feat(aw): improve and organize mtls logs

pranavjain97 · pranavjain97 · commit e5a9dfcab6da · 2025-08-07T15:07:10.000-04:00
Ticket: WP-5523
diff --git a/src/advancedWalletManagerApp.ts b/src/advancedWalletManagerApp.ts
@@ -29,12 +29,29 @@ export function startup(config: AdvancedWalletManagerConfig, baseUri: string): (
   return () => {
     logger.info('Advanced Wallet Manager starting...');
     logger.info(`Base URI: ${baseUri}`);
-    logger.info(`mTLS Mode: ${config.tlsMode}`);
-    logger.info(`Allow Self-Signed Certificates: ${config.clientCertAllowSelfSigned}`);
     logger.info(`Port: ${config.port}`);
     logger.info(`Bind: ${config.bind}`);
     logger.info(`KMS URL: ${config.kmsUrl}`);
     logger.info(`Recovery Mode: ${config.recoveryMode}`);
+
+    // mTLS Configuration Section
+    logger.info('=== mTLS Configuration ===');
+    logger.info(`TLS Mode: ${config.tlsMode}`);
+    if (config.tlsMode === 'mtls') {
+      logger.info('Server Settings (incoming connections):');
+      logger.info(`  • Allow Self-Signed Client Certificates: ${config.allowSelfSigned}`);
+      if (config.mtlsAllowedClientFingerprints && config.mtlsAllowedClientFingerprints.length > 0) {
+        logger.info(
+          `  • Allowed Client Fingerprints: ${config.mtlsAllowedClientFingerprints.join(', ')}`,
+        );
+      }
+      logger.info('Client Settings (outbound to KMS):');
+      logger.info(
+        `  • Allow Self-Signed KMS Server Certificates: ${config.kmsServerCertAllowSelfSigned}`,
+      );
+    }
+    logger.info('========================');
+
     logger.info('Advanced Wallet Manager started successfully');
   };
 }
diff --git a/src/api/master/clients/advancedWalletManagerClient.ts b/src/api/master/clients/advancedWalletManagerClient.ts
@@ -260,7 +260,7 @@ export class AdvancedWalletManagerClient {
     // Build the type-safe API client
     this.apiClient = buildApiClient(requestFactory, AdvancedWalletManagerApiSpec);
 
-    logger.info('Advanced Wallet Manager initialized with URL: %s', this.baseUrl);
+    logger.info('✓ AWM Client initialized with URL: %s', this.baseUrl);
   }
 
   private createHttpsAgent(): https.Agent {
diff --git a/src/initConfig.ts b/src/initConfig.ts
@@ -161,19 +161,22 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
   const env = advancedWalletManagerEnvConfig();
   let config = mergeAkmConfigs(env);
 
+  // Certificate Loading Section
+  logger.info('=== Certificate Loading ===');
+
   // Only load certificates if TLS is enabled
   if (config.tlsMode !== TlsMode.DISABLED) {
     // Handle file loading for TLS certificates
     if (!config.serverTlsKey && config.serverTlsKeyPath) {
       try {
         config = { ...config, serverTlsKey: fs.readFileSync(config.serverTlsKeyPath, 'utf-8') };
-        logger.info(`Successfully loaded TLS private key from file: ${config.serverTlsKeyPath}`);
+        logger.info(`✓ TLS private key loaded from file: ${config.serverTlsKeyPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read TLS key from serverTlsKeyPath: ${err.message}`);
       }
     } else if (config.serverTlsKey) {
-      logger.info('Using TLS private key from environment variable');
+      logger.info('✓ TLS private key loaded from environment variable');
     }
 
     if (!config.serverTlsCert && config.serverTlsCertPath) {
@@ -182,13 +185,13 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
           ...config,
           serverTlsCert: fs.readFileSync(config.serverTlsCertPath, 'utf-8'),
         };
-        logger.info(`Successfully loaded TLS certificate from file: ${config.serverTlsCertPath}`);
+        logger.info(`✓ TLS certificate loaded from file: ${config.serverTlsCertPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read TLS certificate from serverTlsCertPath: ${err.message}`);
       }
     } else if (config.serverTlsCert) {
-      logger.info('Using TLS certificate from environment variable');
+      logger.info('✓ TLS certificate loaded from environment variable');
     }
 
     if (!config.kmsServerCaCertPath) {
@@ -197,9 +200,7 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
     if (config.kmsServerCaCertPath) {
       try {
         config.kmsServerCaCert = fs.readFileSync(config.kmsServerCaCertPath, 'utf-8');
-        logger.info(
-          `Successfully loaded KMS TLS certificate from file: ${config.kmsServerCaCertPath}`,
-        );
+        logger.info(`✓ KMS server CA certificate loaded from file: ${config.kmsServerCaCertPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read KMS TLS certificate from kmsTlsCert: ${err.message}`);
@@ -209,7 +210,7 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
     if (config.kmsClientTlsKeyPath) {
       try {
         config.kmsClientTlsKey = fs.readFileSync(config.kmsClientTlsKeyPath, 'utf-8');
-        logger.info(`Successfully loaded KMS client key from file: ${config.kmsClientTlsKeyPath}`);
+        logger.info(`✓ KMS client key loaded from file: ${config.kmsClientTlsKeyPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read KMS client key from kmsClientTlsKeyPath: ${err.message}`);
@@ -219,9 +220,7 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
     if (config.kmsClientTlsCertPath) {
       try {
         config.kmsClientTlsCert = fs.readFileSync(config.kmsClientTlsCertPath, 'utf-8');
-        logger.info(
-          `Successfully loaded KMS client cert from file: ${config.kmsClientTlsCertPath}`,
-        );
+        logger.info(`✓ KMS client certificate loaded from file: ${config.kmsClientTlsCertPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read KMS client cert from kmsClientTlsCertPath: ${err.message}`);
@@ -240,6 +239,8 @@ function configureAdvancedWalletManagaerMode(): AdvancedWalletManagerConfig {
     validateTlsCertificates(config);
   }
 
+  logger.info('==========================');
+
   return config;
 }
 
@@ -385,19 +386,22 @@ export function configureMasterExpressMode(): MasterExpressConfig {
   }
   config = { ...config, ...updates };
 
+  // Certificate Loading Section
+  logger.info('=== Certificate Loading ===');
+
   // Only load certificates if TLS is enabled
   if (config.tlsMode !== TlsMode.DISABLED) {
     // Handle file loading for TLS certificates
     if (!config.serverTlsKey && config.serverTlsKeyPath) {
       try {
         config = { ...config, serverTlsKey: fs.readFileSync(config.serverTlsKeyPath, 'utf-8') };
-        logger.info(`Successfully loaded TLS private key from file: ${config.serverTlsKeyPath}`);
+        logger.info(`✓ TLS private key loaded from file: ${config.serverTlsKeyPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read TLS key from serverTlsKeyPath: ${err.message}`);
       }
     } else if (config.serverTlsKey) {
-      logger.info('Using TLS private key from environment variable');
+      logger.info('✓ TLS private key loaded from environment variable');
     }
 
     if (!config.serverTlsCert && config.serverTlsCertPath) {
@@ -406,13 +410,13 @@ export function configureMasterExpressMode(): MasterExpressConfig {
           ...config,
           serverTlsCert: fs.readFileSync(config.serverTlsCertPath, 'utf-8'),
         };
-        logger.info(`Successfully loaded TLS certificate from file: ${config.serverTlsCertPath}`);
+        logger.info(`✓ TLS certificate loaded from file: ${config.serverTlsCertPath}`);
       } catch (e) {
         const err = e instanceof Error ? e : new Error(String(e));
         throw new Error(`Failed to read TLS certificate from serverTlsCertPath: ${err.message}`);
       }
     } else if (config.serverTlsCert) {
-      logger.info('Using TLS certificate from environment variable');
+      logger.info('✓ TLS certificate loaded from environment variable');
     }
 
     // Validate that certificates are properly loaded when TLS is enabled
@@ -428,7 +432,7 @@ export function configureMasterExpressMode(): MasterExpressConfig {
           awmServerCaCert: fs.readFileSync(config.awmServerCaCertPath, 'utf-8'),
         };
         logger.info(
-          `Successfully loaded Advanced Wallet Manager certificate from file: ${config.awmServerCaCertPath?.substring(
+          `✓ AWM server CA certificate loaded from file: ${config.awmServerCaCertPath?.substring(
             0,
             50,
           )}...`,
@@ -445,7 +449,7 @@ export function configureMasterExpressMode(): MasterExpressConfig {
   if (config.awmClientTlsKeyPath) {
     try {
       config.awmClientTlsKey = fs.readFileSync(config.awmClientTlsKeyPath, 'utf-8');
-      logger.info(`Successfully loaded AWM client key from file: ${config.awmClientTlsKeyPath}`);
+      logger.info(`✓ AWM client key loaded from file: ${config.awmClientTlsKeyPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read AWM client key from awmClientTlsKeyPath: ${err.message}`);
@@ -455,13 +459,15 @@ export function configureMasterExpressMode(): MasterExpressConfig {
   if (config.awmClientTlsCertPath) {
     try {
       config.awmClientTlsCert = fs.readFileSync(config.awmClientTlsCertPath, 'utf-8');
-      logger.info(`Successfully loaded AWM client cert from file: ${config.awmClientTlsCertPath}`);
+      logger.info(`✓ AWM client certificate loaded from file: ${config.awmClientTlsCertPath}`);
     } catch (e) {
       const err = e instanceof Error ? e : new Error(String(e));
       throw new Error(`Failed to read AWM client cert from awmClientTlsCertPath: ${err.message}`);
     }
   }
 
+  logger.info('==========================');
+
   // Fallback to server certs if client certs are not provided
   if (!config.awmClientTlsKey) {
     config.awmClientTlsKey = config.serverTlsKey;
diff --git a/src/masterBitGoExpressApp.ts b/src/masterBitGoExpressApp.ts
@@ -24,11 +24,29 @@ export function startup(config: MasterExpressConfig, baseUri: string): () => voi
   return () => {
     logger.info('Master Express server starting...');
     logger.info(`Base URI: ${baseUri}`);
-    logger.info(`TLS Mode: ${config.tlsMode}`);
     logger.info(`Port: ${config.port}`);
     logger.info(`Bind: ${config.bind}`);
     logger.info(`Recovery Mode: ${config.recoveryMode}`);
     logger.info(`Advanced Wallet Manager URL: ${config.advancedWalletManagerUrl}`);
+
+    // mTLS Configuration Section
+    logger.info('=== mTLS Configuration ===');
+    logger.info(`TLS Mode: ${config.tlsMode}`);
+    if (config.tlsMode === 'mtls') {
+      logger.info('Server Settings (incoming connections):');
+      logger.info(`  • Allow Self-Signed Client Certificates: ${config.allowSelfSigned}`);
+      if (config.mtlsAllowedClientFingerprints && config.mtlsAllowedClientFingerprints.length > 0) {
+        logger.info(
+          `  • Allowed Client Fingerprints: ${config.mtlsAllowedClientFingerprints.join(', ')}`,
+        );
+      }
+      logger.info('Client Settings (outbound to AWM):');
+      logger.info(
+        `  • Allow Self-Signed AWM Server Certificates: ${config.awmServerCertAllowSelfSigned}`,
+      );
+    }
+    logger.info('========================');
+
     logger.info('Master Express server started successfully');
   };
 }
diff --git a/src/masterExpressApp.ts b/src/masterExpressApp.ts
@@ -24,10 +24,28 @@ export function startup(config: MasterExpressConfig, baseUri: string): () => voi
   return () => {
     logger.info('Master Express server starting...');
     logger.info(`Base URI: ${baseUri}`);
-    logger.info(`TLS Mode: ${config.tlsMode}`);
     logger.info(`Port: ${config.port}`);
     logger.info(`Bind: ${config.bind}`);
     logger.info(`Advanced Wallet Manager URL: ${config.advancedWalletManagerUrl}`);
+
+    // mTLS Configuration Section
+    logger.info('=== mTLS Configuration ===');
+    logger.info(`TLS Mode: ${config.tlsMode}`);
+    if (config.tlsMode === 'mtls') {
+      logger.info('Server Settings (incoming connections):');
+      logger.info(`  • Allow Self-Signed Client Certificates: ${config.allowSelfSigned}`);
+      if (config.mtlsAllowedClientFingerprints && config.mtlsAllowedClientFingerprints.length > 0) {
+        logger.info(
+          `  • Allowed Client Fingerprints: ${config.mtlsAllowedClientFingerprints.join(', ')}`,
+        );
+      }
+      logger.info('Client Settings (outbound to AWM):');
+      logger.info(
+        `  • Allow Self-Signed AWM Server Certificates: ${config.awmServerCertAllowSelfSigned}`,
+      );
+    }
+    logger.info('========================');
+
     logger.info('Master Express server started successfully');
   };
 }

Original file line number	Diff line number	Diff line change
`@@ -260,7 +260,7 @@ export class AdvancedWalletManagerClient {`
`260`	`260`	`// Build the type-safe API client`
`261`	`261`	`this.apiClient = buildApiClient(requestFactory, AdvancedWalletManagerApiSpec);`
`262`	`262`
`263`		`- logger.info('Advanced Wallet Manager initialized with URL: %s', this.baseUrl);`
	`263`	`+ logger.info('✓ AWM Client initialized with URL: %s', this.baseUrl);`
`264`	`264`	`}`
`265`	`265`
`266`	`266`	`private createHttpsAgent(): https.Agent {`