feat(express): add enclaved express configurations

TICKET: WP-4376

Author: mohammadalfaiyazbitgo

modules/express/README.md

@@ -96,6 +96,14 @@ parser.addArgument(['--externalSignerUrl'], {
   help: 'URL which specifies the external signing API.',
 });
 
+parser.addArgument(['--enclavedExpressUrl'], {
+  help: 'URL to an Express instance in a secure environment.',
+});
+
+parser.addArgument(['--enclavedExpressSSLCert'], {
+  help: 'Path to the SSL certificate file for communicating with enclavedExpressUrl.',
+});
+
 parser.addArgument(['--signerMode'], {
   action: 'storeConst',
   constant: true,

modules/express/src/args.ts

@@ -38,6 +38,7 @@ import type { ParamsDictionary } from 'express-serve-static-core';
 import * as _ from 'lodash';
 import * as url from 'url';
 import * as superagent from 'superagent';
+import { handlePingEnclavedExpress } from './enclavedExpressRoutes';
 
 // RequestTracer should be extracted into a separate npm package (along with
 // the rest of the BitGoJS HTTP request machinery)
@@ -1770,6 +1771,10 @@ export function setupSigningRoutes(app: express.Application, config: Config): vo
   );
 }
 
+export function setupEnclavedSigningRoutes(app: express.Application, config: Config): void {
+  app.post('/ping/enclavedExpress', parseBody, prepareBitGo(config), promiseWrapper(handlePingEnclavedExpress));
+}
+
 export function setupLightningSignerNodeRoutes(app: express.Application, config: Config): void {
   app.post(
     '/api/v2/:coin/wallet/:id/initwallet',

modules/express/src/clientRoutes.ts

@@ -1,5 +1,6 @@
 import { EnvironmentName, V1Network } from 'bitgo';
 import { isNil, isNumber } from 'lodash';
+import { readFileSync } from 'fs';
 import 'dotenv/config';
 
 import { args } from './args';
@@ -38,6 +39,8 @@ export interface Config {
   customBitcoinNetwork?: V1Network;
   authVersion: number;
   externalSignerUrl?: string;
+  enclavedExpressUrl?: string;
+  enclavedExpressSSLCert?: string;
   signerMode?: boolean;
   signerFileSystemPath?: string;
   lightningSignerFileSystemPath?: string;
@@ -64,6 +67,8 @@ export const ArgConfig = (args): Partial<Config> => ({
   customBitcoinNetwork: args.custombitcoinnetwork,
   authVersion: args.authVersion,
   externalSignerUrl: args.externalSignerUrl,
+  enclavedExpressUrl: args.enclavedExpressUrl,
+  enclavedExpressSSLCert: args.enclavedExpressSSLCert,
   signerMode: args.signerMode,
   signerFileSystemPath: args.signerFileSystemPath,
   lightningSignerFileSystemPath: args.lightningSignerFileSystemPath,
@@ -90,6 +95,8 @@ export const EnvConfig = (): Partial<Config> => ({
   customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK') as V1Network,
   authVersion: Number(readEnvVar('BITGO_AUTH_VERSION')),
   externalSignerUrl: readEnvVar('BITGO_EXTERNAL_SIGNER_URL'),
+  enclavedExpressUrl: readEnvVar('BITGO_ENCLAVED_EXPRESS_URL'),
+  enclavedExpressSSLCert: readEnvVar('BITGO_ENCLAVED_EXPRESS_SSL_CERT'),
   signerMode: readEnvVar('BITGO_SIGNER_MODE') ? true : undefined,
   signerFileSystemPath: readEnvVar('BITGO_SIGNER_FILE_SYSTEM_PATH'),
   lightningSignerFileSystemPath: readEnvVar('BITGO_LIGHTNING_SIGNER_FILE_SYSTEM_PATH'),
@@ -110,6 +117,8 @@ export const DefaultConfig: Config = {
   disableEnvCheck: true,
   timeout: 305 * 1000,
   authVersion: 2,
+  enclavedExpressUrl: undefined,
+  enclavedExpressSSLCert: undefined,
 };
 
 /**
@@ -147,6 +156,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
   const disableSSL = get('disableSSL') || false;
   let customRootUri = get('customRootUri');
   let externalSignerUrl = get('externalSignerUrl');
+  let enclavedExpressUrl = get('enclavedExpressUrl');
+  let enclavedExpressSSLCert: string | undefined;
 
   if (disableSSL !== true) {
     if (customRootUri) {
@@ -155,6 +166,19 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     if (externalSignerUrl) {
       externalSignerUrl = forceSecureUrl(externalSignerUrl);
     }
+    if (enclavedExpressUrl) {
+      enclavedExpressUrl = forceSecureUrl(enclavedExpressUrl);
+      console.log('Using secure enclaved express URL:', enclavedExpressUrl);
+    }
+    const enclavedExpressSSLCertPath = get('enclavedExpressSSLCert');
+    if (enclavedExpressSSLCertPath) {
+      try {
+        enclavedExpressSSLCert = readFileSync(enclavedExpressSSLCertPath, { encoding: 'utf8' });
+        console.log('Successfully loaded SSL cert from:', enclavedExpressSSLCertPath);
+      } catch (e) {
+        console.error(`Failed to load enclaved express SSL cert from path: ${enclavedExpressSSLCertPath}`, e);
+      }
+    }
   }
 
   return {
@@ -176,6 +200,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     customBitcoinNetwork: get('customBitcoinNetwork'),
     authVersion: get('authVersion'),
     externalSignerUrl,
+    enclavedExpressUrl,
+    enclavedExpressSSLCert,
     signerMode: get('signerMode'),
     signerFileSystemPath: get('signerFileSystemPath'),
     lightningSignerFileSystemPath: get('lightningSignerFileSystemPath'),
@@ -184,8 +210,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
   };
 }
 
-export const config = () => {
+export function config(): Config {
   const arg = ArgConfig(args());
   const env = EnvConfig();
   return mergeConfigs(env, arg);
-};
+}

modules/express/src/config.ts

@@ -0,0 +1,17 @@
+import * as superagent from 'superagent';
+import * as debug from 'debug';
+import * as express from 'express';
+import { retryPromise } from '../retryPromise';
+
+export async function handlePingEnclavedExpress(req: express.Request) {
+  return await retryPromise(
+    () =>
+      superagent
+        .post(`${req.config?.enclavedExpressUrl}/ping`)
+        .ca(req.config?.enclavedExpressSSLCert as string)
+        .send({}),
+    (err, tryCount) => {
+      debug(`Failed to ping enclavedExpress: ${err.message}`);
+    }
+  );
+}

modules/express/src/enclavedExpressRoutes/enclavedExpressRoutes.ts

@@ -0,0 +1 @@
+export * from './enclavedExpressRoutes';

modules/express/src/enclavedExpressRoutes/index.ts

@@ -116,7 +116,16 @@ function createHttpServer(app: express.Application): http.Server {
  */
 export function startup(config: Config, baseUri: string): () => void {
   return function () {
-    const { env, ipc, customRootUri, customBitcoinNetwork, signerMode, lightningSignerFileSystemPath } = config;
+    const {
+      env,
+      ipc,
+      customRootUri,
+      customBitcoinNetwork,
+      signerMode,
+      lightningSignerFileSystemPath,
+      enclavedExpressUrl,
+      enclavedExpressSSLCert,
+    } = config;
     /* eslint-disable no-console */
     console.log('BitGo-Express running');
     console.log(`Environment: ${env}`);
@@ -137,6 +146,12 @@ export function startup(config: Config, baseUri: string): () => void {
     if (lightningSignerFileSystemPath) {
       console.log(`Lightning signer file system path: ${lightningSignerFileSystemPath}`);
     }
+    if (enclavedExpressUrl) {
+      console.log(`Enclaved Express URL: ${enclavedExpressUrl}`);
+      if (enclavedExpressSSLCert) {
+        console.log('Enclaved Express SSL certificate configured');
+      }
+    }
     /* eslint-enable no-console */
   };
 }
@@ -271,6 +286,8 @@ function checkPreconditions(config: Config) {
 export function setupRoutes(app: express.Application, config: Config): void {
   if (config.signerMode) {
     clientRoutes.setupSigningRoutes(app, config);
+  } else if (config.enclavedExpressUrl && config.enclavedExpressSSLCert) {
+    clientRoutes.setupEnclavedSigningRoutes(app, config);
   } else {
     if (config.lightningSignerFileSystemPath) {
       clientRoutes.setupLightningSignerNodeRoutes(app, config);