Migrate psalm to phpstan

.github/workflows/php.yml

@@ -50,8 +50,7 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.3'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
+          tools: composer, composer-require-checker, composer-unused, phpcs, phpstan
           extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, opcache, openssl, pcre, spl, xml
 
       - name: Setup problem matchers for PHP
@@ -84,27 +83,13 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
+      - name: PHPStan
         run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan.neon --debug
 
-      - name: Psalm (testsuite)
+      - name: PHPStan (testsuite)
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
-
-      - name: Psalter
-        run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan-dev.neon --debug
 
   security:
     name: Security checks

phpstan-dev-baseline.neon

@@ -0,0 +1,11 @@
+parameters:
+	ignoreErrors:
+		-
+			message: "#^Unreachable statement \\- code above always terminates\\.$#"
+			count: 1
+			path: tests/src/Controller/RegProcessTest.php
+
+		-
+			message: "#^Unreachable statement \\- code above always terminates\\.$#"
+			count: 1
+			path: tests/src/Controller/RegistrationTest.php

phpstan-dev.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 5
+  paths:
+    - tests

phpstan.neon

@@ -0,0 +1,6 @@
+parameters:
+  level: 3
+  paths:
+    - src
+  bootstrapFiles:
+    - tests/bootstrap.php

src/Auth/Process/WebAuthn.php

@@ -71,10 +71,6 @@ class WebAuthn extends Auth\ProcessingFilter
      */
     public function __construct(array $config, $reserved)
     {
-        /**
-         * Remove annotation + assert as soon as this method can be typehinted (SSP 2.0)
-         * @psalm-suppress RedundantConditionGivenDocblockType
-         */
         parent::__construct($config, $reserved);
 
         $moduleConfig = Configuration::getOptionalConfig('module_webauthn.php')->toArray();

src/Controller/AuthProcess.php

@@ -29,16 +29,10 @@
  */
 class AuthProcess
 {
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
     /**
@@ -151,7 +145,6 @@ public function main(Request $request): Response
             $oneToken[1] = stream_get_contents($oneToken[1]);
         }
 
-        /** @psalm-var array $oneToken */
         $authObject = new WebAuthnAuthenticationEvent(
             $request->request->get('type'),
             ($state['FIDO2Scope'] === null ? $state['FIDO2DerivedScope'] : $state['FIDO2Scope']),

src/Controller/ManageToken.php

@@ -24,16 +24,10 @@
  */
 class ManageToken
 {
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
 

src/Controller/PushbackUserPass.php

@@ -6,14 +6,13 @@
 
 use Exception;
 use SimpleSAML\Auth;
-use SimpleSAML\Auth\Source;
 use SimpleSAML\Configuration;
 use SimpleSAML\Error;
+use SimpleSAML\HTTP\RunnableResponse;
 use SimpleSAML\Logger;
 use SimpleSAML\Module\webauthn\Auth\Source\AuthSourceOverloader;
 use SimpleSAML\Session;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\{Request, Response};
 
 /**
  * Controller class for the webauthn module.
@@ -24,16 +23,10 @@
  */
 class PushbackUserPass
 {
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
     /**
@@ -92,7 +85,7 @@ public function main(Request $request): Response
 
         $authsources = Configuration::getConfig('authsources.php')->toArray();
         $authsourceString = $state['pushbackAuthsource'];
-        $classname = get_class(Source::getById($authsourceString));
+        $classname = get_class(Auth\Source::getById($authsourceString));
         class_alias($classname, '\SimpleSAML\Module\webauthn\Auth\Source\AuthSourceOverloader');
         $overrideSource = new class (
             ['AuthId' => $authsourceString],
@@ -117,7 +110,7 @@ public function loginOverload(string $username, string $password): array
         unset($attribs);
 
         // now properly return our final state to the framework
-        Source::completeAuth($state);
+        return new RunnableResponse([Auth\Source::class, 'completeAuth'], [&$state]);
     }
 
     public function login(string $username, string $password): array

src/Controller/RegProcess.php

@@ -30,16 +30,10 @@
  */
 class RegProcess
 {
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
 

src/Controller/Registration.php

@@ -27,22 +27,13 @@
  */
 class Registration
 {
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Auth\Simple|string
-     * @psalm-var \SimpleSAML\Auth\Simple|class-string
-     */
+    /** @var \SimpleSAML\Auth\Simple|string */
     protected $authSimple = Auth\Simple::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
 
@@ -108,7 +99,7 @@ public function main(/** @scrutinizer ignore-unused */ Request $request): Runnab
 
         $state = [];
         $state['SPMetadata']['entityid'] = "WEBAUTHN-SP-REGISTRATION";
-        /** @psalm-var class-string $authSimple */
+
         $authSimple = $this->authSimple;
         $as = new $authSimple($registrationAuthSource);
         $as->requireAuth();

src/Controller/WebAuthn.php

@@ -29,16 +29,10 @@ class WebAuthn
     public const STATE_AUTH_ALLOWMGMT = 2; // allow to switch to mgmt page
     public const STATE_MGMT = 4; // show token management page
 
-    /**
-     * @var \SimpleSAML\Auth\State|string
-     * @psalm-var \SimpleSAML\Auth\State|class-string
-     */
+    /** @var \SimpleSAML\Auth\State|string */
     protected $authState = Auth\State::class;
 
-    /**
-     * @var \SimpleSAML\Logger|string
-     * @psalm-var \SimpleSAML\Logger|class-string
-     */
+    /** @var \SimpleSAML\Logger|string */
     protected $logger = Logger::class;
 
 

src/Store.php

@@ -25,6 +25,7 @@ abstract class Store
      * This constructor should always be called first in any class which implements this class.
      *
      * @param array &$config The configuration for this storage handler.
+     * @phpstan-ignore constructor.unusedParameter
      */
     protected function __construct(array &$config)
     {
@@ -168,10 +169,7 @@ public static function parseStoreConfig(string|array $config): Store
             '\SimpleSAML\Module\webauthn\Store',
         );
 
-        /**
-         * @psalm-suppress InvalidStringClass
-         * @var \SimpleSAML\Module\webauthn\Store
-         */
+        /** @var \SimpleSAML\Module\webauthn\Store */
         return new $className($config);
     }
 }

src/WebAuthn/AAGUID.php

@@ -31,7 +31,7 @@ class AAGUID
     /**
      * The singleton instance.
      *
-     * @var static
+     * @var \SimpleSAML\Module\webauthn\WebAuthn\AAGUID
      */
     protected static AAGUID $instance;
 
@@ -45,7 +45,7 @@ protected function __construct()
         $path = $config->getConfigDir() . '/' . self::AAGUID_CONFIG_FILE;
         if (!file_exists($path)) {
             Logger::warning("Missing AAGUID configuration file ($path). No device will be recognized.");
-            return null;
+            return;
         }
 
         $data = file_get_contents($path);
@@ -62,7 +62,7 @@ protected function __construct()
     /**
      * Get the singleton instance of the AAGUID dictionary.
      *
-     * @return static
+     * @return self
      */
     public static function getInstance(): self
     {

src/WebAuthn/WebAuthnAbstractEvent.php

@@ -430,8 +430,11 @@ protected function cborDecode(string $rawData): array
 
         $decoder = new Decoder($tagManager, $otherObjectManager);
         $stream = new StringStream($rawData);
+
+        /** @var \CBOR\OtherObject $object */
         $object = $decoder->decode($stream);
         $finalData = $object->normalize();
+
         if ($finalData === null) {
             $this->fail("CBOR data decoding failed.");
         }

src/WebAuthn/WebAuthnRegistrationEvent.php

@@ -628,8 +628,6 @@ private function validateAttestationFormatFidoU2F(array $attestationData): void
         }
         /**
          * §8.6 Verification Step 5: create verificationData
-         *
-         * @psalm-var string $publicKeyU2F
          */
         $verificationData = chr(0) . $this->rpIdHash . $this->clientDataHash . $this->credentialId . $publicKeyU2F;
         /**

tests/bootstrap.php

@@ -11,3 +11,9 @@
     print "Linking '$linkPath' to '$projectRoot'\n";
     symlink($projectRoot, $linkPath);
 }
+
+// Little dirty hack to satisfy PHPstan
+class_alias(
+    \SimpleSAML\Module\core\Auth\Source\AdminPassword::class,
+    '\SimpleSAML\Module\webauthn\Auth\Source\AuthSourceOverloader',
+);