Limit the federated IDP authenticator property update based on the configured max limit

sadilchamishka · sadilchamishka · commit 418fccdcdb30 · 2025-09-11T15:13:02.000+05:30
diff --git a/components/org.wso2.carbon.identity.api.server.idp/org.wso2.carbon.identity.api.server.idp.common/src/main/java/org/wso2/carbon/identity/api/server/idp/common/Constants.java b/components/org.wso2.carbon.identity.api.server.idp/org.wso2.carbon.identity.api.server.idp.common/src/main/java/org/wso2/carbon/identity/api/server/idp/common/Constants.java
@@ -95,6 +95,9 @@ public class Constants {
     public static final String TENANT_DOMAIN_KEY = "tenantDomain";
     public static final String SEARCH_VALUE_AUTHENTICATION_PROVISIONING = SERV_PROVISIONING + "," + SERV_AUTHENTICATION;
 
+    public static final String MAX_FEDERATED_AUTHENTICATORS_PROPERTY_LIMIT =
+            "MaxFederatedAuthenticatorPropertiesPerIdP";
+
     /**
      * Enum for error messages.
      */
@@ -161,6 +164,10 @@ public enum ErrorMessage {
         ERROR_COED_MULTIPLE_USER_DEFINED_AUTHENTICATORS_FOUND("60044", "Invalid federated " +
                 "authenticators combination.", "Allow to have only one user defined " +
                 "federated authenticator and no system authenticators."),
+        ERROR_CODE_MAX_FEDERATED_AUTHENTICATOR_PROPERTY_EXCEEDED("60045",
+                "Maximum number of authenticator properties exceeded.",
+                "Maximum number of allowed properties for a federated authenticator have been exceeded. " +
+                        "Max allowed: %s."),
 
         // Server Error starting from 650xx.
         ERROR_CODE_ERROR_ADDING_IDP("65002",
diff --git a/components/org.wso2.carbon.identity.api.server.idp/org.wso2.carbon.identity.api.server.idp.v1/src/main/java/org/wso2/carbon/identity/api/server/idp/v1/core/ServerIdpManagementService.java b/components/org.wso2.carbon.identity.api.server.idp/org.wso2.carbon.identity.api.server.idp.v1/src/main/java/org/wso2/carbon/identity/api/server/idp/v1/core/ServerIdpManagementService.java
@@ -264,6 +264,7 @@ public IdentityProviderResponse addIDP(IdentityProviderPOSTRequest identityProvi
         IdentityProvider identityProvider;
         try {
             validateSystemReservedIDP(identityProviderPOSTRequest.getName());
+            validateFederatedAuthenticatorsPropertyLimit(identityProviderPOSTRequest.getFederatedAuthenticators());
             identityProvider = identityProviderManager.addIdPWithResourceId(createIDP(identityProviderPOSTRequest),
                     ContextLoader.getTenantDomainFromContext());
         } catch (IdentityProviderManagementException e) {
@@ -747,6 +748,10 @@ public FederatedAuthenticator updateFederatedAuthenticator(String idpId, String
             // IDP object.
             IdentityProvider idpToUpdate = createIdPClone(idp);
 
+            if (authenticator.getProperties() != null) {
+                validateAuthenticatorPropertyLimit(authenticator.getProperties().size());
+            }
+
             checkAuthenticatorExistence(federatedAuthenticatorId, tenantDomain);
             // Create new FederatedAuthenticatorConfig to store the federated authenticator information.
             FederatedAuthenticatorConfig authConfig = updateFederatedAuthenticatorConfig(federatedAuthenticatorId,
@@ -3762,4 +3767,43 @@ private enum IdpOperation {
         CREATION,
         UPDATE
     }
+
+    private void validateFederatedAuthenticatorsPropertyLimit(
+            FederatedAuthenticatorRequest federatedAuthenticatorRequest) {
+
+        if (federatedAuthenticatorRequest == null || federatedAuthenticatorRequest.getAuthenticators() == null) {
+            return;
+        }
+
+        for (FederatedAuthenticator authenticator : federatedAuthenticatorRequest.getAuthenticators()) {
+            if (authenticator.getProperties() != null) {
+                validateAuthenticatorPropertyLimit(authenticator.getProperties().size());
+            }
+        }
+    }
+
+    private void validateAuthenticatorPropertyLimit(int propertyCount) {
+
+        int maxFederatedAuthenticatorPropertyLimit;
+        try {
+            maxFederatedAuthenticatorPropertyLimit = Integer.parseInt(IdentityUtil
+                    .getProperty(Constants.MAX_FEDERATED_AUTHENTICATORS_PROPERTY_LIMIT));
+        } catch (NumberFormatException e) {
+            if (log.isDebugEnabled()) {
+                log.debug("The system property: " + Constants.MAX_FEDERATED_AUTHENTICATORS_PROPERTY_LIMIT +
+                        " is not a valid integer.");
+            }
+            return;
+        }
+
+        if (propertyCount > maxFederatedAuthenticatorPropertyLimit) {
+            if (log.isDebugEnabled()) {
+                log.debug("The number of properties provided for the federated authenticator exceeds the maximum " +
+                        "allowed limit of: " + maxFederatedAuthenticatorPropertyLimit);
+            }
+            throw handleException(Response.Status.BAD_REQUEST,
+                    Constants.ErrorMessage.ERROR_CODE_MAX_FEDERATED_AUTHENTICATOR_PROPERTY_EXCEEDED,
+                    String.valueOf(maxFederatedAuthenticatorPropertyLimit));
+        }
+    }
 }
