Add validation for duplicate SAML attribute keys

This commit enhances the SAML attributes implementation by adding validation for duplicate attribute keys. When the same attribute key appears multiple times in a request, the validation will now fail with a clear error message. Signed-off-by: lloydmeta <lloydmeta@gmail.com>

Author: lloydmeta

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequest.java

@@ -15,6 +15,8 @@
 import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 
 import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
 
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 
@@ -44,6 +46,20 @@ public ActionRequestValidationException validate() {
  if (Strings.isNullOrEmpty(assertionConsumerService)) {
  validationException = addValidationError("acs is missing", validationException);
  }
+
+ // Check for duplicate attribute keys
+ if (attributes != null && attributes.getAttributes().isEmpty() == false) {
+ Set<String> keys = new HashSet<>();
+ for (SamlInitiateSingleSignOnAttributes.Attribute attribute : attributes.getAttributes()) {
+ if (keys.add(attribute.getKey()) == false) {
+ validationException = addValidationError(
+ "duplicate attribute key [" + attribute.getKey() + "] found",
+ validationException
+ );
+ }
+ }
+ }
+
  return validationException;
  }
 

x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequestTests.java

@@ -9,6 +9,12 @@
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -39,4 +45,38 @@ public void testValidation() {
  assertThat(validationException.validationErrors().get(0), containsString("entity_id is missing"));
  assertThat(validationException.validationErrors().get(1), containsString("acs is missing"));
  }
+
+ public void testDuplicateAttributeKeysValidation() {
+ // Create request with valid required fields
+ final SamlInitiateSingleSignOnRequest request = new SamlInitiateSingleSignOnRequest();
+ request.setSpEntityId("https://kibana_url");
+ request.setAssertionConsumerService("https://kibana_url/acs");
+
+ // Test with unique attribute keys - should be valid
+ SamlInitiateSingleSignOnAttributes attributes = new SamlInitiateSingleSignOnAttributes();
+ List<SamlInitiateSingleSignOnAttributes.Attribute> attributeList = new ArrayList<>();
+ attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("key1", Collections.singletonList("value1")));
+ attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("key2", Arrays.asList("value2A", "value2B")));
+ attributes.setAttributes(attributeList);
+ request.setAttributes(attributes);
+
+ // Should pass validation
+ ActionRequestValidationException validationException = request.validate();
+ assertNull("Request with unique attribute keys should pass validation", validationException);
+
+ // Test with duplicate attribute keys - should be invalid
+ attributes = new SamlInitiateSingleSignOnAttributes();
+ attributeList = new ArrayList<>();
+ attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("duplicate_key", Collections.singletonList("value1")));
+ attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("unique_key", Collections.singletonList("value2")));
+ attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("duplicate_key", Arrays.asList("value3", "value4")));
+ attributes.setAttributes(attributeList);
+ request.setAttributes(attributes);
+
+ // Should fail validation with appropriate error message
+ validationException = request.validate();
+ assertNotNull("Request with duplicate attribute keys should fail validation", validationException);
+ assertThat(validationException.validationErrors().size(), equalTo(1));
+ assertThat(validationException.validationErrors().get(0), containsString("duplicate attribute key [duplicate_key] found"));
+ }
 }