ml finance portal: "forbidden" mojaloop report generation #4032

Open
pye-aung opened this issue Jan 17, 2025 · 0 comments
Labels
bug Something isn't working or it has wrong behavior on a Mojaloop Core service

Summary:
We have deployed Mojaloop v16.0.4 and Finance Portal v4.2.3 using iacv2 v5.3.8 (from the Mojaloop iac-modules repository). We assigned the portal_admin role for managers and the finance-manager role, but when attempting to generate reports, we receive a 403 Forbidden error.

We’ve reviewed the reporting-legacy-api, oathkeeper and keto logs, but there are no indications of any forbidden access issues there.

Request URL: https://finance-portal.int.hub.wynepayhubsanbox-pre.com/api/reports/dfspSettlement?settlementId=43&dfspId=wallet1

reporting-legacy-api logs

{ "ts": "2025-01-17T10:07:36.840Z", "msg": "Handled request", "ctx": { "request": { "id": "divergent-suggestion-slimy-elbow", "path": "/dfspSettlement", "method": "GET", "query": { "settlementId": "43", "dfspId": "wallet1" } } } }

oathkeeper logs

{"audience":"application","granted":true,"http_host":"finance-portal.int.hub.wynepayhubsanbox-pre.com","http_method":"GET","http_url":"http://finance-portal.int.hub.wynepayhubsanbox-pre.com/api/reports/dfspSettlement?settlementId=43&dfspId=wallet1","http_user_agent":"","level":"info","msg":"Access request granted","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2025-01-17T10:28:57.145258919Z"}
{"http_request":{"headers":{"content-length":"0","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","x-b3-parentspanid":"14f32a7aef0894a6","x-b3-sampled":"0","x-b3-spanid":"ef3533c0636fce2f","x-b3-traceid":"6f6ddd3698d22e1314f32a7aef0894a6","x-envoy-expected-rq-timeout-ms":"10000","x-envoy-internal":"true","x-forwarded-for":"10.1.31.205"},"host":"finance-portal.int.hub.wynepayhubsanbox-pre.com","method":"GET","path":"/api/reports/dfspSettlement","query":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","remote":"10.1.31.205:54316","scheme":"http"},"http_response":{"headers":{"x-extra":"map[active:true authenticated_at:2025-01-17T06:17:05Z authentication_methods:[map[aal:aal1 completed_at:2025-01-17T06:17:04.994665324Z method:oidc provider:keycloak]] authenticator_assurance_level:aal1 devices:[map[id:03458459-10f3-4c7f-8608-d1af3e14840b ip_address:34.87.189.204 location: user_agent:Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0]] expires_at:2025-01-18T06:17:05Z id:05534e83-b7c3-46c3-b4a2-c055c3d02df9 identity:map[created_at:2024-12-27T04:30:28Z id:b0eb55b5-8245-4fc7-93c3-bc9999f1fad3 metadata_public:<nil> schema_id:default schema_url:https://auth.hub.wynepayhubsanbox-pre.com/kratos/schemas/ZGVmYXVsdA state:active state_changed_at:2024-12-27T04:30:28Z traits:map[email:[email protected] name:[email protected] subject:7bcac927-a259-4b56-9df8-240173020a9e] updated_at:2024-12-27T04:30:28Z] issued_at:2025-01-17T06:17:05Z]","x-user":"7bcac927-a259-4b56-9df8-240173020a9e"},"size":0,"status":200,"text_status":"OK","took":44003990},"level":"info","msg":"completed handling request","time":"2025-01-17T10:28:57.145355808Z"}

keto logs

time=2025-01-17T10:32:15Z level=info msg=started handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:keto-read method:GET path:/relation-tuples query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:10.1.121.179:48598 scheme:http]
time=2025-01-17T10:32:15Z level=info msg=completed handling request http_request=map[headers:map[accept:application/json, text/plain, */* connection:close user-agent:axios/0.21.4] host:keto-read method:GET path:/relation-tuples query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:10.1.121.179:48598 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8] size:55697 status:200 text_status:OK took:11.64644ms]

istio ingress logs

[2025-01-17T10:35:16.396Z] "GET /api/reports/dfspSettlement?settlementId=43&dfspId=wallet1 HTTP/2" 403 - via_upstream - "-" 0 9 116 33 "10.1.45.192" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "8b212359-e436-4e6d-a91c-5436924614b3" "finance-portal.int.hub.wynepayhubsanbox-pre.com" "10.1.45.246:3000" outbound|80||fin-portal-reporting-legacy-api.mojaloop.svc.cluster.local 10.1.31.205:49524 10.1.31.205:443 10.1.45.192:9917 finance-portal.int.hub.wynepayhubsanbox-pre.com reports
[2025-01-17T10:35:16.636Z] "GET /favicon.ico HTTP/2" 404 - via_upstream - "-" 0 153 1 0 "10.1.45.192" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" "1c0fd83c-b498-49f4-a110-a292764398d5" "finance-portal.int.hub.wynepayhubsanbox-pre.com" "10.1.45.239:8080" outbound|80||fin-portal-reporting-hub-bop-shell.mojaloop.svc.cluster.local 10.1.31.205:43456 10.1.31.205:443 10.1.45.192:9917 finance-portal.int.hub.wynepayhubsanbox-pre.com reporting-hub-bop-shell

Severity:
Medium

Priority:
Medium

Expected Behavior
Users with the portal_admin and finance-manager roles should be able to generate reports without encountering a 403 Forbidden error.

Steps to Reproduce

  1. Deploy Mojaloop v16.0.4 and Finance Portal v4.2.3 using iacv2 v5.3.8.
  2. Assign portal_admin for managers and finance-manager roles.
  3. Attempt to generate a report.
  4. Observe the 403 Forbidden error.

Specifications

  • Component: Reporting Legacy API
  • Version: mojaloop v16.0.4, finance portal v4.2.3, reporting v11.0.0, iac v5.3.8
  • Platform: AWS/GCP
  • Subsystem: Ubuntu 20.4, Microk8s v1.29
  • Type of Testing: Manual
  • Bug Found/Raised By: @pye-aung

Notes:

  • No specific issues found in reporting-legacy-api logs.
  • Severity and Priority are both set to Medium upon initial review.
@pye-aung pye-aung added the bug Something isn't working or it has wrong behavior on a Mojaloop Core service label Jan 17, 2025
@elnyry-sam-k elnyry-sam-k changed the title Forbidden mojaloop report generation ml finance portal: "forbidden" mojaloop report generation Jan 17, 2025
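
Added example, not part of the original issue or of Mojaloop's code: the Istio ingress entry for the 403 carries `via_upstream` and an upstream host, which is how Envoy records that the status code was set by the upstream rather than by the proxy. The Python below parses that entry (copied from the issue, trailing fields cut) beside one constructed proxy-side denial; `status_origin` and the constructed line are assumptions made for illustration.

```python
import re

# Field order of Istio's default Envoy access log, up to the upstream cluster.
ACCESS_LOG = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<code>\d{3}) (?P<flags>\S+) (?P<details>\S+) (?P<term>\S+) '
    r'"(?P<transport_failure>[^"]*)" (?P<rx>\d+) (?P<tx>\d+) (?P<duration>\d+) '
    r'(?P<upstream_time>\S+) "(?P<xff>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<request_id>[^"]*)" "(?P<authority>[^"]*)" '
    r'"(?P<upstream_host>[^"]*)" (?P<cluster>\S+)'
)

def status_origin(line):
    """Report which hop set the status code of one access-log entry."""
    m = ACCESS_LOG.search(line)
    if m is None:
        return None  # not an access-log entry in the expected layout
    f = m.groupdict()
    # Envoy writes "via_upstream" when the upstream set the response code;
    # any other value means the proxy (or one of its filters) answered.
    origin = "upstream" if f["details"] == "via_upstream" else "proxy"
    return {
        "code": int(f["code"]),
        "path": f["path"].split("?")[0],
        "origin": origin,
        "upstream_host": f["upstream_host"],
        "service": f["cluster"].split("|")[-1],
        "request_id": f["request_id"],
    }

# The 403 entry from the issue's "istio ingress logs", trailing fields cut.
ISSUE_LINE = (
    '[2025-01-17T10:35:16.396Z] "GET /api/reports/dfspSettlement'
    '?settlementId=43&dfspId=wallet1 HTTP/2" 403 - via_upstream - "-" '
    '0 9 116 33 "10.1.45.192" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) '
    'Gecko/20100101 Firefox/128.0" "8b212359-e436-4e6d-a91c-5436924614b3" '
    '"finance-portal.int.hub.wynepayhubsanbox-pre.com" "10.1.45.246:3000" '
    'outbound|80||fin-portal-reporting-legacy-api.mojaloop.svc.cluster.local'
)
# Constructed contrast case (not from the issue): a denial answered by the proxy.
CONSTRUCTED_LINE = (
    '[2025-01-17T10:35:17.000Z] "GET /api/reports/x HTTP/2" 403 UAEX '
    'ext_authz_denied - "-" 0 0 5 - "10.0.0.1" "curl/8.0" "req-1" '
    '"portal.example.test" "-" outbound|80||reports.example.svc.cluster.local'
)

if __name__ == "__main__":
    for entry in (ISSUE_LINE, CONSTRUCTED_LINE):
        print(status_origin(entry))
```

An `origin` of `upstream` only says the status came back from the next hop at `upstream_host`; if that pod runs a sidecar proxy, its own access log for the same `request_id` shows whether the sidecar or the application produced the code.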