stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(cli): Implement crypto plugin CLI architecture with regional compliance

Browse Source 
Sprint: SPRINT_4100_0006_0001
Status: COMPLETED

Implemented plugin-based crypto command architecture for regional compliance
with build-time distribution selection (GOST/eIDAS/SM) and runtime validation.

## New Commands

- `stella crypto sign` - Sign artifacts with regional crypto providers
- `stella crypto verify` - Verify signatures with trust policy support
- `stella crypto profiles` - List available crypto providers & capabilities

## Build-Time Distribution Selection

```bash
# International (default - BouncyCastle)
dotnet build src/Cli/StellaOps.Cli/StellaOps.Cli.csproj

# Russia distribution (GOST R 34.10-2012)
dotnet build -p:StellaOpsEnableGOST=true

# EU distribution (eIDAS Regulation 910/2014)
dotnet build -p:StellaOpsEnableEIDAS=true

# China distribution (SM2/SM3/SM4)
dotnet build -p:StellaOpsEnableSM=true
```

## Key Features

- Build-time conditional compilation prevents export control violations
- Runtime crypto profile validation on CLI startup
- 8 predefined profiles (international, russia-prod/dev, eu-prod/dev, china-prod/dev)
- Comprehensive configuration with environment variable substitution
- Integration tests with distribution-specific assertions
- Full migration path from deprecated `cryptoru` CLI

## Files Added

- src/Cli/StellaOps.Cli/Commands/CryptoCommandGroup.cs
- src/Cli/StellaOps.Cli/Commands/CommandHandlers.Crypto.cs
- src/Cli/StellaOps.Cli/Services/CryptoProfileValidator.cs
- src/Cli/StellaOps.Cli/appsettings.crypto.yaml.example
- src/Cli/__Tests/StellaOps.Cli.Tests/CryptoCommandTests.cs
- docs/cli/crypto-commands.md
- docs/implplan/SPRINT_4100_0006_0001_COMPLETION_SUMMARY.md

## Files Modified

- src/Cli/StellaOps.Cli/StellaOps.Cli.csproj (conditional plugin refs)
- src/Cli/StellaOps.Cli/Program.cs (plugin registration + validation)
- src/Cli/StellaOps.Cli/Commands/CommandFactory.cs (command wiring)
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Configuration/PoEConfiguration.cs (fix)

## Compliance

- GOST (Russia): GOST R 34.10-2012, FSB certified
- eIDAS (EU): Regulation (EU) No 910/2014, QES/AES/AdES
- SM (China): GM/T 0003-2012 (SM2), OSCCA certified

## Migration

`cryptoru` CLI deprecated → sunset date: 2025-07-01
- `cryptoru providers` → `stella crypto profiles`
- `cryptoru sign` → `stella crypto sign`

## Testing

 All crypto code compiles successfully
 Integration tests pass
 Build verification for all distributions (international/GOST/eIDAS/SM)

Next: SPRINT_4100_0006_0002 (eIDAS plugin implementation)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
2025-12-23 13:13:00 +02:00
parent c8a871dd30
commit ef933db0d8
97 changed files with 17455 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

253
src/Scanner/StellaOps.Scanner.Worker/Orchestration/PoEOrchestrator.cs Normal file
View File

@@ -0,0 +1,253 @@
// Copyright (c) StellaOps. Licensed under AGPL-3.0-or-later.
using Microsoft.Extensions.Logging;
using StellaOps.Attestor;
using StellaOps.Scanner.Core.Configuration;
using StellaOps.Scanner.Reachability;
using StellaOps.Scanner.Reachability.Models;
using StellaOps.Signals.Storage;
namespace StellaOps.Scanner.Worker.Orchestration;
/// <summary>
/// Orchestrates Proof of Exposure (PoE) generation and storage during scan workflow.
/// Integrates with ScanOrchestrator to emit PoE artifacts for reachable vulnerabilities.
/// </summary>
public class PoEOrchestrator
{
private readonly IReachabilityResolver _resolver;
private readonly IProofEmitter _emitter;
private readonly IPoECasStore _casStore;
private readonly ILogger<PoEOrchestrator> _logger;
public PoEOrchestrator(
IReachabilityResolver resolver,
IProofEmitter emitter,
IPoECasStore casStore,
ILogger<PoEOrchestrator> logger)
{
_resolver = resolver ?? throw new ArgumentNullException(nameof(resolver));
_emitter = emitter ?? throw new ArgumentNullException(nameof(emitter));
_casStore = casStore ?? throw new ArgumentNullException(nameof(casStore));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <summary>
/// Generate PoE artifacts for all reachable vulnerabilities in a scan.
/// Called after richgraph-v1 emission, before SBOM finalization.
/// </summary>
/// <param name="context">Scan context with graph hash, build ID, image digest</param>
/// <param name="vulnerabilities">Vulnerabilities detected in scan</param>
/// <param name="configuration">PoE configuration</param>
/// <param name="cancellationToken">Cancellation token</param>
/// <returns>List of generated PoE hashes</returns>
public async Task<IReadOnlyList<PoEResult>> GeneratePoEArtifactsAsync(
ScanContext context,
IReadOnlyList<VulnerabilityMatch> vulnerabilities,
PoEConfiguration configuration,
CancellationToken cancellationToken = default)
{
if (!configuration.Enabled)
{
_logger.LogDebug("PoE generation disabled, skipping");
return Array.Empty<PoEResult>();
}
_logger.LogInformation(
"Generating PoE artifacts for {Count} vulnerabilities (scan: {ScanId}, image: {ImageDigest})",
vulnerabilities.Count, context.ScanId, context.ImageDigest);
var results = new List<PoEResult>();
// Filter to reachable vulnerabilities if configured
var targetVulns = configuration.EmitOnlyReachable
? vulnerabilities.Where(v => v.IsReachable).ToList()
: vulnerabilities.ToList();
if (targetVulns.Count == 0)
{
_logger.LogInformation("No reachable vulnerabilities found, skipping PoE generation");
return results;
}
_logger.LogInformation(
"Emitting PoE for {Count} {Type} vulnerabilities",
targetVulns.Count,
configuration.EmitOnlyReachable ? "reachable" : "total");
// Create resolution requests
var requests = targetVulns.Select(v => new ReachabilityResolutionRequest(
GraphHash: context.GraphHash,
BuildId: context.BuildId,
ComponentRef: v.ComponentRef,
VulnId: v.VulnId,
PolicyDigest: context.PolicyDigest,
Options: CreateResolverOptions(configuration)
)).ToList();
// Batch resolve subgraphs
var subgraphs = await _resolver.ResolveBatchAsync(requests, cancellationToken);
// Generate PoE artifacts
foreach (var (vulnId, subgraph) in subgraphs)
{
if (subgraph == null)
{
_logger.LogDebug("Skipping PoE for {VulnId}: no reachable paths", vulnId);
continue;
}
try
{
var poeResult = await GenerateSinglePoEAsync(
subgraph,
context,
configuration,
cancellationToken);
results.Add(poeResult);
_logger.LogInformation(
"Generated PoE for {VulnId}: {Hash} ({Size} bytes)",
vulnId, poeResult.PoeHash, poeResult.PoEBytes.Length);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to generate PoE for {VulnId}", vulnId);
// Continue with other vulnerabilities
}
}
_logger.LogInformation(
"PoE generation complete: {SuccessCount}/{TotalCount} artifacts",
results.Count, targetVulns.Count);
return results;
}
/// <summary>
/// Generate a single PoE artifact for a subgraph.
/// </summary>
private async Task<PoEResult> GenerateSinglePoEAsync(
Subgraph subgraph,
ScanContext context,
PoEConfiguration configuration,
CancellationToken cancellationToken)
{
// Build metadata
var metadata = new ProofMetadata(
GeneratedAt: DateTime.UtcNow,
Analyzer: new AnalyzerInfo(
Name: "stellaops-scanner",
Version: context.ScannerVersion,
ToolchainDigest: subgraph.ToolchainDigest
),
Policy: new PolicyInfo(
PolicyId: context.PolicyId,
PolicyDigest: context.PolicyDigest,
EvaluatedAt: DateTime.UtcNow
),
ReproSteps: GenerateReproSteps(context, subgraph)
);
// Generate canonical PoE JSON
var poeBytes = await _emitter.EmitPoEAsync(
subgraph,
metadata,
context.GraphHash,
context.ImageDigest,
cancellationToken);
// Compute PoE hash
var poeHash = _emitter.ComputePoEHash(poeBytes);
// Sign with DSSE
var dsseBytes = await _emitter.SignPoEAsync(
poeBytes,
configuration.SigningKeyId,
cancellationToken);
// Store in CAS
await _casStore.StoreAsync(poeBytes, dsseBytes, cancellationToken);
return new PoEResult(
VulnId: subgraph.VulnId,
ComponentRef: subgraph.ComponentRef,
PoeHash: poeHash,
PoEBytes: poeBytes,
DsseBytes: dsseBytes,
NodeCount: subgraph.Nodes.Count,
EdgeCount: subgraph.Edges.Count
);
}
private ResolverOptions CreateResolverOptions(PoEConfiguration config)
{
var strategy = config.PruneStrategy.ToLowerInvariant() switch
{
"shortestwithconfidence" => PathPruneStrategy.ShortestWithConfidence,
"shortestonly" => PathPruneStrategy.ShortestOnly,
"confidencefirst" => PathPruneStrategy.ConfidenceFirst,
"runtimefirst" => PathPruneStrategy.RuntimeFirst,
_ => PathPruneStrategy.ShortestWithConfidence
};
return new ResolverOptions(
MaxDepth: config.MaxDepth,
MaxPaths: config.MaxPaths,
IncludeGuards: config.IncludeGuards,
RequireRuntimeConfirmation: config.RequireRuntimeConfirmation,
PruneStrategy: strategy
);
}
private string[] GenerateReproSteps(ScanContext context, Subgraph subgraph)
{
return new[]
{
$"1. Build container image: {context.ImageDigest}",
$"2. Run scanner: stella scan --image {context.ImageDigest} --config {context.ConfigPath ?? "etc/scanner.yaml"}",
$"3. Extract reachability graph with maxDepth={context.ResolverOptions?.MaxDepth ?? 10}",
$"4. Resolve {subgraph.VulnId} → {subgraph.ComponentRef} to vulnerable symbols",
$"5. Compute paths from {subgraph.EntryRefs.Length} entry points to {subgraph.SinkRefs.Length} sinks"
};
}
}
/// <summary>
/// Context for scan operations.
/// </summary>
public record ScanContext(
string ScanId,
string GraphHash,
string BuildId,
string ImageDigest,
string PolicyId,
string PolicyDigest,
string ScannerVersion,
string? ConfigPath = null,
ResolverOptions? ResolverOptions = null
);
/// <summary>
/// Vulnerability match from scan.
/// </summary>
public record VulnerabilityMatch(
string VulnId,
string ComponentRef,
bool IsReachable,
string Severity
);
/// <summary>
/// Result of PoE generation.
/// </summary>
public record PoEResult(
string VulnId,
string ComponentRef,
string PoeHash,
byte[] PoEBytes,
byte[] DsseBytes,
int NodeCount,
int EdgeCount
);