WIP: add enclaved express configurations

TICKET: WP-4376

Author: mohammadalfaiyazbitgo

modules/express/README.md

@@ -96,6 +96,14 @@ parser.addArgument(['--externalSignerUrl'], {
   help: 'URL which specifies the external signing API.',
 });
 
+parser.addArgument(['--enclavedlExpressUrl'], {
+  help: 'URL to an Express instance in a secure environment.',
+});
+
+parser.addArgument(['--enclavedExpressSSLCert'], {
+  help: 'Path to the SSL certificate file for communicating with enclavedlExpressUrl.',
+});
+
 parser.addArgument(['--signerMode'], {
   action: 'storeConst',
   constant: true,

modules/express/src/args.ts

@@ -38,6 +38,7 @@ import type { ParamsDictionary } from 'express-serve-static-core';
 import * as _ from 'lodash';
 import * as url from 'url';
 import * as superagent from 'superagent';
+import { handlePingEnclavedExpress } from './enclavedExpressRoutes';
 
 // RequestTracer should be extracted into a separate npm package (along with
 // the rest of the BitGoJS HTTP request machinery)
@@ -1770,6 +1771,10 @@ export function setupSigningRoutes(app: express.Application, config: Config): vo
   );
 }
 
+export function setupEnclavedSigningRoutes(app: express.Application, config: Config): void {
+  app.post('/ping/enclavedExpress', parseBody, prepareBitGo(config), promiseWrapper(handlePingEnclavedExpress));
+}
+
 export function setupLightningSignerNodeRoutes(app: express.Application, config: Config): void {
   app.post(
     '/api/v2/:coin/wallet/:id/initwallet',

modules/express/src/clientRoutes.ts

@@ -38,6 +38,8 @@ export interface Config {
   customBitcoinNetwork?: V1Network;
   authVersion: number;
   externalSignerUrl?: string;
+  enclavedlExpressUrl?: string;
+  enclavedExpressSSLCert?: string;
   signerMode?: boolean;
   signerFileSystemPath?: string;
   lightningSignerFileSystemPath?: string;
@@ -64,6 +66,8 @@ export const ArgConfig = (args): Partial<Config> => ({
   customBitcoinNetwork: args.custombitcoinnetwork,
   authVersion: args.authVersion,
   externalSignerUrl: args.externalSignerUrl,
+  enclavedlExpressUrl: args.enclavedlExpressUrl,
+  enclavedExpressSSLCert: args.enclavedExpressSSLCert,
   signerMode: args.signerMode,
   signerFileSystemPath: args.signerFileSystemPath,
   lightningSignerFileSystemPath: args.lightningSignerFileSystemPath,
@@ -90,6 +94,8 @@ export const EnvConfig = (): Partial<Config> => ({
   customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK') as V1Network,
   authVersion: Number(readEnvVar('BITGO_AUTH_VERSION')),
   externalSignerUrl: readEnvVar('BITGO_EXTERNAL_SIGNER_URL'),
+  enclavedlExpressUrl: readEnvVar('BITGO_ENCLAVEDL_EXPRESS_URL'),
+  enclavedExpressSSLCert: readEnvVar('BITGO_ENCLAVED_EXPRESS_SSL_CERT'),
   signerMode: readEnvVar('BITGO_SIGNER_MODE') ? true : undefined,
   signerFileSystemPath: readEnvVar('BITGO_SIGNER_FILE_SYSTEM_PATH'),
   lightningSignerFileSystemPath: readEnvVar('BITGO_LIGHTNING_SIGNER_FILE_SYSTEM_PATH'),
@@ -110,6 +116,8 @@ export const DefaultConfig: Config = {
   disableEnvCheck: true,
   timeout: 305 * 1000,
   authVersion: 2,
+  enclavedlExpressUrl: undefined,
+  enclavedExpressSSLCert: undefined,
 };
 
 /**
@@ -147,6 +155,7 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
   const disableSSL = get('disableSSL') || false;
   let customRootUri = get('customRootUri');
   let externalSignerUrl = get('externalSignerUrl');
+  let enclavedlExpressUrl = get('enclavedlExpressUrl');
 
   if (disableSSL !== true) {
     if (customRootUri) {
@@ -155,6 +164,9 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     if (externalSignerUrl) {
       externalSignerUrl = forceSecureUrl(externalSignerUrl);
     }
+    if (enclavedlExpressUrl) {
+      enclavedlExpressUrl = forceSecureUrl(enclavedlExpressUrl);
+    }
   }
 
   return {
@@ -176,6 +188,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     customBitcoinNetwork: get('customBitcoinNetwork'),
     authVersion: get('authVersion'),
     externalSignerUrl,
+    enclavedlExpressUrl,
+    enclavedExpressSSLCert: get('enclavedExpressSSLCert'),
     signerMode: get('signerMode'),
     signerFileSystemPath: get('signerFileSystemPath'),
     lightningSignerFileSystemPath: get('lightningSignerFileSystemPath'),

modules/express/src/config.ts

@@ -0,0 +1,17 @@
+import * as superagent from 'superagent';
+import * as debug from 'debug';
+import * as express from 'express';
+import { retryPromise } from '../retryPromise';
+
+export async function handlePingEnclavedExpress(req: express.Request) {
+  return await retryPromise(
+    () =>
+      superagent
+        .post(`${req.config?.enclavedlExpressUrl}/ping`)
+        .ca(req.config?.enclavedExpressSSLCert as string)
+        .send({}),
+    (err, tryCount) => {
+      debug(`Failed to ping enclavedExpress: ${err.message}`);
+    }
+  );
+}

modules/express/src/enclavedExpressRoutes/enclavedExpressRoutes.ts

@@ -0,0 +1 @@
+export * from './enclavedExpressRoutes';

modules/express/src/enclavedExpressRoutes/index.ts

@@ -271,6 +271,8 @@ function checkPreconditions(config: Config) {
 export function setupRoutes(app: express.Application, config: Config): void {
   if (config.signerMode) {
     clientRoutes.setupSigningRoutes(app, config);
+  } else if (config.enclavedlExpressUrl && config.enclavedExpressSSLCert) {
+    clientRoutes.setupEnclavedSigningRoutes(app, config);
   } else {
     if (config.lightningSignerFileSystemPath) {
       clientRoutes.setupLightningSignerNodeRoutes(app, config);