Merge pull request #41 from itk-dev/release/5.0.0

release: 5.0.0

Author: turegjorup

.github/workflows/composer.yaml

@@ -80,4 +80,5 @@ jobs:
           docker network create frontend
 
       - run: |
+          docker compose run --rm phpfpm composer install
           docker compose run --rm phpfpm composer audit

.gitignore

@@ -18,3 +18,6 @@ var
 .php-cs-fixer.cache
 .phpunit.cache
 unit.xml
+
+# Local Claude Code instructions (not part of the published package)
+/CLAUDE.md

.markdownlintignore

@@ -10,3 +10,5 @@ web/*.md
 web/core/
 web/libraries/
 web/*/contrib/
+# Claude Code guidance — verbose narrative prose, intentionally long lines.
+CLAUDE.md

CHANGELOG.md

@@ -7,6 +7,59 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [5.0.0] - 2026-06-02
+
+### Changed (BREAKING)
+
+- **Exception hierarchy reworked.** Every exception thrown from a public
+  method now implements `OpenIdConnectBundleExceptionInterface` (which
+  extends `\ItkDev\OpenIdConnect\Exception\OpenIdConnectExceptionInterface`
+  from the upstream library). Concrete exceptions now extend the SPL type
+  that best describes the failure category (`\RuntimeException`,
+  `\InvalidArgumentException`); they no longer extend
+  `ItkOpenIdConnectBundleException`. Consumers catching the abstract base
+  must migrate to `OpenIdConnectBundleExceptionInterface` — the abstract
+  class is kept for this release as a documented alias and is
+  `@deprecated`, but `catch (ItkOpenIdConnectBundleException $e)` blocks
+  will no longer match any concrete thrown by the bundle.
+- Bumped `itk-dev/openid-connect` requirement to `^5.0` for the matching
+  upstream contract.
+- `OpenIdLoginAuthenticator::validateClaims` now catches on the marker
+  interface (`OpenIdConnectExceptionInterface`) instead of the deprecated
+  upstream abstract. The `$previous`-chain behaviour is preserved.
+- `LoginController::login` catches on the marker interface before mapping
+  to `ServiceUnavailableHttpException`. No consumer-visible behaviour
+  change.
+
+### Added
+
+- `ItkDev\OpenIdConnectBundle\Exception\OpenIdConnectBundleExceptionInterface`
+  marker for catching all bundle-thrown OIDC failures.
+- Custom PHPStan rules (`ThrownExceptionImplementsBundleMarker`,
+  `WrappedExceptionChainsPrevious`) that lock the exception contract on every
+  CI run — thrown exceptions must implement the marker (with documented
+  controller/authenticator carve-outs), and wraps inside a catch must chain
+  the caught cause as `$previous`.
+- `UPGRADE-5.0.md` migration guide for consumers.
+
+### Changed
+
+- Hardened static analysis. PHPStan now analyses `tests/` in addition to
+  `src/`, runs the strict, deprecation, PHPUnit and Symfony rule packs, and
+  requires a comment on every ignore (`reportIgnoresWithoutComments`). Pinned
+  `phpstan/phpstan` to `^2.1.41`. No public-API or behavioural change.
+
+### Deprecated
+
+- `ItkDev\OpenIdConnectBundle\Exception\ItkOpenIdConnectBundleException`
+  abstract class (catch `OpenIdConnectBundleExceptionInterface` instead).
+  Will be removed in 6.0.
+
+### Fixed
+
+- Tests build real `Request` instances instead of stubbing `Request`, which
+  fails under Symfony 8.1 (where `InputBag` is `final`) with recent PHPUnit.
+
 ## [4.2.0] - 2026-05-11
 
 ### Added
@@ -154,7 +207,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   `itk-dev/openid-connect` 1.0.0 to 2.1.0
 - OpenId Connect Bundle: Added CLI login feature.
 
-[unreleased]: https://github.com/itk-dev/openid-connect-bundle/compare/4.2.0...HEAD
+[unreleased]: https://github.com/itk-dev/openid-connect-bundle/compare/5.0.0...HEAD
+[5.0.0]: https://github.com/itk-dev/openid-connect-bundle/compare/4.2.0...5.0.0
 [4.2.0]: https://github.com/itk-dev/openid-connect-bundle/compare/4.1.0...4.2.0
 [4.1.0]: https://github.com/itk-dev/openid-connect-bundle/compare/4.0.1...4.1.0
 [4.0.1]: https://github.com/itk-dev/openid-connect-bundle/compare/4.0.0...4.0.1

UPGRADE-5.0.md

@@ -0,0 +1,78 @@
+# Upgrading from 4.x to 5.0
+
+5.0 reworks the bundle's exception hierarchy onto a marker interface and
+bumps the `itk-dev/openid-connect` requirement to `^5.0`. Runtime behaviour
+is unchanged — this document covers the consumer-visible API changes you'll
+need to adjust catch blocks for.
+
+See the architecture decision in
+[docs/adr/001-marker-interface-exception-hierarchy.md](docs/adr/001-marker-interface-exception-hierarchy.md).
+
+## Catch the marker interface, not the abstract
+
+Concrete bundle exceptions no longer extend
+`\ItkDev\OpenIdConnectBundle\Exception\ItkOpenIdConnectBundleException`.
+Existing catches against the abstract will not match anything thrown by
+5.0+ code:
+
+```diff
+- } catch (\ItkDev\OpenIdConnectBundle\Exception\ItkOpenIdConnectBundleException $e) {
++ } catch (\ItkDev\OpenIdConnectBundle\Exception\OpenIdConnectBundleExceptionInterface $e) {
+```
+
+The abstract class is kept through the 5.x line as a `@deprecated` alias
+that still implements the marker; removal is scheduled for 6.0.
+
+`OpenIdConnectBundleExceptionInterface` **extends** the upstream library's
+`\ItkDev\OpenIdConnect\Exception\OpenIdConnectExceptionInterface`, so a
+single catch handles failures from both packages:
+
+```php
+try {
+    $claims = $this->validateClaims($request);
+} catch (\ItkDev\OpenIdConnect\Exception\OpenIdConnectExceptionInterface $e) {
+    // catches both library- and bundle-thrown OIDC failures
+}
+```
+
+## Catch on SPL types still works
+
+Each concrete now extends the SPL type that best fits its failure category,
+so catches at the SPL level continue to match:
+
+| Concrete | Parent | When it fires |
+| --- | --- | --- |
+| `InvalidProviderException` | `\InvalidArgumentException` | Unknown provider key requested from the manager |
+| `UsernameDoesNotExistException` | `\InvalidArgumentException` | CLI login resolved a token to no username |
+| `CacheException` | `\RuntimeException` | PSR-6 cache layer failed during CLI login token handling |
+| `TokenNotFoundException` | `\RuntimeException` | CLI login token not found in the cache |
+| `UserDoesNotExistException` | `\RuntimeException` | Configured user provider has no matching user |
+
+For example, code catching the raw `\InvalidArgumentException` around a
+provider lookup keeps working, because `InvalidProviderException` still
+extends it:
+
+```php
+try {
+    $provider = $providerManager->getProvider($key);
+} catch (\InvalidArgumentException $e) { // still catches in 5.0
+    // ...
+}
+```
+
+## Update the dependency constraint
+
+If your application pins the bundle, bump it to `^5.0`. The bundle now
+requires `itk-dev/openid-connect:^5.0`; review that library's
+[UPGRADE-5.0.md](https://github.com/itk-dev/openid-connect/blob/main/UPGRADE-5.0.md)
+for its own contract changes (it reworks the same exception hierarchy and
+tightens several IdP-payload validations).
+
+## Framework-boundary exceptions are unchanged
+
+`LoginController` still ships Symfony `HttpException` subclasses
+(`NotFoundHttpException` for an unknown provider → 404,
+`ServiceUnavailableHttpException` for an unreachable IdP / cache failure →
+503), and authenticators still throw `AuthenticationException`. These are a
+documented carve-out from the wrap-at-boundary rule and did not change in
+5.0; the OIDC cause remains chained via `$previous`.

composer.json

@@ -18,7 +18,7 @@
         "ext-json": "*",
         "ext-openssl": "*",
         "doctrine/orm": "^2.8 || ^3.0",
-        "itk-dev/openid-connect": "^4.0",
+        "itk-dev/openid-connect": "^5.0",
         "symfony/cache": "^6.4 || ^7.0 || ^8.0",
         "symfony/framework-bundle": "^6.4.13 || ^7.0 || ^8.0",
         "symfony/security-bundle": "^6.4.13 || ^7.0 || ^8.0",
@@ -28,7 +28,11 @@
     "require-dev": {
         "ergebnis/composer-normalize": "^2.28",
         "friendsofphp/php-cs-fixer": "^3.11",
-        "phpstan/phpstan": "^2.1",
+        "phpstan/phpstan": "^2.1.41",
+        "phpstan/phpstan-deprecation-rules": "^2.0",
+        "phpstan/phpstan-phpunit": "^2.0",
+        "phpstan/phpstan-strict-rules": "^2.0",
+        "phpstan/phpstan-symfony": "^2.0",
         "phpunit/phpunit": "^12.0",
         "rector/rector": "^2.0",
         "symfony/runtime": "^6.4.13 || ^7.0 || ^8.0"
@@ -40,6 +44,7 @@
     },
     "autoload-dev": {
         "psr-4": {
+            "ItkDev\\OpenIdConnectBundle\\PHPStan\\": "phpstan/",
             "ItkDev\\OpenIdConnectBundle\\Tests\\": "tests/"
         }
     },

phpstan.neon

@@ -1,4 +1,65 @@
+includes:
+	- vendor/phpstan/phpstan-strict-rules/rules.neon
+	- vendor/phpstan/phpstan-deprecation-rules/rules.neon
+	- vendor/phpstan/phpstan-phpunit/extension.neon
+	- vendor/phpstan/phpstan-phpunit/rules.neon
+	- vendor/phpstan/phpstan-symfony/extension.neon
+	- vendor/phpstan/phpstan-symfony/rules.neon
+	- phpstan/exception-contract.neon
+
 parameters:
 	level: max
 	paths:
 		- src
+		- tests
+		- phpstan/Rule
+	reportIgnoresWithoutComments: true
+
+	ignoreErrors:
+		# PHPUnit declares assertions as static methods on `Assert`, but the
+		# pervasive idiom is `$this->assertX()`. phpstan-phpunit handles type
+		# narrowing for these but doesn't override strict-rules' judgment that
+		# this is a dynamic call to a static method.
+		-
+			identifier: staticMethod.dynamicCall
+			path: tests/*
+
+		# Test fixture/helper PHPDoc completeness — out of scope for the static
+		# analysis hardening; can be tightened as a follow-up.
+		-
+			identifier: missingType.generics
+			path: tests/*
+		-
+			identifier: missingType.iterableValue
+			path: tests/*
+		-
+			identifier: missingType.return
+			path: tests/*
+
+		# Symfony's Processor returns an untyped array; phpstan-symfony narrows
+		# many other Symfony APIs but does not type processConfiguration's result
+		# from a Configuration definition. The tests probe specific keys precisely
+		# *because* the production code does.
+		-
+			identifier: argument.type
+			path: tests/DependencyInjection/ConfigurationTest.php
+		-
+			identifier: offsetAccess.nonOffsetAccessible
+			path: tests/DependencyInjection/ConfigurationTest.php
+
+		# `validateClaims` throws `ValidationException`, but the throw happens behind
+		# the abstract `authenticate()` the test fixture overrides, so PHPStan's
+		# throw-type analysis can't see it reach the catch. The test deliberately
+		# asserts the wrap behaviour by catching the concrete type.
+		-
+			identifier: catch.neverThrown
+			path: tests/Security/OpenIdLoginAuthenticatorTest.php
+
+		# Manager tests assert `getProvider()` returns an `OpenIdConfigurationProvider`
+		# as a "didn't throw on construction" smoke check. The return type already
+		# guarantees the class, so phpstan-phpunit flags the assertion as redundant.
+		# A follow-up should replace these with behavioural assertions on the
+		# constructed provider; until then the assertion documents intent.
+		-
+			identifier: method.alreadyNarrowedType
+			path: tests/Security/OpenIdConfigurationProviderManagerTest.php

phpstan/README.md

@@ -0,0 +1,75 @@
+# PHPStan exception-contract rules
+
+Two custom PHPStan rules lock the exception contract documented in
+[ADR 001](../docs/adr/001-marker-interface-exception-hierarchy.md). They run
+automatically as part of `task analyze:php` (and therefore `task pr:actions`).
+
+## `ThrownExceptionImplementsBundleMarker`
+
+Every literal `throw new X(...)` site under `src/` must throw an exception
+that implements:
+
+- `ItkDev\OpenIdConnectBundle\Exception\OpenIdConnectBundleExceptionInterface`, or
+- `ItkDev\OpenIdConnect\Exception\OpenIdConnectExceptionInterface` (the upstream marker).
+
+Two framework-boundary carve-outs apply, matching ADR 001:
+
+| Path                                | Additionally allowed                                                    | Why                                                                |
+| ----------------------------------- | ----------------------------------------------------------------------- | ------------------------------------------------------------------ |
+| `src/Controller/*`                  | `Symfony\Component\HttpKernel\Exception\HttpExceptionInterface`         | Symfony's kernel renders the HTTP status off these.                |
+| `src/Security/*Authenticator.php`   | `Symfony\Component\Security\Core\Exception\AuthenticationException`     | Symfony Security catches these to render the auth-failure response.|
+
+Escape hatch for an intentional outlier:
+
+```php
+// @phpstan-ignore throw.notMarkerInterface
+throw new MyOddException(...);
+```
+
+Pair the annotation with a one-line justification comment.
+
+## `WrappedExceptionChainsPrevious`
+
+Any `throw new Y(...)` inside a `catch (... $e)` block must pass `$e`
+as the new exception's `$previous`, either as a named argument
+(`previous: $e`) or as a direct positional argument value. This preserves
+`getPrevious()` traversal for logs and debugging — the lesson from the
+4.1 → 4.2 bug-fix PR that surfaced four `CliLoginHelper` wrap sites
+discarding the original cause.
+
+The check is intentionally lenient: it accepts any positional argument
+whose value is the catch variable, not just the 3rd slot. This covers
+Symfony's HTTP exception subclasses (which bake the status into the
+class and place `$previous` at index 1) without needing constructor
+reflection.
+
+Escape hatch when the rethrow is intentionally unrelated to the cause:
+
+```php
+} catch (\Throwable $e) {
+    // @phpstan-ignore throw.unchainedPrevious
+    throw new UnrelatedDomainException('...');
+}
+```
+
+Annotate with a justification.
+
+## Verifying the rules
+
+The rules are exercised on every CI run because PHPStan analyses `src/`
+and `tests/`. If a refactor produces a contract violation, the build
+breaks — which is the point. To verify a rule manually after editing,
+clear the cache and re-run:
+
+```shell
+docker compose exec phpfpm vendor/bin/phpstan clear-result-cache
+task analyze:php
+```
+
+## Why not php-cs-fixer
+
+php-cs-fixer's rule model is syntactic. Exception-type enforcement is
+a type-level concern — what a thrown class extends or implements — and
+PHPStan has the reflection machinery to express it. Future work could
+add a php-cs-fixer rule for the narrower "no `throw new \Exception(…)`
+anywhere" check, but the inheritance graph belongs to PHPStan.