Restrict cross-tenant Multi Attribute Login Identifier lookups

wso2-extensions · Jan 10, 2025 · 6fa821f · 6fa821f
1 parent 17b92fc
commit 6fa821f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.utils/pom.xml b/components/org.wso2.carbon.identity.conditional.auth.functions.utils/pom.xml
@@ -52,6 +52,11 @@
             <groupId>org.wso2.carbon.identity.framework</groupId>
             <artifactId>org.wso2.carbon.identity.central.log.mgt</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon</groupId>
+            <artifactId>org.wso2.carbon.utils</artifactId>
+            <scope>provided</scope>
+        </dependency>
 
         <!-- Test related dependencies -->
         <dependency>
@@ -125,7 +130,8 @@
                             org.wso2.carbon.identity.central.log.mgt.utils; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.identity.multi.attribute.login.mgt; version="${carbon.identity.package.import.version.range}",
                             org.wso2.carbon.user.core.common; version="${carbon.kernel.package.import.version.range}",
-                            org.wso2.carbon.utils*;version="${carbon.kernel.package.import.version.range}"
+                            org.wso2.carbon.utils*;version="${carbon.kernel.package.import.version.range}",
+                            org.wso2.carbon.context,
                         </Import-Package>
                     </instructions>
                 </configuration>

diff --git a/...ty/conditional/auth/functions/utils/ResolveMultiAttributeLoginIdentifierFunctionImpl.java b/...ty/conditional/auth/functions/utils/ResolveMultiAttributeLoginIdentifierFunctionImpl.java
@@ -18,19 +18,30 @@
 
 package org.wso2.carbon.identity.conditional.auth.functions.utils;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.graalvm.polyglot.HostAccess;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
 import org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
 
 /**
  * Function to resolve user from multi attribute login identifier.
  */
 public class ResolveMultiAttributeLoginIdentifierFunctionImpl implements ResolveMultiAttributeLoginIdentifierFunction {
 
+    private static final Log log = LogFactory.getLog(FrameworkUtils.class);
+
     @Override
     @HostAccess.Export
     public String resolveMultiAttributeLoginIdentifier(String loginIdentifier, String tenantDomain) {
 
+        if (!PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain().equals(tenantDomain)) {
+            if (log.isDebugEnabled()) {
+                log.debug("Cross-tenant multi attribute login identifier lookup is not allowed.");
+            }
+            return null;
+        }
         ResolvedUserResult resolvedUserResult = FrameworkUtils.processMultiAttributeLoginIdentification(
                 loginIdentifier, tenantDomain);