Merge pull request #6121 from BitGo/WP-4376/mbe-enclave-url-cert

WIP: add enclaved express configurations

Author: pranavjain97

modules/express/README.md

@@ -96,6 +96,14 @@ parser.addArgument(['--externalSignerUrl'], {
   help: 'URL which specifies the external signing API.',
 });
 
+parser.addArgument(['--enclavedExpressUrl'], {
+  help: 'URL to an Express instance in a secure environment.',
+});
+
+parser.addArgument(['--enclavedExpressSSLCert'], {
+  help: 'Path to the SSL certificate file for communicating with enclavedExpressUrl.',
+});
+
 parser.addArgument(['--signerMode'], {
   action: 'storeConst',
   constant: true,

modules/express/src/args.ts

@@ -38,6 +38,7 @@ import type { ParamsDictionary } from 'express-serve-static-core';
 import * as _ from 'lodash';
 import * as url from 'url';
 import * as superagent from 'superagent';
+import { handlePingEnclavedExpress } from './enclavedExpressRoutes';
 
 // RequestTracer should be extracted into a separate npm package (along with
 // the rest of the BitGoJS HTTP request machinery)
@@ -1770,6 +1771,11 @@ export function setupSigningRoutes(app: express.Application, config: Config): vo
   );
 }
 
+export function setupEnclavedExpressRoutes(app: express.Application, config: Config): void {
+  // Keep the ping endpoint for health checks
+  app.get('/ping/enclavedExpress', parseBody, prepareBitGo(config), promiseWrapper(handlePingEnclavedExpress));
+}
+
 export function setupLightningSignerNodeRoutes(app: express.Application, config: Config): void {
   app.post(
     '/api/v2/:coin/wallet/:id/initwallet',

modules/express/src/clientRoutes.ts

@@ -1,5 +1,6 @@
 import { EnvironmentName, V1Network } from 'bitgo';
 import { isNil, isNumber } from 'lodash';
+import { readFileSync, existsSync } from 'fs';
 import 'dotenv/config';
 
 import { args } from './args';
@@ -38,6 +39,8 @@ export interface Config {
   customBitcoinNetwork?: V1Network;
   authVersion: number;
   externalSignerUrl?: string;
+  enclavedExpressUrl?: string;
+  enclavedExpressSSLCert?: string;
   signerMode?: boolean;
   signerFileSystemPath?: string;
   lightningSignerFileSystemPath?: string;
@@ -64,6 +67,8 @@ export const ArgConfig = (args): Partial<Config> => ({
   customBitcoinNetwork: args.custombitcoinnetwork,
   authVersion: args.authVersion,
   externalSignerUrl: args.externalSignerUrl,
+  enclavedExpressUrl: args.enclavedExpressUrl,
+  enclavedExpressSSLCert: args.enclavedExpressSSLCert,
   signerMode: args.signerMode,
   signerFileSystemPath: args.signerFileSystemPath,
   lightningSignerFileSystemPath: args.lightningSignerFileSystemPath,
@@ -90,6 +95,8 @@ export const EnvConfig = (): Partial<Config> => ({
   customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK') as V1Network,
   authVersion: Number(readEnvVar('BITGO_AUTH_VERSION')),
   externalSignerUrl: readEnvVar('BITGO_EXTERNAL_SIGNER_URL'),
+  enclavedExpressUrl: readEnvVar('BITGO_ENCLAVED_EXPRESS_URL'),
+  enclavedExpressSSLCert: readEnvVar('BITGO_ENCLAVED_EXPRESS_SSL_CERT'),
   signerMode: readEnvVar('BITGO_SIGNER_MODE') ? true : undefined,
   signerFileSystemPath: readEnvVar('BITGO_SIGNER_FILE_SYSTEM_PATH'),
   lightningSignerFileSystemPath: readEnvVar('BITGO_LIGHTNING_SIGNER_FILE_SYSTEM_PATH'),
@@ -110,6 +117,8 @@ export const DefaultConfig: Config = {
   disableEnvCheck: true,
   timeout: 305 * 1000,
   authVersion: 2,
+  enclavedExpressUrl: undefined,
+  enclavedExpressSSLCert: undefined,
 };
 
 /**
@@ -147,6 +156,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
   const disableSSL = get('disableSSL') || false;
   let customRootUri = get('customRootUri');
   let externalSignerUrl = get('externalSignerUrl');
+  let enclavedExpressUrl = get('enclavedExpressUrl');
+  let enclavedExpressSSLCert: string | undefined;
 
   if (disableSSL !== true) {
     if (customRootUri) {
@@ -155,6 +166,24 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     if (externalSignerUrl) {
       externalSignerUrl = forceSecureUrl(externalSignerUrl);
     }
+    if (enclavedExpressUrl) {
+      enclavedExpressUrl = forceSecureUrl(enclavedExpressUrl);
+      console.log('Using secure enclaved express URL:', enclavedExpressUrl);
+    }
+    const enclavedExpressSSLCertValue = get('enclavedExpressSSLCert');
+    if (enclavedExpressSSLCertValue) {
+      try {
+        // First try to read it as a file path
+        enclavedExpressSSLCert = existsSync(enclavedExpressSSLCertValue)
+          ? readFileSync(enclavedExpressSSLCertValue, { encoding: 'utf8' })
+          : enclavedExpressSSLCertValue; // If not a file, use the value directly
+        if (existsSync(enclavedExpressSSLCertValue)) {
+          console.log('Successfully loaded SSL cert from:', enclavedExpressSSLCertValue);
+        }
+      } catch (e) {
+        console.error(`Failed to process enclaved express SSL cert: ${enclavedExpressSSLCertValue}`, e);
+      }
+    }
   }
 
   return {
@@ -176,6 +205,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
     customBitcoinNetwork: get('customBitcoinNetwork'),
     authVersion: get('authVersion'),
     externalSignerUrl,
+    enclavedExpressUrl,
+    enclavedExpressSSLCert,
     signerMode: get('signerMode'),
     signerFileSystemPath: get('signerFileSystemPath'),
     lightningSignerFileSystemPath: get('lightningSignerFileSystemPath'),
@@ -184,8 +215,8 @@ function mergeConfigs(...configs: Partial<Config>[]): Config {
   };
 }
 
-export const config = () => {
+export function config(): Config {
   const arg = ArgConfig(args());
   const env = EnvConfig();
   return mergeConfigs(env, arg);
-};
+}

modules/express/src/config.ts

@@ -0,0 +1,18 @@
+import * as superagent from 'superagent';
+import * as debug from 'debug';
+import * as express from 'express';
+import { retryPromise } from '../retryPromise';
+
+export async function handlePingEnclavedExpress(req: express.Request) {
+  console.log('Making enclaved express request with SSL cert to:', req.config?.enclavedExpressUrl);
+  return await retryPromise(
+    () =>
+      superagent
+        .get(`${req.config?.enclavedExpressUrl}/ping`)
+        .ca(req.config?.enclavedExpressSSLCert as string)
+        .send(),
+    (err, tryCount) => {
+      debug(`Failed to ping enclavedExpress: ${err.message}`);
+    }
+  );
+}

modules/express/src/enclavedExpressRoutes/enclavedExpressRoutes.ts

@@ -0,0 +1 @@
+export * from './enclavedExpressRoutes';

modules/express/src/enclavedExpressRoutes/index.ts

@@ -116,7 +116,16 @@ function createHttpServer(app: express.Application): http.Server {
  */
 export function startup(config: Config, baseUri: string): () => void {
   return function () {
-    const { env, ipc, customRootUri, customBitcoinNetwork, signerMode, lightningSignerFileSystemPath } = config;
+    const {
+      env,
+      ipc,
+      customRootUri,
+      customBitcoinNetwork,
+      signerMode,
+      lightningSignerFileSystemPath,
+      enclavedExpressUrl,
+      enclavedExpressSSLCert,
+    } = config;
     /* eslint-disable no-console */
     console.log('BitGo-Express running');
     console.log(`Environment: ${env}`);
@@ -137,6 +146,12 @@ export function startup(config: Config, baseUri: string): () => void {
     if (lightningSignerFileSystemPath) {
       console.log(`Lightning signer file system path: ${lightningSignerFileSystemPath}`);
     }
+    if (enclavedExpressUrl) {
+      console.log(`Enclaved Express URL: ${enclavedExpressUrl}`);
+      if (enclavedExpressSSLCert) {
+        console.log('Enclaved Express SSL certificate configured');
+      }
+    }
     /* eslint-enable no-console */
   };
 }
@@ -271,6 +286,8 @@ function checkPreconditions(config: Config) {
 export function setupRoutes(app: express.Application, config: Config): void {
   if (config.signerMode) {
     clientRoutes.setupSigningRoutes(app, config);
+  } else if (config.enclavedExpressUrl && config.enclavedExpressSSLCert) {
+    clientRoutes.setupEnclavedExpressRoutes(app, config);
   } else {
     if (config.lightningSignerFileSystemPath) {
       clientRoutes.setupLightningSignerNodeRoutes(app, config);

modules/express/src/expressApp.ts

@@ -83,6 +83,8 @@ describe('Config:', () => {
       customrooturi: 'argcustomRootUri',
       custombitcoinnetwork: 'argcustomBitcoinNetwork',
       externalSignerUrl: 'argexternalSignerUrl',
+      enclavedExpressUrl: 'argenclavedExpressUrl',
+      enclavedExpressSSLCert: 'argenclavedExpressSSLCert',
       signerMode: 'argsignerMode',
       signerFileSystemPath: 'argsignerFileSystemPath',
       lightningSignerFileSystemPath: 'arglightningSignerFileSystemPath',
@@ -107,6 +109,8 @@ describe('Config:', () => {
       BITGO_CUSTOM_ROOT_URI: 'envcustomRootUri',
       BITGO_CUSTOM_BITCOIN_NETWORK: 'envcustomBitcoinNetwork',
       BITGO_EXTERNAL_SIGNER_URL: 'envexternalSignerUrl',
+      BITGO_ENCLAVED_EXPRESS_URL: 'envenclavedExpressUrl',
+      BITGO_ENCLAVED_EXPRESS_SSL_CERT: 'envenclavedExpressSSLCert',
       BITGO_SIGNER_MODE: 'envsignerMode',
       BITGO_SIGNER_FILE_SYSTEM_PATH: 'envsignerFileSystemPath',
       BITGO_LIGHTNING_SIGNER_FILE_SYSTEM_PATH: 'envlightningSignerFileSystemPath',
@@ -132,6 +136,8 @@ describe('Config:', () => {
       customBitcoinNetwork: 'argcustomBitcoinNetwork',
       authVersion: 2,
       externalSignerUrl: 'https://argexternalSignerUrl',
+      enclavedExpressUrl: 'https://argenclavedExpressUrl',
+      enclavedExpressSSLCert: 'argenclavedExpressSSLCert',
       signerMode: 'argsignerMode',
       signerFileSystemPath: 'argsignerFileSystemPath',
       lightningSignerFileSystemPath: 'arglightningSignerFileSystemPath',