Apply phpstan level 6

src/Codebooks/MetadataPolicyOperatorsEnum.php

@@ -299,6 +299,7 @@ public static function validateGeneralParameterOperationRules(array $parameterOp
     }
 
     /**
+     * @param array<string,mixed> $parameterOperations
      * @throws \SimpleSAML\OpenID\Exceptions\MetadataPolicyException
      */
     public static function validateSpecificParameterOperationRules(array $parameterOperations): void
@@ -316,13 +317,13 @@ public static function validateSpecificParameterOperationRules(array $parameterO
 
             // No special resolving rules for operator 'value', continue with 'add'.
             if ($metadataPolicyOperatorEnum === MetadataPolicyOperatorsEnum::Add) {
-                /** @var array $operatorValue We ensured this is array. */
+                /** @var array<mixed> $operatorValue We ensured this is array. */
                 // If add is combined with subset_of, the values of add MUST be a subset of the values of
                 // subset_of.
                 if (
                     in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
                 ) {
-                    /** @var array $superset We ensured this is array. */
+                    /** @var array<mixed> $superset We ensured this is array. */
                     $superset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SubsetOf->value
                     ];
@@ -346,7 +347,7 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         true,
                     )
                 ) {
-                    /** @var array $subset We ensured this is array. */
+                    /** @var array<mixed> $subset We ensured this is array. */
                     $subset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SupersetOf->value
                     ];
@@ -366,7 +367,7 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                 if (
                     in_array(MetadataPolicyOperatorsEnum::OneOf->value, $parameterOperatorKeys, true)
                 ) {
-                    /** @var array $superset We ensured this is array. */
+                    /** @var array<mixed> $superset We ensured this is array. */
                     $superset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::OneOf->value
                     ];
@@ -386,7 +387,7 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                 if (
                     in_array(MetadataPolicyOperatorsEnum::SubsetOf->value, $parameterOperatorKeys, true)
                 ) {
-                    /** @var array $superset We ensured this is array. */
+                    /** @var array<mixed> $superset We ensured this is array. */
                     $superset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SubsetOf->value
                     ];
@@ -410,7 +411,7 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         true,
                     )
                 ) {
-                    /** @var array $subset We ensured this is array. */
+                    /** @var array<mixed> $subset We ensured this is array. */
                     $subset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SupersetOf->value
                     ];
@@ -440,7 +441,7 @@ public static function validateSpecificParameterOperationRules(array $parameterO
                         true,
                     )
                 ) {
-                    /** @var array $subset We ensured this is array. */
+                    /** @var array<mixed> $subset We ensured this is array. */
                     $subset = $parameterOperations[
                     MetadataPolicyOperatorsEnum::SupersetOf->value
                     ];

src/Federation/EntityStatement.php

@@ -81,7 +81,7 @@ public function getExpirationTime(): int
 
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
-     * @return array[]
+     * @return array{keys:array<array<string,mixed>>}
      * @psalm-suppress MixedReturnTypeCoercion
      */
     public function getJwks(): array
@@ -98,6 +98,12 @@ public function getJwks(): array
             throw new JwsException('Invalid JWKS encountered: ' . var_export($jwks, true));
         }
 
+        $jwks[ClaimsEnum::Keys->value] = array_map(
+            $this->helpers->arr()->ensureStringKeys(...),
+            $jwks[ClaimsEnum::Keys->value],
+        );
+
+        /** @var array{keys:array<array<string,mixed>>} $jwks */
         return $jwks;
     }
 
@@ -153,6 +159,7 @@ public function getAuthorityHints(): ?array
     }
 
     /**
+     * @return ?array<string,mixed>
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
      */
@@ -172,12 +179,13 @@ public function getMetadata(): ?array
             throw new EntityStatementException('Invalid Metadata claim.');
         }
 
-        return $metadata;
+        return $this->helpers->arr()->ensureStringKeys($metadata);
     }
 
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\EntityStatementException
+     * @phpstan-ignore missingType.iterableValue (We will ensure proper format in policy resolver.)
      */
     public function getMetadataPolicy(): ?array
     {
@@ -273,6 +281,7 @@ public function isConfiguration(): bool
 
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
+     * @phpstan-ignore missingType.iterableValue (Format is validated later.)
      */
     public function verifyWithKeySet(?array $jwks = null, int $signatureIndex = 0): void
     {

src/Federation/EntityStatement/TrustMarkClaim.php

@@ -59,6 +59,9 @@ public function getTrustMark(): TrustMark
         return $this->trustMark;
     }
 
+    /**
+     * @return array<string,mixed>
+     */
     public function getOtherClaims(): array
     {
         return $this->otherClaims;

src/Federation/MetadataPolicyApplicator.php

@@ -17,26 +17,24 @@ public function __construct(
     }
 
     /**
-     * @param array $resolvedMetadataPolicy Resolved (validated) metadata policy.
+     * @param array<string,array<string,mixed>> $resolvedMetadataPolicy Resolved (validated) metadata policy.
+     * @param array<string,mixed> $metadata
+     * @return array<string,mixed> Metadata with applied policies.
      * @throws \SimpleSAML\OpenID\Exceptions\MetadataPolicyException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      */
     public function for(
         array $resolvedMetadataPolicy,
         array $metadata,
     ): array {
-        /**
-         * @var string $policyParameterName
-         * @var array<string,mixed> $policyOperations
-         */
         foreach ($resolvedMetadataPolicy as $policyParameterName => $policyOperations) {
             foreach (MetadataPolicyOperatorsEnum::cases() as $metadataPolicyOperatorEnum) {
                 if (!array_key_exists($metadataPolicyOperatorEnum->value, $policyOperations)) {
                     continue;
                 }
                 /** @psalm-suppress MixedAssignment */
                 $operatorValue = $policyOperations[$metadataPolicyOperatorEnum->value];
-                /** @psalm-suppress MixedAssignment */
+                /** @psalm-suppress MixedAssignment, MixedArgumentTypeCoercion */
                 $metadataParameterValueBeforePolicy = $this->resolveParameterValueBeforePolicy(
                     $metadata,
                     $policyParameterName,
@@ -99,7 +97,7 @@ public function for(
                         $policyParameterName,
                     );
 
-                    /** @var array $operatorValue */
+                    /** @var array<mixed> $operatorValue Set bc of phpstan */
                     if (!in_array($metadataParameterValueBeforePolicy, $operatorValue, true)) {
                         throw new MetadataPolicyException(
                             sprintf(
@@ -152,7 +150,7 @@ public function for(
                         $policyParameterName,
                     );
 
-                    /** @var array $operatorValue */
+                    /** @var array<mixed> $operatorValue  Set bc of phpstan */
                     if (
                         !$metadataPolicyOperatorEnum->isValueSupersetOf(
                             $metadataParameterValueBeforePolicy,
@@ -190,9 +188,13 @@ public function for(
             }
         }
 
+        /** @var array<string,mixed> $metadata */
         return $metadata;
     }
 
+    /**
+     * @param array<string,mixed> $metadata
+     */
     protected function resolveParameterValueBeforePolicy(array $metadata, string $parameter): mixed
     {
         /** @psalm-suppress MixedAssignment */

src/Federation/MetadataPolicyResolver.php

@@ -20,6 +20,7 @@ public function __construct(
      * @return array<string,array<string,array<string,mixed>>>
      * @throws \SimpleSAML\OpenID\Exceptions\MetadataPolicyException
      * @psalm-suppress MixedAssignment
+     * @phpstan-ignore missingType.iterableValue (We validate it here)
      */
     public function ensureFormat(array $metadataPolicies): array
     {
@@ -55,7 +56,7 @@ public function ensureFormat(array $metadataPolicies): array
     /**
      * @param array<array<string,array<string,array<string,mixed>>>> $metadataPolicies
      * @param string[] $criticalMetadataPolicyOperators
-     *
+     * @return array<string,array<string,mixed>>
      * @throws \SimpleSAML\OpenID\Exceptions\MetadataPolicyException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
      */
@@ -72,6 +73,7 @@ public function for(
             /** @psalm-suppress MixedAssignment We'll check if $nextPolicy is array type. */
             if (
                 (!array_key_exists($entityTypeEnum->value, $metadataPolicy)) ||
+                /** @phpstan-ignore booleanNot.alwaysFalse (Let's check for validity here.) */
                 (!is_array($nextPolicy = $metadataPolicy[$entityTypeEnum->value]))
             ) {
                 continue;

src/Federation/RequestObject.php

@@ -66,20 +66,22 @@ public function getExpirationTime(): int
     }
 
     /**
+     * @return ?string[]
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\RequestObjectException
      */
     public function getTrustChain(): ?array
     {
+        $claimKey = ClaimsEnum::TrustChain->value;
         /** @psalm-suppress MixedAssignment */
-        $trustChain = $this->getPayloadClaim(ClaimsEnum::TrustChain->value) ?? null;
+        $trustChain = $this->getPayloadClaim($claimKey) ?? null;
 
         if (is_null($trustChain)) {
             return null;
         }
 
         if (is_array($trustChain)) {
-            return $trustChain;
+            return $this->ensureNonEmptyStrings($trustChain, $claimKey);
         }
 
         throw new RequestObjectException(

src/Federation/TrustChain.php

@@ -43,14 +43,14 @@ class TrustChain implements JsonSerializable
     /**
      * Resolved metadata policy per entity type.
      *
-     * @var array[]
+     * @var array<string,array<string,array<string,mixed>>>
      */
     protected array $resolvedMetadataPolicy = [];
 
     /**
      * Resolved metadata (after applying resolved policy) per entity type.
      *
-     * @var array<string,null|array>
+     * @var array<string,null|array<string,mixed>>
      */
     protected array $resolvedMetadata = [];
 
@@ -122,6 +122,7 @@ public function getResolvedTrustAnchor(): EntityStatement
     }
 
     /**
+     * @return ?array<string,mixed>
      * @throws \SimpleSAML\OpenID\Exceptions\TrustChainException
      * @throws \SimpleSAML\OpenID\Exceptions\JwsException
      * @throws \SimpleSAML\OpenID\Exceptions\OpenIdException
@@ -433,17 +434,22 @@ protected function resolveMetadataFor(EntityTypesEnum $entityTypeEnum): void
         // to it.
         /** @psalm-suppress RiskyTruthyFalsyComparison */
         if (empty($this->resolvedMetadataPolicy[$entityTypeEnum->value])) {
+            /** @var array<string,mixed> $leafMetadataEntityType */
             $this->resolvedMetadata[$entityTypeEnum->value] = $leafMetadataEntityType;
             return;
         }
 
         // Policy application to leaf metadata.
+        /** @var array<string,mixed> $leafMetadataEntityType */
         $this->resolvedMetadata[$entityTypeEnum->value] = $this->metadataPolicyApplicator->for(
             $this->resolvedMetadataPolicy[$entityTypeEnum->value],
             $leafMetadataEntityType,
         );
     }
 
+    /**
+     * @return \SimpleSAML\OpenID\Federation\EntityStatement[]
+     */
     public function getEntities(): array
     {
         return $this->entities;

src/Federation/TrustChainResolver.php

@@ -288,6 +288,7 @@ public function for(string $entityId, array $validTrustAnchorIds): TrustChainBag
 
     /**
      * @throws \SimpleSAML\OpenID\Exceptions\TrustChainException
+     * @phpstan-ignore missingType.iterableValue (We validate it here)
      */
     protected function validateStart(string $entityId, array $validTrustAnchorIds): void
     {

src/Helpers/Arr.php

@@ -8,6 +8,9 @@
 
 class Arr
 {
+    /**
+     * @phpstan-ignore missingType.iterableValue (We can handle mixed type)
+     */
     public function ensureArrayDepth(array &$array, int|string ...$keys): void
     {
         if (count($keys) > 99) {
@@ -30,6 +33,7 @@ public function ensureArrayDepth(array &$array, int|string ...$keys): void
 
     /**
      * @return array<string,mixed>
+     * @phpstan-ignore missingType.iterableValue (We can handle mixed type)
      */
     public function ensureStringKeys(array $array): array
     {

src/Helpers/Url.php

@@ -14,6 +14,7 @@ public function isValid(string $url): bool
 
     /**
      * Add (new) params to URL while preserving existing ones (if any).
+     * @param array<string,mixed> $params
      */
     public function withParams(string $url, array $params): string
     {

src/Jwks/Factories/JwksFactory.php

@@ -9,6 +9,9 @@
 
 class JwksFactory
 {
+    /**
+     * @phpstan-ignore missingType.iterableValue (JWKS array is validated later)
+     */
     public function fromKeyData(array $jwks): JwksDecorator
     {
         return new JwksDecorator(JWKSet::createFromKeyData($jwks));

src/Jwks/JwksDecorator.php

@@ -20,6 +20,10 @@ public function jwks(): JWKSet
         return $this->jwks;
     }
 
+    /**
+     * @return array{keys:array<array<string,mixed>>}
+     * @psalm-suppress MixedReturnTypeCoercion, MixedReturnTypeCoercion
+     */
     public function jsonSerialize(): array
     {
         return [

src/Jwks/JwksFetcher.php

@@ -31,7 +31,7 @@ public function __construct(
     }
 
     /**
-     * @return array{keys:array <string,mixed>}
+     * @return array{keys:array<array<string,mixed>>}
      * @throws \SimpleSAML\OpenID\Exceptions\JwksException
      */
     protected function decodeJwksJson(string $jwksJson): array
@@ -63,8 +63,12 @@ protected function decodeJwksJson(string $jwksJson): array
             throw new JwksException($message);
         }
 
-        $jwks[ClaimsEnum::Keys->value] = $this->helpers->arr()->ensureStringKeys($jwks[ClaimsEnum::Keys->value]);
-        /** @var array{keys:array<string,mixed>} $jwks */
+        $jwks[ClaimsEnum::Keys->value] = array_map(
+            $this->helpers->arr()->ensureStringKeys(...),
+            $jwks[ClaimsEnum::Keys->value],
+        );
+
+        /** @var array{keys:array<array<string,mixed>>} $jwks */
         return $jwks;
     }