test(mbe): add more config tests for master express

Ticket: WP-5339

Author: pranavjain97

src/__tests__/config.test.ts

@@ -12,13 +12,14 @@ describe('Configuration', () => {
   beforeEach(() => {
     // Reset to original environment and clear all relevant variables
     process.env = { ...originalEnv };
+    delete process.env.APP_MODE;
+    delete process.env.BITGO_APP_MODE;
     delete process.env.KMS_URL;
     delete process.env.ENCLAVED_EXPRESS_URL;
     delete process.env.ENCLAVED_EXPRESS_CERT;
     delete process.env.TLS_MODE;
     delete process.env.TLS_KEY;
     delete process.env.TLS_CERT;
-    delete process.env.MTLS_REQUEST_CERT;
     delete process.env.MTLS_REJECT_UNAUTHORIZED;
     delete process.env.MTLS_ALLOWED_CLIENT_FINGERPRINTS;
     delete process.env.ALLOW_SELF_SIGNED;
@@ -140,14 +141,12 @@ describe('Configuration', () => {
       process.env.KMS_URL = 'http://localhost:3000';
       process.env.TLS_KEY = mockTlsKey;
       process.env.TLS_CERT = mockTlsCert;
-      process.env.MTLS_REQUEST_CERT = 'true';
       process.env.MTLS_REJECT_UNAUTHORIZED = 'true';
       process.env.MTLS_ALLOWED_CLIENT_FINGERPRINTS = 'ABC123,DEF456';
 
       const cfg = initConfig();
       isEnclavedConfig(cfg).should.be.true();
       if (isEnclavedConfig(cfg)) {
-        cfg.mtlsRequestCert!.should.be.true();
         cfg.mtlsAllowedClientFingerprints!.should.deepEqual(['ABC123', 'DEF456']);
         cfg.kmsUrl.should.equal('http://localhost:3000');
         cfg.tlsKey!.should.equal(mockTlsKey);
@@ -261,36 +260,13 @@ describe('Configuration', () => {
       }
     });
 
-    it('should read mTLS settings from environment variables', () => {
-      process.env.MTLS_REQUEST_CERT = 'true';
-      process.env.ALLOW_SELF_SIGNED = 'true';
-      process.env.MTLS_ALLOWED_CLIENT_FINGERPRINTS = 'ABC123,DEF456';
-
-      const cfg = initConfig();
-      isMasterExpressConfig(cfg).should.be.true();
-      if (isMasterExpressConfig(cfg)) {
-        cfg.mtlsRequestCert!.should.be.true();
-        cfg.allowSelfSigned!.should.be.true();
-        cfg.mtlsAllowedClientFingerprints!.should.deepEqual(['ABC123', 'DEF456']);
-        cfg.enclavedExpressUrl.should.equal('https://localhost:3080');
-      }
-    });
-
     it('should throw error when ENCLAVED_EXPRESS_URL is not set', () => {
       delete process.env.ENCLAVED_EXPRESS_URL;
       (() => initConfig()).should.throw(
         'ENCLAVED_EXPRESS_URL environment variable is required and cannot be empty',
       );
     });
 
-    it('should suceed if mTLS mode is enabled but mTLS_REQUEST_CERT is false', () => {
-      process.env.MTLS_REQUEST_CERT = 'false';
-      const cfg = initConfig();
-      isMasterExpressConfig(cfg).should.be.true();
-      if (isMasterExpressConfig(cfg)) {
-        cfg.mtlsRequestCert!.should.be.false();
-      }
-
     it('should throw error when ENCLAVED_EXPRESS_URL is empty', () => {
       process.env.ENCLAVED_EXPRESS_URL = '';
       (() => initConfig()).should.throw(
@@ -327,8 +303,6 @@ describe('Configuration', () => {
     });
 
     it('should handle URL protocol conversion correctly', () => {
-      process.env.ENCLAVED_EXPRESS_CERT = mockSecuredExpressCert;
-
       // Test with URL that already has protocol
       process.env.ENCLAVED_EXPRESS_URL = 'https://enclaved.example.com:3080';
       let cfg = initConfig();
@@ -356,8 +330,6 @@ describe('Configuration', () => {
     });
 
     it('should handle custom BitGo root URI protocol conversion', () => {
-      process.env.ENCLAVED_EXPRESS_URL = 'http://localhost:3080';
-      process.env.ENCLAVED_EXPRESS_CERT = mockSecuredExpressCert;
       process.env.BITGO_CUSTOM_ROOT_URI = 'bitgo.example.com';
       const cfg = initConfig();
       isMasterExpressConfig(cfg).should.be.true();

src/enclavedApp.ts

@@ -22,19 +22,15 @@ import logger from './logger';
  * Create a startup function which will be run upon server initialization
  */
 export function startup(config: EnclavedConfig, baseUri: string): () => void {
-  return function () {
-    logger.info('BitGo Enclaved Express running');
+  return () => {
+    logger.info('Enclaved Express server starting...');
     logger.info(`Base URI: ${baseUri}`);
-    logger.info(`TLS Mode: ${config.tlsMode}`);
-    logger.info(`mTLS Enabled: ${config.tlsMode === TlsMode.MTLS}`);
-    logger.info(`Request Client Cert: ${config.mtlsRequestCert}`);
-    logger.info(`Allow Self-Signed: ${config.allowSelfSigned}`);
+    logger.info(`mTLS Mode: ${config.tlsMode}`);
+    logger.info(`Allow Self-Signed Certificates: ${config.allowSelfSigned}`);
+    logger.info(`Port: ${config.port}`);
+    logger.info(`Bind: ${config.bind}`);
     logger.info(`KMS URL: ${config.kmsUrl}`);
-    if (config.mtlsAllowedClientFingerprints?.length) {
-      logger.info(
-        `Allowed Client Fingerprints: ${config.mtlsAllowedClientFingerprints.length} configured`,
-      );
-    }
+    logger.info('Enclaved Express server started successfully');
   };
 }
 
@@ -48,7 +44,7 @@ async function createHttpsServer(
   app: express.Application,
   config: EnclavedConfig,
 ): Promise<https.Server> {
-  const { tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
+  const { tlsKey, tlsCert, tlsMode } = config;
 
   if (!tlsKey || !tlsCert) {
     throw new Error('TLS key and certificate must be provided for HTTPS server');
@@ -58,9 +54,8 @@ async function createHttpsServer(
     secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
     key: tlsKey,
     cert: tlsCert,
-    // Only request cert if mTLS is enabled AND we want to request certs
-    // This prevents TLS handshake failures when no cert is provided
-    requestCert: tlsMode === TlsMode.MTLS && mtlsRequestCert,
+    // Always request cert if mTLS is enabled
+    requestCert: tlsMode === TlsMode.MTLS,
     rejectUnauthorized: false, // Handle authorization in middleware
   };
 

src/initConfig.ts

@@ -50,9 +50,9 @@ const defaultEnclavedConfig: EnclavedConfig = {
   bind: 'localhost',
   timeout: 305 * 1000,
   logFile: '',
+  debugNamespace: [],
   kmsUrl: '', // Will be overridden by environment variable
   tlsMode: TlsMode.MTLS,
-  mtlsRequestCert: true,
   allowSelfSigned: false,
 };
 
@@ -101,7 +101,6 @@ function enclavedEnvConfig(): Partial<EnclavedConfig> {
     tlsKey: readEnvVar('TLS_KEY'),
     tlsCert: readEnvVar('TLS_CERT'),
     tlsMode: determineTlsMode(),
-    mtlsRequestCert: readEnvVar('MTLS_REQUEST_CERT')?.toLowerCase() !== 'false',
     mtlsAllowedClientFingerprints: readEnvVar('MTLS_ALLOWED_CLIENT_FINGERPRINTS')?.split(','),
     allowSelfSigned: readEnvVar('ALLOW_SELF_SIGNED') === 'true',
   };
@@ -132,7 +131,6 @@ function mergeEnclavedConfigs(...configs: Partial<EnclavedConfig>[]): EnclavedCo
     tlsKey: get('tlsKey'),
     tlsCert: get('tlsCert'),
     tlsMode: get('tlsMode'),
-    mtlsRequestCert: get('mtlsRequestCert'),
     mtlsAllowedClientFingerprints: get('mtlsAllowedClientFingerprints'),
     allowSelfSigned: get('allowSelfSigned'),
   };
@@ -186,13 +184,13 @@ const defaultMasterExpressConfig: MasterExpressConfig = {
   bind: 'localhost',
   timeout: 305 * 1000,
   logFile: '',
+  debugNamespace: [],
   env: 'test',
   disableEnvCheck: true,
   authVersion: 2,
   enclavedExpressUrl: '', // Will be overridden by environment variable
   enclavedExpressCert: '', // Will be overridden by environment variable
   tlsMode: TlsMode.MTLS,
-  mtlsRequestCert: true,
   allowSelfSigned: false,
 };
 
@@ -219,9 +217,7 @@ function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
   }
 
   // Debug mTLS environment variables
-  const mtlsRequestCertRaw = readEnvVar('MTLS_REQUEST_CERT');
   const allowSelfSignedRaw = readEnvVar('ALLOW_SELF_SIGNED');
-  const mtlsRequestCert = mtlsRequestCertRaw?.toLowerCase() !== 'false';
   const allowSelfSigned = allowSelfSignedRaw === 'true';
 
   return {
@@ -248,7 +244,6 @@ function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
     tlsKey: readEnvVar('TLS_KEY'),
     tlsCert: readEnvVar('TLS_CERT'),
     tlsMode,
-    mtlsRequestCert,
     mtlsAllowedClientFingerprints: readEnvVar('MTLS_ALLOWED_CLIENT_FINGERPRINTS')?.split(','),
     allowSelfSigned,
   };
@@ -287,7 +282,6 @@ function mergeMasterExpressConfigs(
     tlsKey: get('tlsKey'),
     tlsCert: get('tlsCert'),
     tlsMode: get('tlsMode'),
-    mtlsRequestCert: get('mtlsRequestCert'),
     mtlsAllowedClientFingerprints: get('mtlsAllowedClientFingerprints'),
     allowSelfSigned: get('allowSelfSigned'),
   };

src/masterExpressApp.ts

@@ -21,19 +21,14 @@ import { setupRoutes } from './routes/master';
  * Create a startup function which will be run upon server initialization
  */
 export function startup(config: MasterExpressConfig, baseUri: string): () => void {
-  return function () {
-    logger.info('BitGo Master Express running');
+  return () => {
+    logger.info('Master Express server starting...');
     logger.info(`Base URI: ${baseUri}`);
-    logger.info(`Environment: ${config.env}`);
     logger.info(`TLS Mode: ${config.tlsMode}`);
-    logger.info(`mTLS Enabled: ${config.tlsMode === TlsMode.MTLS}`);
-    logger.info(`Request Client Cert: ${config.mtlsRequestCert}`);
-    logger.info(`Allow Self-Signed: ${config.allowSelfSigned}`);
-    if (config.mtlsAllowedClientFingerprints?.length) {
-      logger.info(
-        `Allowed Client Fingerprints: ${config.mtlsAllowedClientFingerprints.length} configured`,
-      );
-    }
+    logger.info(`Port: ${config.port}`);
+    logger.info(`Bind: ${config.bind}`);
+    logger.info(`Enclaved Express URL: ${config.enclavedExpressUrl}`);
+    logger.info('Master Express server started successfully');
   };
 }
 
@@ -47,7 +42,7 @@ async function createHttpsServer(
   app: express.Application,
   config: MasterExpressConfig,
 ): Promise<https.Server> {
-  const { tlsKey, tlsCert, tlsMode, mtlsRequestCert } = config;
+  const { tlsKey, tlsCert, tlsMode } = config;
 
   if (!tlsKey || !tlsCert) {
     throw new Error('TLS key and certificate must be provided for HTTPS server');
@@ -57,9 +52,8 @@ async function createHttpsServer(
     secureOptions: SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
     key: tlsKey,
     cert: tlsCert,
-    // Only request cert if mTLS is enabled AND we want to request certs
-    // This prevents TLS handshake failures when no cert is provided
-    requestCert: tlsMode === TlsMode.MTLS && mtlsRequestCert,
+    // Always request cert if mTLS is enabled
+    requestCert: tlsMode === TlsMode.MTLS,
     rejectUnauthorized: false, // Handle authorization in middleware
   };
 

src/shared/appUtils.ts

@@ -9,7 +9,7 @@ import bodyParser from 'body-parser';
 import pjson from '../../package.json';
 import logger from '../logger';
 
-import { Config, TlsMode } from '../shared/types';
+import { Config, TlsMode, MasterExpressConfig } from '../shared/types';
 
 /**
  * Set up the logging middleware provided by morgan
@@ -121,7 +121,6 @@ export async function prepareIpc(ipcSocketFilePath: string): Promise<void> {
  */
 export function createMtlsMiddleware(config: {
   tlsMode: TlsMode;
-  mtlsRequestCert: boolean;
   allowSelfSigned?: boolean;
   mtlsAllowedClientFingerprints?: string[];
 }): express.RequestHandler {
@@ -132,8 +131,8 @@ export function createMtlsMiddleware(config: {
     const hasValidClientCert =
       clientCert && Object.keys(clientCert).length > 0 && clientCert.subject;
 
-    // If client cert is required but not provided
-    if (config.mtlsRequestCert && !hasValidClientCert) {
+    // If mTLS is enabled, client certificate is always required
+    if (config.tlsMode === TlsMode.MTLS && !hasValidClientCert) {
       return res.status(403).json({
         error: 'mTLS Authentication Failed',
         message: 'Client certificate is required for this endpoint',
@@ -176,30 +175,53 @@ export function createMtlsMiddleware(config: {
 /**
  * Validate that TLS certificates are properly loaded when TLS is enabled
  */
-export function validateTlsCertificates(config: {
-  tlsMode: TlsMode;
-  tlsKey?: string;
-  tlsCert?: string;
-}): void {
-  if (config.tlsMode !== TlsMode.DISABLED) {
-    if (!config.tlsKey || !config.tlsCert) {
-      throw new Error('TLS is enabled but certificates are not properly loaded');
+export function validateTlsCertificates(config: Config): void {
+  if (config.tlsMode === TlsMode.DISABLED) {
+    return;
+  }
+
+  if (!config.tlsKey || !config.tlsCert) {
+    throw new Error('TLS key and certificate must be provided when TLS is enabled');
+  }
+
+  // Validate certificate format
+  try {
+    // Basic PEM format validation
+    if (
+      !config.tlsKey.includes('-----BEGIN PRIVATE KEY-----') &&
+      !config.tlsKey.includes('-----BEGIN RSA PRIVATE KEY-----')
+    ) {
+      throw new Error('Invalid TLS private key format');
     }
+    if (!config.tlsCert.includes('-----BEGIN CERTIFICATE-----')) {
+      throw new Error('Invalid TLS certificate format');
+    }
+  } catch (error) {
+    throw new Error(
+      `TLS certificate validation failed: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
   }
 }
 
 /**
  * Validate Master Express configuration
  */
-export function validateMasterExpressConfig(config: {
-  tlsMode: TlsMode;
-  enclavedExpressUrl: string;
-  enclavedExpressCert: string;
-}): void {
-  if (!config.enclavedExpressUrl) {
-    throw new Error('ENCLAVED_EXPRESS_URL is required for Master Express mode');
+export function validateMasterExpressConfig(config: MasterExpressConfig): void {
+  // Validate that we have the required enclaved express certificate for mTLS
+  if (config.tlsMode === TlsMode.MTLS && !config.enclavedExpressCert) {
+    throw new Error('Enclaved Express certificate is required for mTLS mode');
   }
-  if (config.tlsMode === 'mtls' && !config.enclavedExpressCert) {
-    throw new Error('ENCLAVED_EXPRESS_CERT is required for Master Express mode');
+
+  // Validate client certificate if mTLS is enabled
+  if (config.tlsMode === TlsMode.MTLS) {
+    const hasValidClientCert =
+      config.enclavedExpressCert &&
+      config.enclavedExpressCert.includes('-----BEGIN CERTIFICATE-----');
+
+    if (!hasValidClientCert) {
+      throw new Error('Valid client certificate is required for mTLS mode');
+    }
   }
 }