Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697

mdebarros · 2022-02-14T10:46:31Z

Summary:
Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header.

Here is the ML-API-Adapter Notification Handler log showing that a transfer was successfully processed through the Fulfil and Position handlers before being processed for egress notification, only to fail when looking up the callback URL for the non-existent doesnotexistfsp FSP:

2022-02-14T10:33:47.548Z - info: Notification:consumeMessage message: - [{"value":{"from":"ttkpayeefsp","to":"doesnotexistfsp","id":"e4fd75bd-1f74-49c6-92a5-476938634122","content":{"uriParams":{"id":"e4fd75bd-1f74-49c6-92a5-476938634122"},"headers":{"host":"ml-api-adapter.moja2.test.mojaloop.live","x-request-id":"f0a7d208c993c9ce05e73aaeea2dd541","x-real-ip":"10.1.2.230","x-forwarded-for":"10.1.2.230","x-forwarded-host":"ml-api-adapter.moja2.test.mojaloop.live","x-forwarded-port":"80","x-forwarded-proto":"http","x-scheme":"http","x-original-forwarded-for":"in Lorem voluptate","content-length":"135","content-type":"application/vnd.interoperability.transfers+json;version=1.1","date":"2022-02-14T10:33:47.000Z","fspiop-source":"ttkpayeefsp","fspiop-destination":"doesnotexistfsp","fspiop-encryption":"veniam sed magna dolore","fspiop-signature":"nulla consequat veniam minim","fspiop-uri":"est eu","fspiop-http-method":"culpa Excepteur do anim","traceparent":"00-aabbd02665d1c5da420528547707fdd7-818ca77eebb1de20-30","user-agent":"axios/0.21.4"},"payload":{"completedTimestamp":"2022-02-14T10:33:48.000Z","transferState":"COMMITTED","fulfilment":"bs9-Hl5Gf31VKFza84u1vwJeX1xJjmhI_ifMcJHhU5Y"}},"type":"application/json","metadata":{"correlationId":"e4fd75bd-1f74-49c6-92a5-476938634122","event":{"type":"notification","action":"reserve","createdAt":"2022-02-14T10:33:47.499Z","state":{"status":"success","code":0,"description":"action successful"},"id":"9c63faab-001d-4a98-8eba-8abed6afe5db","responseTo":"eb2f56ba-9b87-4615-bd9c-5ec3273a2f72"},"trace":{"startTimestamp":"2022-02-14T10:33:47.529Z","service":"cl_transfer_position","traceId":"aabbd02665d1c5da420528547707fdd7","spanId":"564d3f8948bcfb96","parentSpanId":"122f06d2c47c3892","sampled":0,"flags":"30","tags":{"tracestate":"mojaloop=eyJzcGFuSWQiOiI1NjRkM2Y4OTQ4YmNmYjk2IiwidGltZUFwaUZ1bGZpbCI6IjE2NDQ4MzQ4Mjc0OTcifQ==","transactionType":"transfer","transactionAction":"fulfil","transactionId":"e4fd75bd-1f74-49c6-92a5-476938634122","source
":"ttkpayeefsp","destination":"doesnotexistfsp"},"tracestates":{"mojaloop":{"spanId":"564d3f8948bcfb96","timeApiFulfil":"1644834827497"}}},"protocol.createdAt":1644834827542}},"size":2100,"key":null,"topic":"topic-notification-event","offset":278,"partition":0,"timestamp":1644834827542}]
2022-02-14T10:33:47.548Z - info: Notification::consumeMessage::processMessage
2022-02-14T10:33:47.551Z - info: Notification::processMessage
2022-02-14T10:33:47.551Z - info: Notification::processMessage action: reserve
2022-02-14T10:33:47.551Z - info: Notification::processMessage status: success
2022-02-14T10:33:47.552Z - info: participantEndpointCache::getEndpoint::endpointType - FSPIOP_CALLBACK_URL_TRANSFER_PUT
2022-02-14T10:33:47.552Z - info: [fsp=doesnotexistfsp] ~ participantEndpointCache::fetchEndpoints := Refreshing the cache for FSP: doesnotexistfsp
2022-02-14T10:33:47.552Z - info: sendRequest::request {"url":"http://moja2-centralledger-service:80/participants/doesnotexistfsp/endpoints","method":"GET","headers":{"accept":"application/vnd.interoperability.participants+json;version=1","FSPIOP-Destination":"switch","Content-Type":"application/vnd.interoperability.participants+json;version=1.0","date":"Mon, 14 Feb 2022 10:33:47 GMT","FSPIOP-Source":"switch"},"responseType":"json"}
2022-02-14T10:33:47.557Z - error: Request failed with status code 500

Severity:
Medium

Priority:
Medium

Expected Behavior

Central-Ledger Fulfil Handler should validate FSP IDs to ensure that they are valid AND that they are correctly associated to the transfer as the payer or the payee!

Steps to Reproduce

Send a transfer to a Payee FSP TTK Simulator
Modify the TTK's Callback rule to something like so to override the FSPIOP-Destination:

MOCK_CALLBACK
{
  "headers": {
    "FSPIOP-Destination": "doesnotexistfsp"
  },
  "body": {
    "fulfilment": "WLctttbu2HvTsa1XWvUoGRcQozHsqeu9Ahl2JW9Bsu8",
    "completedTimestamp": "{$function.generic.curDateISO}",
    "transferState": "RESERVED",
    "extensionList": null
  },
  "scripts": {
    "scriptingEngine": "postman"
  }
}

Monitor the Central-Ledger Fulfil Handler and ML-API-Adapter Notification Handler logs

Specifications

Component (if known): Central-ledger
Version: v3.14.16
Platform: n/a
Subsystem: Fulfil-handler
Type of testing: n/a
Bug found/raised by: @mdebarros

Notes:

Severity when opened: Medium
Priority when opened: Medium

Tasks for fix:

central-ledger
ml-api-adapter

PRs:

The text was updated successfully, but these errors were encountered:

@lewisdaly

… scenarios (#874) PR re-based from #872 from @lewisdaly. feat(mojaloop/project/issue2556): Implement patch notification for failure scenarios (following v1.1 update) - mojaloop/project#2556 chore: updated dependencies - updated dependencies - fixed audit issues - fixed lint issues fix([#2697](mojaloop/project#2697)): Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header - mojaloop/project#2697 - fixed/added unit tests - improved test coverage

@lewisdaly

… scenarios (#492) PR re-based from #489 from @lewisdaly. feat([mojaloop/project/issue](mojaloop/project#2556): Implement patch notification for failure scenarios (following v1.1 update) - mojaloop/project#2556 - fixed unit tests chore: updated dependencies - updated dependencies - fixed audit issues - fixed lint issues fix([#2697](mojaloop/project#2697)): Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header - mojaloop/project#2697 - fixed/added unit tests - improved test coverage

…ios (#200) Added callback rules: - ttkpayeefsp PATCH Notifications Success Test-case - mojaloop/project#2676 - ttkpayeefsp PATCH Notifications Failure due to invalid fulfiment Test-case - mojaloop/project#2556 - ttkpayeefsp PUT Notifications Failure Test-case due to invalid FSPIOP-Destination Test-case - mojaloop/project#2697 - ttkpayeefsp PATCH Notifications Failure Test-case due to invalid FSPIOP-Destination Test-case - mojaloop/project#2697 ~Blocked by mojaloop/project#2696

- ml-api-adapter upgraded to v12.3.0 - central-ledger upgraded to v13.15.4 - ml-testing-toolkit backend upgraded to v14.0.4 These upgrades address the following issues: - Implement patch notification for failure scenarios (following v1.1 update) #2556 - mojaloop/project#2556 - Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697 - mojaloop/project#2697 - TTK GP Tests for patch notifications - positive scenarios #2676 - mojaloop/project#2676

- ml-api-adapter upgraded to v12.3.0 - central-ledger upgraded to v13.15.4 - ml-testing-toolkit backend upgraded to v14.0.4 These upgrades address the following issues (inc. updated changelog): - Implement patch notification for failure scenarios (following v1.1 update) #2556 - mojaloop/project#2556 - Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697 - mojaloop/project#2697 - TTK GP Tests for patch notifications - positive scenarios #2676 - mojaloop/project#2676

mdebarros added bug Something isn't working or it has wrong behavior on a Mojaloop Core service oss-core This is an issue - story or epic related to a feature on a Mojaloop core service or related to it labels Feb 14, 2022

elnyry-sam-k added this to the Sprint 17.2 milestone Feb 14, 2022

elnyry-sam-k assigned mdebarros Feb 14, 2022

This was referenced Feb 16, 2022

feat(mojaloop/project#2556): implement patch notification for failure scenarios mojaloop/ml-api-adapter#492

Merged

feat(mojaloop/project#2556): implement patch notification for failure scenarios mojaloop/central-ledger#874

Merged

mdebarros mentioned this issue Feb 22, 2022

feat: callback rule updates to suppose patch notification test-scenarios mojaloop/ml-testing-toolkit#200

Merged

mdebarros mentioned this issue Feb 25, 2022

fix: v13.1.0 release updates to containers mojaloop/helm#465

Merged

elnyry-sam-k closed this as completed Feb 28, 2022

PaulGregoryBaker mentioned this issue Oct 17, 2023

fix: missing toDestination on handling the fspiop source/destiation headers #3580

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697

Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697

mdebarros commented Feb 14, 2022 •

edited by elnyry-sam-k

Loading

Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697

Central-Ledger Fulfil Handler does not correctly invalidate requests with an incorrect/non-existent FSP-ID in the FSPIOP-Destination header #2697

Comments

mdebarros commented Feb 14, 2022 • edited by elnyry-sam-k Loading

mdebarros commented Feb 14, 2022 •

edited by elnyry-sam-k

Loading