Add sensitive data attribute

tvdijen · tvdijen · commit 44fe196f531b · 2024-05-30T00:16:01.000+02:00
diff --git a/modules/core/src/Auth/Source/AdminPassword.php b/modules/core/src/Auth/Source/AdminPassword.php
@@ -45,8 +45,11 @@ public function __construct(array $info, array $config)
      * @param string $password  The password the user wrote.
      * @return array  Associative array with the users attributes.
      */
-    protected function login(string $username, string $password): array
-    {
+    protected function login(
+        string $username,
+        #[\SensitiveParameter]
+        string $password,
+    ): array {
         $config = Configuration::getInstance();
         $adminPassword = $config->getString('auth.adminpassword');
         if ($adminPassword === '123') {
diff --git a/modules/core/src/Auth/UserPassBase.php b/modules/core/src/Auth/UserPassBase.php
@@ -263,7 +263,7 @@ public function authenticate(Request $request, array &$state): ?Response
      * @param string $password  The password the user wrote.
      * @return array Associative array with the user's attributes.
      */
-    abstract protected function login(string $username, string $password): array;
+    abstract protected function login(string $username, #[\SensitiveParameter] string $password): array;
 
 
     /**
@@ -277,8 +277,12 @@ abstract protected function login(string $username, string $password): array;
      * @param string $username  The username the user wrote.
      * @param string $password  The password the user wrote.
      */
-    public static function handleLogin(string $authStateId, string $username, string $password): Response
-    {
+    public static function handleLogin(
+        string $authStateId,
+        string $username,
+        #[\SensitiveParameter]
+        string $password,
+    ): Response {
         // Here we retrieve the state array we saved in the authenticate-function.
         $state = Auth\State::loadState($authStateId, self::STAGEID);
 
diff --git a/modules/core/src/Auth/UserPassOrgBase.php b/modules/core/src/Auth/UserPassOrgBase.php
@@ -238,7 +238,12 @@ public function authenticate(Request $request, array &$state): ?Response
      * @param string $organization  The id of the organization the user chose.
      * @return array  Associative array with the user's attributes.
      */
-    abstract protected function login(string $username, string $password, string $organization): array;
+    abstract protected function login(
+        string $username,
+        #[\SensitiveParameter]
+        string $password,
+        string $organization
+    ): array;
 
 
     /**
@@ -269,6 +274,7 @@ abstract protected function getOrganizations(): array;
     public static function handleLogin(
         string $authStateId,
         string $username,
+        #[\SensitiveParameter]
         string $password,
         string $organization,
     ): Response {
diff --git a/modules/cron/src/Controller/Cron.php b/modules/cron/src/Controller/Cron.php
@@ -117,6 +117,7 @@ public function info(/** @scrutinizer ignore-unused */Request $request): Respons
     public function run(
         /** @scrutinizer ignore-unused */Request $request,
         string $tag,
+        #[\SensitiveParameter]
         string $key,
         string $output = 'xhtml',
     ): Template {
diff --git a/modules/exampleauth/src/Auth/Source/UserPass.php b/modules/exampleauth/src/Auth/Source/UserPass.php
@@ -93,8 +93,11 @@ public function __construct(array $info, array $config)
      * @param string $password  The password the user wrote.
      * @return array  Associative array with the users attributes.
      */
-    protected function login(string $username, string $password): array
-    {
+    protected function login(
+        string $username,
+        #[\SensitiveParameter]
+        string $password,
+    ): array {
         $userpass = $username . ':' . $password;
         if (!array_key_exists($userpass, $this->users)) {
             throw new Error\Error(Error\ErrorCodes::WRONGUSERPASS);
diff --git a/modules/saml/hooks/hook_sanitycheck.php b/modules/saml/hooks/hook_sanitycheck.php
@@ -53,7 +53,11 @@ function saml_hook_sanitycheck(array &$hookinfo): void
     }
 }
 
-function matchingKeyPair(string $publicKey, string $privateKey, ?string $password = null): bool
-{
+function matchingKeyPair(
+    string $publicKey,
+    string $privateKey,
+    #[\SensitiveParameter]
+    ?string $password = null
+): bool {
     return openssl_x509_check_private_key($publicKey, [$privateKey, $password]);
 }
diff --git a/src/SimpleSAML/Database.php b/src/SimpleSAML/Database.php
@@ -152,8 +152,13 @@ private static function generateInstanceId(Configuration $config): string
      * @throws \Exception If an error happens while trying to connect to the database.
      * @return \PDO object
      */
-    private function connect(string $dsn, string $username = null, string $password = null, array $options): PDO
-    {
+    private function connect(
+        string $dsn,
+        string $username = null,
+        #[\SensitiveParameter]
+        string $password = null,
+        array $options
+    ): PDO {
         try {
             $db = new PDO($dsn, $username, $password, $options);
             $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
diff --git a/src/SimpleSAML/XML/Signer.php b/src/SimpleSAML/XML/Signer.php
@@ -132,8 +132,12 @@ public function loadPrivateKeyArray(array $privatekey): void
      *                         Default to false.
      * @throws \Exception
      */
-    public function loadPrivateKey(string $location, ?string $pass, bool $full_path = false): void
-    {
+    public function loadPrivateKey(
+        string $location,
+        #[\SensitiveParameter]
+        ?string $pass,
+        bool $full_path = false
+    ): void {
         $cryptoUtils = new Utils\Crypto();
         $keyData = $cryptoUtils->retrieveKey($location, $full_path);
 

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,11 @@ function saml_hook_sanitycheck(array &$hookinfo): void`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
`56`		`-function matchingKeyPair(string $publicKey, string $privateKey, ?string $password = null): bool`
`57`		`-{`
	`56`	`+function matchingKeyPair(`
	`57`	`+ string $publicKey,`
	`58`	`+ string $privateKey,`
	`59`	`+ #[\SensitiveParameter]`
	`60`	`+ ?string $password = null`
	`61`	`+): bool {`
`58`	`62`	`return openssl_x509_check_private_key($publicKey, [$privateKey, $password]);`
`59`	`63`	`}`