chore: fix tests and use tls mode

Ticket: WP-4663

Author: pranavjain97

.gitignore

@@ -2,4 +2,4 @@ dist/
 node_modules/
 coverage/
 .idea/
-logs/
+logs/

README.md

@@ -51,7 +51,11 @@ Configuration is managed through environment variables:
 
 Both modes use the same TLS configuration variables:
 
-#### Certificate Configuration (choose one approach)
+#### TLS Mode
+
+- `TLS_MODE` - Set to either "mtls" or "disabled" (defaults to "mtls" if not set)
+
+#### Certificate Configuration (required when TLS_MODE=mtls)
 
 **Option 1: Certificate Files**
 
@@ -63,12 +67,11 @@ Both modes use the same TLS configuration variables:
 - `TLS_KEY` - Private key content (PEM format)
 - `TLS_CERT` - Certificate content (PEM format)
 
-#### mTLS Settings
+#### mTLS Settings (when TLS_MODE=mtls)
 
 - `MTLS_REQUEST_CERT` - Request client certificates (default: true)
 - `ALLOW_SELF_SIGNED` - Allow self-signed certificates (default: false)
 - `MTLS_ALLOWED_CLIENT_FINGERPRINTS` - Comma-separated list of allowed client certificate fingerprints (optional)
-- `MASTER_BITGO_EXPRESS_DISABLE_TLS` - Disable TLS completely (default: false)
 
 ### Logging and Debug
 

src/__tests__/config.test.ts

@@ -2,13 +2,14 @@ import { config, isEnclavedConfig, TlsMode } from '../config';
 
 describe('Configuration', () => {
   const originalEnv = process.env;
+  const mockTlsKey = '-----BEGIN PRIVATE KEY-----\nMOCK_KEY\n-----END PRIVATE KEY-----';
+  const mockTlsCert = '-----BEGIN CERTIFICATE-----\nMOCK_CERT\n-----END CERTIFICATE-----';
 
   beforeEach(() => {
     jest.resetModules();
     process.env = { ...originalEnv };
-    // Explicitly clear MTLS-related environment variables
-    delete process.env.MTLS_ENABLED;
-    delete process.env.MASTER_BITGO_EXPRESS_DISABLE_TLS;
+    // Clear TLS-related environment variables
+    delete process.env.TLS_MODE;
   });
 
   afterAll(() => {
@@ -27,6 +28,10 @@ describe('Configuration', () => {
   describe('Enclaved Mode', () => {
     beforeEach(() => {
       process.env.APP_MODE = 'enclaved';
+      process.env.KMS_URL = 'http://localhost:3000';
+      // Set default TLS certificates
+      process.env.TLS_KEY = mockTlsKey;
+      process.env.TLS_CERT = mockTlsCert;
     });
 
     it('should use default configuration when no environment variables are set', () => {
@@ -35,45 +40,64 @@ describe('Configuration', () => {
       if (isEnclavedConfig(cfg)) {
         expect(cfg.port).toBe(3080);
         expect(cfg.bind).toBe('localhost');
-        expect(cfg.tlsMode).toBe(TlsMode.ENABLED);
+        expect(cfg.tlsMode).toBe(TlsMode.MTLS);
         expect(cfg.timeout).toBe(305 * 1000);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
+        expect(cfg.tlsKey).toBe(mockTlsKey);
+        expect(cfg.tlsCert).toBe(mockTlsCert);
       }
     });
 
     it('should read port from environment variable', () => {
-      process.env.MASTER_BITGO_EXPRESS_PORT = '4000';
+      process.env.ENCLAVED_EXPRESS_PORT = '4000';
       const cfg = config();
       expect(isEnclavedConfig(cfg)).toBe(true);
       if (isEnclavedConfig(cfg)) {
         expect(cfg.port).toBe(4000);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
+        expect(cfg.tlsKey).toBe(mockTlsKey);
+        expect(cfg.tlsCert).toBe(mockTlsCert);
       }
     });
 
     it('should read TLS mode from environment variables', () => {
-      process.env.MASTER_BITGO_EXPRESS_DISABLE_TLS = 'true';
+      // Test with TLS disabled
+      process.env.TLS_MODE = 'disabled';
       let cfg = config();
       expect(isEnclavedConfig(cfg)).toBe(true);
       if (isEnclavedConfig(cfg)) {
         expect(cfg.tlsMode).toBe(TlsMode.DISABLED);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
       }
 
-      process.env.MASTER_BITGO_EXPRESS_DISABLE_TLS = 'false';
-      process.env.MTLS_ENABLED = 'true';
+      // Test with mTLS explicitly enabled
+      process.env.TLS_MODE = 'mtls';
       cfg = config();
       expect(isEnclavedConfig(cfg)).toBe(true);
       if (isEnclavedConfig(cfg)) {
         expect(cfg.tlsMode).toBe(TlsMode.MTLS);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
+        expect(cfg.tlsKey).toBe(mockTlsKey);
+        expect(cfg.tlsCert).toBe(mockTlsCert);
       }
-    });
 
-    it('should throw error when both TLS disabled and mTLS enabled', () => {
-      process.env.MASTER_BITGO_EXPRESS_DISABLE_TLS = 'true';
-      process.env.MTLS_ENABLED = 'true';
-      expect(() => config()).toThrow('Cannot have both TLS disabled and mTLS enabled');
+      // Test with invalid TLS mode
+      process.env.TLS_MODE = 'invalid';
+      expect(() => config()).toThrow('Invalid TLS_MODE: invalid');
+
+      // Test with no TLS mode (should default to MTLS)
+      delete process.env.TLS_MODE;
+      cfg = config();
+      expect(isEnclavedConfig(cfg)).toBe(true);
+      if (isEnclavedConfig(cfg)) {
+        expect(cfg.tlsMode).toBe(TlsMode.MTLS);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
+        expect(cfg.tlsKey).toBe(mockTlsKey);
+        expect(cfg.tlsCert).toBe(mockTlsCert);
+      }
     });
 
     it('should read mTLS settings from environment variables', () => {
-      process.env.MTLS_ENABLED = 'true';
       process.env.MTLS_REQUEST_CERT = 'true';
       process.env.MTLS_REJECT_UNAUTHORIZED = 'true';
       process.env.MTLS_ALLOWED_CLIENT_FINGERPRINTS = 'ABC123,DEF456';
@@ -82,8 +106,10 @@ describe('Configuration', () => {
       expect(isEnclavedConfig(cfg)).toBe(true);
       if (isEnclavedConfig(cfg)) {
         expect(cfg.mtlsRequestCert).toBe(true);
-        expect(cfg.mtlsRejectUnauthorized).toBe(true);
         expect(cfg.mtlsAllowedClientFingerprints).toEqual(['ABC123', 'DEF456']);
+        expect(cfg.kmsUrl).toBe('http://localhost:3000');
+        expect(cfg.tlsKey).toBe(mockTlsKey);
+        expect(cfg.tlsCert).toBe(mockTlsCert);
       }
     });
   });

src/config.ts

@@ -57,9 +57,22 @@ const defaultEnclavedConfig: EnclavedConfig = {
 };
 
 function determineTlsMode(): TlsMode {
-  const disableTls = readEnvVar('MASTER_BITGO_EXPRESS_DISABLE_TLS') === 'true';
-  if (disableTls) return TlsMode.DISABLED;
-  return TlsMode.MTLS;
+  const tlsMode = readEnvVar('TLS_MODE')?.toLowerCase();
+
+  if (!tlsMode) {
+    logger.warn('TLS_MODE not set, defaulting to MTLS. Set TLS_MODE=disabled to disable TLS.');
+    return TlsMode.MTLS;
+  }
+
+  if (tlsMode === 'disabled') {
+    return TlsMode.DISABLED;
+  }
+
+  if (tlsMode === 'mtls') {
+    return TlsMode.MTLS;
+  }
+
+  throw new Error(`Invalid TLS_MODE: ${tlsMode}. Must be either "disabled" or "mtls"`);
 }
 
 function enclavedEnvConfig(): Partial<EnclavedConfig> {
@@ -129,33 +142,36 @@ function configureEnclavedMode(): EnclavedConfig {
   const env = enclavedEnvConfig();
   let config = mergeEnclavedConfigs(env);
 
-  // Handle file loading for TLS certificates
-  if (!config.tlsKey && config.keyPath) {
-    try {
-      config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
-      logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
-    } catch (e) {
-      const err = e instanceof Error ? e : new Error(String(e));
-      throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
+  // Only load certificates if TLS is enabled
+  if (config.tlsMode !== TlsMode.DISABLED) {
+    // Handle file loading for TLS certificates
+    if (!config.tlsKey && config.keyPath) {
+      try {
+        config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
+        logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
+      } catch (e) {
+        const err = e instanceof Error ? e : new Error(String(e));
+        throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
+      }
+    } else if (config.tlsKey) {
+      logger.debug('Using TLS private key from environment variable');
     }
-  } else if (config.tlsKey) {
-    logger.debug('Using TLS private key from environment variable');
-  }
 
-  if (!config.tlsCert && config.crtPath) {
-    try {
-      config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
-      logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
-    } catch (e) {
-      const err = e instanceof Error ? e : new Error(String(e));
-      throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
+    if (!config.tlsCert && config.crtPath) {
+      try {
+        config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
+        logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
+      } catch (e) {
+        const err = e instanceof Error ? e : new Error(String(e));
+        throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
+      }
+    } else if (config.tlsCert) {
+      logger.debug('Using TLS certificate from environment variable');
     }
-  } else if (config.tlsCert) {
-    logger.debug('Using TLS certificate from environment variable');
-  }
 
-  // Validate that certificates are properly loaded when TLS is enabled
-  validateTlsCertificates(config);
+    // Validate that certificates are properly loaded when TLS is enabled
+    validateTlsCertificates(config);
+  }
 
   return config;
 }
@@ -289,32 +305,38 @@ export function configureMasterExpressMode(): MasterExpressConfig {
   }
   config = { ...config, ...updates };
 
-  // Handle file loading for TLS certificates
-  if (!config.tlsKey && config.keyPath) {
-    try {
-      config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
-      logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
-    } catch (e) {
-      const err = e instanceof Error ? e : new Error(String(e));
-      throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
+  // Only load certificates if TLS is enabled
+  if (config.tlsMode !== TlsMode.DISABLED) {
+    // Handle file loading for TLS certificates
+    if (!config.tlsKey && config.keyPath) {
+      try {
+        config = { ...config, tlsKey: fs.readFileSync(config.keyPath, 'utf-8') };
+        logger.info(`Successfully loaded TLS private key from file: ${config.keyPath}`);
+      } catch (e) {
+        const err = e instanceof Error ? e : new Error(String(e));
+        throw new Error(`Failed to read TLS key from keyPath: ${err.message}`);
+      }
+    } else if (config.tlsKey) {
+      logger.debug('Using TLS private key from environment variable');
     }
-  } else if (config.tlsKey) {
-    logger.debug('Using TLS private key from environment variable');
-  }
 
-  if (!config.tlsCert && config.crtPath) {
-    try {
-      config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
-      logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
-    } catch (e) {
-      const err = e instanceof Error ? e : new Error(String(e));
-      throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
+    if (!config.tlsCert && config.crtPath) {
+      try {
+        config = { ...config, tlsCert: fs.readFileSync(config.crtPath, 'utf-8') };
+        logger.info(`Successfully loaded TLS certificate from file: ${config.crtPath}`);
+      } catch (e) {
+        const err = e instanceof Error ? e : new Error(String(e));
+        throw new Error(`Failed to read TLS certificate from crtPath: ${err.message}`);
+      }
+    } else if (config.tlsCert) {
+      logger.debug('Using TLS certificate from environment variable');
     }
-  } else if (config.tlsCert) {
-    logger.debug('Using TLS certificate from environment variable');
+
+    // Validate that certificates are properly loaded when TLS is enabled
+    validateTlsCertificates(config);
   }
 
-  // Handle cert loading
+  // Handle cert loading for Enclaved Express (always required for Master Express)
   if (config.enclavedExpressCert) {
     try {
       if (fs.existsSync(config.enclavedExpressCert)) {
@@ -337,9 +359,6 @@ export function configureMasterExpressMode(): MasterExpressConfig {
     }
   }
 
-  // Validate that certificates are properly loaded when TLS is enabled
-  validateTlsCertificates(config);
-
   // Validate Master Express configuration
   validateMasterExpressConfig(config);
 

src/enclavedApp.ts

@@ -39,13 +39,6 @@ export function startup(config: EnclavedConfig, baseUri: string): () => void {
 
 function isTLS(config: EnclavedConfig): boolean {
   const { keyPath, crtPath, tlsKey, tlsCert, tlsMode } = config;
-  logger.debug('TLS Configuration:', {
-    tlsMode,
-    hasKeyPath: Boolean(keyPath),
-    hasCrtPath: Boolean(crtPath),
-    hasTlsKey: Boolean(tlsKey),
-    hasTlsCert: Boolean(tlsCert),
-  });
   if (tlsMode === TlsMode.DISABLED) return false;
   return Boolean((keyPath && crtPath) || (tlsKey && tlsCert));
 }

src/masterExpressApp.ts

@@ -49,13 +49,6 @@ export function startup(config: MasterExpressConfig, baseUri: string): () => voi
 
 function isTLS(config: MasterExpressConfig): boolean {
   const { keyPath, crtPath, tlsKey, tlsCert, tlsMode } = config;
-  logger.debug('TLS Configuration:', {
-    tlsMode,
-    hasKeyPath: Boolean(keyPath),
-    hasCrtPath: Boolean(crtPath),
-    hasTlsKey: Boolean(tlsKey),
-    hasTlsCert: Boolean(tlsCert),
-  });
   if (tlsMode === TlsMode.DISABLED) return false;
   return Boolean((keyPath && crtPath) || (tlsKey && tlsCert));
 }
@@ -159,13 +152,6 @@ function setupMasterExpressRoutes(app: express.Application, cfg: MasterExpressCo
   // Setup common health check routes
   setupHealthCheckRoutes(app, 'master express');
 
-  logger.debug('TLS Configuration:', {
-    tlsMode: cfg.tlsMode,
-    enclavedExpressUrl: cfg.enclavedExpressUrl,
-    hasCertificate: Boolean(cfg.enclavedExpressCert),
-    certificateLength: cfg.enclavedExpressCert.length,
-  });
-
   // Add enclaved express ping route
   app.post('/ping/enclavedExpress', async (req, res) => {
     try {