Restrict cross-tenant Multi Attribute Login Identifier lookups

wso2-extensions · Jan 10, 2025 · e8d333c · e8d333c
1 parent 17b92fc
commit e8d333c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/components/org.wso2.carbon.identity.conditional.auth.functions.utils/pom.xml b/components/org.wso2.carbon.identity.conditional.auth.functions.utils/pom.xml
@@ -118,6 +118,7 @@
                         </Export-Package>
                         <Import-Package>
                             org.apache.commons.lang,
+                            org.apache.commons.logging,
                             org.osgi.framework; version="${org.osgi.framework.imp.pkg.version.range}",
                             org.osgi.service.component; version="${org.osgi.service.imp.pkg.version.range}",
                             org.wso2.carbon.identity.application.authentication.framework; version="${carbon.identity.package.import.version.range}",

diff --git a/...ty/conditional/auth/functions/utils/ResolveMultiAttributeLoginIdentifierFunctionImpl.java b/...ty/conditional/auth/functions/utils/ResolveMultiAttributeLoginIdentifierFunctionImpl.java
@@ -18,19 +18,30 @@
 
 package org.wso2.carbon.identity.conditional.auth.functions.utils;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.graalvm.polyglot.HostAccess;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult;
 
 /**
  * Function to resolve user from multi attribute login identifier.
  */
 public class ResolveMultiAttributeLoginIdentifierFunctionImpl implements ResolveMultiAttributeLoginIdentifierFunction {
 
+    private static final Log log = LogFactory.getLog(ResolveMultiAttributeLoginIdentifierFunctionImpl.class);
+
     @Override
     @HostAccess.Export
     public String resolveMultiAttributeLoginIdentifier(String loginIdentifier, String tenantDomain) {
 
+        if (!IdentityTenantUtil.resolveTenantDomain().equals(tenantDomain)) {
+            if (log.isDebugEnabled()) {
+                log.debug("Cross-tenant multi attribute login identifier lookup is not allowed.");
+            }
+            return null;
+        }
         ResolvedUserResult resolvedUserResult = FrameworkUtils.processMultiAttributeLoginIdentification(
                 loginIdentifier, tenantDomain);