TASK: Adjust phpstan config to apply level 8 rules to the Flow/Security context and remove breaking changes

Some return type Annotations in the ObjectManagerInterface are adjusted to match the reality already to prevent false errors beeing reported by PhpStan

Author: mficzel

Neos.Flow/Classes/ObjectManagement/ObjectManagerInterface.php

@@ -110,7 +110,7 @@ public function getObjectNameByClassName($className);
      * Returns the implementation class name for the specified object
      *
      * @param string $objectName The object name
-     * @return string The class name corresponding to the given object name or false if no such object is registered
+     * @return string|false The class name corresponding to the given object name or false if no such object is registered
      * @api
      */
     public function getClassNameByObjectName($objectName);
@@ -119,7 +119,7 @@ public function getClassNameByObjectName($objectName);
      * Returns the key of the package the specified object is contained in.
      *
      * @param string $objectName The object name
-     * @return string The package key or false if no such object exists
+     * @return string|false The package key or false if no such object exists
      */
     public function getPackageKeyByObjectName($objectName);
 

Neos.Flow/Classes/Security/Aspect/LoggingAspect.php

@@ -50,6 +50,7 @@ class LoggingAspect
     public function logManagerAuthenticate(JoinPointInterface $joinPoint)
     {
         if ($joinPoint->hasException()) {
+            /** @var \Exception $exception */
             $exception = $joinPoint->getException();
             if (!$exception instanceof NoTokensAuthenticatedException) {
                 $this->securityLogger->notice(sprintf('Authentication failed: "%s" #%d', $exception->getMessage(), $exception->getCode()), $this->getLogEnvironmentFromJoinPoint($joinPoint));

Neos.Flow/Classes/Security/Authentication/AuthenticationProviderResolver.php

@@ -47,12 +47,12 @@ public function __construct(ObjectManagerInterface $objectManager)
     public function resolveProviderClass($providerName)
     {
         $className = $this->objectManager->getClassNameByObjectName($providerName);
-        if ($className !== false && is_subclass_of($className, AuthenticationProviderInterface::class)) {
+        if (is_string($className) && is_subclass_of($className, AuthenticationProviderInterface::class)) {
             return $className;
         }
 
         $className = $this->objectManager->getClassNameByObjectName('Neos\Flow\Security\Authentication\Provider\\' . $providerName);
-        if ($className !== false && is_subclass_of($className, AuthenticationProviderInterface::class)) {
+        if (is_string($className) &&  is_subclass_of($className, AuthenticationProviderInterface::class)) {
             return $className;
         }
 

Neos.Flow/Classes/Security/Authentication/Provider/FileBasedSimpleKeyProvider.php

@@ -107,7 +107,7 @@ public function authenticate(TokenInterface $authenticationToken)
     protected function validateCredentials(PasswordTokenInterface $authenticationToken): void
     {
         $key = $this->fileBasedSimpleKeyService->getKey($this->options['keyName']);
-        if (!$this->hashService->validatePassword($authenticationToken->getPassword(),$key)) {
+        if (!$this->hashService->validatePassword($authenticationToken->getPassword(), $key)) {
             $authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
             return;
         }

Neos.Flow/Classes/Security/Authorization/Interceptor/PolicyEnforcement.php

@@ -96,6 +96,7 @@ public function invoke()
 
         try {
             $this->authenticationManager->authenticate();
+        /** @phpstan-ignore catch.neverThrown */
         } catch (EntityNotFoundException $exception) {
             throw new AuthenticationRequiredException('Could not authenticate. Looks like a broken session.', 1358971444, $exception);
         } catch (NoTokensAuthenticatedException $noTokensAuthenticatedException) {

Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/EntityPrivilege.php

@@ -11,7 +11,6 @@
  * source code.
  */
 
-use Doctrine\Persistence\Mapping\ClassMetadata;
 use Doctrine\ORM\EntityManager;
 use Doctrine\ORM\EntityManagerInterface;
 use Neos\Eel\Context as EelContext;

Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/EntityPrivilegeExpressionParser.php

@@ -25,8 +25,9 @@ class EntityPrivilegeExpressionParser extends CompilingEelParser
     /**
      * @param array<string,mixed> $result
      * @param array<string,mixed> $sub
+     * @return void
      */
-    public function NotExpression_exp(&$result, $sub): void
+    public function NotExpression_exp(&$result, $sub)
     {
         if (!isset($result['code'])) {
             $result['code'] = '$context';
@@ -37,27 +38,30 @@ public function NotExpression_exp(&$result, $sub): void
     /**
      * @param array<string,mixed> $result
      * @param array<string,mixed> $sub
+     * @return void
      */
-    public function Disjunction_rgt(&$result, $sub): void
+    public function Disjunction_rgt(&$result, $sub)
     {
         $result['code'] = '$context->callAndWrap(\'disjunction\', array(' . $this->unwrapExpression($result['code']) . ', ' . $this->unwrapExpression($sub['code']) . '))';
     }
 
     /**
      * @param array<string,mixed> $result
      * @param array<string,mixed> $sub
+     * @return void
      */
-    public function Conjunction_rgt(&$result, $sub): void
+    public function Conjunction_rgt(&$result, $sub)
     {
         $result['code'] = '$context->callAndWrap(\'conjunction\', array(' . $this->unwrapExpression($result['code']) . ', ' . $this->unwrapExpression($sub['code']) . '))';
     }
 
     /**
      * @param array<string,mixed> $result
      * @param array<string,mixed> $sub
+     * @return void
      * @throws ParserException
      */
-    public function Comparison_rgt(&$result, $sub): void
+    public function Comparison_rgt(&$result, $sub)
     {
         $lval = $result['code'];
         $rval = $sub['code'];

Neos.Flow/Classes/Security/Authorization/Privilege/Entity/Doctrine/PropertyConditionGenerator.php

@@ -254,8 +254,8 @@ public function getSql(DoctrineSqlFilter $sqlFilter, ORMClassMetadata $targetEnt
         } elseif ($targetEntity->isSingleValuedAssociation($targetEntityPropertyName) === true && $targetEntity->isAssociationInverseSide($targetEntityPropertyName) === true) {
             throw new InvalidQueryRewritingConstraintException(
                 'Single valued properties from the inverse side are not supported in a content security constraint path! Got: "'
-                    . $this->path . ' ' . $this->operator . ' ' . json_encode($this->operandDefinition) . '"'
-                , 1416397754
+                    . $this->path . ' ' . $this->operator . ' ' . json_encode($this->operandDefinition) . '"',
+                1416397754
             );
         } elseif ($targetEntity->isCollectionValuedAssociation($targetEntityPropertyName) === true) {
             return $this->getSqlForPropertyContains($sqlFilter, $quoteStrategy, $targetEntity, $targetTableAlias, $targetEntityPropertyName);
@@ -381,19 +381,13 @@ protected function getSqlForManyToOneAndOneToOneRelationsWithoutPropertyPath(Doc
             $currentReferencedOperandName = $operandAlias . $joinColumn['referencedColumnName'];
             if (is_object($this->operand)) {
                 $type = TypeHandling::getTypeForValue($this->operand);
-                if ($type === false) {
-                    throw new \Exception('Could not resolve type for ' . get_debug_type($this->operand), 1743930563);
-                }
                 $operandMetadataInfo = $this->entityManager->getClassMetadata($type);
                 $currentReferencedValueOfOperand = $operandMetadataInfo->getFieldValue($this->operand, $operandMetadataInfo->getFieldForColumn($joinColumn['referencedColumnName']));
                 $this->setParameter($sqlFilter, $currentReferencedOperandName, $currentReferencedValueOfOperand, $associationMapping['type']);
             } elseif (is_array($this->operandDefinition)) {
                 foreach ($this->operandDefinition as $operandIterator => $singleOperandValue) {
                     if (is_object($singleOperandValue)) {
                         $type = TypeHandling::getTypeForValue($singleOperandValue);
-                        if ($type === false) {
-                            throw new \Exception('Could not resolve type for ' . get_debug_type($singleOperandValue), 1743930566);
-                        }
                         $operandMetadataInfo = $this->entityManager->getClassMetadata($type);
                         $currentReferencedValueOfOperand = $operandMetadataInfo->getFieldValue($singleOperandValue, $operandMetadataInfo->getFieldForColumn($joinColumn['referencedColumnName']));
                         $this->setParameter($sqlFilter, $operandIterator, $currentReferencedValueOfOperand, $associationMapping['type']);
@@ -466,6 +460,7 @@ protected function getSubselectQuery(ClassMetadata $targetEntity, $targetEntityP
                 $subselectConstraint = $subselectQuery->equals($propertyName, $this->operand);
                 break;
             case '!=':
+                /** @phpstan-ignore argument.type */
                 $subselectConstraint = $subselectQuery->logicalNot($subselectQuery->equals($propertyName, $this->operand));
                 break;
             case '<':
@@ -489,7 +484,7 @@ protected function getSubselectQuery(ClassMetadata $targetEntity, $targetEntityP
             default:
                 throw new \Exception(sprintf('Invalid operator "%s".', $this->operator), 1699025734);
         }
-
+        /** @phpstan-ignore argument.type */
         $subselectQuery->matching($subselectConstraint);
         return $subselectQuery;
     }

Neos.Flow/Classes/Security/Cryptography/HashService.php

@@ -72,8 +72,11 @@ public function injectSettings(array $settings)
      * @return string The hash of the string
      * @throws InvalidArgumentForHashGenerationException if something else than a string was given as parameter
      */
-    public function generateHmac(string $string): string
+    public function generateHmac($string)
     {
+        if (!is_string($string)) {
+            throw new InvalidArgumentForHashGenerationException('A hash can only be generated for a string, but "' . gettype($string) . '" was given.', 1255069587);
+        }
         return hash_hmac('sha1', $string, $this->getEncryptionKey());
     }
 
@@ -117,8 +120,11 @@ public function validateHmac($string, $hmac)
      * @throws InvalidHashException if the hash did not fit to the data.
      * @todo Mark as API once it is more stable
      */
-    public function validateAndStripHmac(string $string): string
+    public function validateAndStripHmac($string)
     {
+        if (!is_string($string)) {
+            throw new InvalidArgumentForHashGenerationException('A hash can only be validated for a string, but "' . gettype($string) . '" was given.', 1320829762);
+        }
         if (strlen($string) < 40) {
             throw new InvalidArgumentForHashGenerationException('A hashed string must contain at least 40 characters, the given string was only ' . strlen($string) . ' characters long.', 1320830276);
         }

Neos.Flow/Classes/Security/Cryptography/RsaWalletServiceInterface.php

@@ -54,7 +54,7 @@ public function registerPublicKeyFromString($publicKeyString);
      * @return OpenSslRsaKey The public key
      * @throws InvalidKeyPairIdException If the given fingerprint identifies no valid key pair
      */
-    public function getPublicKey(string $fingerprint): OpenSslRsaKey;
+    public function getPublicKey($fingerprint);
 
     /**
      * Decrypts the given cypher with the private key identified by the given fingerprint
@@ -67,7 +67,7 @@ public function getPublicKey(string $fingerprint): OpenSslRsaKey;
      * @throws InvalidKeyPairIdException If the given fingerprint identifies no valid keypair
      * @throws DecryptionNotAllowedException If the given fingerprint identifies a keypair for encrypted passwords
      */
-    public function decrypt(string $cypher, string $fingerprint): string;
+    public function decrypt($cypher, $fingerprint);
 
     /**
      * Signs the given plaintext with the private key identified by the given fingerprint
@@ -77,7 +77,7 @@ public function decrypt(string $cypher, string $fingerprint): string;
      * @return string The signature of the given plaintext
      * @throws InvalidKeyPairIdException If the given fingerprint identifies no valid keypair
      */
-    public function sign(string $plaintext, string $fingerprint): string;
+    public function sign($plaintext, $fingerprint);
 
     /**
      * Checks whether the given signature is valid for the given plaintext
@@ -88,7 +88,7 @@ public function sign(string $plaintext, string $fingerprint): string;
      * @param string $fingerprint The fingerprint to identify to correct public key
      * @return boolean true if the signature is correct for the given plaintext and public key
      */
-    public function verifySignature(string $plaintext, string $signature, string $fingerprint): bool;
+    public function verifySignature($plaintext, $signature, $fingerprint);
 
     /**
      * Encrypts the given plaintext with the public key identified by the given fingerprint
@@ -109,12 +109,14 @@ public function encryptWithPublicKey($plaintext, $fingerprint);
      * @param string $fingerprint The fingerprint to identify to correct private key
      * @return boolean true if the password is correct
      */
-    public function checkRSAEncryptedPassword(string $encryptedPassword, string $passwordHash, string $salt, string $fingerprint): bool;
+    public function checkRSAEncryptedPassword($encryptedPassword, $passwordHash, $salt, $fingerprint);
 
     /**
      * Destroys the keypair identified by the given fingerprint
      *
+     * @param string $fingerprint
+     * @return void
      * @throws InvalidKeyPairIdException If the given fingerprint identifies no valid key pair
      */
-    public function destroyKeypair(string $fingerprint): void;
+    public function destroyKeypair($fingerprint);
 }