Merge branch 'main' into fix/823/filter-unsupported-jwks-keys

Author: strobelpierre

.github/workflows/psalm.yml

@@ -6,35 +6,102 @@
 # SPDX-FileCopyrightText: 2022-2024 Nextcloud GmbH and Nextcloud contributors
 # SPDX-License-Identifier: MIT
 
-name: Static analysis
+name: Psalm Static analysis
 
-on: pull_request
+on:
+  pull_request:
+    paths:
+      - .github/workflows/psalm.yml
+      - appinfo/**
+      - composer.*
+      - lib/**
+      - templates/**
+      - tests/**
+  push:
+    branches:
+      - main
+      - stable*
+      - test
+    paths:
+      - .github/workflows/psalm.yml
+      - appinfo/**
+      - composer.*
+      - lib/**
+      - templates/**
+      - tests/**
 
 concurrency:
   group: psalm-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
+  matrix:
+    runs-on: ubuntu-latest-low
+    outputs:
+      ocp-matrix: ${{ steps.versions.outputs.ocp-matrix }}
+    steps:
+      - name: Checkout app
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Get version matrix
+        id: versions
+        uses: icewind1991/nextcloud-version-matrix@58becf3b4bb6dc6cef677b15e2fd8e7d48c0908f # v1.3.1
+
+      - name: Check enforcement of minimum PHP version ${{ steps.versions.outputs.php-min }} in psalm.xml
+        run: grep 'phpVersion="${{ steps.versions.outputs.php-min }}' psalm.xml
+
   static-analysis:
     runs-on: ubuntu-latest
+    needs: matrix
+    strategy:
+      # do not stop on another job's failure
+      fail-fast: false
+      matrix: ${{ fromJson(needs.matrix.outputs.ocp-matrix) }}
 
-    name: static-psalm-analysis
+    name: static-psalm-analysis ${{ matrix.ocp-version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-      - name: Set up php8.2
+      - name: Set up php${{ matrix.php-min }}
         uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2.36.0
         with:
-          php-version: 8.2
+          php-version: ${{ matrix.php-min }}
           extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
           coverage: none
           ini-file: development
+          # Temporary workaround for missing pcntl_* in PHP 8.3
+          ini-values: disable_functions=
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install dependencies
-        run: composer i
+        run: |
+          composer remove nextcloud/ocp --dev
+          composer i
+
+
+      - name: Install dependencies # zizmor: ignore[template-injection]
+        run: composer require --dev 'nextcloud/ocp:${{ matrix.ocp-version }}' --ignore-platform-reqs --with-dependencies
 
       - name: Run coding standards check
-        run: composer run psalm
+        run: composer run psalm -- --threads=1 --monochrome --no-progress --output-format=github
+
+  summary:
+    runs-on: ubuntu-latest-low
+    needs: static-analysis
+
+    if: always()
+
+    name: static-psalm-analysis-summary
+
+    steps:
+      - name: Summary status
+        run: if ${{ needs.static-analysis.result != 'success' }}; then exit 1; fi

.gitignore

@@ -3,7 +3,7 @@
 .idea
 *.iml
 /js
-/vendor/
+vendor/
 /build/
 node_modules/
 /.php_cs.cache

REUSE.toml

@@ -18,7 +18,7 @@ SPDX-FileCopyrightText = "2020 Nextcloud GmbH and Nextcloud contributors"
 SPDX-License-Identifier = "AGPL-3.0-or-later"
 
 [[annotations]]
-path = ["tests/integration/config/realm-export.json", "vendor-bin/mozart/composer.json", "vendor-bin/mozart/composer.lock"]
+path = ["tests/integration/config/realm-export.json", "vendor-bin/mozart/composer.json", "vendor-bin/mozart/composer.lock", "vendor-bin/psalm/composer.json", "vendor-bin/psalm/composer.lock"]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2021 Nextcloud GmbH and Nextcloud contributors"
 SPDX-License-Identifier = "AGPL-3.0-or-later"

composer.json

@@ -14,9 +14,9 @@
     "cs:check": "php-cs-fixer fix --dry-run --diff",
     "lint": "find . -name \\*.php ! -path './vendor/*' ! -path './vendor-bin/*' ! -path './lib/Vendor/*' -exec php -l \"{}\" \\;",
     "test:unit": "phpunit -c tests/phpunit.xml",
-    "psalm": "psalm.phar --no-cache",
-    "psalm:update-baseline": "psalm.phar --threads=1 --update-baseline",
-    "psalm:update-baseline:force": "psalm.phar --threads=1 --update-baseline --set-baseline=tests/psalm-baseline.xml",
+    "psalm": "psalm --no-cache",
+    "psalm:update-baseline": "psalm --threads=1 --update-baseline",
+    "psalm:update-baseline:force": "psalm --threads=1 --update-baseline --set-baseline=tests/psalm-baseline.xml",
     "post-install-cmd": [
       "@composer bin all install --ansi",
       "\"vendor/bin/mozart\" compose",
@@ -37,7 +37,6 @@
     "nextcloud/coding-standard": "^1.0.0",
     "symfony/event-dispatcher": "^4",
     "nextcloud/ocp": "dev-stable29",
-    "psalm/phar": "^6",
     "phpunit/phpunit": "^10"
   },
   "extra": {
@@ -50,6 +49,11 @@
             "firebase/php-jwt"
         ],
         "delete_vendor_directories": true
-    }
+    },
+	"bamarni-bin": {
+		"bin-links": true,
+		"target-directory": "vendor-bin",
+		"forward-command": true
+	}
   }
 }

composer.lock

@@ -178,6 +178,8 @@ protected function configure() {
 			->addArgument('identifier', InputArgument::OPTIONAL, 'Administrative identifier name of the provider in the setup')
 			->addOption('clientid', 'c', InputOption::VALUE_REQUIRED, 'OpenID client identifier')
 			->addOption('clientsecret', 's', InputOption::VALUE_REQUIRED, 'OpenID client secret')
+			->addOption('clientsecret-file', null, InputOption::VALUE_REQUIRED, 'File that contains the OpenID client secret')
+			->addOption('clientsecret-env', null, InputOption::VALUE_REQUIRED, 'Environment variable that contains the OpenID client secret')
 			->addOption('discoveryuri', 'd', InputOption::VALUE_REQUIRED, 'OpenID discovery endpoint uri')
 			->addOption('endsessionendpointuri', 'e', InputOption::VALUE_REQUIRED, 'OpenID end session endpoint uri')
 			->addOption('postlogouturi', 'p', InputOption::VALUE_REQUIRED, 'Post logout URI')
@@ -192,10 +194,15 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 		$outputFormat = $input->getOption('output') ?? 'table';
 
 		$identifier = $input->getArgument('identifier');
-		$clientid = $input->getOption('clientid');
-		$clientsecret = $input->getOption('clientsecret');
-		if ($clientsecret !== null) {
-			$clientsecret = $this->crypto->encrypt($clientsecret);
+		$clientId = $input->getOption('clientid');
+		$clientSecret = $input->getOption('clientsecret');
+		$clientSecretFile = $input->getOption('clientsecret-file');
+		$clientSecretEnv = $input->getOption('clientsecret-env');
+		try {
+			$clientSecret = $this->getClientSecretInput($clientSecret, $clientSecretFile, $clientSecretEnv, $output);
+		} catch (\Exception $e) {
+			$output->writeln($e->getMessage());
+			return 1;
 		}
 		$discoveryuri = $input->getOption('discoveryuri');
 		$endsessionendpointuri = $input->getOption('endsessionendpointuri');
@@ -218,7 +225,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			try {
 				$provider = $this->providerMapper->findProviderByIdentifier($identifier);
 			} catch (DoesNotExistException $e) {
-				$output->writeln('Provider not found');
+				$output->writeln('<error>Provider not found</error>');
 				return -1;
 			}
 			$provider = $this->providerService->getProviderWithSettings($provider->getId());
@@ -250,7 +257,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 		}
 		try {
 			$provider = $this->providerMapper->createOrUpdateProvider(
-				$identifier, $clientid, $clientsecret, $discoveryuri, $scope, $endsessionendpointuri, $postLogoutUri
+				$identifier, $clientId, $clientSecret, $discoveryuri, $scope, $endsessionendpointuri, $postLogoutUri
 			);
 			// invalidate JWKS cache (even if it was just created)
 			$this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE, '');
@@ -287,7 +294,7 @@ private function listProviders(InputInterface $input, OutputInterface $output) {
 		}
 
 		if (count($providers) === 0) {
-			$output->writeln('No providers configured');
+			$output->writeln('<error>No providers configured</error>');
 			return 0;
 		}
 
@@ -306,4 +313,40 @@ private function listProviders(InputInterface $input, OutputInterface $output) {
 		$table->render();
 		return 0;
 	}
+
+	private function getClientSecretInput(
+		?string $clientSecret, ?string $clientSecretFile, ?string $clientSecretEnv, OutputInterface $output,
+	): ?string {
+		if (
+			($clientSecret !== null && $clientSecretFile !== null)
+			|| ($clientSecret !== null && $clientSecretEnv !== null)
+			|| ($clientSecretFile !== null && $clientSecretEnv !== null)
+		) {
+			throw new \Exception('<comment>Only one of "--clientsecret", "--clientsecret-file" or "--clientsecret-env" can be used.</comment>');
+		}
+		if ($clientSecret !== null) {
+			return $this->crypto->encrypt($clientSecret);
+		}
+		if ($clientSecretFile !== null) {
+			$clientSecret = file_get_contents($clientSecretFile);
+			if (is_string($clientSecret) && $clientSecret !== '') {
+				$output->writeln('<info>Client secret loaded from file "' . $clientSecretFile . '"</info>');
+				$clientSecret = trim($clientSecret);
+				return $this->crypto->encrypt($clientSecret);
+			} else {
+				throw new \Exception('<error>Client secret file "' . $clientSecretFile . '" could not be read or is empty</error>');
+			}
+		}
+		if ($clientSecretEnv !== null) {
+			$clientSecret = getenv($clientSecretEnv);
+			if (is_string($clientSecret) && $clientSecret !== '') {
+				$output->writeln('<info>Client secret loaded from environment variable "' . $clientSecretEnv . '"</info>');
+				$clientSecret = trim($clientSecret);
+				return $this->crypto->encrypt($clientSecret);
+			} else {
+				throw new \Exception('<error>Client secret environment variable "' . $clientSecretEnv . '" could not be read or is empty</error>');
+			}
+		}
+		return null;
+	}
 }

lib/Command/UpsertProvider.php

@@ -0,0 +1,13 @@
+{
+	"require": {
+		"php": "^8.2 || ^8.3 || ^8.4 || ^8.5"
+	},
+	"require-dev": {
+		"vimeo/psalm": "^6.10.0"
+	},
+	"config": {
+		"platform": {
+			"php": "8.2.27"
+		}
+	}
+}