Replace Psalm with PHPstan

.github/workflows/php.yml

@@ -51,9 +51,8 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.3'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
-          extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, opcache, openssl, pcre, posix, spl, xml
+          tools: composer, composer-require-checker, composer-unused, phpcs
+          extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, openssl, pcre, posix, spl, xml
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
@@ -85,27 +84,13 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
-        run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
-
-      - name: Psalm (testsuite)
+      - name: PHPStan
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan.neon --debug
 
-      - name: Psalter
+      - name: PHPStan (testsuite)
         run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          vendor/bin/phpstan analyze -c phpstan-dev.neon --debug
 
   security:
     name: Security checks

phpstan-baseline.neon

@@ -0,0 +1,21 @@
+parameters:
+	ignoreErrors:
+		-
+			message: "#^Call to an undefined method SimpleSAML\\\\Module\\\\ldap\\\\ConnectorInterface\\:\\:escapeFilterValue\\(\\)\\.$#"
+			count: 1
+			path: src/Auth/Process/AttributeAddFromLDAP.php
+
+		-
+			message: "#^Call to an undefined method SimpleSAML\\\\Module\\\\ldap\\\\ConnectorInterface\\:\\:escapeFilterValue\\(\\)\\.$#"
+			count: 1
+			path: src/Auth/Process/AttributeAddUsersGroups.php
+
+		-
+			message: "#^Call to an undefined method Symfony\\\\Component\\\\Ldap\\\\Adapter\\\\ConnectionInterface\\:\\:getResource\\(\\)\\.$#"
+			count: 1
+			path: src/Connector/ActiveDirectory.php
+
+		-
+			message: "#^Constructor of class SimpleSAML\\\\Module\\\\ldap\\\\Connector\\\\Ldap has an unused parameter \\$extension\\.$#"
+			count: 1
+			path: src/Connector/Ldap.php

phpstan-dev.neon

@@ -0,0 +1,4 @@
+parameters:
+  level: 9
+  paths:
+    - tests

phpstan.neon

@@ -0,0 +1,6 @@
+parameters:
+  level: 3
+  paths:
+    - src
+includes:
+  - phpstan-baseline.neon

src/Auth/InvalidCredentialResult.php

@@ -57,7 +57,7 @@ class InvalidCredentialResult
     /**
      * Map of keys to check the code against when using is* methods
      *
-     * @var array
+     * @var array<string, array<string>>
      */
     protected array $codeMap = [
         self::KEY_INVALID_CREDENTIAL => [
@@ -155,7 +155,7 @@ public function getRawMessage(): string
 
     /**
      * Allows the default code mappings to be updated
-     * @param array $codes
+     * @param array<mixed> $codes
      * @return void
      */
     public function updateCodeMap(array $codes): void
@@ -167,7 +167,7 @@ public function updateCodeMap(array $codes): void
     /**
      * Allows the default code mappings to be replaced
      *
-     * @param array $codes
+     * @param array<mixed> $codes
      * @return void
      */
     public function replaceCodeMap(array $codes): void

src/Auth/Process/AttributeAddFromLDAP.php

@@ -21,14 +21,14 @@ class AttributeAddFromLDAP extends BaseFilter
     /**
      * LDAP attributes to add to the request attributes
      *
-     * @var array
+     * @var string[]
      */
     protected array $searchAttributes;
 
     /**
      * LDAP attributes to base64 encode
      *
-     * @var array
+     * @var string[]
      */
     protected array $binaryAttributes;
 
@@ -55,7 +55,7 @@ class AttributeAddFromLDAP extends BaseFilter
     /**
      * Initialize this filter.
      *
-     * @param array $config Configuration information about this filter.
+     * @param array<mixed> $config Configuration information about this filter.
      * @param mixed $reserved For future use.
      */
     public function __construct(array $config, $reserved)
@@ -83,7 +83,7 @@ public function __construct(array $config, $reserved)
     /**
      * Add attributes from an LDAP server.
      *
-     * @param array &$state The current request
+     * @param array<mixed> &$state The current request
      */
     public function process(array &$state): void
     {
@@ -148,7 +148,6 @@ public function process(array &$state): void
                 $this->binaryAttributes,
             );
             foreach ($binaries as $binary) {
-                /** @psalm-var array $attr */
                 $attr = $entry->getAttribute($binary);
                 $tmp[$binary] = array_map('base64_encode', $attr);
             }

src/Auth/Process/AttributeAddUsersGroups.php

@@ -33,7 +33,7 @@ class AttributeAddUsersGroups extends BaseFilter
     /**
      * Initialize this filter.
      *
-     * @param array $config Configuration information about this filter.
+     * @param array<mixed> $config Configuration information about this filter.
      * @param mixed $reserved For future use.
      */
     public function __construct(array $config, $reserved)
@@ -51,7 +51,7 @@ public function __construct(array $config, $reserved)
      * LDAP search filters to be added to the base filters for this authproc-filter.
      * It's an array of key => value pairs that will be translated to (key=value) in the ldap query.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $additional_filters;
 
@@ -63,7 +63,7 @@ public function __construct(array $config, $reserved)
      * are then added to the request attributes.
      *
      * @throws \SimpleSAML\Error\Exception
-     * @param array &$state
+     * @param array<mixed> &$state
      */
     public function process(array &$state): void
     {
@@ -124,8 +124,8 @@ public function process(array &$state): void
      * get their group membership, recursively.
      *
      * @throws \SimpleSAML\Error\Exception
-     * @param array $attributes
-     * @return array
+     * @param array<mixed> $attributes
+     * @return array<mixed>
      */
     protected function getGroups(array $attributes): array
     {
@@ -291,13 +291,11 @@ protected function getGroups(array $attributes): array
         $groups = [];
         foreach ($entries as $entry) {
             if ($entry->hasAttribute($return_attribute)) {
-                /** @psalm-var array $values */
                 $values = $entry->getAttribute($return_attribute);
                 $groups[] = array_pop($values);
                 continue;
             } elseif ($entry->hasAttribute(strtolower($return_attribute))) {
                 // Some backends return lowercase attributes
-                /** @psalm-var array $values */
                 $values = $entry->getAttribute(strtolower($return_attribute));
                 $groups[] = array_pop($values);
                 continue;
@@ -330,9 +328,9 @@ protected function getGroups(array $attributes): array
      * Avoids loops by only searching a DN once. Returns
      * the list of groups found.
      *
-     * @param array $memberOf
-     * @param array $options
-     * @return array
+     * @param array<mixed> $memberOf
+     * @param array<mixed> $options
+     * @return array<mixed>
      */
     protected function search(array $memberOf, array $options): array
     {

src/Auth/Process/BaseFilter.php

@@ -17,22 +17,26 @@
 
 abstract class BaseFilter extends Auth\ProcessingFilter
 {
-    // TODO: Support ldap:LDAPMulti, if possible
+    /**
+     * TODO: Support ldap:LDAPMulti, if possible
+     *
+     * @var string[]
+     */
     protected static array $ldapsources = ['ldap:Ldap', 'authX509:X509userCert'];
 
     /**
      * List of attribute "alias's" linked to the real attribute
      * name. Used for abstraction / configuration of the LDAP
      * attribute names, which may change between dir service.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $attribute_map;
 
     /**
      * The base DN of the LDAP connection. Used when searching the LDAP server.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $searchBase;
 
@@ -64,7 +68,7 @@ abstract class BaseFilter extends Auth\ProcessingFilter
      * List of LDAP object types, used to determine the type of
      * object that a DN references.
      *
-     * @var array
+     * @var array<mixed>
      */
     protected array $type_map;
 
@@ -75,7 +79,7 @@ abstract class BaseFilter extends Auth\ProcessingFilter
      * instance/object and stores everything in class members.
      *
      * @throws \SimpleSAML\Error\Exception
-     * @param array &$config
+     * @param array<mixed> &$config
      * @param mixed $reserved
      */
     public function __construct(array &$config, $reserved)
@@ -164,6 +168,7 @@ public function __construct(array &$config, $reserved)
      * Parse authsource config
      *
      * @param string $as The name of the authsource
+     * @return array<mixed>
      */
     private function parseAuthSourceConfig(string $as): array
     {