Replace Psalm with PHPstan

.github/workflows/php.yml

@@ -162,9 +162,8 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.4'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
-          extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, opcache, openssl, \
+          tools: composer, composer-require-checker, composer-unused, phpcs
+          extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, \
                       pcre, posix, soap, spl, xml
 
       - name: Setup problem matchers for PHP
@@ -197,27 +196,14 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
-        run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
 
-      - name: Psalm (testsuite)
+      - name: PHPStan
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan.neon
 
-      - name: Psalter
+      - name: PHPStan (testsuite)
         run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan-dev.neon
 
   security:
     name: Security checks

phpstan-dev.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 9
+  paths:
+    - tests

phpstan.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 6
+  paths:
+    - src

src/IdP/ADFS.php

@@ -108,7 +108,7 @@
         // Ensure we know the issuer
         $issuer = $endpointReference->getAddress()->getContent();
 
         $metadata = MetaDataStorageHandler::getMetadataHandler(Configuration::getInstance());
         $spMetadata = $metadata->getMetaDataConfig($issuer, 'adfs-sp-remote');
 
         $usernameToken = UsernameToken::getChildrenOfClass($security->toXML());
@@ -119,7 +119,7 @@
         $password = Password::getChildrenOfClass($usernameToken->toXML());
         $password = array_pop($password);
 
-        if ($username === null || $password === null) {
+        if ($password === null) {
             throw new Error\BadRequest('Missing username or password in SOAP header.');
         } else {
             $_SERVER['PHP_AUTH_USER'] = $username->getContent();
@@ -158,7 +158,7 @@
         $requestid = $query['wctx'] ?? null;
         $issuer = $query['wtrealm'];
 
         $metadata = MetaDataStorageHandler::getMetadataHandler(Configuration::getInstance());
         $spMetadata = $metadata->getMetaDataConfig($issuer, 'adfs-sp-remote');
 
         Logger::info('ADFS - IdP.prp: Incoming Authentication request: ' . $issuer . ' id ' . $requestid);
@@ -207,7 +207,7 @@
      * @param string $issuer
      * @param string $target
      * @param string $nameid
-     * @param array $attributes
+     * @param array<mixed> $attributes
      * @param int $assertionLifetime
      * @param string $method
      * @return \SimpleSAML\SAML11\XML\saml\Assertion
@@ -287,7 +287,7 @@
      * @param string $issuer
      * @param string $target
      * @param string $nameid
-     * @param array $attributes
+     * @param array<mixed> $attributes
      * @param int $assertionLifetime
      * @return \SimpleSAML\SAML11\XML\saml\Assertion
      */
@@ -409,7 +409,7 @@
 
 
     /**
-     * @param array $state
+     * @param array<mixed> $state
      * @throws \Exception
      */
     public static function sendPassiveResponse(array $state): void
@@ -519,7 +519,7 @@
 
 
     /**
-     * @param array $state
+     * @param array<mixed> $state
      * @throws \Exception
      */
     public static function sendResponse(array $state): void
@@ -603,7 +603,7 @@
 
     /**
      * @param \SimpleSAML\IdP $idp
-     * @param array $state
+     * @param array<mixed> $state
      */
     public static function sendLogoutResponse(IdP $idp, array $state): void
     {
@@ -645,7 +645,7 @@
      * accepts an association array, and returns a URL that can be accessed to terminate the association
      *
      * @param \SimpleSAML\IdP $idp
-     * @param array $association
+     * @param array<mixed> $association
      * @param string $relayState
      * @return string
      */

src/IdP/MetadataBuilder.php

@@ -99,7 +99,7 @@
     {
         $cryptoUtils = new Utils\Crypto();
 
-        /** @var array $keyArray */
+        /** @var array<mixed> $keyArray */
         $keyArray = $cryptoUtils->loadPrivateKey($this->config, true, 'metadata.sign.');
         $certArray = $cryptoUtils->loadPublicKey($this->config, false, 'metadata.sign.');
         $algo = $this->config->getOptionalString('metadata.sign.algorithm', C::SIG_RSA_SHA256);
@@ -123,6 +123,8 @@
 
     /**
      * This method builds the md:Organization element, if any
+     *
+     * @return \SimpleSAML\SAML2\XML\md\Organization
      */
     private function getOrganization(): ?Organization
     {
@@ -157,6 +159,8 @@
 
     /**
      * This method builds the role descriptor elements
+     *
+     * @return \SimpleSAML\SAML2\XML\md\AbstractRoleDescriptor[]
      */
     private function getRoleDescriptor(): array
     {
@@ -177,6 +181,8 @@
 
     /**
      * This method builds the SecurityTokenService element
+     *
+     * @return \SimpleSAML\WSSecurity\XML\fed\SecurityTokenServiceType
      */
     public function getSecurityTokenService(): SecurityTokenServiceType
     {
@@ -202,6 +208,8 @@
 
     /**
      * This method builds the md:KeyDescriptor elements, if any
+     *
+     * @return \SimpleSAML\SAML2\XML\md\KeyDescriptor[]
      */
     private function getKeyDescriptor(): array
     {
@@ -238,6 +246,8 @@
 
     /**
      * This method builds the md:ContactPerson elements, if any
+     *
+     * @return \SimpleSAML\SAML2\XML\md\ContactPerson[]
      */
     private function getContactPerson(): array
     {
@@ -255,8 +265,10 @@
 
     /**
      * This method builds the md:Extensions, if any
+     *
+     * @return \SimpleSAML\SAML2\XML\md\Extensions|null
      */
     private function getExtensions(): ?Extensions
     {
         $extensions = [];
 
@@ -332,6 +344,13 @@
     }
 
 
+    /**
+     * @param string $use
+     * @param string $x509Cert
+     * @param string|null $keyName
+     *
+     * @return \SimpleSAML\SAML2\XML\md\KeyDescriptor
+     */
     private static function buildKeyDescriptor(string $use, string $x509Cert, ?string $keyName): KeyDescriptor
     {
         Assert::oneOf($use, ['encryption', 'signing']);

src/IdP/PassiveIdP.php

@@ -29,7 +29,7 @@
     /**
      * A cache for resolving IdP id's.
      *
-     * @var array
+     * @var \SimpleSAML\Module\adfs\IdP\PassiveIdP[]
      */
     private static array $idpCache = [];
 
@@ -75,7 +75,7 @@
         $this->id = $id;
 
         $this->globalConfig = $config;
         $metadata = MetaDataStorageHandler::getMetadataHandler($this->globalConfig);
 
         if (substr($id, 0, 5) === 'adfs:') {
             if (!$this->globalConfig->getOptionalBoolean('enable.adfs-idp', false)) {
@@ -130,7 +130,7 @@
      * Retrieve the IdP "owning" the state.
      *
      * @param \SimpleSAML\Configuration $config The Configuration.
-     * @param array &$state The state array.
+     * @param array<mixed> &$state The state array.
      *
      * @return \SimpleSAML\Module\adfs\IdP\PassiveIdP The IdP.
      */
@@ -167,7 +167,7 @@
     /**
      * Called after authproc has run.
      *
-     * @param array $state The authentication request state array.
+     * @param array<mixed> $state The authentication request state array.
      */
     public static function postAuthProc(array $state): void
     {
@@ -191,7 +191,7 @@
     /**
      * The user is authenticated.
      *
-     * @param array $state The authentication request state array.
+     * @param array<mixed> $state The authentication request state array.
      *
      * @throws \SimpleSAML\Error\Exception If we are not authenticated.
      */
@@ -229,7 +229,7 @@
 
         $pc->processState($state);
 
         return self::postAuthProc($state);
     }
 
 
@@ -238,18 +238,18 @@
      *
      * This function authenticates the user.
      *
-     * @param array &$state The authentication request state.
+     * @param array<mixed> &$state The authentication request state.
      */
     private function authenticate(array &$state): Response
     {
         return $this->authSource->login($state);
     }
 
 
     /**
      * Process authentication requests.
      *
-     * @param array &$state The authentication request state.
+     * @param array<mixed> &$state The authentication request state.
      */
     public function handleAuthenticationRequest(array &$state): Response
     {
@@ -314,7 +314,7 @@
      *
      * This function will never return.
      *
-     * @param array &$state The logout request state.
+     * @param array<mixed> &$state The logout request state.
      */
     public function finishLogout(array &$state): Response
     {

src/MetadataExchange.php

@@ -56,9 +56,6 @@ class MetadataExchange
 {
     /**
      * Constructor.
-     *
-     * @param \SimpleSAML\Configuration $config The general configuration
-     * @param \SimpleSAML\Configuration $metadata The metadata configuration
      */
     public function __construct()
     {
@@ -68,7 +65,7 @@ public function __construct()
     /**
      * Build a mex document
      *
-     * @return \SimpleSAML\WSSecurity\XML\wsdl\Definitions
+     * @return \SimpleSAML\WSDL\XML\wsdl\Definitions
      */
     public function buildDocument(): Definitions
     {
@@ -89,7 +86,7 @@ public function buildDocument(): Definitions
     /**
      * This method builds the wsp:Policy elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsp\Policy[]
+     * @return \SimpleSAML\WSSecurity\XML\wsp\Policy[]
      */
     private function getPolicies(): array
     {
@@ -106,7 +103,7 @@ private function getPolicies(): array
     /**
      * This method builds the wsdl:types elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsdl\Types[]
+     * @return \SimpleSAML\WSSL\XML\wsdl\Types[]
     private function getTypes(): array
     {
         $defaultEndpoint = Module::getModuleURL('adfs/services/trust/mex');
@@ -132,7 +129,7 @@ private function getTypes(): array
     /**
      * This method builds the wsdl:message elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsdl\Message[]
+     * @return \SimpleSAML\WSDL\XML\wsdl\Message[]
      */
     private function getMessages(): array
     {
@@ -190,7 +187,7 @@ private function getMessages(): array
     /**
      * This method builds the wsdl:portType elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsdl\PortType[]
+     * @return \SimpleSAML\WSDL\XML\wsdl\PortType[]
      */
     private function getPortTypes(): array
     {
@@ -258,7 +255,7 @@ private function getPortTypes(): array
     /**
      * This method builds the wsdl:binding elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsdl\Binding[]
+     * @return \SimpleSAML\WSDL\XML\wsdl\Binding[]
      */
     private function getBindings(): array
     {
@@ -569,7 +566,7 @@ private function getBindings(): array
     /**
      * This method builds the wsdl:service elements
      *
-     * @param \SimpleSAML\WSSecurity\XML\wsdl\Service[]
+     * @return \SimpleSAML\WSDL\XML\wsdl\Service[]
      */
     private function getServices(): array
     {