- The password for your = htmlentities($this->data['accountName']); ?>
- account will expire on = htmlentities($dateString); ?>.
-
-
- The password for your = htmlentities($this->data['accountName']); ?>
- account expired on = htmlentities($dateString); ?>.
-
-
- You will need to update your password before you can continue to where you
- were going.
-
-
data['daysLeft'] ?? 0;
+ $daysLeft = $this->data['daysLeft'] ?? '0';
$expiringMessage = $daysLeft < 2 ?
$this->t('{material:about2expire:expiring_in_a_day}') :
$this->t('{material:about2expire:expiring_soon}',
diff --git a/modules/material/themes/material/mfa/low-on-backup-codes.php b/modules/material/themes/material/mfa/low-on-backup-codes.php
index 9f148a1c..b8d75d41 100644
--- a/modules/material/themes/material/mfa/low-on-backup-codes.php
+++ b/modules/material/themes/material/mfa/low-on-backup-codes.php
@@ -29,7 +29,7 @@
@@ -29,23 +12,16 @@ function excludeSelf($others, $selfId) {
-includeAtTemplateBase('includes/footer.php');
diff --git a/modules/mfa/templates/send-manager-mfa.php b/modules/mfa/templates/send-manager-mfa.php
deleted file mode 100644
index 4a274ac6..00000000
--- a/modules/mfa/templates/send-manager-mfa.php
+++ /dev/null
@@ -1,20 +0,0 @@
-data['header'] = 'Send manager backup code';
-$this->includeAtTemplateBase('includes/header.php');
-
-?>
-
- You can send a backup code to your manager to serve as an
- additional 2-Step Verification option.
- The email address on file (masked for privacy) is = $this->data['managerEmail'] ?>
-
-
-includeAtTemplateBase('includes/footer.php');
diff --git a/modules/mfa/www/prompt-for-mfa.php b/modules/mfa/www/prompt-for-mfa.php
index 3e63050a..a736fd69 100644
--- a/modules/mfa/www/prompt-for-mfa.php
+++ b/modules/mfa/www/prompt-for-mfa.php
@@ -67,6 +67,7 @@
// If the user has submitted their MFA value...
if (filter_has_var(INPUT_POST, 'submitMfa')) {
+ /* @var string|array $mfaSubmission */
$mfaSubmission = filter_input(INPUT_POST, 'mfaSubmission');
if (substr($mfaSubmission, 0, 1) == '{') {
$mfaSubmission = json_decode($mfaSubmission, true);
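Review bot: The added `/* @var string|array $mfaSubmission */` is not a PHPDoc block (single asterisk), and the type it states is wrong at the line it annotates: `filter_input()` yields `string|null|false` there, and the value only becomes an array after the `json_decode()` two lines later, so static analysis is misled rather than helped. The `substr($mfaSubmission, 0, 1) == '{'` test also hands a possible `null` to `substr()` (deprecated in PHP 8.1) and compares loosely; `if (is_string($mfaSubmission) && str_starts_with($mfaSubmission, '{')) {` keeps the intent and is strict, and `/** @var string|array|null $mfaSubmission */` would be the correct docblock form if one is kept. The enclosing `if` block continues beyond the hunk.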
@@ -96,6 +97,25 @@
$globalConfig = Configuration::getInstance();
+$otherOptions = array_filter($mfaOptions, function($option) use ($mfaId) {
+ return $option['id'] != $mfaId;
+});
+if (! empty($state['managerEmail'])) {
+ $otherOptions[] = [
+ 'type' => 'manager',
+ 'callback' => '/module.php/mfa/send-manager-mfa.php?StateId='.htmlentities($stateId)
+ ];
+}
+foreach ($otherOptions as &$option) {
+ $option['callback'] = $option['callback'] ?? sprintf(
+ '/module.php/mfa/prompt-for-mfa.php?StateId=%s&mfaId=%s',
+ htmlentities($stateId),
+ htmlentities($option['id'])
+ );
+ $option['image'] = 'mfa-' . $option['type'] . '.svg';
+ $option['label'] = empty($option['id']) ? 'help' : $option['type'];
+}
+
$mfaTemplateToUse = Mfa::getTemplateFor($mfaOption['type']);
$t = new Template($globalConfig, $mfaTemplateToUse);
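Review bot: `foreach ($otherOptions as &$option)` leaves `$option` as a live reference to the last element after the loop, so any later plain assignment to `$option` in this script would silently overwrite that entry; add `unset($option);` after the loop's closing brace. The query-string values are escaped with `htmlentities()`, which is the HTML escaper rather than the URL one — `rawurlencode($stateId)` and `rawurlencode($option['id'])` are the right escaper for a `?StateId=`/`&mfaId=` parameter, and the template can then HTML-escape the whole `href` once at output time instead of relying on pre-encoded data. The `$option['id'] != $mfaId` filter uses loose comparison; `!==` avoids `'0'`/`''`/`null` surprises if ids are ever of mixed types.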
@@ -104,7 +124,10 @@
$t->data['mfaOptions'] = $mfaOptions;
$t->data['stateId'] = $stateId;
$t->data['supportsWebAuthn'] = LoginBrowser::supportsWebAuthn($userAgent);
+$browserJsHash = md5_file(__DIR__ . '/simplewebauthn/browser.js');
+$t->data['browserJsPath'] = '/module.php/mfa/simplewebauthn/browser.js?v=' . $browserJsHash;
$t->data['managerEmail'] = $state['managerEmail'];
+$t->data['otherOptions'] = $otherOptions;
$t->show();
$logger->info(json_encode([
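Review bot: `md5_file()` returns `false` when the file cannot be read, and `'?v=' . false` then yields an empty version string, so a missing or unreadable `browser.js` silently disables cache-busting with nothing logged. Something like `$browserJsHash = md5_file(__DIR__ . '/simplewebauthn/browser.js') ?: 'unknown';` makes the failure visible in the URL, and a one-line comment such as `// cache-busting token only; md5 is not used for integrity here` records why a non-cryptographic use of md5 is acceptable at this spot. The hash is also recomputed on every request, which is fine for one small file but worth noting if more assets follow.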
diff --git a/modules/mfa/www/send-manager-mfa.php b/modules/mfa/www/send-manager-mfa.php
index 97ae0257..cf510162 100644
--- a/modules/mfa/www/send-manager-mfa.php
+++ b/modules/mfa/www/send-manager-mfa.php
@@ -24,7 +24,7 @@
$logger = LoggerFactory::getAccordingToState($state);
if (filter_has_var(INPUT_POST, 'send')) {
- Mfa::sendManagerCode($state, $logger);
+ $errorMessage = Mfa::sendManagerCode($state, $logger);
} elseif (filter_has_var(INPUT_POST, 'cancel')) {
$moduleUrl = SimpleSAML\Module::getModuleURL('mfa/prompt-for-mfa.php', [
'StateId' => $stateId,
@@ -37,6 +37,7 @@
$t = new Template($globalConfig, 'mfa:send-manager-mfa.php');
$t->data['stateId'] = $stateId;
$t->data['managerEmail'] = $state['managerEmail'];
+$t->data['errorMessage'] = $errorMessage ?? null;
$t->show();
$logger->info(json_encode([
diff --git a/modules/profilereview/lib/Assert.php b/modules/profilereview/lib/Assert.php
index f20dff99..af7bf7dc 100644
--- a/modules/profilereview/lib/Assert.php
+++ b/modules/profilereview/lib/Assert.php
@@ -13,7 +13,7 @@ class Assert
* @param string $className The name of the class in question.
* @throws InvalidArgumentException
*/
- public static function classExists(string $className)
+ public static function classExists(string $className): void
{
if (! class_exists($className)) {
throw new InvalidArgumentException(sprintf(
@@ -30,7 +30,7 @@ public static function classExists(string $className)
* @param mixed $value The value in question.
* @return string
*/
- protected static function describe($value)
+ protected static function describe(mixed $value): string
{
return is_object($value) ? get_class($value) : var_export($value, true);
}
@@ -42,7 +42,7 @@ protected static function describe($value)
* @param string $className The name/classpath of the class in question.
* @throws InvalidArgumentException
*/
- public static function isInstanceOf($object, string $className)
+ public static function isInstanceOf(mixed $object, string $className): void
{
if (! ($object instanceof $className)) {
throw new InvalidArgumentException(sprintf(
diff --git a/modules/profilereview/lib/Auth/Process/ProfileReview.php b/modules/profilereview/lib/Auth/Process/ProfileReview.php
index 8b8584a9..789f6838 100644
--- a/modules/profilereview/lib/Auth/Process/ProfileReview.php
+++ b/modules/profilereview/lib/Auth/Process/ProfileReview.php
@@ -25,15 +25,13 @@ class ProfileReview extends ProcessingFilter
const MFA_ADD_PAGE = 'nag-for-mfa.php';
const METHOD_ADD_PAGE = 'nag-for-method.php';
- private $employeeIdAttr = null;
- private $mfaLearnMoreUrl = null;
- private $profileUrl = null;
+ private string|null $employeeIdAttr = null;
+ private string|null $mfaLearnMoreUrl = null;
+ private string|null $profileUrl = null;
- /** @var LoggerInterface */
- protected $logger;
+ protected LoggerInterface $logger;
- /** @var string */
- protected $loggerClass;
+ protected string $loggerClass;
/**
* Initialize this filter.
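Review bot: The three new property declarations use the `string|null` union spelling while the rest of this commit uses the nullable shorthand (`?AuthError`, `?array` in Authenticator.php, `?string` in Captcha.php and Request.php); pick one form, e.g. `private ?string $employeeIdAttr = null;`, so the codebase reads consistently. These properties are assigned reflectively in `loadValuesFromConfig()` via `$this->$attribute = $config[$attribute] ?? null` (a later hunk of this file), so a non-scalar config value now fails with a `TypeError` at filter construction instead of surfacing later; that is a useful fail-fast and deserves a one-line comment on that loop, e.g. `// typed properties: a non-string config value fails here, at construction`.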
@@ -42,7 +40,7 @@ class ProfileReview extends ProcessingFilter
* @param mixed $reserved For future use.
* @throws \Exception
*/
- public function __construct($config, $reserved)
+ public function __construct(array $config, mixed $reserved)
{
parent::__construct($config, $reserved);
$this->initComposerAutoloader();
@@ -65,7 +63,7 @@ public function __construct($config, $reserved)
* @param $attributes
* @throws \Exception
*/
- protected function loadValuesFromConfig($config, $attributes)
+ protected function loadValuesFromConfig(array $config, array $attributes): void
{
foreach ($attributes as $attribute) {
$this->$attribute = $config[$attribute] ?? null;
diff --git a/modules/profilereview/lib/LoggerFactory.php b/modules/profilereview/lib/LoggerFactory.php
index 83e335d1..8381476a 100644
--- a/modules/profilereview/lib/LoggerFactory.php
+++ b/modules/profilereview/lib/LoggerFactory.php
@@ -14,7 +14,7 @@ class LoggerFactory
*
* @throws InvalidArgumentException
*/
- public static function get($loggerClass)
+ public static function get(string $loggerClass): LoggerInterface
{
Assert::classExists($loggerClass);
$logger = new $loggerClass();
@@ -32,7 +32,7 @@ public static function get($loggerClass)
*
* @throws InvalidArgumentException
*/
- public static function getAccordingToState($state)
+ public static function getAccordingToState(array $state): LoggerInterface
{
return self::get($state['loggerClass'] ?? Psr3SamlLogger::class);
}
diff --git a/modules/profilereview/templates/nag-for-method.php b/modules/profilereview/templates/nag-for-method.php
deleted file mode 100644
index bd1c66ef..00000000
--- a/modules/profilereview/templates/nag-for-method.php
+++ /dev/null
@@ -1,21 +0,0 @@
-data['header'] = 'Set up Recovery Methods';
-$this->includeAtTemplateBase('includes/header.php');
-?>
-
- Did you know you can provide alternate email addresses for password recovery?
-
-
- We highly encourage you to do this to ensure continuous access and improved security.
-
-
-includeAtTemplateBase('includes/footer.php');
diff --git a/modules/profilereview/templates/nag-for-mfa.php b/modules/profilereview/templates/nag-for-mfa.php
deleted file mode 100644
index 1e31541e..00000000
--- a/modules/profilereview/templates/nag-for-mfa.php
+++ /dev/null
@@ -1,28 +0,0 @@
-data['header'] = 'Set up 2-Step Verification';
-$this->includeAtTemplateBase('includes/header.php');
-
-$mfaLearnMoreUrl = $this->data['mfaLearnMoreUrl'];
-?>
-
- Did you know you could greatly increase the security of your account by enabling 2-Step Verification?
-
-
- We highly encourage you to do this for your own safety.
-
-
-includeAtTemplateBase('includes/footer.php');
diff --git a/modules/profilereview/templates/review.php b/modules/profilereview/templates/review.php
deleted file mode 100644
index 365d908d..00000000
--- a/modules/profilereview/templates/review.php
+++ /dev/null
@@ -1,62 +0,0 @@
-data['header'] = 'Review 2-Step Verification and Password Recovery';
-$this->includeAtTemplateBase('includes/header.php');
-
-$profileUrl = $this->data['profileUrl'];
-
-?>
-
- Please take a moment to review your 2-Step Verification options and
- Password Recovery Methods.
-
-
- We highly encourage you to do this for your own safety.
-
-
2-Step Verification
-
-
- Label |
- Type |
- Created |
- Last Used |
-
- data['mfaOptions'] as $option): ?>
-
- = htmlentities($option['label']) ?> |
- = htmlentities($option['type']) ?> |
- = htmlentities($option['created_utc']) ?> |
- = htmlentities($option['last_used_utc']) ?> |
-
-
-
-
Password Recovery Methods
-
-
- Email |
- Verified |
- Created |
-
- data['methodOptions'] as $option): ?>
-
- = htmlentities($option['value']) ?> |
- = htmlentities($option['verified']) ? 'yes' : 'no' ?> |
- = htmlentities($option['created']) ?> |
-
-
-
-
-includeAtTemplateBase('includes/footer.php');
diff --git a/modules/profilereview/www/nag.php b/modules/profilereview/www/nag.php
index 7c0e91c0..7418418b 100644
--- a/modules/profilereview/www/nag.php
+++ b/modules/profilereview/www/nag.php
@@ -32,8 +32,8 @@
$t = new Template($globalConfig, 'profilereview:' . $state['template']);
$t->data['profileUrl'] = $state['profileUrl'];
-$t->data['methodOptions'] = $state['methodOptions'];
-$t->data['mfaOptions'] = $state['mfaOptions'];
+$t->data['methodOptions'] = $state['methodOptions'] ?? [];
+$t->data['mfaOptions'] = $state['mfaOptions'] ?? [];
$t->data['mfaLearnMoreUrl'] = $state['mfaLearnMoreUrl'];
$t->show();
diff --git a/modules/silauth/lib/Auth/Source/SilAuth.php b/modules/silauth/lib/Auth/Source/SilAuth.php
index 6560b4d9..f7c0624f 100644
--- a/modules/silauth/lib/Auth/Source/SilAuth.php
+++ b/modules/silauth/lib/Auth/Source/SilAuth.php
@@ -23,11 +23,11 @@
*/
class SilAuth extends UserPassBase
{
- protected $authConfig;
- protected $idBrokerConfig;
- protected $mysqlConfig;
- protected $recaptchaConfig;
- protected $templateData;
+ protected array $authConfig;
+ protected array $idBrokerConfig;
+ protected array $mysqlConfig;
+ protected array $recaptchaConfig;
+ protected array $templateData;
/**
* Constructor for this authentication source.
@@ -38,7 +38,7 @@ class SilAuth extends UserPassBase
* @param array $info Information about this authentication source.
* @param array $config Configuration for this authentication source.
*/
- public function __construct($info, $config)
+ public function __construct(array $info, array $config)
{
parent::__construct($info, $config);
@@ -67,7 +67,7 @@ public function __construct($info, $config)
*
* @param array &$state Information about the current authentication.
*/
- public function authenticate(&$state)
+ public function authenticate(&$state): void
{
assert('is_array($state)');
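Review bot: `assert('is_array($state)')` directly under the new signature is a string-argument assertion, which PHP 8 no longer evaluates — the string is just a truthy value, so the check is dead; since this commit already relies on PHP 8-only syntax (`mixed`, union types), declare the type instead: `public function authenticate(array &$state): void` and delete the assert. The same applies to `assert('FALSE')` in the next hunk of this file, which no longer halts execution and lets `authenticate()` fall through to its end; replace it with an explicit `throw`. The method body continues beyond the hunk.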
@@ -95,7 +95,7 @@ public function authenticate(&$state)
assert('FALSE');
}
- protected function getTrustedIpAddresses()
+ protected function getTrustedIpAddresses(): array
{
$trustedIpAddresses = [];
$ipAddressesString = $this->authConfig['trustedIpAddresses'] ?? '';
@@ -108,7 +108,7 @@ protected function getTrustedIpAddresses()
return $trustedIpAddresses;
}
- protected function login($username, $password)
+ protected function login($username, $password): ?array
{
$logger = new Psr3StdOutLogger();
$captcha = new Captcha($this->recaptchaConfig['secret'] ?? null);
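Review bot: `login()` gains a return type but `$username` and `$password` stay untyped, while `Authenticator`'s constructor elsewhere in this commit now requires `string $username, string $password`, so if this method constructs one from these parameters (not visible in the hunk) the type check happens deep inside rather than at the boundary; `protected function login(string $username, string $password): ?array` moves it here. If the installed SimpleSAMLphp `UserPassBase::login()` already declares string parameters, matching them is also what keeps the override compatible. The method body continues beyond the hunk.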
diff --git a/modules/silauth/lib/Auth/Source/auth/AuthError.php b/modules/silauth/lib/Auth/Source/auth/AuthError.php
index e46a4abb..6eefe024 100644
--- a/modules/silauth/lib/Auth/Source/auth/AuthError.php
+++ b/modules/silauth/lib/Auth/Source/auth/AuthError.php
@@ -16,8 +16,8 @@ class AuthError
const CODE_RATE_LIMIT_1_MINUTE = 'rate_limit_1_minute';
const CODE_RATE_LIMIT_MINUTES = 'rate_limit_minutes';
- private $code = null;
- private $messageParams = [];
+ private string $code;
+ private array $messageParams = [];
/**
* Constructor.
@@ -25,7 +25,7 @@ class AuthError
* @param string $code One of the AuthError::CODE_* constants.
* @param array $messageParams The error message parameters.
*/
- public function __construct($code, $messageParams = [])
+ public function __construct(string $code, array $messageParams = [])
{
$this->code = $code;
$this->messageParams = $messageParams;
@@ -44,7 +44,7 @@ public function __toString()
*
* @return string
*/
- public function getCode()
+ public function getCode(): string
{
return $this->code;
}
@@ -56,7 +56,7 @@ public function getCode()
*
* @return string Example: '{silauth:error:generic_try_later}'
*/
- public function getFullSspErrorTag()
+ public function getFullSspErrorTag(): string
{
return sprintf(
'{%s:%s}',
@@ -65,7 +65,7 @@ public function getFullSspErrorTag()
);
}
- public function getMessageParams()
+ public function getMessageParams(): array
{
return $this->messageParams;
}
diff --git a/modules/silauth/lib/Auth/Source/auth/Authenticator.php b/modules/silauth/lib/Auth/Source/auth/Authenticator.php
index 82ca08fa..dc8d10ca 100644
--- a/modules/silauth/lib/Auth/Source/auth/Authenticator.php
+++ b/modules/silauth/lib/Auth/Source/auth/Authenticator.php
@@ -21,13 +21,9 @@ class Authenticator
const BLOCK_AFTER_NTH_FAILED_LOGIN = 50;
const MAX_SECONDS_TO_BLOCK = 3600; // 3600 seconds = 1 hour
- /** @var AuthError|null */
- private $authError = null;
-
- /** @var LoggerInterface */
- protected $logger;
-
- private $userAttributes = null;
+ private ?AuthError $authError = null;
+ protected LoggerInterface $logger;
+ private ?array $userAttributes = null;
/**
* Attempt to authenticate using the given username and password. Check
@@ -41,12 +37,12 @@ class Authenticator
* @param LoggerInterface $logger A PSR-3 compliant logger.
*/
public function __construct(
- $username,
- $password,
- Request $request,
- Captcha $captcha,
- IdBroker $idBroker,
- LoggerInterface $logger
+ string $username,
+ string $password,
+ Request $request,
+ Captcha $captcha,
+ IdBroker $idBroker,
+ LoggerInterface $logger
) {
$this->logger = $logger;
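Review bot: The constructor now requires `string $username` and `string $password`, while `isCaptchaRequired()` in a later hunk of this file is widened to `?string $username`; one of the two is wrong about whether a missing username can reach this class. If callers can pass `null` (a missing form field, for instance), the typed constructor raises a `TypeError` before any of the `setErrorUsernameRequired()`-style handling presumably done in the body can run; if they cannot, `isCaptchaRequired()` should take `string`. Settle it with a comment on the constructor stating the contract, e.g. `// callers pass '' (never null) for a missing username or password`. The constructor body continues beyond the hunk.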
@@ -143,7 +139,7 @@ public function __construct(
* @return int The number of seconds to delay before allowing another such
* login attempt.
*/
- public static function calculateSecondsToDelay($numRecentFailures)
+ public static function calculateSecondsToDelay(int $numRecentFailures): int
{
if ( ! self::isEnoughFailedLoginsToBlock($numRecentFailures)) {
return 0;
@@ -164,7 +160,7 @@ public static function calculateSecondsToDelay($numRecentFailures)
*
* @return AuthError|null
*/
- public function getAuthError()
+ public function getAuthError(): ?AuthError
{
return $this->authError;
}
@@ -184,8 +180,9 @@ public function getAuthError()
*/
public static function getSecondsUntilUnblocked(
int $numRecentFailures,
- $mostRecentFailureAt
- ) {
+ ?string $mostRecentFailureAt
+ ): int
+ {
if ($mostRecentFailureAt === null) {
return 0;
}
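Review bot: `): int` followed by `{` on its own line is inconsistent with the single-line `): bool {`/`): void {` form used everywhere else in this file, and PER-CS/PSR-12 put the closing parenthesis, return type and opening brace together on one line for a multi-line parameter list: `): int {`. The method body continues beyond the hunk.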
@@ -216,7 +213,7 @@ public static function getSecondsUntilUnblocked(
*
* @throws \Exception
*/
- public function getUserAttributes()
+ public function getUserAttributes(): ?array
{
if ($this->userAttributes === null) {
throw new \Exception(
@@ -242,7 +239,7 @@ public function getUserAttributes()
* this request).
* @return WaitTime
*/
- protected function getWaitTimeUntilUnblocked($username, array $ipAddresses)
+ protected function getWaitTimeUntilUnblocked(string $username, array $ipAddresses): WaitTime
{
$durationsInSeconds = [
FailedLoginUsername::getSecondsUntilUnblocked($username),
@@ -255,7 +252,7 @@ protected function getWaitTimeUntilUnblocked($username, array $ipAddresses)
return WaitTime::getLongestWaitTime($durationsInSeconds);
}
- protected function hasError()
+ protected function hasError(): bool
{
return ($this->authError !== null);
}
@@ -266,46 +263,46 @@ protected function hasError()
*
* @return bool
*/
- public function isAuthenticated()
+ public function isAuthenticated(): bool
{
return ( ! $this->hasError());
}
- protected function isBlockedByRateLimit($username, array $ipAddresses)
+ protected function isBlockedByRateLimit(string $username, array $ipAddresses): bool
{
return FailedLoginUsername::isRateLimitBlocking($username) ||
FailedLoginIpAddress::isRateLimitBlockingAnyOfThese($ipAddresses);
}
- public static function isCaptchaRequired($username, array $ipAddresses)
+ public static function isCaptchaRequired(?string $username, array $ipAddresses): bool
{
return FailedLoginUsername::isCaptchaRequiredFor($username) ||
FailedLoginIpAddress::isCaptchaRequiredForAnyOfThese($ipAddresses);
}
- public static function isEnoughFailedLoginsToBlock($numFailedLogins)
+ public static function isEnoughFailedLoginsToBlock(int $numFailedLogins): bool
{
return ($numFailedLogins >= self::BLOCK_AFTER_NTH_FAILED_LOGIN);
}
- public static function isEnoughFailedLoginsToRequireCaptcha($numFailedLogins)
+ public static function isEnoughFailedLoginsToRequireCaptcha(int $numFailedLogins): bool
{
return ($numFailedLogins >= self::REQUIRE_CAPTCHA_AFTER_NTH_FAILED_LOGIN);
}
- protected function recordFailedLoginBy($username, array $ipAddresses)
+ protected function recordFailedLoginBy(string $username, array $ipAddresses): void
{
FailedLoginUsername::recordFailedLoginBy($username, $this->logger);
FailedLoginIpAddress::recordFailedLoginBy($ipAddresses, $this->logger);
}
- protected function resetFailedLoginsBy($username, array $ipAddresses)
+ protected function resetFailedLoginsBy(string $username, array $ipAddresses): void
{
FailedLoginUsername::resetFailedLoginsBy($username);
FailedLoginIpAddress::resetFailedLoginsBy($ipAddresses);
}
- protected function setError($code, $messageParams = [])
+ protected function setError(string $code, array $messageParams = []): void
{
$this->authError = new AuthError($code, $messageParams);
}
@@ -313,7 +310,7 @@ protected function setError($code, $messageParams = [])
/**
* @param WaitTime $waitTime
*/
- protected function setErrorBlockedByRateLimit($waitTime)
+ protected function setErrorBlockedByRateLimit(WaitTime $waitTime): void
{
$unit = $waitTime->getUnit();
$number = $waitTime->getFriendlyNumber();
@@ -331,32 +328,32 @@ protected function setErrorBlockedByRateLimit($waitTime)
$this->setError($errorCode, ['{number}' => $number]);
}
- protected function setErrorGenericTryLater()
+ protected function setErrorGenericTryLater(): void
{
$this->setError(AuthError::CODE_GENERIC_TRY_LATER);
}
- protected function setErrorInvalidLogin()
+ protected function setErrorInvalidLogin(): void
{
$this->setError(AuthError::CODE_INVALID_LOGIN);
}
- protected function setErrorNeedToSetAcctPassword()
+ protected function setErrorNeedToSetAcctPassword(): void
{
$this->setError(AuthError::CODE_NEED_TO_SET_ACCT_PASSWORD);
}
- protected function setErrorPasswordRequired()
+ protected function setErrorPasswordRequired(): void
{
$this->setError(AuthError::CODE_PASSWORD_REQUIRED);
}
- protected function setErrorUsernameRequired()
+ protected function setErrorUsernameRequired(): void
{
$this->setError(AuthError::CODE_USERNAME_REQUIRED);
}
- protected function setUserAttributes($attributes)
+ protected function setUserAttributes(?array $attributes): void
{
$this->userAttributes = $attributes;
}
diff --git a/modules/silauth/lib/Auth/Source/auth/IdBroker.php b/modules/silauth/lib/Auth/Source/auth/IdBroker.php
index 78f1cbd4..d542efa5 100644
--- a/modules/silauth/lib/Auth/Source/auth/IdBroker.php
+++ b/modules/silauth/lib/Auth/Source/auth/IdBroker.php
@@ -3,17 +3,17 @@
use Psr\Log\LoggerInterface;
use Sil\Idp\IdBroker\Client\IdBrokerClient;
+use Sil\SspBase\Features\fakes\FakeIdBrokerClient;
use SimpleSAML\Module\silauth\Auth\Source\saml\User as SamlUser;
class IdBroker
{
- /** @var IdBrokerClient */
- protected $client;
+ protected IdBrokerClient|FakeIdBrokerClient $client;
/** @var LoggerInterface */
- protected $logger;
+ protected LoggerInterface $logger;
- protected $idpDomainName;
+ protected string $idpDomainName;
/**
*
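Review bot: `protected IdBrokerClient|FakeIdBrokerClient $client;` makes production code depend on a test double from `Sil\SspBase\Features\fakes`, so the fake must ship with the deployed module and the production type is widened to accept an object that never talks to the real ID Broker. The usual fix is an interface covering the methods this class calls on the client (`authenticate()` and `getSiteStatus()` are visible in later hunks of this file), implemented by both the real client and the fake, with the property typed as that interface; until then, a comment on the property such as `// FakeIdBrokerClient is the feature-test double; never wire it outside test configuration` documents the risk for the next maintainer.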
@@ -64,7 +64,7 @@ public function __construct(
* @return array|null The user's attributes (if successful), otherwise null.
* @throws \Exception
*/
- public function getAuthenticatedUser(string $username, string $password)
+ public function getAuthenticatedUser(string $username, string $password): ?array
{
$rpOrigin = 'https://' . $this->idpDomainName;
$userInfo = $this->client->authenticate($username, $password, $rpOrigin);
@@ -102,7 +102,7 @@ public function getAuthenticatedUser(string $username, string $password)
* @return string "OK"
* @throws Exception
*/
- public function getSiteStatus()
+ public function getSiteStatus(): string
{
return $this->client->getSiteStatus();
}
diff --git a/modules/silauth/lib/Auth/Source/captcha/Captcha.php b/modules/silauth/lib/Auth/Source/captcha/Captcha.php
index bffc6d46..3d001b8d 100644
--- a/modules/silauth/lib/Auth/Source/captcha/Captcha.php
+++ b/modules/silauth/lib/Auth/Source/captcha/Captcha.php
@@ -5,14 +5,14 @@
class Captcha
{
- private $secret;
+ private ?string $secret;
- public function __construct($secret = null)
+ public function __construct(?string $secret = null)
{
$this->secret = $secret;
}
- public function isValidIn(Request $request)
+ public function isValidIn(Request $request): bool
{
if (empty($this->secret)) {
throw new \RuntimeException('No captcha secret available.', 1487342411);
diff --git a/modules/silauth/lib/Auth/Source/config/ConfigManager.php b/modules/silauth/lib/Auth/Source/config/ConfigManager.php
index 0e95ecb7..4216b01d 100644
--- a/modules/silauth/lib/Auth/Source/config/ConfigManager.php
+++ b/modules/silauth/lib/Auth/Source/config/ConfigManager.php
@@ -2,6 +2,7 @@
namespace SimpleSAML\Module\silauth\Auth\Source\config;
use SimpleSAML\Module\silauth\Auth\Source\text\Text;
+use yii\console\Application;
class ConfigManager
{
@@ -12,7 +13,7 @@ class ConfigManager
*
* @return array
*/
- public static function getSspConfig()
+ public static function getSspConfig(): array
{
return require __DIR__ . '/ssp-config.php';
}
@@ -26,7 +27,7 @@ public static function getSspConfig()
* prefix will have been removed, so 'mysql.database' will be returned
* as 'database', etc.
*/
- public static function getSspConfigFor($category)
+ public static function getSspConfigFor(string $category): array
{
return self::getConfigFor($category, self::getSspConfig());
}
@@ -41,7 +42,7 @@ public static function getSspConfigFor($category)
* prefix will have been removed, so 'mysql.database' will be returned
* as 'database', etc.
*/
- public static function getConfigFor($category, $config)
+ public static function getConfigFor(string $category, array $config): array
{
$categoryPrefix = $category . self::SEPARATOR;
$categoryConfig = [];
@@ -60,7 +61,7 @@ public static function getConfigFor($category, $config)
* @param array $customConfig
* @return array
*/
- public static function getMergedYii2Config($customConfig)
+ public static function getMergedYii2Config(array $customConfig): array
{
$defaultConfig = require __DIR__ . '/yii2-config.php';
return array_replace_recursive(
@@ -69,21 +70,21 @@ public static function getMergedYii2Config($customConfig)
);
}
- private static function initializeYiiClass()
+ private static function initializeYiiClass(): void
{
if ( ! class_exists('Yii')) {
require_once __DIR__ . '/../../vendor/yiisoft/yii2/Yii.php';
}
}
- public static function getYii2ConsoleApp($customConfig)
+ public static function getYii2ConsoleApp(array $customConfig): Application
{
self::initializeYiiClass();
$mergedYii2Config = self::getMergedYii2Config($customConfig);
- return new \yii\console\Application($mergedYii2Config);
+ return new Application($mergedYii2Config);
}
- public static function initializeYii2WebApp($customConfig = [])
+ public static function initializeYii2WebApp(array $customConfig = []): void
{
self::initializeYiiClass();
@@ -99,7 +100,7 @@ public static function initializeYii2WebApp($customConfig = [])
$app->log->getLogger();
}
- public static function removeCategory($key)
+ public static function removeCategory(?string $key): bool|string|null
{
if ($key === null) {
return null;
diff --git a/modules/silauth/lib/Auth/Source/config/yii2-config.php b/modules/silauth/lib/Auth/Source/config/yii2-config.php
index b3f361c5..32a42f1b 100644
--- a/modules/silauth/lib/Auth/Source/config/yii2-config.php
+++ b/modules/silauth/lib/Auth/Source/config/yii2-config.php
@@ -8,6 +8,7 @@
'id' => 'SilAuth',
'aliases' => [
'@SimpleSAML/Module/silauth/Auth/Source' => __DIR__ . '/..',
+ '@Sil/SilAuth' => __DIR__ . '/../../../..',
],
'bootstrap' => [
'gii',
@@ -57,7 +58,7 @@
'migrate' => [
'class' => 'yii\console\controllers\MigrateController',
'migrationNamespaces' => [
- 'SimpleSAML\\Module\\silauth\\Auth\\Source\\migrations\\',
+ 'Sil\\SilAuth\\migrations\\',
],
// Disable non-namespaced migrations.
diff --git a/modules/silauth/lib/Auth/Source/csrf/CsrfProtector.php b/modules/silauth/lib/Auth/Source/csrf/CsrfProtector.php
index b913d51f..966b36ed 100644
--- a/modules/silauth/lib/Auth/Source/csrf/CsrfProtector.php
+++ b/modules/silauth/lib/Auth/Source/csrf/CsrfProtector.php
@@ -9,9 +9,9 @@
*/
class CsrfProtector
{
- protected $csrfSessionKey = 'silauth.csrfToken';
- protected $csrfTokenDataType = 'string';
- private $session;
+ protected string $csrfSessionKey = 'silauth.csrfToken';
+ protected string $csrfTokenDataType = 'string';
+ private Session $session;
/**
* Constructor.
@@ -23,13 +23,13 @@ public function __construct(Session $session)
$this->session = $session;
}
- public function changeMasterToken()
+ public function changeMasterToken(): void
{
$newMasterToken = $this->generateToken();
$this->setTokenInSession($newMasterToken);
}
- protected function generateToken()
+ protected function generateToken(): string
{
return bin2hex(random_bytes(32));
}
@@ -40,7 +40,7 @@ protected function generateToken()
*
* @return string The master (aka. authoritative) CSRF token.
*/
- public function getMasterToken()
+ public function getMasterToken(): string
{
$masterToken = $this->getTokenFromSession();
if (empty($masterToken)) {
@@ -50,7 +50,7 @@ public function getMasterToken()
return $masterToken;
}
- protected function getTokenFromSession()
+ protected function getTokenFromSession(): mixed
{
return $this->session->getData(
$this->csrfTokenDataType,
@@ -65,12 +65,12 @@ protected function getTokenFromSession()
* HTTP request.
* @return bool
*/
- public function isTokenCorrect($submittedToken)
+ public function isTokenCorrect(string $submittedToken): bool
{
return hash_equals($this->getMasterToken(), $submittedToken);
}
- protected function setTokenInSession($masterToken)
+ protected function setTokenInSession(string $masterToken): void
{
$this->session->setData(
$this->csrfTokenDataType,
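Review bot: `isTokenCorrect(string $submittedToken)` now raises a `TypeError` when a caller passes the `null` that a missing form field produces, where the untyped version let the value reach `hash_equals()` (whose non-string handling varies by PHP version). If the submitted token is read straight from request input, `public function isTokenCorrect(?string $submittedToken): bool` with `return $submittedToken !== null && hash_equals($this->getMasterToken(), $submittedToken);` treats an absent token as a failed check rather than a crash; if callers always sanitise to a string first, a docblock line `@param string $submittedToken Never null; callers normalise missing input to ''` records that contract. `setTokenInSession()` continues beyond the hunk.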
diff --git a/modules/silauth/lib/Auth/Source/http/Request.php b/modules/silauth/lib/Auth/Source/http/Request.php
index fe6f242c..fda2d155 100644
--- a/modules/silauth/lib/Auth/Source/http/Request.php
+++ b/modules/silauth/lib/Auth/Source/http/Request.php
@@ -12,14 +12,14 @@ class Request
*
* @var IP[]
*/
- private $trustedIpAddresses = [];
+ private array $trustedIpAddresses = [];
/**
* The list of trusted IP address ranges (aka. blocks).
*
* @var IPBlock[]
*/
- private $trustedIpAddressRanges = [];
+ private array $trustedIpAddressRanges = [];
/**
* Constructor.
@@ -39,7 +39,7 @@ public function __construct(array $ipAddressesToTrust = [])
}
}
- public function getCaptchaResponse()
+ public function getCaptchaResponse(): string
{
return self::sanitizeInputString(INPUT_POST, 'g-recaptcha-response');
}
@@ -53,7 +53,7 @@ public function getCaptchaResponse()
*
* @return string[] A list of IP addresses.
*/
- public function getIpAddresses()
+ public function getIpAddresses(): array
{
$ipAddresses = [];
@@ -84,7 +84,7 @@ public function getIpAddresses()
*
* @return string|null An IP address, or null if none was available.
*/
- public function getMostLikelyIpAddress()
+ public function getMostLikelyIpAddress(): ?string
{
$untrustedIpAddresses = $this->getUntrustedIpAddresses();
@@ -117,13 +117,13 @@ public function getMostLikelyIpAddress()
* @param string $variableName Example: 'username'
* @return string
*/
- public static function getRawInputString(int $inputType, string $variableName)
+ public static function getRawInputString(int $inputType, string $variableName): string
{
$input = filter_input($inputType, $variableName);
return is_string($input) ? $input : '';
}
- public function getUntrustedIpAddresses()
+ public function getUntrustedIpAddresses(): array
{
$untrustedIpAddresses = [];
foreach ($this->getIpAddresses() as $ipAddress) {
@@ -139,7 +139,7 @@ public function getUntrustedIpAddresses()
*
* @return string The UA string, or an empty string if not found.
*/
- public static function getUserAgent()
+ public static function getUserAgent(): string
{
return self::sanitizeInputString(INPUT_SERVER, 'HTTP_USER_AGENT');
}
@@ -151,7 +151,7 @@ public static function getUserAgent()
* @param string $ipAddress The IP address in question.
* @return bool
*/
- public function isTrustedIpAddress($ipAddress)
+ public function isTrustedIpAddress(string $ipAddress): bool
{
foreach ($this->trustedIpAddresses as $trustedIp) {
if ($trustedIp->numeric() === IP::create($ipAddress)->numeric()) {
@@ -174,7 +174,7 @@ public function isTrustedIpAddress($ipAddress)
* @param string $ipAddress The IP address in question.
* @return bool
*/
- public static function isValidIpAddress($ipAddress)
+ public static function isValidIpAddress(string $ipAddress): bool
{
$flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
return (filter_var($ipAddress, FILTER_VALIDATE_IP, $flags) !== false);
@@ -188,12 +188,12 @@ public static function isValidIpAddress($ipAddress)
* @param string $variableName Example: 'username'
* @return string
*/
- public static function sanitizeInputString(int $inputType, string $variableName)
+ public static function sanitizeInputString(int $inputType, string $variableName): string
{
return Text::sanitizeString(filter_input($inputType, $variableName));
}
- public function trustIpAddress($ipAddress)
+ public function trustIpAddress(string $ipAddress): void
{
if ( ! self::isValidIpAddress($ipAddress)) {
throw new \InvalidArgumentException(sprintf(
@@ -204,7 +204,7 @@ public function trustIpAddress($ipAddress)
$this->trustedIpAddresses[] = IP::create($ipAddress);
}
- public function trustIpAddressRange($ipAddressRangeString)
+ public function trustIpAddressRange(string $ipAddressRangeString): void
{
$ipBlock = IPBlock::create($ipAddressRangeString);
$this->trustedIpAddressRanges[] = $ipBlock;
diff --git a/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddress.php b/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddress.php
index ce192668..eefb2573 100644
--- a/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddress.php
+++ b/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddress.php
@@ -18,7 +18,7 @@ class FailedLoginIpAddress extends FailedLoginIpAddressBase implements LoggerAwa
/**
* @inheritdoc
*/
- public function attributeLabels()
+ public function attributeLabels(): array
{
return ArrayHelper::merge(parent::attributeLabels(), [
'ip_address' => Yii::t('app', 'IP Address'),
@@ -26,7 +26,7 @@ public function attributeLabels()
]);
}
- public function behaviors()
+ public function behaviors(): array
{
return [
[
@@ -38,16 +38,20 @@ public function behaviors()
];
}
- public static function countRecentFailedLoginsFor($ipAddress)
+ public static function countRecentFailedLoginsFor(string $ipAddress): int
{
- return self::find()->where([
+ $count = self::find()->where([
'ip_address' => strtolower($ipAddress),
])->andWhere([
'>=', 'occurred_at_utc', UtcTime::format('-60 minutes')
])->count();
+ if (!is_numeric($count)) {
+ throw new \Exception('expected a numeric value for recent failed logins by IP address, got '. $count);
+ }
+ return (int)$count;
}
- public static function getFailedLoginsFor($ipAddress)
+ public static function getFailedLoginsFor(string $ipAddress): array
{
if ( ! Request::isValidIpAddress($ipAddress)) {
throw new \InvalidArgumentException(sprintf(
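Review bot: The new guard in countRecentFailedLoginsFor throws a bare `\Exception` when `count()` yields a non-numeric value, which callers such as isCaptchaRequiredFor cannot tell apart from any other failure; a narrower type, `throw new \UnexpectedValueException('expected a numeric value for recent failed logins by IP address, got ' . $count);`, keeps the message and lets callers catch it deliberately. The same pattern is repeated in FailedLoginUsername::countRecentFailedLoginsFor later in this diff. The concatenation also presumes `$count` is stringable; if the query builder can hand back an array here, building the message would itself error, which is worth confirming against the query API in use. getFailedLoginsFor starts in this hunk but its body continues outside it.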
@@ -66,7 +70,7 @@ public static function getFailedLoginsFor($ipAddress)
* @param string $ipAddress The IP address.
* @return FailedLoginIpAddress|null
*/
- public static function getMostRecentFailedLoginFor($ipAddress)
+ public static function getMostRecentFailedLoginFor(string $ipAddress): ?FailedLoginIpAddress
{
return self::find()->where([
'ip_address' => strtolower($ipAddress),
@@ -83,7 +87,7 @@ public static function getMostRecentFailedLoginFor($ipAddress)
* @param string $ipAddress The IP address in question
* @return int The number of seconds
*/
- public static function getSecondsUntilUnblocked($ipAddress)
+ public static function getSecondsUntilUnblocked(string $ipAddress): int
{
$failedLogin = self::getMostRecentFailedLoginFor($ipAddress);
@@ -93,20 +97,20 @@ public static function getSecondsUntilUnblocked($ipAddress)
);
}
- public function init()
+ public function init(): void
{
$this->initializeLogger();
parent::init();
}
- public static function isCaptchaRequiredFor($ipAddress)
+ public static function isCaptchaRequiredFor(string $ipAddress): bool
{
return Authenticator::isEnoughFailedLoginsToRequireCaptcha(
self::countRecentFailedLoginsFor($ipAddress)
);
}
- public static function isCaptchaRequiredForAnyOfThese(array $ipAddresses)
+ public static function isCaptchaRequiredForAnyOfThese(array $ipAddresses): bool
{
foreach ($ipAddresses as $ipAddress) {
if (self::isCaptchaRequiredFor($ipAddress)) {
@@ -116,13 +120,13 @@ public static function isCaptchaRequiredForAnyOfThese(array $ipAddresses)
return false;
}
- public static function isRateLimitBlocking($ipAddress)
+ public static function isRateLimitBlocking(string $ipAddress): bool
{
$secondsUntilUnblocked = self::getSecondsUntilUnblocked($ipAddress);
return ($secondsUntilUnblocked > 0);
}
- public static function isRateLimitBlockingAnyOfThese($ipAddresses)
+ public static function isRateLimitBlockingAnyOfThese(array $ipAddresses): bool
{
foreach ($ipAddresses as $ipAddress) {
if (self::isRateLimitBlocking($ipAddress)) {
@@ -135,7 +139,8 @@ public static function isRateLimitBlockingAnyOfThese($ipAddresses)
public static function recordFailedLoginBy(
array $ipAddresses,
LoggerInterface $logger
- ) {
+ ): void
+ {
foreach ($ipAddresses as $ipAddress) {
$newRecord = new FailedLoginIpAddress(['ip_address' => strtolower($ipAddress)]);
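Review bot: The new `): void` followed by `{` on its own line in recordFailedLoginBy departs from PSR-12, which requires the closing parenthesis and opening brace of a multi-line parameter list to share a line: `): void {`. The same layout appears in FailedLoginUsername::recordFailedLoginBy and in saml\User::convertToSamlFieldNames later in this diff. recordFailedLoginBy's body continues outside the hunk.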
@@ -150,7 +155,7 @@ public static function recordFailedLoginBy(
}
}
- public static function resetFailedLoginsBy(array $ipAddresses)
+ public static function resetFailedLoginsBy(array $ipAddresses): void
{
foreach ($ipAddresses as $ipAddress) {
self::deleteAll(['ip_address' => strtolower($ipAddress)]);
diff --git a/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddressBase.php b/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddressBase.php
index 0675e2e0..25f2b5b1 100644
--- a/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddressBase.php
+++ b/modules/silauth/lib/Auth/Source/models/FailedLoginIpAddressBase.php
@@ -16,7 +16,7 @@ class FailedLoginIpAddressBase extends \yii\db\ActiveRecord
/**
* @inheritdoc
*/
- public static function tableName()
+ public static function tableName(): string
{
return 'failed_login_ip_address';
}
@@ -24,7 +24,7 @@ public static function tableName()
/**
* @inheritdoc
*/
- public function rules()
+ public function rules(): array
{
return [
[['ip_address', 'occurred_at_utc'], 'required'],
@@ -36,7 +36,7 @@ public function rules()
/**
* @inheritdoc
*/
- public function attributeLabels()
+ public function attributeLabels(): array
{
return [
'id' => Yii::t('app', 'ID'),
diff --git a/modules/silauth/lib/Auth/Source/models/FailedLoginUsername.php b/modules/silauth/lib/Auth/Source/models/FailedLoginUsername.php
index 771132fc..771e1076 100644
--- a/modules/silauth/lib/Auth/Source/models/FailedLoginUsername.php
+++ b/modules/silauth/lib/Auth/Source/models/FailedLoginUsername.php
@@ -17,14 +17,14 @@ class FailedLoginUsername extends FailedLoginUsernameBase implements LoggerAware
/**
* @inheritdoc
*/
- public function attributeLabels()
+ public function attributeLabels(): array
{
return ArrayHelper::merge(parent::attributeLabels(), [
'occurred_at_utc' => Yii::t('app', 'Occurred At (UTC)'),
]);
}
- public function behaviors()
+ public function behaviors(): array
{
return [
[
@@ -36,13 +36,17 @@ public function behaviors()
];
}
- public static function countRecentFailedLoginsFor($username)
+ public static function countRecentFailedLoginsFor(string $username): int
{
- return self::find()->where([
+ $count = self::find()->where([
'username' => strtolower($username),
])->andWhere([
'>=', 'occurred_at_utc', UtcTime::format('-60 minutes')
])->count();
+ if (!is_numeric($count)) {
+ throw new \Exception('expected a numeric value for recent failed logins by username, got '. $count);
+ }
+ return (int)$count;
}
/**
@@ -51,7 +55,7 @@ public static function countRecentFailedLoginsFor($username)
* @param string $username The username.
* @return FailedLoginUsername[] An array of any matching records.
*/
- public static function getFailedLoginsFor($username)
+ public static function getFailedLoginsFor(string $username): array
{
return self::findAll(['username' => strtolower($username)]);
}
@@ -63,7 +67,7 @@ public static function getFailedLoginsFor($username)
* @param string $username The username.
* @return FailedLoginUsername|null
*/
- public static function getMostRecentFailedLoginFor($username)
+ public static function getMostRecentFailedLoginFor(string $username): ?FailedLoginUsername
{
return self::find()->where([
'username' => strtolower($username),
@@ -80,7 +84,7 @@ public static function getMostRecentFailedLoginFor($username)
* @param string $username The username in question
* @return int The number of seconds
*/
- public static function getSecondsUntilUnblocked($username)
+ public static function getSecondsUntilUnblocked(string $username): int
{
$failedLogin = self::getMostRecentFailedLoginFor($username);
@@ -90,7 +94,7 @@ public static function getSecondsUntilUnblocked($username)
);
}
- public function init()
+ public function init(): void
{
$this->initializeLogger();
parent::init();
@@ -102,13 +106,13 @@ public function init()
* @param string $username The username
* @return bool
*/
- public static function isRateLimitBlocking($username)
+ public static function isRateLimitBlocking(string $username): bool
{
$secondsUntilUnblocked = self::getSecondsUntilUnblocked($username);
return ($secondsUntilUnblocked > 0);
}
- public static function isCaptchaRequiredFor($username)
+ public static function isCaptchaRequiredFor(?string $username): bool
{
if (empty($username)) {
return false;
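Review bot: Now that isCaptchaRequiredFor accepts `?string`, the `empty($username)` check still treats the literal username `'0'` as absent and returns false, so the captcha requirement is skipped for that account name; testing for null and the empty string explicitly, `if ($username === null || $username === '') {`, keeps the intent without that gap. The remainder of the method is outside the hunk, so I cannot tell whether a later check covers it.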
@@ -119,9 +123,10 @@ public static function isCaptchaRequiredFor($username)
}
public static function recordFailedLoginBy(
- $username,
+ string $username,
LoggerInterface $logger
- ) {
+ ): void
+ {
$newRecord = new FailedLoginUsername(['username' => strtolower($username)]);
if ( ! $newRecord->save()) {
$logger->critical(json_encode([
@@ -133,7 +138,7 @@ public static function recordFailedLoginBy(
}
}
- public static function resetFailedLoginsBy($username)
+ public static function resetFailedLoginsBy(string $username): void
{
self::deleteAll(['username' => strtolower($username)]);
}
diff --git a/modules/silauth/lib/Auth/Source/models/FailedLoginUsernameBase.php b/modules/silauth/lib/Auth/Source/models/FailedLoginUsernameBase.php
index a774ed47..a3c32cae 100644
--- a/modules/silauth/lib/Auth/Source/models/FailedLoginUsernameBase.php
+++ b/modules/silauth/lib/Auth/Source/models/FailedLoginUsernameBase.php
@@ -16,7 +16,7 @@ class FailedLoginUsernameBase extends \yii\db\ActiveRecord
/**
* @inheritdoc
*/
- public static function tableName()
+ public static function tableName(): string
{
return 'failed_login_username';
}
@@ -24,7 +24,7 @@ public static function tableName()
/**
* @inheritdoc
*/
- public function rules()
+ public function rules(): array
{
return [
[['username', 'occurred_at_utc'], 'required'],
@@ -36,7 +36,7 @@ public function rules()
/**
* @inheritdoc
*/
- public function attributeLabels()
+ public function attributeLabels(): array
{
return [
'id' => Yii::t('app', 'ID'),
diff --git a/modules/silauth/lib/Auth/Source/saml/User.php b/modules/silauth/lib/Auth/Source/saml/User.php
index 5986f5d1..864fe118 100644
--- a/modules/silauth/lib/Auth/Source/saml/User.php
+++ b/modules/silauth/lib/Auth/Source/saml/User.php
@@ -11,13 +11,14 @@ public static function convertToSamlFieldNames(
string $email,
string $uuid,
string $idpDomainName,
- $passwordExpirationDate,
+ ?string $passwordExpirationDate,
array $mfa,
array $method,
- $managerEmail,
- $profileReview,
+ ?string $managerEmail,
+ string $profileReview,
array $member
- ) {
+ ): array
+ {
// eduPersonUniqueId (only alphanumeric allowed)
$alphaNumericUuid = str_replace('-', '', $uuid);
diff --git a/modules/silauth/lib/Auth/Source/system/System.php b/modules/silauth/lib/Auth/Source/system/System.php
index ea576186..cfe11950 100644
--- a/modules/silauth/lib/Auth/Source/system/System.php
+++ b/modules/silauth/lib/Auth/Source/system/System.php
@@ -11,19 +11,19 @@
class System
{
- protected $logger;
+ protected LoggerInterface|NullLogger $logger;
/**
* Constructor.
*
* @param LoggerInterface|null $logger (Optional:) A PSR-3 compatible logger.
*/
- public function __construct($logger = null)
+ public function __construct(LoggerInterface $logger = null)
{
$this->logger = $logger ?? new NullLogger();
}
- protected function isDatabaseOkay()
+ protected function isDatabaseOkay(): bool
{
try {
FailedLoginIpAddress::getMostRecentFailedLoginFor('');
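Review bot: `LoggerInterface $logger = null` in the System constructor relies on implicit nullability from the default, which PHP 8.4 deprecates; declare it as `?LoggerInterface $logger = null`. The property type `LoggerInterface|NullLogger` is redundant since NullLogger implements LoggerInterface; `protected LoggerInterface $logger;` expresses the same thing. isDatabaseOkay's body continues outside the hunk.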
@@ -34,7 +34,7 @@ protected function isDatabaseOkay()
}
}
- protected function isRequiredConfigPresent()
+ protected function isRequiredConfigPresent(): bool
{
$globalConfig = Configuration::getInstance();
@@ -57,7 +57,7 @@ protected function isRequiredConfigPresent()
*
* @throws \Exception
*/
- public function reportStatus()
+ public function reportStatus(): void
{
if ( ! $this->isRequiredConfigPresent()) {
$this->reportError('Config problem', 1485984755);
@@ -75,7 +75,7 @@ public function reportStatus()
*
* @param string $message The error message.
*/
- protected function logError($message)
+ protected function logError(string $message): void
{
$this->logger->error($message);
}
@@ -88,7 +88,7 @@ protected function logError($message)
* @param int $code An error code.
* @throws \Exception
*/
- protected function reportError($message, $code)
+ protected function reportError(string $message, int $code): void
{
$this->logError($message);
throw new \Exception($message, $code);
diff --git a/modules/silauth/lib/Auth/Source/tests/fakes/FakeFailedIdBroker.php b/modules/silauth/lib/Auth/Source/tests/fakes/FakeFailedIdBroker.php
index a2a04fc7..aee14acd 100644
--- a/modules/silauth/lib/Auth/Source/tests/fakes/FakeFailedIdBroker.php
+++ b/modules/silauth/lib/Auth/Source/tests/fakes/FakeFailedIdBroker.php
@@ -5,7 +5,7 @@
class FakeFailedIdBroker extends FakeIdBroker
{
- public function getAuthenticatedUser(string $username, string $password)
+ public function getAuthenticatedUser(string $username, string $password): ?array
{
$this->logger->info('FAKE FAILURE: rejecting {username} and {password}.', [
'username' => var_export($username, true),
@@ -14,7 +14,7 @@ public function getAuthenticatedUser(string $username, string $password)
return parent::getAuthenticatedUser($username, $password);
}
- protected function getDesiredResponse()
+ protected function getDesiredResponse(): Response
{
return new Response(400);
}
diff --git a/modules/silauth/lib/Auth/Source/tests/fakes/FakeInvalidIdBroker.php b/modules/silauth/lib/Auth/Source/tests/fakes/FakeInvalidIdBroker.php
index 8e54e8f7..a22c85c1 100644
--- a/modules/silauth/lib/Auth/Source/tests/fakes/FakeInvalidIdBroker.php
+++ b/modules/silauth/lib/Auth/Source/tests/fakes/FakeInvalidIdBroker.php
@@ -5,13 +5,13 @@
class FakeInvalidIdBroker extends FakeIdBroker
{
- public function getAuthenticatedUser(string $username, string $password)
+ public function getAuthenticatedUser(string $username, string $password): ?array
{
$this->logger->info('FAKE ERROR: invalid/unexpected response.');
return parent::getAuthenticatedUser($username, $password);
}
- protected function getDesiredResponse()
+ protected function getDesiredResponse(): Response
{
return new Response(404);
}
diff --git a/modules/silauth/lib/Auth/Source/tests/fakes/FakeSuccessfulIdBroker.php b/modules/silauth/lib/Auth/Source/tests/fakes/FakeSuccessfulIdBroker.php
index 21d36b25..d385fa11 100644
--- a/modules/silauth/lib/Auth/Source/tests/fakes/FakeSuccessfulIdBroker.php
+++ b/modules/silauth/lib/Auth/Source/tests/fakes/FakeSuccessfulIdBroker.php
@@ -5,7 +5,7 @@
class FakeSuccessfulIdBroker extends FakeIdBroker
{
- public function getAuthenticatedUser(string $username, string $password)
+ public function getAuthenticatedUser(string $username, string $password): ?array
{
$this->logger->info('FAKE SUCCESS: accepting {username} and {password}.', [
'username' => var_export($username, true),
@@ -14,7 +14,7 @@ public function getAuthenticatedUser(string $username, string $password)
return parent::getAuthenticatedUser($username, $password);
}
- protected function getDesiredResponse()
+ protected function getDesiredResponse(): Response
{
return new Response(200, [], json_encode([
'uuid' => '11111111-aaaa-1111-aaaa-111111111111',
diff --git a/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummyFailedCaptcha.php b/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummyFailedCaptcha.php
index b6d5387c..9ddb58e6 100644
--- a/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummyFailedCaptcha.php
+++ b/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummyFailedCaptcha.php
@@ -6,7 +6,7 @@
class DummyFailedCaptcha extends Captcha
{
- public function isValidIn(Request $request)
+ public function isValidIn(Request $request): bool
{
return false;
}
diff --git a/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummySuccessfulCaptcha.php b/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummySuccessfulCaptcha.php
index 7a68b3d4..1bdfded2 100644
--- a/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummySuccessfulCaptcha.php
+++ b/modules/silauth/lib/Auth/Source/tests/unit/captcha/DummySuccessfulCaptcha.php
@@ -6,7 +6,7 @@
class DummySuccessfulCaptcha extends Captcha
{
- public function isValidIn(Request $request)
+ public function isValidIn(Request $request): bool
{
return true;
}
diff --git a/modules/silauth/lib/Auth/Source/tests/unit/http/DummyRequest.php b/modules/silauth/lib/Auth/Source/tests/unit/http/DummyRequest.php
index ae2cfbf7..f2334110 100644
--- a/modules/silauth/lib/Auth/Source/tests/unit/http/DummyRequest.php
+++ b/modules/silauth/lib/Auth/Source/tests/unit/http/DummyRequest.php
@@ -12,12 +12,12 @@ class DummyRequest extends Request
*
* @return string[] A list containing the dummy IP address.
*/
- public function getIpAddresses()
+ public function getIpAddresses(): array
{
return [$this->dummyIpAddress];
}
- public function setDummyIpAddress($dummyIpAddress)
+ public function setDummyIpAddress(string $dummyIpAddress): void
{
if ( ! self::isValidIpAddress($dummyIpAddress)) {
throw new \InvalidArgumentException(sprintf(
diff --git a/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginIpAddressTest.php b/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginIpAddressTest.php
index 84f2163d..8b1c3daf 100644
--- a/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginIpAddressTest.php
+++ b/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginIpAddressTest.php
@@ -9,7 +9,7 @@
class FailedLoginIpAddressTest extends TestCase
{
- protected function setDbFixture($recordsData)
+ protected function setDbFixture(array $recordsData): void
{
FailedLoginIpAddress::deleteAll();
foreach ($recordsData as $recordData) {
diff --git a/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginUsernameTest.php b/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginUsernameTest.php
index bd403eff..b5b571c2 100644
--- a/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginUsernameTest.php
+++ b/modules/silauth/lib/Auth/Source/tests/unit/models/FailedLoginUsernameTest.php
@@ -9,7 +9,7 @@
class FailedLoginUsernameTest extends TestCase
{
- protected function setDbFixture($recordsData)
+ protected function setDbFixture(array $recordsData): void
{
FailedLoginUsername::deleteAll();
foreach ($recordsData as $recordData) {
diff --git a/modules/silauth/lib/Auth/Source/text/Text.php b/modules/silauth/lib/Auth/Source/text/Text.php
index eed1282c..6649ca65 100644
--- a/modules/silauth/lib/Auth/Source/text/Text.php
+++ b/modules/silauth/lib/Auth/Source/text/Text.php
@@ -10,7 +10,7 @@ class Text
* @param string|mixed $input The input.
* @return string The sanitized string.
*/
- public static function sanitizeString($input)
+ public static function sanitizeString(mixed $input): string
{
$inputAsString = is_string($input) ? $input : '';
$output = filter_var($inputAsString, FILTER_SANITIZE_STRING, [
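Review bot: sanitizeString still builds on `FILTER_SANITIZE_STRING`, which PHP 8.1 deprecates (each call emits E_DEPRECATED) while this commit's `mixed` parameter already requires PHP 8.0+; the filter is also what sanitizeInputString feeds request values such as HTTP_USER_AGENT through, so the deprecation lands on every request. Because its options array continues outside the hunk I cannot give an exact drop-in, but the usual replacement is context-specific escaping at output time, or `htmlspecialchars(strip_tags($inputAsString), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` if the tag-stripping and quote-encoding behaviour must be kept. The function's body continues outside the hunk.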
@@ -26,7 +26,7 @@ public static function sanitizeString($input)
* @param string $needle The string to search for.
* @return boolean
*/
- public static function startsWith(string $haystack, string $needle)
+ public static function startsWith(string $haystack, string $needle): bool
{
$length = mb_strlen($needle);
return (mb_substr($haystack, 0, $length) === $needle);
diff --git a/modules/silauth/lib/Auth/Source/time/UtcTime.php b/modules/silauth/lib/Auth/Source/time/UtcTime.php
index af727882..e269c14e 100644
--- a/modules/silauth/lib/Auth/Source/time/UtcTime.php
+++ b/modules/silauth/lib/Auth/Source/time/UtcTime.php
@@ -39,7 +39,7 @@ public function __toString()
* @throws Exception If an invalid date/time string is provided, an
* \Exception will be thrown.
*/
- public static function format(string $dateTimeString = 'now')
+ public static function format(string $dateTimeString = 'now'): string
{
return (string)(new UtcTime($dateTimeString));
}
@@ -55,7 +55,7 @@ public static function format(string $dateTimeString = 'now')
* passed.
* @return int The number of seconds remaining.
*/
- public static function getRemainingSeconds(int $totalSeconds, int $elapsedSeconds)
+ public static function getRemainingSeconds(int $totalSeconds, int $elapsedSeconds): int
{
$remainingSeconds = $totalSeconds - $elapsedSeconds;
return max($remainingSeconds, 0);
@@ -71,7 +71,7 @@ public static function getRemainingSeconds(int $totalSeconds, int $elapsedSecond
* (presumably in the past, though not necessarily).
* @return int The number of seconds
*/
- public function getSecondsSince(UtcTime $otherUtcTime)
+ public function getSecondsSince(UtcTime $otherUtcTime): int
{
return $this->getTimestamp() - $otherUtcTime->getTimestamp();
}
@@ -85,7 +85,7 @@ public function getSecondsSince(UtcTime $otherUtcTime)
* \Exception will be thrown.
* @throws \InvalidArgumentException
*/
- public static function getSecondsSinceDateTime(string $dateTimeString)
+ public static function getSecondsSinceDateTime(string $dateTimeString): int
{
if (empty($dateTimeString)) {
throw new \InvalidArgumentException(sprintf(
@@ -98,12 +98,12 @@ public static function getSecondsSinceDateTime(string $dateTimeString)
return $nowUtc->getSecondsSince($dateTimeUtc);
}
- public function getSecondsUntil(UtcTime $otherUtcTime)
+ public function getSecondsUntil(UtcTime $otherUtcTime): int
{
return $otherUtcTime->getTimestamp() - $this->getTimestamp();
}
- public function getTimestamp()
+ public function getTimestamp(): int
{
return $this->dateTime->getTimestamp();
}
@@ -113,7 +113,7 @@ public function getTimestamp()
*
* @return string
*/
- public static function now()
+ public static function now(): string
{
return self::format('now');
}
diff --git a/modules/silauth/lib/Auth/Source/time/WaitTime.php b/modules/silauth/lib/Auth/Source/time/WaitTime.php
index ba5094f3..216b46ba 100644
--- a/modules/silauth/lib/Auth/Source/time/WaitTime.php
+++ b/modules/silauth/lib/Auth/Source/time/WaitTime.php
@@ -11,8 +11,8 @@ class WaitTime
const UNIT_MINUTE = 'minute';
const UNIT_SECOND = 'second';
- private $friendlyNumber = null;
- private $unit = null;
+ private int $friendlyNumber;
+ private string $unit;
/**
* Constructor.
@@ -22,7 +22,7 @@ class WaitTime
*
* @param int $secondsToWait The number of seconds the user must wait.
*/
- public function __construct($secondsToWait)
+ public function __construct(int $secondsToWait)
{
if ($secondsToWait <= 5) {
$this->friendlyNumber = 5;
@@ -36,7 +36,7 @@ public function __construct($secondsToWait)
}
}
- public function getFriendlyNumber()
+ public function getFriendlyNumber(): int
{
return $this->friendlyNumber;
}
@@ -48,7 +48,7 @@ public function getFriendlyNumber()
* seconds.
* @return WaitTime
*/
- public static function getLongestWaitTime(array $durationsInSeconds)
+ public static function getLongestWaitTime(array $durationsInSeconds): WaitTime
{
if (empty($durationsInSeconds)) {
throw new \InvalidArgumentException('No durations given.', 1487605801);
@@ -56,7 +56,7 @@ public static function getLongestWaitTime(array $durationsInSeconds)
return new WaitTime(max($durationsInSeconds));
}
- public function getUnit()
+ public function getUnit(): string
{
return $this->unit;
}
diff --git a/modules/silauth/lib/Auth/Source/traits/LoggerAwareTrait.php b/modules/silauth/lib/Auth/Source/traits/LoggerAwareTrait.php
index 65fabe5a..c07c72c8 100644
--- a/modules/silauth/lib/Auth/Source/traits/LoggerAwareTrait.php
+++ b/modules/silauth/lib/Auth/Source/traits/LoggerAwareTrait.php
@@ -7,9 +7,9 @@
trait LoggerAwareTrait
{
/** @var LoggerInterface */
- protected $logger;
+ protected LoggerInterface $logger;
- public function initializeLogger()
+ public function initializeLogger(): void
{
if (empty($this->logger)) {
$this->logger = new NullLogger();
@@ -22,7 +22,7 @@ public function initializeLogger()
* @param LoggerInterface $logger A PSR-3 compliant logger.
* @return null
*/
- public function setLogger(LoggerInterface $logger)
+ public function setLogger(LoggerInterface $logger): void
{
$this->logger = $logger;
}
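Review bot: The docblock above setLogger still says `@return null`, which now contradicts the `: void` return type added on the signature; drop the tag, since the native type already carries that information.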
diff --git a/modules/silauth/lib/Auth/Source/migrations/M161213135750CreateInitialTables.php b/modules/silauth/migrations/M161213135750CreateInitialTables.php
similarity index 94%
rename from modules/silauth/lib/Auth/Source/migrations/M161213135750CreateInitialTables.php
rename to modules/silauth/migrations/M161213135750CreateInitialTables.php
index bc0dab3d..a123a8f6 100644
--- a/modules/silauth/lib/Auth/Source/migrations/M161213135750CreateInitialTables.php
+++ b/modules/silauth/migrations/M161213135750CreateInitialTables.php
@@ -1,12 +1,12 @@
createTable('{{user}}', [
'id' => 'pk',
@@ -45,7 +45,7 @@ public function safeUp()
);
}
- public function safeDown()
+ public function safeDown(): void
{
$this->dropForeignKey(
'fk_prev_pw_user_user_id',
diff --git a/modules/silauth/lib/Auth/Source/migrations/M161213150831SwitchToUtcForDateTimes.php b/modules/silauth/migrations/M161213150831SwitchToUtcForDateTimes.php
similarity index 82%
rename from modules/silauth/lib/Auth/Source/migrations/M161213150831SwitchToUtcForDateTimes.php
rename to modules/silauth/migrations/M161213150831SwitchToUtcForDateTimes.php
index c9d38f96..145a496a 100644
--- a/modules/silauth/lib/Auth/Source/migrations/M161213150831SwitchToUtcForDateTimes.php
+++ b/modules/silauth/migrations/M161213150831SwitchToUtcForDateTimes.php
@@ -1,19 +1,19 @@
renameColumn('{{user}}', 'block_until', 'block_until_utc');
$this->renameColumn('{{user}}', 'last_updated', 'last_updated_utc');
$this->renameColumn('{{previous_password}}', 'created', 'created_utc');
}
- public function safeDown()
+ public function safeDown(): void
{
$this->renameColumn('{{previous_password}}', 'created_utc', 'created');
$this->renameColumn('{{user}}', 'last_updated_utc', 'last_updated');
diff --git a/modules/silauth/lib/Auth/Source/migrations/M170214141109CreateFailedLoginsTable.php b/modules/silauth/migrations/M170214141109CreateFailedLoginsTable.php
similarity index 90%
rename from modules/silauth/lib/Auth/Source/migrations/M170214141109CreateFailedLoginsTable.php
rename to modules/silauth/migrations/M170214141109CreateFailedLoginsTable.php
index acba2e8a..a43abc01 100644
--- a/modules/silauth/lib/Auth/Source/migrations/M170214141109CreateFailedLoginsTable.php
+++ b/modules/silauth/migrations/M170214141109CreateFailedLoginsTable.php
@@ -1,12 +1,12 @@
dropIndex('idx_failed_logins_ip_address', '{{failed_logins}}');
$this->dropIndex('idx_failed_logins_username', '{{failed_logins}}');
diff --git a/modules/silauth/lib/Auth/Source/migrations/M170214145629RemoveOldTables.php b/modules/silauth/migrations/M170214145629RemoveOldTables.php
similarity index 84%
rename from modules/silauth/lib/Auth/Source/migrations/M170214145629RemoveOldTables.php
rename to modules/silauth/migrations/M170214145629RemoveOldTables.php
index 0b407f9d..24031976 100644
--- a/modules/silauth/lib/Auth/Source/migrations/M170214145629RemoveOldTables.php
+++ b/modules/silauth/migrations/M170214145629RemoveOldTables.php
@@ -1,12 +1,12 @@
dropForeignKey(
'fk_prev_pw_user_user_id',
@@ -21,7 +21,7 @@ public function safeUp()
$this->dropTable('{{user}}');
}
- public function safeDown()
+ public function safeDown(): bool
{
echo "M170214145629RemoveOldTables cannot be reverted.\n";
diff --git a/modules/silauth/lib/Auth/Source/migrations/M170215141724SplitFailedLoginsTable.php b/modules/silauth/migrations/M170215141724SplitFailedLoginsTable.php
similarity index 91%
rename from modules/silauth/lib/Auth/Source/migrations/M170215141724SplitFailedLoginsTable.php
rename to modules/silauth/migrations/M170215141724SplitFailedLoginsTable.php
index 305e21fe..e71ebef5 100644
--- a/modules/silauth/lib/Auth/Source/migrations/M170215141724SplitFailedLoginsTable.php
+++ b/modules/silauth/migrations/M170215141724SplitFailedLoginsTable.php
@@ -1,12 +1,12 @@
dropIndex('idx_failed_logins_ip_address', '{{failed_logins}}');
@@ -36,7 +36,7 @@ public function safeUp()
);
}
- public function safeDown()
+ public function safeDown(): bool
{
echo "M170215141724SplitFailedLoginsTable cannot be reverted.\n";
return false;
diff --git a/modules/silauth/www/loginuserpass.php b/modules/silauth/www/loginuserpass.php
index 5a34a285..dcddce3a 100644
--- a/modules/silauth/www/loginuserpass.php
+++ b/modules/silauth/www/loginuserpass.php
@@ -1,6 +1,7 @@
data['csrfToken'] = $csrfProtector->getMasterToken();
$t->data['profileUrl'] = $state['templateData']['profileUrl'] ?? '';
$t->data['helpCenterUrl'] = $state['templateData']['helpCenterUrl'] ?? '';
+$t->data['announcement'] = AnnouncementUtils::getAnnouncement();
/* For simplicity's sake, don't bother telling this Request to trust any IP
* addresses. This is okay because we only track the failures of untrusted
@@ -96,6 +98,8 @@
$request = new Request();
if (Authenticator::isCaptchaRequired($username, $request->getUntrustedIpAddresses())) {
$t->data['recaptcha.siteKey'] = $recaptchaSiteKey;
+} else {
+ $t->data['recaptcha.siteKey'] = null;
}
if (isset($state['SPMetadata'])) {
diff --git a/modules/sildisco/lib/Auth/Process/AddIdp2NameId.php b/modules/sildisco/lib/Auth/Process/AddIdp2NameId.php
index 0f816211..e3c8408e 100644
--- a/modules/sildisco/lib/Auth/Process/AddIdp2NameId.php
+++ b/modules/sildisco/lib/Auth/Process/AddIdp2NameId.php
@@ -2,6 +2,7 @@
namespace SimpleSAML\Module\sildisco\Auth\Process;
+use SAML2\XML\saml\NameID;
use Sil\SspUtils\Metadata;
/**
@@ -39,7 +40,7 @@ class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter {
*
* @var string|bool
*/
- private $nameQualifier;
+ private string|bool $nameQualifier;
/**
@@ -51,7 +52,7 @@ class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter {
*
* @var string|bool
*/
- private $spNameQualifier;
+ private sring|bool $spNameQualifier;
/**
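Review bot: `private sring|bool $spNameQualifier;` misspells `string`. PHP resolves `sring` as a class name, so the file still compiles, but assigning any string to the property fails at runtime with a TypeError (`Cannot assign string to property ... of type sring|bool`), which presumably breaks whichever constructor path reads the SP name qualifier from config. The fix is `private string|bool $spNameQualifier;`, matching the `@var string|bool` docblock and the `$nameQualifier` declaration in the previous hunk.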
@@ -61,7 +62,7 @@ class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter {
*
* @var string
*/
- protected $format;
+ protected ?string $format;
/**
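Review bot: The docblock above `$format` still says `@var string` while the property is now `?string`; update it to `@var string|null` (or drop it, as the native type now says the same) so readers are not told the value can never be null.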
@@ -70,7 +71,7 @@ class AddIdp2NameId extends \SimpleSAML\Auth\ProcessingFilter {
* @param array $config Configuration information about this filter.
* @param mixed $reserved For future use.
*/
- public function __construct($config, $reserved) {
+ public function __construct(array $config, mixed $reserved) {
parent::__construct($config, $reserved);
assert('is_array($config)');
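Review bot: `assert('is_array($config)');` right after the newly typed `array $config` parameter is a no-op on PHP 8 — string arguments to assert() are no longer evaluated, they are simply truthy — and the `array` type already enforces the check, so the line should go, as the LogUser constructor hunk later in this diff does with its own `assert`. The same applies to `assert('is_array($state)');` in `process(&$state)` two hunks down, where typing the parameter `array &$state` (as LogUser::getIdp does) would replace it. The constructor body continues outside the hunk.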
@@ -93,12 +94,13 @@ public function __construct($config, $reserved) {
}
/**
- * @param $nameId \SAML2\XML\saml\NameID
+ * @param $nameId NameID
* @param $IDPNamespace string
*
* Modifies the nameID object by adding text to the end of its value attribute
*/
- public function appendIdp($nameId, $IDPNamespace) {
+ public function appendIdp(NameID $nameId, string $IDPNamespace): void
+ {
$suffix = self::DELIMITER . $IDPNamespace;
$value = $nameId->getValue();
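Review bot: The PHPDoc for appendIdp lists the variable before the type (`@param $nameId NameID`, `@param $IDPNamespace string`), which is the reverse of the PHPDoc convention and is not read as a type by tooling; write `@param NameID $nameId` and `@param string $IDPNamespace`. Both are now redundant with the native types on the new signature, so the tags could also be dropped and only the description kept. appendIdp's body continues outside the hunk.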
@@ -112,7 +114,8 @@ public function appendIdp($nameId, $IDPNamespace) {
*
* @param array &$state The current state array
*/
- public function process(&$state) {
+ public function process(&$state): void
+ {
assert('is_array($state)');
$samlIDP = $state[self::IDP_KEY];
diff --git a/modules/sildisco/lib/Auth/Process/LogUser.php b/modules/sildisco/lib/Auth/Process/LogUser.php
index c1cc2a55..835ed287 100644
--- a/modules/sildisco/lib/Auth/Process/LogUser.php
+++ b/modules/sildisco/lib/Auth/Process/LogUser.php
@@ -3,6 +3,7 @@
namespace SimpleSAML\Module\sildisco\Auth\Process;
use Aws\DynamoDb\Marshaler;
+use Aws\Sdk;
/**
* This Auth Proc logs information about each successful login to an AWS Dynamodb table.
@@ -38,13 +39,13 @@ class LogUser extends \SimpleSAML\Auth\ProcessingFilter
// The host of the aws dynamodb
- private $dynamoEndpoint;
+ private ?string $dynamoEndpoint;
// The region of the aws dynamodb
- private $dynamoRegion;
+ private ?string $dynamoRegion;
// The name of the aws dynamodb table that stores the login data
- private $dynamoLogTable;
+ private ?string $dynamoLogTable;
/**
* Initialize this filter, parse configuration.
@@ -52,9 +53,9 @@ class LogUser extends \SimpleSAML\Auth\ProcessingFilter
* @param array $config Configuration information about this filter.
* @param mixed $reserved For future use.
*/
- public function __construct($config, $reserved) {
+ public function __construct(array $config, mixed $reserved)
+ {
parent::__construct($config, $reserved);
- assert(is_array($config));
$this->dynamoEndpoint = $config[self::DYNAMO_ENDPOINT_KEY] ?? null;
$this->dynamoRegion = $config[self::DYNAMO_REGION_KEY] ?? null;
@@ -62,11 +63,12 @@ public function __construct($config, $reserved) {
}
/**
- * Log info for a user's login to Dyanmodb
+ * Log info for a user's login to Dynamodb
*
* @param array &$state The current state array
*/
- public function process(&$state) {
+ public function process(&$state): void
+ {
if (! $this->configsAreValid()) {
return;
}
@@ -103,7 +105,7 @@ public function process(&$state) {
$sdkConfig['endpoint'] = $this->dynamoEndpoint;
}
- $sdk = new \Aws\Sdk($sdkConfig);
+ $sdk = new Sdk($sdkConfig);
$dynamodb = $sdk->createDynamoDb();
$marshaler = new Marshaler();
@@ -137,7 +139,8 @@ public function process(&$state) {
}
}
- private function configsAreValid() {
+ private function configsAreValid(): bool
+ {
$msg = ' config value not provided to LogUser.';
if (empty($this->dynamoRegion)) {
@@ -153,7 +156,8 @@ private function configsAreValid() {
return true;
}
- private function getIdp(&$state) {
+ private function getIdp(array &$state)
+ {
if (empty($state[self::IDP_KEY])) {
return 'No IDP available';
}
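Review bot: `getIdp(array &$state)` gained a parameter type but no return type, while the sibling methods retyped in this commit received both; the only visible path returns the string `'No IDP available'`. If the remaining branches, which lie outside the hunk, also return strings, declare it: `private function getIdp(array &$state): string`. Whether `&$state` needs to stay by-reference depends on whether the method writes to it, which this hunk does not show.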
@@ -182,7 +186,8 @@ private function getIdp(&$state) {
}
// Get the current user's common name attribute and/or eduPersonPrincipalName and/or employeeNumber
- private function getUserAttributes($state) {
+ private function getUserAttributes(array $state): array
+ {
$attributes = $state['Attributes'];
$cn = $this->getAttributeFrom($attributes, 'urn:oid:2.5.4.3', 'cn');
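Review bot: `$attributes = $state['Attributes'];` now feeds `getAttributeFrom(array $attributes, ...)`, whose first parameter was given an `array` type in this commit, so a state without an `Attributes` key changes from a warning plus null into a TypeError on the next line. Default it instead: `$attributes = $state['Attributes'] ?? [];`. getUserAttributes() continues past the hunk.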
@@ -208,7 +213,8 @@ private function getUserAttributes($state) {
return $userAttrs;
}
- private function getAttributeFrom($attributes, $oidKey, $friendlyKey) {
+ private function getAttributeFrom(array $attributes, string $oidKey, string $friendlyKey): string
+ {
if (!empty($attributes[$oidKey])) {
return $attributes[$oidKey][0];
}
@@ -222,7 +228,7 @@ private function getAttributeFrom($attributes, $oidKey, $friendlyKey) {
// Dynamodb seems to complain when a value is an empty string.
// This ensures that only attributes with a non empty value get included.
- private function addUserAttribute($attributes, $attrKey, $attr) {
+ private function addUserAttribute(array $attributes, string $attrKey, string $attr): array {
if (!empty($attr)) {
$attributes[$attrKey] = $attr;
}
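Review bot: `if (!empty($attr))` drops the string `'0'` as well as `''`, although the comment above says only empty values should be excluded; with `$attr` now typed `string`, the test can be exact: `if ($attr !== '') {`. The opening brace also sits on the signature line, unlike every other method retyped in this file, where it was moved to its own line: `private function addUserAttribute(array $attributes, string $attrKey, string $attr): array` followed by `{`. The method's closing brace is outside the hunk.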
diff --git a/modules/sildisco/lib/Auth/Process/TagGroup.php b/modules/sildisco/lib/Auth/Process/TagGroup.php
index 59402907..5d8ccf68 100644
--- a/modules/sildisco/lib/Auth/Process/TagGroup.php
+++ b/modules/sildisco/lib/Auth/Process/TagGroup.php
@@ -16,7 +16,8 @@ class TagGroup extends \SimpleSAML\Auth\ProcessingFilter {
const IDP_CODE_KEY = 'IDPNamespace';
- public function prependIdp2Groups($attributes, $attributeLabel, $idpLabel) {
+ public function prependIdp2Groups(array $attributes, string $attributeLabel, string $idpLabel): array
+ {
$newGroups = [];
$delimiter = '|';
diff --git a/modules/sildisco/lib/Auth/Source/SP.php b/modules/sildisco/lib/Auth/Source/SP.php
index b9781797..6cf2863b 100644
--- a/modules/sildisco/lib/Auth/Source/SP.php
+++ b/modules/sildisco/lib/Auth/Source/SP.php
@@ -2,7 +2,7 @@
/**
* Modified from origin: modules/saml/lib/Auth/Source/SP.php
- * 2022-09-26 -- Merged with simplesamlphp 1.19.6, lines/sections marked with GTIS are modified
+ * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines/sections marked with GTIS are modified
*/
declare(strict_types=1);
@@ -561,6 +561,7 @@ private function startSSO2(Configuration $idpMetadata, array $state): void
if (isset($state['saml:Audience'])) {
$ar->setAudiences($state['saml:Audience']);
}
+
if (isset($state['ForceAuthn'])) {
$ar->setForceAuthn((bool) $state['ForceAuthn']);
}
@@ -866,7 +867,6 @@ public function reauthenticate(array &$state)
{
$session = Session::getSessionFromRequest();
$data = $session->getAuthState($this->authId);
- $data = $session->getAuthState($this->authId);
if ($data === null) {
throw new Error\NoState();
}
diff --git a/modules/sildisco/lib/IdP/SAML2.php b/modules/sildisco/lib/IdP/SAML2.php
index 4d975bd6..9f7f2345 100644
--- a/modules/sildisco/lib/IdP/SAML2.php
+++ b/modules/sildisco/lib/IdP/SAML2.php
@@ -5,7 +5,7 @@
* Copied from the built-in simplesamlphp module modules/saml/lib/IdP/SAML2.php with code inserted.
* See comment below about GTIS.
*
- * 2022-09-26 -- Merged with simplesamlphp 1.19.6, lines marked with GTIS are modified
+ * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
*/
declare(strict_types=1);
@@ -487,7 +487,7 @@ public static function receiveAuthnRequest(\SimpleSAML\IdP $idp)
* to authenticate through any of the IDP's that have so far
* been used for authentication.
*
- * In order for this for this to avoid forcing authentication
+ * In order for this to avoid forcing authentication
* in every case, the hub's saml20-idp-hosted.php entry needs
* to include an authproc entry that adds each authenticating
* IDP to a list in the session.
@@ -1512,4 +1512,4 @@ private static function buildResponse(
return $r;
}
-}
\ No newline at end of file
+}
diff --git a/modules/sildisco/lib/IdPDisco.php b/modules/sildisco/lib/IdPDisco.php
index 0ea08a17..4808a8ff 100644
--- a/modules/sildisco/lib/IdPDisco.php
+++ b/modules/sildisco/lib/IdPDisco.php
@@ -18,23 +18,23 @@ class IdPDisco extends \SimpleSAML\XHTML\IdPDisco
{
/* The session type for this class */
- public static $sessionType = 'sildisco:authentication';
+ public static string $sessionType = 'sildisco:authentication';
/* The session key for checking if the current user has the beta_tester cookie */
- public static $betaTesterSessionKey = 'beta_tester';
+ public static string $betaTesterSessionKey = 'beta_tester';
/* The idp metadata key that says whether an IDP is betaEnabled */
- public static $betaEnabledMdKey = 'betaEnabled';
+ public static string $betaEnabledMdKey = 'betaEnabled';
/* The idp metadata key that says whether an IDP is enabled */
- public static $enabledMdKey = 'enabled';
+ public static string $enabledMdKey = 'enabled';
/* The sp metadata key that gives the name of the SP */
- public static $spNameMdKey = 'name';
+ public static string $spNameMdKey = 'name';
/* Used to get the SP Entity ID, e.g. $spEntityId = $this->session->getData($sessionDataType, $sessionKeyForSP); */
- public static $sessionDataType = 'sildisco:authentication';
- public static $sessionKeyForSP = 'spentityid';
+ public static string $sessionDataType = 'sildisco:authentication';
+ public static string $sessionKeyForSP = 'spentityid';
/**
@@ -44,7 +44,7 @@ class IdPDisco extends \SimpleSAML\XHTML\IdPDisco
*
* @param string $message The message which should be logged.
*/
- protected function log($message)
+ protected function log($message): void
{
\SimpleSAML\Logger::info('SildiscoIdPDisco.'.$this->instance.': '.$message);
}
@@ -54,7 +54,7 @@ private function getMetadataPath() {
return __DIR__ . '/../../../metadata/';
}
- private function getSPEntityIDAndReducedIdpList()
+ private function getSPEntityIDAndReducedIdpList(): array
{
$idpList = $this->getIdPList();
@@ -76,7 +76,7 @@ private function getSPEntityIDAndReducedIdpList()
*
* The IdP disco parameters should be set before calling this function.
*/
- public function handleRequest()
+ public function handleRequest(): void
{
$this->start();
@@ -119,7 +119,7 @@ public function handleRequest()
$t->data['entityID'] = $this->spEntityId;
$t->data['spName'] = $spName;
$t->data['urlpattern'] = htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery());
- $t->data['announcement'] = AnnouncementUtils::getSimpleAnnouncement();
+ $t->data['announcement'] = AnnouncementUtils::getAnnouncement();
$t->data['helpCenterUrl'] = $this->config->getValue('helpCenterUrl', '');
$t->show();
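Review bot: `$t->data['announcement'] = AnnouncementUtils::getAnnouncement();` stores the value unescaped, whereas `urlpattern` two lines above is passed through htmlspecialchars() before reaching the template. If the announcement is operator-supplied text that the template echoes raw, escaping it at output (or a comment stating that it is trusted markup) would keep the two consistent; neither getAnnouncement() nor the template is visible here, so this needs confirming. handleRequest() continues outside the hunk.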
@@ -127,14 +127,15 @@ public function handleRequest()
/**
* @param array $idpList the IDPs with their metadata
- * @param bool $isBetaTester optional (default=null) just for unit testing
+ * @param bool|null $isBetaTester optional (default=null) just for unit testing
* @return array $idpList
*
* If the current user has the beta_tester cookie, then for each IDP in
* the idpList that has 'betaEnabled' => true, give it 'enabled' => true
*
*/
- public static function enableBetaEnabled($idpList, $isBetaTester=null) {
+ public static function enableBetaEnabled(array $idpList, ?bool $isBetaTester=null): array
+ {
if ( $isBetaTester === null) {
$session = \SimpleSAML\Session::getSessionFromRequest();
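Review bot: The new signature `?bool $isBetaTester=null` has no spaces around the default assignment, and the following `if ( $isBetaTester === null)` carries a stray space after the parenthesis; both are PSR-12 deviations that the other retyped signatures in this commit avoid. Write `public static function enableBetaEnabled(array $idpList, ?bool $isBetaTester = null): array` and `if ($isBetaTester === null) {`. The method body continues outside the hunk.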
@@ -168,7 +169,7 @@ public static function enableBetaEnabled($idpList, $isBetaTester=null) {
*
* @return string|null The entity id if it is valid, null if not.
*/
- protected function validateIdP($idp)
+ protected function validateIdP($idp): ?string
{
if ($idp === null) {
return null;
@@ -203,7 +204,6 @@ protected function validateIdP($idp)
return null;
}
-
if (array_key_exists($idp, $idpList) && $idpList[$idp]['enabled']) {
return $idp;
}
diff --git a/modules/sildisco/www/disco.php b/modules/sildisco/www/disco.php
index 6c3c08f0..e6b87f69 100644
--- a/modules/sildisco/www/disco.php
+++ b/modules/sildisco/www/disco.php
@@ -1,7 +1,7 @@
handleResponse($state, $issuer, $attributes);
-assert(false);
\ No newline at end of file
+assert(false);
diff --git a/modules/sildisco/www/sp/saml2-logout.php b/modules/sildisco/www/sp/saml2-logout.php
index 05d9c14b..53219f92 100644
--- a/modules/sildisco/www/sp/saml2-logout.php
+++ b/modules/sildisco/www/sp/saml2-logout.php
@@ -6,7 +6,7 @@
* This endpoint handles both logout requests and logout responses.
*
* Similar to modules/saml/www/sp/saml2-logout.php
- * 2022-09-26 -- Merged with simplesamlphp 1.19.6, lines marked with GTIS are modified
+ * 2024-06-06 -- Merged with simplesamlphp 1.19.8, lines marked with GTIS are modified
*/
if (!array_key_exists('PATH_INFO', $_SERVER)) {
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 00000000..e8abf91e
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,18 @@
+{
+ "name": "simplesamlphp-module-material",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "simplesamlphp-module-material",
+ "dependencies": {
+ "@simplewebauthn/browser": "^4.1.0"
+ }
+ },
+ "node_modules/@simplewebauthn/browser": {
+ "version": "4.1.0",
+ "resolved": "https://registry.npmjs.org/@simplewebauthn/browser/-/browser-4.1.0.tgz",
+ "integrity": "sha512-tIsEfShC1rrqrsNb44tOFuSriAFCz4tkdDnCjHfn2rYxgz+t+yqEvuIRfJHQpFrWSnZPdsjrAHtasj6lzfGI6w=="
+ }
+ }
+}