chore(mbe, awm): seperate allowSelfSigned cert's

pranavjain97 · pranavjain97 · commit ff329e240659 · 2025-08-06T15:23:17.000-04:00
Ticket: WP-5522
diff --git a/src/api/master/clients/advancedWalletManagerClient.ts b/src/api/master/clients/advancedWalletManagerClient.ts
@@ -239,16 +239,18 @@ export class AdvancedWalletManagerClient {
     }
     if (
       cfg.tlsMode === TlsMode.MTLS &&
-      (!cfg.tlsKey || !cfg.tlsCert || !cfg.advancedWalletManagerUrl)
+      (!cfg.tlsKey || !cfg.tlsCert || !cfg.advancedWalletManagerCert)
     ) {
-      throw new Error('tlsKey and tlsCert are required for mTLS communication');
+      throw new Error(
+        'tlsKey, tlsCert and advancedWalletManagerCert are required for mTLS communication',
+      );
     }
 
     this.baseUrl = cfg.advancedWalletManagerUrl;
-    this.advancedWalletManagerCert = cfg.advancedWalletManagerCert;
+    this.advancedWalletManagerCert = cfg.advancedWalletManagerCert as string;
     this.tlsKey = cfg.tlsKey;
     this.tlsCert = cfg.tlsCert;
-    this.allowSelfSigned = cfg.allowSelfSigned ?? false;
+    this.allowSelfSigned = cfg.advancedWalletManagerAllowSelfSigned ?? false;
     this.coin = coin;
     this.tlsMode = cfg.tlsMode;
 
diff --git a/src/initConfig.ts b/src/initConfig.ts
@@ -103,6 +103,7 @@ function advancedWalletManagerEnvConfig(): Partial<AdvancedWalletManagerConfig>
     // KMS settings
     kmsUrl,
     kmsTlsCertPath: readEnvVar('KMS_TLS_CERT_PATH'),
+    kmsAllowSelfSigned: readEnvVar('KMS_ALLOW_SELF_SIGNED') === 'true',
     // mTLS settings
     keyPath: readEnvVar('TLS_KEY_PATH'),
     crtPath: readEnvVar('TLS_CERT_PATH'),
@@ -137,6 +138,8 @@ function mergeAkmConfigs(
     headersTimeout: get('headersTimeout'),
     kmsUrl: get('kmsUrl'),
     kmsTlsCertPath: get('kmsTlsCertPath'),
+    kmsTlsCert: get('kmsTlsCert'),
+    kmsAllowSelfSigned: get('kmsAllowSelfSigned'),
     keyPath: get('keyPath'),
     crtPath: get('crtPath'),
     tlsKey: get('tlsKey'),
@@ -230,6 +233,8 @@ function determineProtocol(url: string, tlsMode: TlsMode, isBitGo = false): stri
 function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
   const advancedWalletManagerUrl = readEnvVar('ADVANCED_WALLET_MANAGER_URL');
   const advancedWalletManagerCert = readEnvVar('ADVANCED_WALLET_MANAGER_CERT');
+  const advancedWalletManagerAllowSelfSigned =
+    readEnvVar('ADVANCED_WALLET_MANAGER_ALLOW_SELF_SIGNED') === 'true';
   const tlsMode = determineTlsMode();
 
   if (!advancedWalletManagerUrl) {
@@ -262,6 +267,7 @@ function masterExpressEnvConfig(): Partial<MasterExpressConfig> {
     authVersion: Number(readEnvVar('BITGO_AUTH_VERSION')),
     advancedWalletManagerUrl: advancedWalletManagerUrl,
     advancedWalletManagerCert: advancedWalletManagerCert,
+    advancedWalletManagerAllowSelfSigned,
     customBitcoinNetwork: readEnvVar('BITGO_CUSTOM_BITCOIN_NETWORK'),
     // mTLS settings
     keyPath: readEnvVar('TLS_KEY_PATH'),
@@ -301,6 +307,7 @@ function mergeMasterExpressConfigs(
     authVersion: get('authVersion'),
     advancedWalletManagerUrl: get('advancedWalletManagerUrl'),
     advancedWalletManagerCert: get('advancedWalletManagerCert'),
+    advancedWalletManagerAllowSelfSigned: get('advancedWalletManagerAllowSelfSigned'),
     customBitcoinNetwork: get('customBitcoinNetwork'),
     keyPath: get('keyPath'),
     crtPath: get('crtPath'),
@@ -371,7 +378,7 @@ export function configureMasterExpressMode(): MasterExpressConfig {
           advancedWalletManagerCert: fs.readFileSync(config.advancedWalletManagerCert, 'utf-8'),
         };
         logger.info(
-          `Successfully loaded Advanced Wallet Manager certificate from file: ${config.advancedWalletManagerCert.substring(
+          `Successfully loaded Advanced Wallet Manager certificate from file: ${config.advancedWalletManagerCert?.substring(
             0,
             50,
           )}...`,
diff --git a/src/kms/kmsClient.ts b/src/kms/kmsClient.ts
@@ -35,11 +35,12 @@ export class KmsClient {
     const kmsUrlObj = new URL(cfg.kmsUrl);
     if (cfg.tlsMode === TlsMode.MTLS) {
       kmsUrlObj.protocol = 'https:';
-      if (cfg.kmsTlsCert) {
+      if (cfg.kmsTlsCert || cfg.kmsAllowSelfSigned) {
         this.agent = new https.Agent({
           ca: cfg.kmsTlsCert,
           cert: cfg.tlsCert,
           key: cfg.tlsKey,
+          rejectUnauthorized: !cfg.kmsAllowSelfSigned,
         });
       }
     } else {
diff --git a/src/shared/types/index.ts b/src/shared/types/index.ts
@@ -30,6 +30,7 @@ export interface AdvancedWalletManagerConfig extends BaseConfig {
   kmsUrl: string;
   kmsTlsCertPath?: string;
   kmsTlsCert?: string;
+  kmsAllowSelfSigned?: boolean;
   // mTLS settings
   keyPath?: string;
   crtPath?: string;
@@ -49,7 +50,8 @@ export interface MasterExpressConfig extends BaseConfig {
   disableEnvCheck?: boolean;
   authVersion?: number;
   advancedWalletManagerUrl: string;
-  advancedWalletManagerCert: string;
+  advancedWalletManagerCert?: string;
+  advancedWalletManagerAllowSelfSigned?: boolean;
   customBitcoinNetwork?: string;
   // mTLS settings
   keyPath?: string;
