Merge master into release-5.x

.github/workflows/interoperability.yml

@@ -0,0 +1,101 @@
+---
+
+name: Interoperability
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches: ['**']
+    paths-ignore:
+      - '**.md'
+      - '**.yml'
+  pull_request:
+    branches: [master, release-*]
+    paths-ignore:
+      - '**.md'
+      - '**.yml'
+  workflow_dispatch:
+
+jobs:
+  edugain:
+    name: "Interoperability tests, PHP ${{ matrix.php-versions }}, ${{ matrix.operating-system }}"
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: false
+      matrix:
+        operating-system: [ubuntu-latest]
+        php-versions: ['8.2']
+
+    steps:
+      - name: Setup PHP, with composer and extensions
+        # https://github.com/shivammathur/setup-php
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: ctype, date, dom, hash, mbstring, openssl, pcre, spl, xml
+          tools: composer:v2
+          ini-values: error_reporting=E_ALL, memory_limit=-1
+          coverage: none
+
+      - name: Setup problem matchers for PHP
+        run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
+
+      - name: Setup problem matchers for PHPUnit
+        run: echo "::add-matcher::${{ runner.tool_cache }}/phpunit.json"
+
+      - name: Set git to use LF
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+
+      - uses: actions/checkout@v4
+
+      - name: Cache composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: $(composer config cache-files-dir)
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+
+      - name: Validate composer.json and composer.lock
+        run: composer validate
+
+      - name: Install Composer dependencies
+        run: composer install --no-progress --prefer-dist --optimize-autoloader
+
+      - name: Get current date
+        id: date
+        run: |
+          echo "{date}={$(date +'%Y-%m-%d')}" >> "$GITHUB_STATE"
+
+      - name: Cache metadata
+        id: cache-metadata
+        uses: actions/cache@v4
+        with:
+          path: /tmp/metadata
+          key: ${{ runner.os }}-metadata-${{ env.date }}
+          restore-keys: ${{ runner.os }}-metadata-
+
+      - name: Download eduGAIN metadata & public key
+        if: steps.cache-metadata.outputs.cache-hit != 'true'
+        run: |
+            mkdir -p /tmp/metadata
+            wget https://mds.edugain.org/edugain-v2.xml -O /tmp/metadata/edugain.xml
+            wget https://technical.edugain.org/mds-v2.cer -O /tmp/metadataedugain-pub.crt
+
+
+      - name: Download GRNET metadata
+        if: steps.cache-metadata.outputs.cache-hit != 'true'
+        run: |
+            mkdir -p /tmp/metadata
+            wget https://md.aai.grnet.gr/aggregates/grnet-metadata.xml -O /tmp/metadata/grnet.xml
+
+      - name: Download MicrosoftOnline metadata
+        if: steps.cache-metadata.outputs.cache-hit != 'true'
+        run: |
+            mkdir -p /tmp/metadata
+            wget https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml \
+              -O /tmp/metadata/microsoftonline.xml
+
+      - name: Run unit tests
+        run: |
+          ./vendor/bin/phpunit -c phpunit-interoperability.xml

.github/workflows/php.yml

@@ -11,23 +11,28 @@ on:  # yamllint disable-line rule:truthy
     branches: [master, release-*]
     paths-ignore:
       - '**.md'
+  workflow_dispatch:
 
 jobs:
   linter:
     name: Linter
     runs-on: ['ubuntu-latest']
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
+          # super-linter needs the full git history to get the
+          # list of files that changed across commits
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: github/super-linter/slim@v5
+        uses: super-linter/super-linter/slim@v6
         env:
+          # To report GitHub Actions status checks
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LINTER_RULES_PATH: 'tools/linters'
           LOG_LEVEL: NOTICE
           VALIDATE_ALL_CODEBASE: true
-          LINTER_RULES_PATH: 'tools/linters'
           VALIDATE_BASH: true
           VALIDATE_BASH_EXEC: true
           VALIDATE_JSON: true
@@ -47,21 +52,20 @@ jobs:
         with:
           # Should be the higest supported version, so we can use the newest tools
           php-version: '8.3'
-          tools: composer, composer-require-checker, composer-unused, phpcs, psalm
-          # optional performance gain for psalm: opcache
-          extensions: ctype, date, dom, filter, hash, mbstring, opcache, openssl, pcre, soap, spl, xml
+          tools: composer, composer-require-checker, composer-unused, phpcs, phpstan
+          extensions: ctype, date, dom, filter, hash, mbstring, openssl, pcre, soap, spl, xml
           coverage: none
 
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: $COMPOSER_CACHE
           key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -83,28 +87,13 @@ jobs:
       - name: PHP Code Sniffer
         run: phpcs
 
-      - name: Psalm
-        continue-on-error: true
-        run: |
-          psalm -c psalm.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
-
-      - name: Psalm (testsuite)
-        continue-on-error: true
+      - name: PHPStan
         run: |
-          psalm -c psalm-dev.xml \
-          --show-info=true \
-          --shepherd \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan.neon
 
-      - name: Psalter
+      - name: PHPStan (testsuite)
         run: |
-          psalm --alter \
-          --issues=UnnecessaryVarAnnotation \
-          --dry-run \
-          --php-version=${{ steps.setup-php.outputs.php-version }}
+          phpstan analyze -c phpstan-dev.neon
 
   security:
     name: Security checks
@@ -123,13 +112,13 @@ jobs:
       - name: Setup problem matchers for PHP
         run: echo "::add-matcher::${{ runner.tool_cache }}/php.json"
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: $COMPOSER_CACHE
           key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -179,13 +168,13 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: $COMPOSER_CACHE
           key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -204,7 +193,7 @@ jobs:
 
       - name: Save coverage data
         if: ${{ matrix.php-versions == '8.3' }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build
@@ -241,13 +230,13 @@ jobs:
           git config --global core.autocrlf false
           git config --global core.eol lf
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Get composer cache directory
         run: echo COMPOSER_CACHE="$(composer config cache-files-dir)" >> "$env:GITHUB_ENV"
 
       - name: Cache composer dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: $COMPOSER_CACHE
           key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
@@ -264,16 +253,30 @@ jobs:
     runs-on: [ubuntu-latest]
     needs: [unit-tests-linux]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build
 
       - name: Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: true
           verbose: true
+
+  cleanup:
+    name: Cleanup artifacts
+    needs: [unit-tests-linux, coverage]
+    runs-on: [ubuntu-latest]
+    if: |
+      always() &&
+      needs.coverage.result == 'success' ||
+      (needs.unit-tests-linux == 'success' && needs.coverage == 'skipped')
+
+    steps:
+      - uses: geekyeggo/delete-artifact@v5
+        with:
+          name: coverage-data

phpstan-baseline-dev.neon

@@ -0,0 +1,106 @@
+parameters:
+	ignoreErrors:
+		-
+			message: "#^PHPDoc tag @var for property SimpleSAML\\\\Test\\\\SAML2\\\\Assertion\\\\Transformer\\\\NameIdDecryptionTransformerTest\\:\\:\\$validator with type SimpleSAML\\\\SAML2\\\\Response\\\\Validation\\\\Validator is incompatible with native type SimpleSAML\\\\SAML2\\\\Signature\\\\Validator\\.$#"
+			count: 1
+			path: tests/SAML2/Assertion/Transformer/NameIdDecryptionTransformerTest.php
+
+		-
+			message: "#^Unreachable statement \\- code above always terminates\\.$#"
+			count: 2
+			path: tests/SAML2/Assertion/Transformer/NameIdDecryptionTransformerTest.php
+
+		-
+			message: "#^PHPDoc tag @var for property SimpleSAML\\\\Test\\\\SAML2\\\\Assertion\\\\Validation\\\\AssertionValidatorTest\\:\\:\\$validator with type SimpleSAML\\\\SAML2\\\\Response\\\\Validation\\\\Validator is incompatible with native type SimpleSAML\\\\SAML2\\\\Signature\\\\Validator\\.$#"
+			count: 1
+			path: tests/SAML2/Assertion/Validation/AssertionValidatorTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$xml of static method SimpleSAML\\\\SAML2\\\\XML\\\\saml\\\\Assertion\\:\\:fromXML\\(\\) expects DOMElement, DOMNode\\|null given\\.$#"
+			count: 2
+			path: tests/SAML2/Assertion/Validation/AssertionValidatorTest.php
+
+		-
+			message: "#^Result of method SimpleSAML\\\\SAML2\\\\Assertion\\\\Processor\\:\\:validateAssertion\\(\\) \\(void\\) is used\\.$#"
+			count: 2
+			path: tests/SAML2/Assertion/Validation/AssertionValidatorTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$serviceProvider of method SimpleSAML\\\\SAML2\\\\Assertion\\\\Validation\\\\ConstraintValidator\\\\SpIsValidAudience\\:\\:setServiceProvider\\(\\) expects SimpleSAML\\\\SAML2\\\\Configuration\\\\ServiceProvider, Mockery\\\\MockInterface given\\.$#"
+			count: 3
+			path: tests/SAML2/Assertion/Validation/ConstraintValidator/SpIsValidAudienceTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:andReturnNull\\(\\)\\.$#"
+			count: 2
+			path: tests/SAML2/Assertion/Validation/ConstraintValidator/SubjectConfirmationResponseToMatchesTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$response of class SimpleSAML\\\\SAML2\\\\Assertion\\\\Validation\\\\ConstraintValidator\\\\SubjectConfirmationResponseToMatches constructor expects SimpleSAML\\\\SAML2\\\\XML\\\\samlp\\\\Response, Mockery\\\\MockInterface given\\.$#"
+			count: 5
+			path: tests/SAML2/Assertion/Validation/ConstraintValidator/SubjectConfirmationResponseToMatchesTest.php
+
+		-
+			message: "#^PHPDoc tag @var for property SimpleSAML\\\\Test\\\\SAML2\\\\XML\\\\saml\\\\SubjectConfirmationValidatorTest\\:\\:\\$validator with type SimpleSAML\\\\SAML2\\\\Response\\\\Validation\\\\Validator is incompatible with native type SimpleSAML\\\\SAML2\\\\Signature\\\\Validator\\.$#"
+			count: 1
+			path: tests/SAML2/Assertion/Validation/SubjectConfirmationValidatorTest.php
+
+		-
+			message: "#^Result of method SimpleSAML\\\\SAML2\\\\Assertion\\\\Processor\\:\\:validateAssertion\\(\\) \\(void\\) is used\\.$#"
+			count: 1
+			path: tests/SAML2/Assertion/Validation/SubjectConfirmationValidatorTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$element of method SimpleSAML\\\\SAML2\\\\Certificate\\\\KeyCollection\\:\\:add\\(\\) expects SimpleSAML\\\\SAML2\\\\Certificate\\\\Key, string given\\.$#"
+			count: 1
+			path: tests/SAML2/Certificate/KeyCollectionTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:atMost\\(\\)\\.$#"
+			count: 2
+			path: tests/SAML2/Certificate/KeyLoaderTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:once\\(\\)\\.$#"
+			count: 1
+			path: tests/SAML2/Certificate/KeyLoaderTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$config of method SimpleSAML\\\\SAML2\\\\Certificate\\\\KeyLoader\\:\\:loadKeysFromConfiguration\\(\\) expects SimpleSAML\\\\SAML2\\\\Configuration\\\\CertificateProvider, Mockery\\\\MockInterface given\\.$#"
+			count: 3
+			path: tests/SAML2/Certificate/KeyLoaderTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:once\\(\\)\\.$#"
+			count: 8
+			path: tests/SAML2/Response/SignatureValidationTest.php
+
+		-
+			message: "#^Call to method shouldReceive\\(\\) on an unknown class alias\\:SimpleSAML\\\\SAML2\\\\Assertion\\\\ProcessorBuilder\\.$#"
+			count: 1
+			path: tests/SAML2/Response/SignatureValidationTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:once\\(\\)\\.$#"
+			count: 2
+			path: tests/SAML2/Response/Validation/ConstraintValidator/DestinationMatchesTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$response of method SimpleSAML\\\\SAML2\\\\Response\\\\Validation\\\\ConstraintValidator\\\\DestinationMatches\\:\\:validate\\(\\) expects SimpleSAML\\\\SAML2\\\\XML\\\\samlp\\\\Response, Mockery\\\\MockInterface given\\.$#"
+			count: 2
+			path: tests/SAML2/Response/Validation/ConstraintValidator/DestinationMatchesTest.php
+
+		-
+			message: "#^Call to an undefined method Mockery\\\\ExpectationInterface\\|Mockery\\\\HigherOrderMessage\\:\\:once\\(\\)\\.$#"
+			count: 3
+			path: tests/SAML2/Response/Validation/ConstraintValidator/IsSuccessfulTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$response of method SimpleSAML\\\\SAML2\\\\Response\\\\Validation\\\\ConstraintValidator\\\\IsSuccessful\\:\\:validate\\(\\) expects SimpleSAML\\\\SAML2\\\\XML\\\\samlp\\\\Response, Mockery\\\\MockInterface given\\.$#"
+			count: 2
+			path: tests/SAML2/Response/Validation/ConstraintValidator/IsSuccessfulTest.php
+
+		-
+			message: "#^Parameter \\#1 \\$xml of static method SimpleSAML\\\\SAML2\\\\XML\\\\saml\\\\Assertion\\:\\:fromXML\\(\\) expects DOMElement, DOMNode\\|null given\\.$#"
+			count: 2
+			path: tests/SAML2/Response/XmlSignatureWrappingTest.php