Adjust Neos.Flow Security subcontext

Author: Bernhard Schmitt

Neos.Flow/Classes/Security/Account.php

@@ -55,7 +55,7 @@ class Account
     protected $creationDate;
 
     /**
-     * @var \DateTime
+     * @var \DateTime|null
      * @ORM\Column(nullable=true)
      */
     protected $expirationDate;
@@ -73,7 +73,7 @@ class Account
     protected $failedAuthenticationCount;
 
     /**
-     * @var array of strings
+     * @var array<string>
      * @ORM\Column(type="simple_array", nullable=true)
      */
     protected $roleIdentifiers = [];
@@ -225,9 +225,6 @@ public function setRoles(array $roles)
         $this->roleIdentifiers = [];
         $this->roles = [];
         foreach ($roles as $role) {
-            if (!$role instanceof Role) {
-                throw new \InvalidArgumentException(sprintf('setRoles() only accepts an array of %s instances, given: "%s"', Role::class, gettype($role)), 1397125997);
-            }
             $this->addRole($role);
         }
     }
@@ -310,7 +307,7 @@ public function getExpirationDate()
     /**
      * Sets the date on which this account will become inactive
      *
-     * @param \DateTime $expirationDate
+     * @param ?\DateTime $expirationDate
      * @return void
      * @api
      */

Neos.Flow/Classes/Security/AccountFactory.php

@@ -37,7 +37,7 @@ class AccountFactory
      *
      * @param string $identifier Identifier of the account, must be unique
      * @param string $password The clear text password
-     * @param array $roleIdentifiers Optionally an array of role identifiers to assign to the new account
+     * @param array<string> $roleIdentifiers Optionally an array of role identifiers to assign to the new account
      * @param string $authenticationProviderName Optional name of the authentication provider the account is affiliated with
      * @param string $passwordHashingStrategy Optional password hashing strategy to use for the password
      * @return Account A new account, not yet added to the account repository

Neos.Flow/Classes/Security/AccountRepository.php

@@ -30,7 +30,7 @@ class AccountRepository extends Repository
     const ENTITY_CLASSNAME = Account::class;
 
     /**
-     * @var array
+     * @var array<string,string>
      */
     protected $defaultOrderings = ['creationDate' => QueryInterface::ORDER_DESCENDING];
 
@@ -51,6 +51,9 @@ class AccountRepository extends Repository
      */
     public function remove($object): void
     {
+        if (!$object instanceof Account) {
+            throw new \InvalidArgumentException('Can only remove account objects.', 1743961393);
+        }
         parent::remove($object);
 
         // destroy the sessions for the account to be removed
@@ -67,12 +70,14 @@ public function remove($object): void
     public function findByAccountIdentifierAndAuthenticationProviderName($accountIdentifier, $authenticationProviderName)
     {
         $query = $this->createQuery();
-        return $query->matching(
+        $result = $query->matching(
             $query->logicalAnd(
                 $query->equals('accountIdentifier', $accountIdentifier),
                 $query->equals('authenticationProviderName', $authenticationProviderName)
             )
         )->execute()->getFirst();
+
+        return $result instanceof Account ? $result : null;
     }
 
     /**
@@ -85,7 +90,7 @@ public function findByAccountIdentifierAndAuthenticationProviderName($accountIde
     public function findActiveByAccountIdentifierAndAuthenticationProviderName($accountIdentifier, $authenticationProviderName)
     {
         $query = $this->createQuery();
-        return $query->matching(
+        $result = $query->matching(
             $query->logicalAnd(
                 $query->equals('accountIdentifier', $accountIdentifier),
                 $query->equals('authenticationProviderName', $authenticationProviderName),
@@ -95,5 +100,7 @@ public function findActiveByAccountIdentifierAndAuthenticationProviderName($acco
                 )
             )
         )->execute()->getFirst();
+
+        return $result instanceof Account ? $result : null;
     }
 }

Neos.Flow/Classes/Security/Aspect/LoggingAspect.php

@@ -100,9 +100,9 @@ public function logManagerLogout(JoinPointInterface $joinPoint)
     }
 
     /**
-     * @param array $collectedIdentifiers
+     * @param array<string> $collectedIdentifiers
      * @param TokenInterface $token
-     * @return array
+     * @return array<string>
      */
     protected function reduceTokenToAccountIdentifier(array $collectedIdentifiers, TokenInterface $token): array
     {
@@ -170,7 +170,7 @@ public function logPrivilegeAccessDecisions(JoinPointInterface $joinPoint)
 
     /**
      * @param JoinPointInterface $joinPoint
-     * @return array
+     * @return array<string,array{packageKey: string, className: string, methodName: string}>
      */
     protected function getLogEnvironmentFromJoinPoint(JoinPointInterface $joinPoint): array
     {

Neos.Flow/Classes/Security/Authentication/AuthenticationProviderInterface.php

@@ -21,7 +21,7 @@ interface AuthenticationProviderInterface
      * Constructs an instance with the given name and options.
      *
      * @param string $name
-     * @param array $options
+     * @param array<mixed> $options
      * @return self
      */
     public static function create(string $name, array $options);
@@ -37,7 +37,7 @@ public function canAuthenticate(TokenInterface $token);
     /**
      * Returns the classnames of the tokens this provider is responsible for.
      *
-     * @return array The classname of the token this provider is responsible for
+     * @return array<class-string<TokenInterface>> The classname of the token this provider is responsible for
      */
     public function getTokenClassNames();
 

Neos.Flow/Classes/Security/Authentication/AuthenticationProviderManager.php

@@ -51,7 +51,7 @@ class AuthenticationProviderManager implements AuthenticationManagerInterface
      * Injected configuration for providers.
      * Will be null'd again after building the object instances.
      *
-     * @var array|null
+     * @var array<mixed>|null
      */
     protected $providerConfigurations;
 
@@ -81,7 +81,7 @@ public function __construct(TokenAndProviderFactoryInterface $tokenAndProviderFa
     /**
      * Inject the settings and does a fresh build of tokens based on the injected settings
      *
-     * @param array $settings The settings
+     * @param array<string,mixed> $settings The settings
      * @return void
      * @throws Exception
      */
@@ -206,7 +206,10 @@ public function isAuthenticated(): bool
             } catch (AuthenticationRequiredException $exception) {
             }
         }
-        return $this->isAuthenticated;
+
+        return $this->isAuthenticated !== null
+            ? $this->isAuthenticated
+            : false;
     }
 
     /**

Neos.Flow/Classes/Security/Authentication/AuthenticationProviderResolver.php

@@ -47,12 +47,12 @@ public function __construct(ObjectManagerInterface $objectManager)
     public function resolveProviderClass($providerName)
     {
         $className = $this->objectManager->getClassNameByObjectName($providerName);
-        if ($className !== false) {
+        if ($className !== false && is_subclass_of($className, AuthenticationProviderInterface::class)) {
             return $className;
         }
 
         $className = $this->objectManager->getClassNameByObjectName('Neos\Flow\Security\Authentication\Provider\\' . $providerName);
-        if ($className !== false) {
+        if ($className !== false && is_subclass_of($className, AuthenticationProviderInterface::class)) {
             return $className;
         }
 

Neos.Flow/Classes/Security/Authentication/Controller/AbstractAuthenticationController.php

@@ -85,7 +85,11 @@ public function authenticateAction()
 
         if (!$this->authenticationManager->isAuthenticated()) {
             $this->onAuthenticationFailure($authenticationException);
-            return call_user_func([$this, $this->errorMethodName]);
+            $callable = [$this, $this->errorMethodName];
+            if (!is_callable($callable)) {
+                throw new \Exception('Invalid error method ' . $this->errorMethodName, 1743955562);
+            }
+            return call_user_func($callable);
         }
 
         $storedRequest = $this->securityContext->getInterceptedRequest();

Neos.Flow/Classes/Security/Authentication/EntryPoint/AbstractEntryPoint.php

@@ -21,14 +21,14 @@ abstract class AbstractEntryPoint implements EntryPointInterface
     /**
      * The configurations options
      *
-     * @var array
+     * @var array<mixed>
      */
     protected $options = [];
 
     /**
      * Sets the options array
      *
-     * @param array $options An array of configuration options
+     * @param array<mixed> $options An array of configuration options
      * @return void
      */
     public function setOptions(array $options)
@@ -39,7 +39,7 @@ public function setOptions(array $options)
     /**
      * Returns the options array
      *
-     * @return array The configuration options of this entry point
+     * @return array<mixed> The configuration options of this entry point
      */
     public function getOptions()
     {

Neos.Flow/Classes/Security/Authentication/EntryPoint/WebRedirect.php

@@ -75,7 +75,7 @@ public function startAuthentication(ServerRequestInterface $request, ResponseInt
     }
 
     /**
-     * @param array $routeValues
+     * @param array<string,mixed> $routeValues
      * @param ServerRequestInterface $request
      * @return string
      * @throws \Neos\Flow\Mvc\Routing\Exception\MissingActionNameException
@@ -96,7 +96,7 @@ protected function generateUriFromRouteValues(array $routeValues, ServerRequestI
      * Returns the entry $key from the array $routeValues removing the original array item.
      * If $key does not exist, NULL is returned.
      *
-     * @param array $routeValues
+     * @param array<string,mixed> $routeValues
      * @param string $key
      * @return mixed the specified route value or NULL if it is not set
      */