feat(Deployment): Integrate Ansible deployment via PHP deployment pipeline

- Create AnsibleDeployStage using framework's Process module for secure command execution - Integrate AnsibleDeployStage into DeploymentPipelineCommands for production deployments - Add force_deploy flag support in Ansible playbook to override stale locks - Use PHP deployment module as orchestrator (php console.php deploy:production) - Fix ErrorAggregationInitializer to use Environment class instead of $_ENV superglobal Architecture: - BuildStage → AnsibleDeployStage → HealthCheckStage for production - Process module provides timeout, error handling, and output capture - Ansible playbook supports rollback via rollback-git-based.yml - Zero-downtime deployments with health checks
2025-10-26 14:08:07 +01:00
parent a90263d3be
commit 3b623e7afb
170 changed files with 19888 additions and 575 deletions
--- a/src/Framework/Webhook/Security/Providers/TelegramSignatureProvider.php
+++ b/src/Framework/Webhook/Security/Providers/TelegramSignatureProvider.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Framework\Webhook\Security\Providers;
+
+/**
+ * Telegram Webhook Signature Provider
+ *
+ * Telegram uses a different authentication mechanism than HMAC signatures.
+ * Instead, they recommend validating the webhook URL contains the bot token,
+ * or using a secret token in the X-Telegram-Bot-Api-Secret-Token header.
+ *
+ * @see https://core.telegram.org/bots/api#setwebhook
+ */
+final readonly class TelegramSignatureProvider implements SignatureProvider
+{
+    /**
+     * Verify Telegram webhook authenticity
+     *
+     * Telegram recommends two approaches:
+     * 1. Include bot token in webhook URL path
+     * 2. Use secret_token parameter when setting webhook (sent in X-Telegram-Bot-Api-Secret-Token header)
+     *
+     * We use approach #2 for better security (token not in URL logs)
+     *
+     * @param string $payload Request body (not used for Telegram)
+     * @param string $signature Secret token from X-Telegram-Bot-Api-Secret-Token header
+     * @param string $secret Expected secret token (set when configuring webhook)
+     */
+    public function verify(string $payload, string $signature, string $secret): bool
+    {
+        // Telegram secret token validation is simple string comparison
+        // Both strings are provided by the developer (no cryptographic signature)
+        return hash_equals($secret, $signature);
+    }
+
+    /**
+     * Generate signature (not applicable for Telegram)
+     *
+     * Telegram doesn't generate signatures from payload.
+     * This method exists for SignatureProvider interface compliance.
+     */
+    public function generate(string $payload, string $secret): string
+    {
+        // For Telegram, we just return the secret token
+        // It's sent as-is in the X-Telegram-Bot-Api-Secret-Token header
+        return $secret;
+    }
+
+    public function getAlgorithm(): string
+    {
+        return 'token';
+    }
+}