Add test for SAML custom attributes in authentication response

lloydmeta · lloydmeta · commit 341d94922fb8 · 2025-05-20T17:41:53.000+09:00
This commit adds a comprehensive test that verifies SAML custom attributes
are correctly handled in the authentication response builder. The test ensures:

1. Custom attributes with single and multiple values are properly included
2. The response with custom attributes is still correctly signed
3. The XML schema validation still passes with custom attributes
4. We can locate and verify individual attribute values in the response

This provides critical test coverage for the SAML custom attributes
feature implementation.
diff --git a/x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/authn/SuccessfulAuthenticationResponseMessageBuilderTests.java b/x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/saml/authn/SuccessfulAuthenticationResponseMessageBuilderTests.java
@@ -12,14 +12,20 @@
 import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
 import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
 import org.elasticsearch.xpack.idp.saml.support.SamlInit;
+import org.elasticsearch.xpack.idp.saml.support.SamlInitiateSingleSignOnAttributes;
 import org.elasticsearch.xpack.idp.saml.support.XmlValidator;
 import org.elasticsearch.xpack.idp.saml.test.IdpSamlTestCase;
 import org.junit.Before;
+import org.opensaml.saml.saml2.core.Attribute;
+import org.opensaml.saml.saml2.core.AttributeStatement;
 import org.opensaml.saml.saml2.core.Response;
 
 import java.net.URI;
 import java.time.Clock;
 import java.time.Duration;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 
 import static org.hamcrest.Matchers.containsString;
@@ -46,13 +52,58 @@ public void setupSaml() throws Exception {
     }
 
     public void testSignedResponseIsValidAgainstXmlSchema() throws Exception {
-        final Response response = buildResponse();
+        final Response response = buildResponse(null);
         final String xml = super.toString(response);
         assertThat(xml, containsString("SignedInfo>"));
         validator.validate(xml);
     }
 
-    private Response buildResponse() throws Exception {
+    public void testSignedResponseWithCustomAttributes() throws Exception {
+        // Create custom attributes
+        SamlInitiateSingleSignOnAttributes attributes = new SamlInitiateSingleSignOnAttributes();
+        List<SamlInitiateSingleSignOnAttributes.Attribute> attributeList = new ArrayList<>();
+        attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("customAttr1", Collections.singletonList("value1")));
+
+        List<String> multipleValues = new ArrayList<>();
+        multipleValues.add("value2A");
+        multipleValues.add("value2B");
+        attributeList.add(new SamlInitiateSingleSignOnAttributes.Attribute("customAttr2", multipleValues));
+
+        attributes.setAttributes(attributeList);
+
+        // Build response with custom attributes
+        final Response response = buildResponse(attributes);
+        final String xml = super.toString(response);
+
+        // Validate that response is correctly signed
+        assertThat(xml, containsString("SignedInfo>"));
+        validator.validate(xml);
+
+        // Verify custom attributes are included
+        boolean foundCustomAttr1 = false;
+        boolean foundCustomAttr2 = false;
+
+        for (AttributeStatement statement : response.getAssertions().get(0).getAttributeStatements()) {
+            for (Attribute attribute : statement.getAttributes()) {
+                String name = attribute.getName();
+                if (name.equals("customAttr1")) {
+                    foundCustomAttr1 = true;
+                    assertEquals(1, attribute.getAttributeValues().size());
+                    assertThat(attribute.getAttributeValues().get(0).getDOM().getTextContent(), containsString("value1"));
+                } else if (name.equals("customAttr2")) {
+                    foundCustomAttr2 = true;
+                    assertEquals(2, attribute.getAttributeValues().size());
+                    assertThat(attribute.getAttributeValues().get(0).getDOM().getTextContent(), containsString("value2A"));
+                    assertThat(attribute.getAttributeValues().get(1).getDOM().getTextContent(), containsString("value2B"));
+                }
+            }
+        }
+
+        assertTrue("Custom attribute 'customAttr1' not found in SAML response", foundCustomAttr1);
+        assertTrue("Custom attribute 'customAttr2' not found in SAML response", foundCustomAttr2);
+    }
+
+    private Response buildResponse(SamlInitiateSingleSignOnAttributes customAttributes) throws Exception {
         final Clock clock = Clock.systemUTC();
 
         final SamlServiceProvider sp = mock(SamlServiceProvider.class);
@@ -75,7 +126,7 @@ private Response buildResponse() throws Exception {
             clock,
             idp
         );
-        return builder.build(user, null, null);
+        return builder.build(user, null, customAttributes);
     }
 
 }
