Prepare for SSP 2.0

Author: tvdijen

composer.json

@@ -31,13 +31,13 @@
         }
     },
     "require": {
-        "php": ">=5.6",
+        "php": ">=7.2",
         "ext-ldap": "*",
         "simplesamlphp/composer-module-installer": "~1.1",
+        "simplesamlphp/simplesamlphp": "dev-master",
         "webmozart/assert": "~1.4"
     },
     "require-dev": {
-        "simplesamlphp/simplesamlphp": "^1.17",
         "simplesamlphp/simplesamlphp-test-framework": "^0.1.0"
     },
     "support": {

default-enable

@@ -65,12 +65,12 @@ class Ldap
      * @psalm-suppress NullArgument
      */
     public function __construct(
-        $hostname,
-        $enable_tls = true,
-        $debug = false,
-        $timeout = 0,
-        $port = 389,
-        $referrals = true
+        string $hostname,
+        bool $enable_tls = true,
+        bool $debug = false,
+        int $timeout = 0,
+        int $port = 389,
+        bool $referrals = true
     ) {
         // Debug
         Logger::debug('Library - LDAP __construct(): Setup LDAP with ' .
@@ -152,7 +152,7 @@ public function __construct(
      * @param int|null $type The exception's type
      * @return \Exception
      */
-    private function makeException($description, $type = null)
+    private function makeException(string $description, int $type = null): \Exception
     {
         $errNo = @ldap_errno($this->ldap);
 
@@ -234,8 +234,13 @@ private function makeException($description, $type = null)
      * - Zero entries were found
      * @psalm-suppress TypeDoesNotContainType
      */
-    private function search($base, $attribute, $value, $searchFilter = null, $scope = "subtree")
-    {
+    private function search(
+        string $base,
+        $attribute,
+        string $value,
+        ?string $searchFilter = null,
+        string $scope = "subtree"
+    ): string {
         // Create the search filter
         /** @var array $attribute */
         $attribute = self::escapeFilterValue($attribute, false);
@@ -342,11 +347,11 @@ private function search($base, $attribute, $value, $searchFilter = null, $scope
     public function searchfordn(
         $base,
         $attribute,
-        $value,
-        $allowZeroHits = false,
-        $searchFilter = null,
-        $scope = 'subtree'
-    ) {
+        string $value,
+        bool $allowZeroHits = false,
+        ?string $searchFilter = null,
+        string $scope = 'subtree'
+    ): ?string {
         // Traverse all search bases, returning DN if found
         $bases = Utils\Arrays::arrayize($base);
         foreach ($bases as $current) {
@@ -395,10 +400,10 @@ public function searchformultiple(
         $bases,
         $filters,
         $attributes = [],
-        $and = true,
-        $escape = true,
-        $scope = 'subtree'
-    ) {
+        bool $and = true,
+        bool $escape = true,
+        string $scope = 'subtree'
+    ): array {
         // Escape the filter values, if requested
         if ($escape) {
             $filters = $this->escapeFilterValue($filters, false);
@@ -414,6 +419,7 @@ public function searchformultiple(
                 $filter = ($and ? '(&' : '(|') . $filter . ')';
             }
         } else {
+            /** @psalm-suppress RedundantConditionGivenDocblockType */
             Assert::string($filters);
             $filter = $filters;
         }
@@ -516,7 +522,7 @@ public function searchformultiple(
      * LDAP_INAPPROPRIATE_AUTH, LDAP_INSUFFICIENT_ACCESS
      * @throws Error\Exception on other errors
      */
-    public function bind($dn, $password, array $sasl_args = null)
+    public function bind(string $dn, string $password, array $sasl_args = null): ?bool
     {
         if ($sasl_args != null) {
             if (!function_exists('ldap_sasl_bind')) {
@@ -580,7 +586,7 @@ public function bind($dn, $password, array $sasl_args = null)
      * @param mixed $value
      * @return void
      */
-    public function setOption($option, $value)
+    public function setOption($option, $value): void
     {
         // Attempt to set the LDAP option
         if (!@ldap_set_option($this->ldap, $option, $value)) {
@@ -615,7 +621,7 @@ public function setOption($option, $value)
      * The array of attributes and their values.
      * @see http://no.php.net/manual/en/function.ldap-read.php
      */
-    public function getAttributes($dn, $attributes = null, $maxsize = null)
+    public function getAttributes(string $dn, $attributes = null, int $maxsize = null): array
     {
         // Preparations, including a pretty debug message...
         $description = 'all attributes';
@@ -698,10 +704,10 @@ public function getAttributes($dn, $attributes = null, $maxsize = null)
      *
      * @param array $config
      * @param string $username
-     * @param string $password
+     * @param string|null $password
      * @return array|false
      */
-    public function validate($config, $username, $password = null)
+    public function validate(array $config, string $username, string $password = null)
     {
         /**
          * Escape any characters with a special meaning in LDAP. The following
@@ -755,7 +761,7 @@ public function validate($config, $username, $password = null)
      * @param bool $singleValue
      * @return string|array Array $values, but escaped
      */
-    public static function escapeFilterValue($values = [], $singleValue = true)
+    public static function escapeFilterValue($values = [], bool $singleValue = true)
     {
         // Parameter validation
         $values = Utils\Arrays::arrayize($values);
@@ -793,7 +799,7 @@ public static function escapeFilterValue($values = [], $singleValue = true)
      * @static
      * @return string
      */
-    public static function asc2hex32($string)
+    public static function asc2hex32(string $string): string
     {
         for ($i = 0; $i < strlen($string); $i++) {
             $char = substr($string, $i, 1);
@@ -808,6 +814,7 @@ public static function asc2hex32($string)
         return $string;
     }
 
+
     /**
      * Convert SASL authz_id into a DN
      *
@@ -816,7 +823,7 @@ public static function asc2hex32($string)
      * @param string $authz_id
      * @return string|null
      */
-    private function authzidToDn($searchBase, $searchAttributes, $authz_id)
+    private function authzidToDn(string $searchBase, array $searchAttributes, string $authz_id): ?string
     {
         if (preg_match("/^dn:/", $authz_id)) {
             return preg_replace("/^dn:/", "", $authz_id);
@@ -832,46 +839,24 @@ private function authzidToDn($searchBase, $searchAttributes, $authz_id)
         return $authz_id;
     }
 
+
     /**
      * ldap_exop_whoami accessor, if available. Use requested authz_id
      * otherwise.
      *
-     * ldap_exop_whoami() has been provided as a third party patch that
-     * waited several years to get its way upstream:
-     * http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/php-ldap/files
-     *
-     * When it was integrated into PHP repository, the function prototype
-     * was changed, The new prototype was used in third party patch for
-     * PHP 7.0 and 7.1, hence the version test below.
-     *
      * @param string $searchBase
      * @param array $searchAttributes
      * @throws \Exception
      * @return string
      */
-    public function whoami($searchBase, $searchAttributes)
+    public function whoami(string $searchBase, array $searchAttributes): string
     {
-        $authz_id = '';
-        if (function_exists('ldap_exop_whoami')) {
-            if (version_compare(phpversion(), '7', '<')) {
-                /** @psalm-suppress TooManyArguments */
-                if (ldap_exop_whoami($this->ldap, $authz_id) === false) {
-                    throw $this->makeException('LDAP whoami exop failure');
-                }
-            } else {
-                $authz_id = ldap_exop_whoami($this->ldap);
-                if ($authz_id === false) {
-                    throw $this->makeException('LDAP whoami exop failure');
-                }
-            }
-        } else {
-            Assert::string($authz_id);
-            /** @var string $authz_id */
-            $authz_id = $this->authz_id;
+        $authz_id = ldap_exop_whoami($this->ldap);
+        if ($authz_id === false) {
+            throw $this->makeException('LDAP whoami exop failure');
         }
 
         $dn = $this->authzidToDn($searchBase, $searchAttributes, $authz_id);
-
         if (empty($dn)) {
             throw $this->makeException('Cannot figure userID');
         }

lib/Auth/Ldap.php

@@ -48,15 +48,13 @@ class AttributeAddFromLDAP extends BaseFilter
      */
     protected $search_attributes;
 
-
     /**
      * LDAP search filter to use in the LDAP query
      *
      * @var string
      */
     protected $search_filter;
 
-
     /**
      * What to do with attributes when the target already exists. Either replace, merge or add.
      *
@@ -71,7 +69,7 @@ class AttributeAddFromLDAP extends BaseFilter
      * @param array $config Configuration information about this filter.
      * @param mixed $reserved For future use.
      */
-    public function __construct($config, $reserved)
+    public function __construct(array $config, $reserved)
     {
         parent::__construct($config, $reserved);
 
@@ -94,9 +92,8 @@ public function __construct($config, $reserved)
      * @param array &$request The current request
      * @return void
      */
-    public function process(&$request)
+    public function process(array &$request): void
     {
-        Assert::isArray($request);
         Assert::keyExists($request, 'Attributes');
 
         $attributes = &$request['Attributes'];

lib/Auth/Process/AttributeAddFromLDAP.php

@@ -25,12 +25,11 @@ class AttributeAddUsersGroups extends BaseFilter
      * are then added to the request attributes.
      *
      * @throws \SimpleSAML\Error\Exception
-     * @param $request
+     * @param array $request
      * @return void
      */
-    public function process(&$request)
+    public function process(array &$request): void
     {
-        Assert::isArray($request);
         Assert::keyExists($request, 'Attributes');
 
         // Log the process
@@ -82,7 +81,7 @@ public function process(&$request)
      * @param array $attributes
      * @return array
      */
-    protected function getGroups($attributes)
+    protected function getGroups(array $attributes): array
     {
         // Log the request
         Logger::debug(
@@ -144,7 +143,7 @@ protected function getGroups($attributes)
      * @param array $attributes
      * @return array
      */
-    protected function getGroupsOpenLdap($attributes)
+    protected function getGroupsOpenLdap(array $attributes): array
     {
         // Log the OpenLDAP specific search
         Logger::debug(
@@ -193,7 +192,7 @@ protected function getGroupsOpenLdap($attributes)
      * @param array $attributes
      * @return array
      */
-    protected function getGroupsActiveDirectory($attributes)
+    protected function getGroupsActiveDirectory(array $attributes): array
     {
         // Log the AD specific search
         Logger::debug(
@@ -223,6 +222,7 @@ protected function getGroupsActiveDirectory($attributes)
         return $this->searchActiveDirectory($attributes[$map['dn']][0]);
     }
 
+
     /**
      * Looks for groups from the list of DN's passed. Also
      * recursively searches groups for further membership.
@@ -232,7 +232,7 @@ protected function getGroupsActiveDirectory($attributes)
      * @param array $memberof
      * @return array
      */
-    protected function search(array $memberof)
+    protected function search(array $memberof): array
     {
         // Used to determine what DN's have already been searched
         static $searched = [];
@@ -308,10 +308,8 @@ protected function search(array $memberof)
      * @param string $dn
      * @return array
      */
-    protected function searchActiveDirectory($dn)
+    protected function searchActiveDirectory(string $dn): array
     {
-        Assert::stringNotEmpty($dn);
-
         // Shorten the variable name
         $map = &$this->attribute_map;