Prevent colon character in group names for CustomAWSSAMLGroupMapper

[bburky]

#185 added support for a custom mapper supporting AWS. This mapper joins group names with a colon, :, character.

This code is potentially vulnerable to group name injection if any groups contain a : in their name.

To fix the mapper, throw an error or drop group names containing a :

uds-identity-config/src/plugin/src/main/java/com/defenseunicorns/uds/keycloak/plugin/CustomAWSSAMLGroupMapper.java

Lines 89 to 103 in fdd1738

	if (!groups.isEmpty()) {
	// Use Keycloak's ModelToRepresentation utility to get the full group paths
	List<String> groupPaths = groups.stream()
	.map(ModelToRepresentation::buildGroupPath)
	.collect(Collectors.toList());
	// Concatenate the group paths into a single string separated by colons
	String groupsString = String.join(":", groupPaths);
	// Create a new SAML attribute
	AttributeType attribute = new AttributeType(mappingModel.getConfig().get(AttributeStatementHelper.SAML_ATTRIBUTE_NAME));
	attribute.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get());
	attribute.addAttributeValue(groupsString);
	attributeStatement.addAttribute(new ASTChoiceType(attribute));
	}