows-only testing |
+
+**Decision:** Do not pursue Wine loader approach until/unless CryptoPro explicitly permits this use case in their EULA.
+
+## 6. Action Items
+
+### Immediate (unblocks RU-CRYPTO-VAL-06)
+
+- [x] Document fork licensing (MIT) ← This document
+- [x] Document CryptoPro distribution model ← This document
+- [ ] Add attribution to NOTICE.md
+- [ ] Update installation guide with CSP requirements
+
+### Short-term
+
+- [ ] Review CryptoPro EULA for Wine usage (if needed)
+- [ ] Create regional distribution manifests for RootPack_RU
+- [ ] Add compliance checkboxes to RootPack_RU installation
+
+### For Legal Sign-off
+
+- [ ] Confirm MIT + AGPL-3.0 compatibility statement
+- [ ] Confirm customer-provided model for CSP is acceptable
+- [ ] Review export control applicability for GOST distribution
+
+## 7. Sign-off Log
+
+| Role | Name | Date | Notes |
+|------|------|------|-------|
+| Security Guild | | | |
+| Legal | | | |
+| Product | | | |
+
+---
+
+*Document Version: 1.0.0*
+*Last Updated: 2025-12-07*