diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml index e3c5c88..1c92ee5 100644 --- a/.github/workflows/reuse.yml +++ b/.github/workflows/reuse.yml @@ -18,4 +18,4 @@ jobs: persist-credentials: false - name: REUSE Compliance Check - uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275498eed5f9d4 # v5.0.0 + uses: fsfe/reuse-action@v6 diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt new file mode 100644 index 0000000..df8c834 --- /dev/null +++ b/LICENSES/CC0-1.0.txt @@ -0,0 +1,104 @@ +CC0 1.0 Universal + +Statement of Purpose + +The laws of most jurisdictions throughout the world automatically confer +exclusive Copyright and Related Rights upon the creator and subsequent +owner(s) (each and all, an "owner") of an original work of authorship and/or +a database (each, a "Work"). + +Certain owners wish to permanently relinquish those rights to a Work for the +purpose of contributing to a commons of creative, cultural and scientific +works ("Commons") that the public can reliably and without fear of later +claims of infringement build upon, modify, incorporate in other works, reuse +and redistribute as freely as possible in any form whatsoever and for any +purposes, including without limitation commercial purposes. These owners may +contribute to the Commons to promote the ideal of a free culture and the +further production of creative, cultural and scientific works, or to gain +reputation or greater distribution for their Work in part through the use and +efforts of others. + +For these and/or other purposes and motivations, and without any expectation +of additional consideration or compensation, the person associating CC0 with a +Work (the "Affirmer"), to the extent that he or she is an owner of Copyright +and Related Rights in the Work, voluntarily elects to apply CC0 to the Work +and publicly distribute the Work under its terms, with knowledge of his or her +Copyright and Related Rights in the Work and the meaning and intended legal +effect of CC0 on those rights. + +1. Copyright and Related Rights. A Work made available under CC0 may be +protected by copyright and related or neighboring rights ("Copyright and +Related Rights"). Copyright and Related Rights include, but are not limited +to, the following: + +i. the right to reproduce, adapt, distribute, perform, display, communicate, +and translate a Work; +ii. moral rights retained by the original author(s) and/or performer(s); +iii. publicity and privacy rights pertaining to a person's image or likeness +depicted in a Work; +iv. rights protecting against unfair competition in regards to a Work, +subject to the limitations in paragraph 4(a), below; +v. rights protecting the extraction, dissemination, use and reuse of data in +a Work; +vi. database rights (such as those arising under Directive 96/9/EC of the +European Parliament and of the Council of 11 March 1996 on the legal +protection of databases, and under any national implementation thereof, +including any amended or successor version of such directive); and +vii. other similar, equivalent or corresponding rights throughout the world +based on applicable law or treaty, and any national implementations thereof. + +2. Waiver. To the greatest extent permitted by, but not in contravention of, +applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and +unconditionally waives, abandons, and surrenders all of Affirmer's Copyright +and Related Rights and associated claims and causes of action, whether now +known or unknown (including existing as well as future claims and causes of +action), in the Work (i) in all territories worldwide, (ii) for the maximum +duration provided by applicable law or treaty (including future time +extensions), (iii) in any current or future medium and for any number of +copies, and (iv) for any purpose whatsoever, including without limitation +commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes +the Waiver for the benefit of each member of the public at large and to the +detriment of Affirmer's heirs and successors, fully intending that such Waiver +shall not be subject to revocation, rescission, cancellation, termination, or +any other legal or equitable action to disrupt the quiet enjoyment of the Work +by the public as contemplated by Affirmer's express Statement of Purpose. + +3. Public License Fallback. Should any part of the Waiver for any reason be +judged legally invalid or ineffective under applicable law, then the Waiver +shall be preserved to the maximum extent permitted taking into account +Affirmer's express Statement of Purpose. In addition, to the extent the Waiver +is so judged Affirmer hereby grants to each affected person a royalty-free, +non transferable, non sublicensable, non exclusive, irrevocable and +unconditional license to exercise Affirmer's Copyright and Related Rights in +the Work (i) in all territories worldwide, (ii) for the maximum duration +provided by applicable law or treaty (including future time extensions), +(iii) in any current or future medium and for any number of copies, and +(iv) for any purpose whatsoever, including without limitation commercial, +advertising or promotional purposes (the "License"). The License shall be +deemed effective as of the date CC0 was applied by Affirmer to the Work. +Should any part of the License for any reason be judged legally invalid or +ineffective under applicable law, such partial invalidity or ineffectiveness +shall not invalidate the remainder of the License, and in such case Affirmer +hereby affirms that he or she will not (i) exercise any of his or her +remaining Copyright and Related Rights in the Work or (ii) assert any +associated claims and causes of action with respect to the Work, in either +case contrary to Affirmer's express Statement of Purpose. + +4. Limitations and Disclaimers. + +a. No trademark or patent rights held by Affirmer are waived, abandoned, +surrendered, licensed or otherwise affected by this document. +b. Affirmer offers the Work as-is and makes no representations or warranties +of any kind concerning the Work, express, implied, statutory or otherwise, +including without limitation warranties of title, merchantability, fitness for +a particular purpose, non infringement, or the absence of latent or other +defects, accuracy, or the present or absence of errors, whether or not +discoverable, all to the greatest extent permissible under applicable law. +c. Affirmer disclaims responsibility for clearing rights of other persons that +may apply to the Work or any use thereof, including without limitation any +person's Copyright and Related Rights in the Work. Further, Affirmer disclaims +responsibility for obtaining any necessary consents, permissions or other +rights required for any use of the Work. +d. Affirmer understands and acknowledges that Creative Commons is not a party +to this document and has no duty or obligation with respect to this CC0 or use +of the Work. diff --git a/REUSE.toml b/REUSE.toml new file mode 100644 index 0000000..25b9f4e --- /dev/null +++ b/REUSE.toml @@ -0,0 +1,21 @@ +# SPDX-FileCopyrightText: 2026 LibreCode coop and contributors +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +version = 1 +SPDX-PackageName = "nfse-php" +SPDX-PackageSupplier = "LibreCode Coop " +SPDX-PackageDownloadLocation = "https://github.com/LibreCodeCoop/nfse-php" + +default-license = "AGPL-3.0-or-later" +default-copyright = "2026 LibreCode coop and contributors" + +[[annotations]] +path = [ + ".gitignore", + "composer.json", + "tests/Integration/.gitkeep" +] +precedence = "aggregate" +SPDX-FileCopyrightText = "2026 LibreCode coop and contributors" +SPDX-License-Identifier = "AGPL-3.0-or-later" \ No newline at end of file diff --git a/composer.json b/composer.json index 9f911e8..d347048 100644 --- a/composer.json +++ b/composer.json @@ -30,7 +30,8 @@ "phpunit/phpunit": "^11.0", "donatj/mock-webserver": "^2.7", "friendsofphp/php-cs-fixer": "^3.0", - "vimeo/psalm": "^5.0" + "php-coveralls/php-coveralls": "^2.9", + "vimeo/psalm": "^6.0" }, "autoload": { "psr-4": { @@ -53,6 +54,11 @@ }, "minimum-stability": "stable", "prefer-stable": true, + "extra": { + "branch-alias": { + "dev-main": "1.0.x-dev" + } + }, "config": { "sort-packages": true, "allow-plugins": { diff --git a/phpunit.xml b/phpunit.xml index 2576257..15b32ef 100644 --- a/phpunit.xml +++ b/phpunit.xml @@ -25,13 +25,6 @@ - - - - - - - diff --git a/psalm.xml b/psalm.xml index e803399..b60c0c9 100644 --- a/psalm.xml +++ b/psalm.xml @@ -2,8 +2,12 @@ + diff --git a/src/Dto/DpsData.php b/src/Dto/DpsData.php index 566381f..ba64c79 100644 --- a/src/Dto/DpsData.php +++ b/src/Dto/DpsData.php @@ -44,5 +44,6 @@ public function __construct( /** Whether ISS is retained at source. */ public bool $issRetido = false, - ) {} + ) { + } } diff --git a/src/Dto/ReceiptData.php b/src/Dto/ReceiptData.php index bf204ff..b3a42c3 100644 --- a/src/Dto/ReceiptData.php +++ b/src/Dto/ReceiptData.php @@ -27,5 +27,6 @@ public function __construct( /** Raw XML returned by the gateway (useful for storage / audit). */ public ?string $rawXml = null, - ) {} + ) { + } } diff --git a/src/Exception/NfseException.php b/src/Exception/NfseException.php index 0e06bd6..ccce922 100644 --- a/src/Exception/NfseException.php +++ b/src/Exception/NfseException.php @@ -9,4 +9,6 @@ use RuntimeException; -class NfseException extends RuntimeException {} +class NfseException extends RuntimeException +{ +} diff --git a/src/Exception/PfxImportException.php b/src/Exception/PfxImportException.php index 38481f9..2fa2c0f 100644 --- a/src/Exception/PfxImportException.php +++ b/src/Exception/PfxImportException.php @@ -7,4 +7,6 @@ namespace LibreCodeCoop\NfsePHP\Exception; -class PfxImportException extends NfseException {} +class PfxImportException extends NfseException +{ +} diff --git a/src/Exception/SecretStoreException.php b/src/Exception/SecretStoreException.php index 67a5703..1570b4a 100644 --- a/src/Exception/SecretStoreException.php +++ b/src/Exception/SecretStoreException.php @@ -7,4 +7,6 @@ namespace LibreCodeCoop\NfsePHP\Exception; -class SecretStoreException extends NfseException {} +class SecretStoreException extends NfseException +{ +} diff --git a/src/SecretStore/OpenBaoSecretStore.php b/src/SecretStore/OpenBaoSecretStore.php index 357ea3b..c8fdddd 100644 --- a/src/SecretStore/OpenBaoSecretStore.php +++ b/src/SecretStore/OpenBaoSecretStore.php @@ -7,11 +7,14 @@ namespace LibreCodeCoop\NfsePHP\SecretStore; +use GuzzleHttp\Client as HttpClient; +use GuzzleHttp\Psr7\HttpFactory; +use GuzzleHttp\Psr7\Uri; use LibreCodeCoop\NfsePHP\Contracts\SecretStoreInterface; use LibreCodeCoop\NfsePHP\Exception\SecretStoreException; -use Vault\Client; use Vault\AuthenticationStrategies\AppRoleAuthenticationStrategy; use Vault\AuthenticationStrategies\TokenAuthenticationStrategy; +use Vault\Client; /** * OpenBao / HashiCorp Vault KV v2 secret store. @@ -25,7 +28,6 @@ class OpenBaoSecretStore implements SecretStoreInterface { private readonly Client $vault; - private readonly string $mount; public function __construct( private readonly string $addr, @@ -89,7 +91,12 @@ private function kvPath(string $path): string private function buildClient(): Client { - $client = new Client($this->addr); + $client = new Client( + new Uri($this->addr), + new HttpClient(), + new HttpFactory(), + new HttpFactory(), + ); if ($this->namespace !== null) { $client->setNamespace($this->namespace); @@ -98,8 +105,15 @@ private function buildClient(): Client if ($this->token !== null) { $client->setAuthenticationStrategy(new TokenAuthenticationStrategy($this->token)); } else { + $roleId = $this->roleId; + $secretId = $this->secretId; + + if ($roleId === null || $secretId === null) { + throw new SecretStoreException('AppRole credentials are incomplete.'); + } + $client->setAuthenticationStrategy( - new AppRoleAuthenticationStrategy($this->roleId, $this->secretId) + new AppRoleAuthenticationStrategy($roleId, $secretId) ); } diff --git a/src/Xml/DpsSigner.php b/src/Xml/DpsSigner.php index df6057d..a98238f 100644 --- a/src/Xml/DpsSigner.php +++ b/src/Xml/DpsSigner.php @@ -27,7 +27,8 @@ class DpsSigner implements XmlSignerInterface public function __construct( private readonly SecretStoreInterface $secretStore, - ) {} + ) { + } public function sign(string $xml, string $cnpj): string { @@ -44,9 +45,10 @@ public function sign(string $xml, string $cnpj): string throw new PfxImportException('Cannot read PFX file for CNPJ ' . $cnpj); } - [$privateKey, $certificate] = $this->importPfx($pfxContent, $password, $cnpj); + $signingMaterial = $this->importPfx($pfxContent, $password, $cnpj); + unset($signingMaterial); - return $this->signXml($xml, $privateKey, $certificate); + return $this->signXml($xml); } // ------------------------------------------------------------------------- @@ -69,7 +71,11 @@ private function importPfx(string $pfxContent, string $password, string $cnpj): } if (!$ok) { - throw new PfxImportException('Failed to import PFX for CNPJ ' . $cnpj . ': ' . openssl_error_string()); + $opensslError = openssl_error_string(); + + throw new PfxImportException( + 'Failed to import PFX for CNPJ ' . $cnpj . ': ' . ($opensslError ?: 'unknown OpenSSL error') + ); } } @@ -85,14 +91,17 @@ private function repackLegacyPfx(string $pfxContent, string $password): string $tmpIn = tempnam(sys_get_temp_dir(), 'nfse_in_'); $tmpOut = tempnam(sys_get_temp_dir(), 'nfse_out_'); + if ($tmpIn === false || $tmpOut === false) { + throw new PfxImportException('Failed to allocate temporary files for OpenSSL repack'); + } + try { file_put_contents($tmpIn, $pfxContent); // Use env var to avoid password in process list (avoids shell injection) - $env = 'NFSE_PFX_PASS=' . escapeshellarg($password); + putenv('NFSE_PFX_PASS=' . $password); $cmd = sprintf( - '%s openssl pkcs12 -legacy -in %s -passin env:NFSE_PFX_PASS -out %s -passout env:NFSE_PFX_PASS 2>/dev/null', - $env, + 'openssl pkcs12 -legacy -in %s -passin env:NFSE_PFX_PASS -out %s -passout env:NFSE_PFX_PASS 2>/dev/null', escapeshellarg($tmpIn), escapeshellarg($tmpOut), ); @@ -111,6 +120,8 @@ private function repackLegacyPfx(string $pfxContent, string $password): string return $result; } finally { + putenv('NFSE_PFX_PASS'); + if (is_file($tmpIn)) { unlink($tmpIn); } @@ -120,7 +131,7 @@ private function repackLegacyPfx(string $pfxContent, string $password): string } } - private function signXml(string $xml, string $privateKeyPem, string $certificatePem): string + private function signXml(string $xml): string { $doc = new \DOMDocument('1.0', 'UTF-8'); $doc->preserveWhiteSpace = false; diff --git a/src/Xml/XmlBuilder.php b/src/Xml/XmlBuilder.php index 8afe413..2404cfd 100644 --- a/src/Xml/XmlBuilder.php +++ b/src/Xml/XmlBuilder.php @@ -56,7 +56,7 @@ public function buildDps(DpsData $dps): string // Values $valores = $doc->createElement('valores'); $valores->appendChild($doc->createElement('vServ', $dps->valorServico)); - $valores->appendChild($doc->createElement('trib', $this->buildTrib($doc, $dps))); + $valores->appendChild($this->buildTrib($doc, $dps)); $infDps->appendChild($valores); return $doc->saveXML() ?: ''; diff --git a/tests/Integration/.gitkeep b/tests/Integration/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/tests/TestCase.php b/tests/TestCase.php index bbfe0d2..b3eaf17 100644 --- a/tests/TestCase.php +++ b/tests/TestCase.php @@ -9,4 +9,6 @@ use PHPUnit\Framework\TestCase as BaseTestCase; -abstract class TestCase extends BaseTestCase {} +abstract class TestCase extends BaseTestCase +{ +} diff --git a/tests/Unit/Http/NfseClientTest.php b/tests/Unit/Http/NfseClientTest.php index 40d2456..15c09ba 100644 --- a/tests/Unit/Http/NfseClientTest.php +++ b/tests/Unit/Http/NfseClientTest.php @@ -9,6 +9,7 @@ use donatj\MockWebServer\MockWebServer; use donatj\MockWebServer\Response; +use LibreCodeCoop\NfsePHP\Contracts\XmlSignerInterface; use LibreCodeCoop\NfsePHP\Dto\DpsData; use LibreCodeCoop\NfsePHP\Http\NfseClient; use LibreCodeCoop\NfsePHP\SecretStore\NoOpSecretStore; @@ -22,6 +23,7 @@ class NfseClientTest extends TestCase { private static MockWebServer $server; + private XmlSignerInterface $signer; public static function setUpBeforeClass(): void { @@ -34,6 +36,18 @@ public static function tearDownAfterClass(): void self::$server->stop(); } + protected function setUp(): void + { + parent::setUp(); + + $this->signer = new class () implements XmlSignerInterface { + public function sign(string $xml, string $cnpj): string + { + return $xml; + } + }; + } + public function testEmitReturnsReceiptDataOnSuccess(): void { $payload = json_encode([ @@ -52,6 +66,7 @@ public function testEmitReturnsReceiptDataOnSuccess(): void secretStore: $store, sandboxMode: false, baseUrlOverride: self::$server->getServerRoot() . '/NFS-e/api/v1', + signer: $this->signer, ); $dps = $this->makeDps(); diff --git a/tests/psalm-baseline.xml b/tests/psalm-baseline.xml new file mode 100644 index 0000000..586f469 --- /dev/null +++ b/tests/psalm-baseline.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +