Replace Psalm with PHPstan

Author: tvdijen

.github/workflows/php.yml

@@ -51,9 +51,8 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.3'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
-          extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, opcache, openssl, pcre, posix, spl, xml
+          tools: composer, composer-require-checker, composer-unused, phpcs
+          extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, openssl, pcre, posix, spl, xml
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
@@ -85,27 +84,13 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
-        run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
-
-      - name: Psalm (testsuite)
+      - name: PHPStan
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan.neon --debug
 
-      - name: Psalter
+      - name: PHPStan (testsuite)
         run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan-dev.neon --debug
 
   security:
     name: Security checks

phpstan-dev.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 9
+  paths:
+    - tests

phpstan.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 6
+  paths:
+    - src

psalm-dev.xml

@@ -17,22 +17,26 @@
 
 abstract class BaseFilter extends Auth\ProcessingFilter
 {
-    // TODO: Support ldap:LDAPMulti, if possible
+    /**
+     * TODO: Support ldap:LDAPMulti, if possible
+     *
+     * @var string[]
+     */
     protected static array $ldapsources = ['ldap:Ldap', 'authX509:X509userCert'];
 
     /**
      * List of attribute "alias's" linked to the real attribute
      * name. Used for abstraction / configuration of the LDAP
      * attribute names, which may change between dir service.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $attribute_map;
 
     /**
      * The base DN of the LDAP connection. Used when searching the LDAP server.
      *
-     * @var array
+     * @var array<mixed.
      */
     protected array $searchBase;
 
@@ -64,7 +68,7 @@ abstract class BaseFilter extends Auth\ProcessingFilter
      * List of LDAP object types, used to determine the type of
      * object that a DN references.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $type_map;
 

psalm.xml

@@ -49,8 +49,8 @@ class Ldap extends UserPassBase
     /**
      * Constructor for this authentication source.
      *
-     * @param array $info  Information about this authentication source.
-     * @param array $config  Configuration.
+     * @param array<mixed> $info  Information about this authentication source.
+     * @param array<mixed> $config  Configuration.
      */
     public function __construct(array $info, array $config)
     {
@@ -71,11 +71,15 @@ public function __construct(array $info, array $config)
      *
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
-     * @param array|null $sasl_args  SASL options
-     * @return array  Associative array with the users attributes.
+     * @param array<mixed>|null $sasl_args  SASL options
+     * @return array<mixed> Associative array with the users attributes.
      */
-    protected function loginSasl(string $username, #[\SensitiveParameter]string $password, array $sasl_args = []): array
-    {
+    protected function loginSasl(
+        string $username,
+        #[\SensitiveParameter]
+        string $password,
+        array $sasl_args = [],
+    ): array {
         if (preg_match('/^\s*$/', $password)) {
             // The empty string is considered an anonymous bind to Symfony
             throw new Error\Error('WRONGUSERPASS');
@@ -110,7 +114,7 @@ protected function loginSasl(string $username, #[\SensitiveParameter]string $pas
             Assert::nullOrNotWhitespaceOnly($searchUsername);
 
             $searchPassword = $this->ldapConfig->getOptionalString('search.password', null);
-            Assert::nullOrnotWhitespaceOnly($searchPassword);
+            Assert::nullOrNotWhitespaceOnly($searchPassword);
 
             try {
                 $this->connector->bind($searchUsername, $searchPassword);
@@ -164,7 +168,7 @@ protected function loginSasl(string $username, #[\SensitiveParameter]string $pas
      *
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
-     * @return array  Associative array with the users attributes.
+     * @return array<mixed> Associative array with the users attributes.
      */
     protected function login(string $username, #[\SensitiveParameter]string $password): array
     {
@@ -176,15 +180,15 @@ protected function login(string $username, #[\SensitiveParameter]string $passwor
      * Attempt to find a user's attributes given its username.
      *
      * @param string $username  The username who's attributes we want.
-     * @return array  Associative array with the users attributes.
+     * @return array<mixed> Associative array with the users attributes.
      */
     public function getAttributes(string $username): array
     {
         $searchUsername = $this->ldapConfig->getOptionalString('search.username', null);
         Assert::nullOrNotWhitespaceOnly($searchUsername);
 
         $searchPassword = $this->ldapConfig->getOptionalString('search.password', null);
-        Assert::nullOrnotWhitespaceOnly($searchPassword);
+        Assert::nullOrNotWhitespaceOnly($searchPassword);
 
         try {
             $this->connector->bind($searchUsername, $searchPassword);
@@ -232,7 +236,7 @@ public function getAttributes(string $username): array
 
     /**
      * @param \Symfony\Component\Ldap\Entry $entry
-     * @return array
+     * @return array<mixed>
      */
     private function processAttributes(Entry $entry): array
     {

src/Auth/Process/BaseFilter.php

@@ -33,16 +33,22 @@ class LdapMulti extends UserPassOrgBase
 
     /**
      * An array with mappings for organization => authsource.
+     *
+     * @var array<mixed>
      */
     private array $mapping;
 
     /**
      * An array with descriptions for organizations.
+     *
+     * @var array<mixed>
      */
     private array $orgs;
 
     /**
      * An array of organization IDs to LDAP configuration objects.
+     *
+     * @var array<mixed>
      */
     private array $ldapOrgs;
 
@@ -55,8 +61,8 @@ class LdapMulti extends UserPassOrgBase
     /**
      * Constructor for this authentication source.
      *
-     * @param array $info  Information about this authentication source.
-     * @param array $config  Configuration.
+     * @param array<mixed> $info  Information about this authentication source.
+     * @param array<mixed> $config  Configuration.
      */
     public function __construct(array $info, array $config)
     {
@@ -109,9 +115,9 @@ public function __construct(array $info, array $config)
      *
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
-     * @param string $organizaion  The organization the user chose.
-     * @param array|null $sasl_args SASL options
-     * @return array  Associative array with the users attributes.
+     * @param string $organization  The organization the user chose.
+     * @param array<mixed>|null $sasl_args SASL options
+     * @return array<mixed> Associative array with the users attributes.
      */
     protected function loginSasl(
         string $username,
@@ -134,6 +140,10 @@ protected function loginSasl(
 
         $ldap = new class (['AuthId' => $authsource], $sourceConfig->toArray()) extends Ldap
         {
+            /**
+             * @param array<mixed> $sasl_args
+             * @return array<mixed>
+             */
             public function loginOverload(
                 string $username,
                 #[\SensitiveParameter]string $password,
@@ -146,23 +156,25 @@ public function loginOverload(
         return $ldap->loginOverload($username, $password, $sasl_args);
     }
 
+
     /**
      * Attempt to log in using the given username and password.
      *
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
-     * @param string $organizaion  The organization the user chose.
-     * @return array  Associative array with the users attributes.
+     * @param string $organization  The organization the user chose.
+     * @return array<mixed> Associative array with the users attributes.
      */
     protected function login(string $username, #[\SensitiveParameter]string $password, string $organization): array
     {
         return $this->loginSasl($username, $password, $organization);
     }
 
+
     /**
      * Retrieve list of organizations.
      *
-     * @return array  Associative array with the organizations.
+     * @return array<mixed> Associative array with the organizations.
      */
     protected function getOrganizations(): array
     {

src/Auth/Source/Ldap.php

@@ -44,7 +44,7 @@ class Ldap implements ConnectorInterface
      * @param int $version
      * @param string $extension
      * @param bool $debug
-     * @param array $options
+     * @param array<mixed> $options
      */
     public function __construct(
         string $connection_strings,

src/Auth/Source/LdapMulti.php

@@ -64,9 +64,9 @@ public function whoami(): string;
     /**
      * Search the LDAP-directory for a specific object
      *
-     * @param array $searchBase
+     * @param string[] $searchBase
      * @param string $filter
-     * @param array $options
+     * @param array<mixed> $options
      * @param boolean $allowMissing
      * @return \Symfony\Component\Ldap\Entry|null The result of the search or null if none found
      * @psalm-return ($allowMissing is true ? \Symfony\Component\Ldap\Entry|null : \Symfony\Component\Ldap\Entry)
@@ -85,9 +85,9 @@ public function search(
     /**
      * Search the LDAP-directory for any object matching the search filter
      *
-     * @param array $searchBase
+     * @param string[] $searchBase
      * @param string $filter
-     * @param array $options
+     * @param array<mixed> $options
      * @param boolean $allowMissing
      * @return \Symfony\Component\Ldap\Entry[] The result of the search
      *