Phpstan: Fix get parameter types

Prior to this change, type errors were thrown when invalid actorId/identityId parameters were passed.

This change makes these errors explicit by throwing 400 bad request errors.

Prior to this change, \Surfnet\StepupMiddleware\ApiBundle\Controller\RaCandidateController::search could receive `secondFactorTypes`, which could never be an array, yet the query expects an array.
This change ensures the query parameters for this property are read sa an array read.

Author: johanib

ci/qa/phpstan-baseline.neon

@@ -128,7 +128,7 @@
  *     http_method_override?: bool, // Set true to enable support for the '_method' request parameter to determine the intended HTTP method on POST requests. // Default: false
  *     allowed_http_method_override?: list<string>|null,
  *     trust_x_sendfile_type_header?: scalar|null, // Set true to enable support for xsendfile in binary file responses. // Default: "%env(bool:default::SYMFONY_TRUST_X_SENDFILE_TYPE_HEADER)%"
- *     ide?: scalar|null, // Default: null
+ *     ide?: scalar|null, // Default: "%env(default::SYMFONY_IDE)%"
  *     test?: bool,
  *     default_locale?: scalar|null, // Default: "en"
  *     set_locale_from_accept_language?: bool, // Whether to use the Accept-Language HTTP header to set the Request locale (only when the "_locale" request attribute is not passed). // Default: false
@@ -285,7 +285,7 @@
  *         paths?: array<string, scalar|null>,
  *         excluded_patterns?: list<scalar|null>,
  *         exclude_dotfiles?: bool, // If true, any files starting with "." will be excluded from the asset mapper. // Default: true
- *         server?: bool, // If true, a "dev server" will return the assets from the public directory (true in "debug" mode only by default). // Default: false
+ *         server?: bool, // If true, a "dev server" will return the assets from the public directory (true in "debug" mode only by default). // Default: true
  *         public_prefix?: scalar|null, // The public path where the assets will be written to (and served from when "server" is true). // Default: "/assets/"
  *         missing_import_mode?: "strict"|"warn"|"ignore", // Behavior if an asset cannot be found when imported from JavaScript or CSS files - e.g. "import './non-existent.js'". "strict" means an exception is thrown, "warn" means a warning is logged, "ignore" means the import is left as-is. // Default: "warn"
  *         extensions?: array<string, scalar|null>,
@@ -405,7 +405,7 @@
  *     },
  *     php_errors?: array{ // PHP errors handling configuration
  *         log?: mixed, // Use the application logger instead of the PHP logger for logging PHP errors. // Default: true
- *         throw?: bool, // Throw PHP errors as \ErrorException instances. // Default: false
+ *         throw?: bool, // Throw PHP errors as \ErrorException instances. // Default: true
  *     },
  *     exceptions?: array<string, array{ // Default: []
  *         log_level?: scalar|null, // The level of log message. Null to let Symfony decide. // Default: null
@@ -468,7 +468,7 @@
  *     scheduler?: bool|array{ // Scheduler configuration
  *         enabled?: bool, // Default: false
  *     },
- *     disallow_search_engine_index?: bool, // Enabled by default when debug is enabled. // Default: false
+ *     disallow_search_engine_index?: bool, // Enabled by default when debug is enabled. // Default: true
  *     http_client?: bool|array{ // HTTP Client configuration
  *         enabled?: bool, // Default: false
  *         max_host_connections?: int, // The maximum number of connections to a single host.
@@ -1112,8 +1112,8 @@
  *             platform_service?: scalar|null, // Deprecated: The "platform_service" configuration key is deprecated since doctrine-bundle 2.9. DBAL 4 will not support setting a custom platform via connection params anymore.
  *             auto_commit?: bool,
  *             schema_filter?: scalar|null,
- *             logging?: bool, // Default: false
- *             profiling?: bool, // Default: false
+ *             logging?: bool, // Default: true
+ *             profiling?: bool, // Default: true
  *             profiling_collect_backtrace?: bool, // Enables collecting backtraces when profiling is enabled // Default: false
  *             profiling_collect_schema_errors?: bool, // Enables collecting schema errors when profiling is enabled // Default: true
  *             disable_type_comments?: bool,
@@ -1252,7 +1252,7 @@
  *                     pool?: scalar|null,
  *                 },
  *                 region_lock_lifetime?: scalar|null, // Default: 60
- *                 log_enabled?: bool, // Default: false
+ *                 log_enabled?: bool, // Default: true
  *                 region_lifetime?: scalar|null, // Default: 3600
  *                 enabled?: bool, // Default: true
  *                 factory?: scalar|null,

config/reference.php

@@ -47,7 +47,7 @@ public function secondFactorAuditLog(Request $request, Institution $institution)
         $query->identityId = new IdentityId($identityId);
         $query->orderBy = $request->query->get('orderBy', $query->orderBy);
         $query->orderDirection = $request->query->get('orderDirection', $query->orderDirection);
-        $query->pageNumber = $request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
 
         $paginator = $this->auditLogService->searchSecondFactorAuditLog($query);
 

src/Surfnet/StepupMiddleware/ApiBundle/Controller/AuditLogController.php

@@ -58,7 +58,7 @@ public function collection(Request $request, Institution $institution): JsonColl
         $query->nameId = $request->query->get('NameID');
         $query->commonName = $request->query->get('commonName');
         $query->email = $request->query->get('email');
-        $query->pageNumber = (int)$request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
 
         $paginator = $this->identityService->search($query);
 

src/Surfnet/StepupMiddleware/ApiBundle/Controller/IdentityController.php

@@ -27,6 +27,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use function sprintf;
 
@@ -45,15 +46,27 @@ public function search(Request $request): JsonCollectionResponse
     {
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
-        $actorId = new IdentityId($request->query->get('actorId'));
+        $actorIdString = $request->query->get('actorId');
+        if (!is_string($actorIdString)) {
+            throw new BadRequestHttpException(sprintf('Invalid actorId "%s"', $actorIdString));
+        }
+        $actorId = new IdentityId($actorIdString);
+
+        $secondFactorTypes = $request->query->all('secondFactorTypes');
+        foreach ($secondFactorTypes as $type) {
+            if (!is_string($type)) {
+                throw new BadRequestHttpException(sprintf('Invalid secondFactorType "%s", string expected.', $type));
+            }
+        }
+        /** @var array<string> $secondFactorTypes */
 
         $query = new RaCandidateQuery();
         $query->institution = $request->query->get('institution');
         $query->commonName = $request->query->get('commonName');
         $query->email = $request->query->get('email');
-        $query->secondFactorTypes = $request->query->get('secondFactorTypes');
+        $query->secondFactorTypes = $secondFactorTypes;
         $query->raInstitution = $request->query->get('raInstitution');
-        $query->pageNumber = (int)$request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
 
         $query->authorizationContext = $this->authorizationService->buildSelectRaaInstitutionAuthorizationContext(
             $actorId,
@@ -73,9 +86,17 @@ public function get(Request $request): JsonResponse
     {
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
-        $actorId = new IdentityId($request->query->get('actorId'));
+        $actorIdString = $request->query->get('actorId');
+        if (!is_string($actorIdString)) {
+            throw new BadRequestHttpException(sprintf('Invalid actorId "%s"', $actorIdString));
+        }
+
+        $actorId = new IdentityId($actorIdString);
 
         $identityId = $request->query->get('identityId');
+        if (!is_string($identityId)) {
+            throw new BadRequestHttpException(sprintf('Invalid identityId "%s"', $identityId));
+        }
 
         $authorizationContext = $this->authorizationService->buildInstitutionAuthorizationContext(
             $actorId,

src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaCandidateController.php

@@ -22,13 +22,13 @@
 use Surfnet\Stepup\Identity\Value\Institution;
 use Surfnet\Stepup\Identity\Value\RegistrationAuthorityRole;
 use Surfnet\StepupMiddleware\ApiBundle\Authorization\Service\AuthorizationContextService;
-use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Entity\RaListing;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RaListingQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RaListingService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 class RaListingController extends AbstractController
@@ -43,8 +43,13 @@ public function get(Request $request, string $identityId): JsonResponse
     {
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
-        $actorId = new IdentityId($request->query->get('actorId'));
-        $institution = new Institution($request->query->get('institution'));
+        $actorIdString = $request->query->get('actorId');
+        if (!is_string($actorIdString)) {
+            throw new BadRequestHttpException(sprintf('Invalid actorId "%s"', $actorIdString));
+        }
+        $actorId = new IdentityId($actorIdString);
+
+        $institution = new Institution($request->query->getString('institution'));
 
         $authorizationContext = $this->authorizationService->buildInstitutionAuthorizationContext(
             $actorId,
@@ -71,7 +76,11 @@ public function search(Request $request): JsonCollectionResponse
     {
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_READ']);
 
-        $actorId = new IdentityId($request->query->get('actorId'));
+        $actorIdString = $request->query->get('actorId');
+        if (!is_string($actorIdString)) {
+            throw new BadRequestHttpException(sprintf('Invalid actorId "%s"', $actorIdString));
+        }
+        $actorId = new IdentityId($actorIdString);
 
         $query = new RaListingQuery();
 
@@ -99,9 +108,9 @@ public function search(Request $request): JsonCollectionResponse
             $query->raInstitution = $request->query->get('raInstitution');
         }
 
-        $query->pageNumber = (int)$request->query->get('p', 1);
-        $query->orderBy = $request->query->get('orderBy');
-        $query->orderDirection = $request->query->get('orderDirection');
+        $query->pageNumber = $request->query->getInt('p', 1);
+        $query->orderBy = $request->query->getString('orderBy');
+        $query->orderDirection = $request->query->getString('orderDirection');
         $query->authorizationContext = $this->authorizationService->buildInstitutionAuthorizationContext(
             $actorId,
             RegistrationAuthorityRole::raa(),

src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaListingController.php

@@ -53,7 +53,7 @@ public function get(Request $request): JsonResponse
     {
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
-        $raLocationId = new RaLocationId($request->query->get('raLocationId'));
+        $raLocationId = new RaLocationId($request->query->getString('raLocationId'));
         $raLocation = $this->raLocationService->findByRaLocationId($raLocationId);
 
         return new JsonResponse($raLocation);

src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaLocationController.php

@@ -27,6 +27,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 final class RaSecondFactorController extends AbstractController
 {
@@ -65,10 +66,15 @@ public function export(Request $request): JsonResponse
      */
     private function buildRaSecondFactorQuery(Request $request): RaSecondFactorQuery
     {
-        $actorId = new IdentityId($request->query->get('actorId'));
+        $actorIdString = $request->query->get('actorId');
+        if (!is_string($actorIdString)) {
+            throw new BadRequestHttpException(sprintf('Invalid actorId "%s"', $actorIdString));
+        }
+
+        $actorId = new IdentityId($actorIdString);
 
         $query = new RaSecondFactorQuery();
-        $query->pageNumber = (int)$request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
         $query->name = $request->query->get('name');
         $query->type = $request->query->get('type');
         $query->secondFactorId = $request->query->get('secondFactorId');

src/Surfnet/StepupMiddleware/ApiBundle/Controller/RaSecondFactorController.php

@@ -23,18 +23,19 @@
 use Surfnet\Stepup\Identity\Value\RecoveryTokenId;
 use Surfnet\Stepup\Identity\Value\RegistrationAuthorityRole;
 use Surfnet\StepupMiddleware\ApiBundle\Authorization\Service\AuthorizationContextService;
-use Surfnet\StepupMiddleware\ApiBundle\Controller\AbstractController;
 use Surfnet\StepupMiddleware\ApiBundle\Exception\NotFoundException;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\RecoveryTokenQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\RecoveryTokenService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
  * Exposes the Recovery Tokens projection through the
  * Middleware Identity (read) API
+ * @SuppressWarnings("PHPMD.CouplingBetweenObjects")
  */
 class RecoveryTokenController extends AbstractController
 {
@@ -71,7 +72,7 @@ public function collection(Request $request): JsonCollectionResponse
         $query->institution = $request->query->get('institution');
         $query->email = $request->query->get('email');
         $query->name = $request->query->get('name');
-        $query->pageNumber = (int)$request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
         $query->orderBy = $request->query->get('orderBy');
         $query->orderDirection = $request->query->get('orderDirection');
 
@@ -80,6 +81,9 @@ public function collection(Request $request): JsonCollectionResponse
         if (!in_array('ROLE_SS', $roles)) {
             $actorId = $request->query->get('actorId', $request->query->get('identityId'));
             $this->logger->info(sprintf('Executing query on behalf of %s', $actorId));
+            if (!is_string($actorId)) {
+                throw new BadRequestHttpException('Invalid actorId or identityId, string expected.');
+            }
             $actorId = new IdentityId($actorId);
             $query->authorizationContext = $this->authorizationService->buildInstitutionAuthorizationContext(
                 $actorId,

src/Surfnet/StepupMiddleware/ApiBundle/Controller/RecoveryTokenController.php

@@ -25,6 +25,7 @@
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Query\UnverifiedSecondFactorQuery;
 use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\SecondFactorService;
 use Surfnet\StepupMiddleware\ApiBundle\Response\JsonCollectionResponse;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
@@ -54,9 +55,16 @@ public function collection(Request $request): JsonCollectionResponse
         $this->denyAccessUnlessGrantedOneOff(['ROLE_RA', 'ROLE_SS', 'ROLE_READ']);
 
         $query = new UnverifiedSecondFactorQuery();
-        $query->identityId = new IdentityId($request->query->get('identityId'));
+
+        $identityIdString = $request->query->get('identityId');
+        if (!is_string($identityIdString)) {
+            throw new BadRequestException(sprintf('Invalid identityId "%s"', $identityIdString));
+        }
+
+        $query->identityId = new IdentityId($identityIdString);
+
         $query->verificationNonce = $request->query->get('verificationNonce');
-        $query->pageNumber = (int)$request->query->get('p', 1);
+        $query->pageNumber = $request->query->getInt('p', 1);
 
         $paginator = $this->secondFactorService->searchUnverifiedSecondFactors($query);