@@ -50,10 +50,10 @@ class Negotiate extends Auth\Source
5050 /** @var string|integer|null */
5151 protected $ spn = null ;
5252
53- /** @var array |null */
53+ /** @var string[] |null */
5454 protected ?array $ subnet = null ;
5555
56- /** @var array */
56+ /** @var string[] */
5757 private array $ realms ;
5858
5959 /** @var string[] */
@@ -66,8 +66,8 @@ class Negotiate extends Auth\Source
6666 /**
6767 * Constructor for this authentication source.
6868 *
69- * @param array $info Information about this authentication source.
70- * @param array $config The configuration of the module
69+ * @param array<mixed> $info Information about this authentication source.
70+ * @param array<mixed> $config The configuration of the module
7171 *
7272 * @throws \Exception If the KRB5 extension is not installed or active.
7373 */
@@ -101,7 +101,7 @@ public function __construct(array $info, array $config)
101101 *
102102 * LDAP is used as a user metadata source.
103103 *
104- * @param array &$state Information about the current authentication.
104+ * @param array<mixed> &$state Information about the current authentication.
105105 */
106106 public function authenticate (array &$ state ): void
107107 {
@@ -151,7 +151,7 @@ public function authenticate(array &$state): void
151151 Logger::debug ('Negotiate - authenticate(): No "Negotiate" found. Skipping. ' );
152152 } else {
153153 // attempt Kerberos authentication
154- $ reply = null ;
154+ $ reply = $ auth = null ;
155155
156156 try {
157157 if (version_compare (phpversion ('krb5 ' ), '1.1.6 ' , '< ' )) {
@@ -178,7 +178,7 @@ public function authenticate(array &$state): void
178178 }
179179 }
180180
181- if (!$ auth ->isChannelBound ()) {
181+ if ($ auth === null || !$ auth ->isChannelBound ()) {
182182 throw new Error \Exception (
183183 'Negotiate - authenticate(): Failed to perform channel binding using '
184184 . 'any of the configured certificate hashes. ' ,
@@ -189,15 +189,13 @@ public function authenticate(array &$state): void
189189 Logger::error ('Negotiate - authenticate(): doAuthentication() exception: ' . $ e ->getMessage ());
190190 }
191191
192- if ($ reply ) {
192+ if ($ reply && $ auth !== null ) {
193193 // success! krb TGS received
194- /** @psalm-var \KRB5NegotiateAuth $auth */
195194 $ userPrincipalName = $ auth ->getAuthenticatedUser ();
196195 Logger::info ('Negotiate - authenticate(): ' . $ userPrincipalName . ' authenticated. ' );
197196
198197 // Search for the corresponding realm and set current variables
199198 @list ($ uid , $ realmName ) = preg_split ('/@/ ' , $ userPrincipalName , 2 );
200- /** @psalm-var string $realmName */
201199 Assert::notNull ($ realmName );
202200
203201 // Use the correct realm
@@ -279,7 +277,7 @@ private function doAuthentication(KRB5NegotiateAuth $auth, ?string $hash = null)
279277
280278
281279 /**
282- * @param array $spMetadata
280+ * @param array<mixed> $spMetadata
283281 * @return bool
284282 */
285283 public function spDisabledInMetadata (array $ spMetadata ): bool
@@ -330,7 +328,7 @@ public function checkMask(): bool
330328 * Send the actual headers and body of the 401. Embedded in the body is a post that is triggered by JS if the client
331329 * wants to show the 401 message.
332330 *
333- * @param array $params additional parameters to the URL in the URL in the body.
331+ * @param array<mixed> $params additional parameters to the URL in the URL in the body.
334332 */
335333 protected function sendNegotiate (array $ params ): void
336334 {
@@ -351,7 +349,7 @@ protected function sendNegotiate(array $params): void
351349 /**
352350 * Passes control of the login process to a different module.
353351 *
354- * @param array $state Information about the current authentication.
352+ * @param array<mixed> $state Information about the current authentication.
355353 *
356354 * @throws \SimpleSAML\Error\Error If couldn't determine the auth source.
357355 * @throws \SimpleSAML\Error\Exception
@@ -364,7 +362,6 @@ public static function fallBack(array &$state): void // never
364362 throw new Error \Error ([500 , "Unable to determine auth source. " ]);
365363 }
366364
367- /** @psalm-var \SimpleSAML\Auth\Source|null $source */
368365 $ source = Auth \Source::getById ($ authId );
369366 if ($ source === null ) {
370367 throw new Exception ('Could not find authentication source with id ' . $ state [self ::AUTHID ]);
@@ -390,13 +387,12 @@ public static function fallBack(array &$state): void // never
390387 *
391388 * @param string $uid The user identifier.
392389 *
393- * @return array|null The attributes for the user or NULL if not found.
390+ * @return array<mixed> |null The attributes for the user or NULL if not found.
394391 */
395392 protected function lookupUserData (string $ uid ): ?array
396393 {
397394 /**
398395 * @var \SimpleSAML\Module\ldap\Auth\Source\Ldap|null $source
399- * @psalm-var string $this->backend - We only reach this method when $this->backend is set
400396 */
401397 $ source = Auth \Source::getById ($ this ->backend );
402398 if ($ source === null ) {
@@ -418,7 +414,7 @@ protected function lookupUserData(string $uid): ?array
418414 * This method either logs the user out from Negotiate or passes the
419415 * logout call to the fallback module.
420416 *
421- * @param array &$state Information about the current logout operation.
417+ * @param array<mixed> &$state Information about the current logout operation.
422418 */
423419 public function logout (array &$ state ): void
424420 {
@@ -431,7 +427,6 @@ public function logout(array &$state): void
431427 $ session ->setData ('negotiate:disable ' , 'session ' , true , 24 * 60 * 60 );
432428 parent ::logout ($ state );
433429 } else {
434- /** @psalm-var \SimpleSAML\Module\negotiate\Auth\Source\Negotiate|null $source */
435430 $ source = Auth \Source::getById ($ authId );
436431 if ($ source === null ) {
437432 throw new Exception ('Could not find authentication source with id ' . $ state [self ::AUTHID ]);
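Review bot: In the success branch of authenticate() (new lines 192-199) the authenticated principal is still split with `@list($uid, $realmName) = preg_split('/@/', $userPrincipalName, 2);`, so a principal with no realm part is caught only by `Assert::notNull($realmName)`, and an empty `$uid` or an empty realm is not caught at all. Since this commit drops the `@psalm-var string $realmName` hint, I would make the check explicit and remove the `@` suppression: `$parts = explode('@', $userPrincipalName, 2);` followed by `if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') { throw new Error\Exception('Negotiate - authenticate(): malformed principal.'); }`. The assertion appears to sit after the try/catch that closes at line 190, so a failure here would presumably surface as an unhandled assertion error rather than through the logged path used for other Kerberos failures. The rest of the branch lies outside the hunk, so confirm how `$uid` and `$realmName` are used afterwards before settling on throw versus fallback.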