BitGo
diff --git a/‎src/__tests__/api/master/awmBackupClient.test.ts‎
Lines changed: 132 additions & 0 deletions b/‎src/__tests__/api/master/awmBackupClient.test.ts‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎src/__tests__/api/master/generateWallet.test.ts‎
Lines changed: 122 additions & 0 deletions b/‎src/__tests__/api/master/generateWallet.test.ts‎
Lines changed: 122 additions & 0 deletions
diff --git a/‎src/__tests__/config.test.ts‎
Lines changed: 71 additions & 0 deletions b/‎src/__tests__/config.test.ts‎
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,132 @@
+import 'should';
+import { AppMode, MasterExpressConfig, TlsMode } from '../../../shared/types';
+import {
+  createawmClient,
+  createAwmBackupClient,
+} from '../../../masterBitgoExpress/clients/advancedWalletManagerClient';
+
+describe('AWM Backup Client', () => {
+  const baseConfig: MasterExpressConfig = {
+    appMode: AppMode.MASTER_EXPRESS,
+    port: 3081,
+    bind: 'localhost',
+    timeout: 60000,
+    httpLoggerFile: '',
+    env: 'test',
+    disableEnvCheck: true,
+    authVersion: 2,
+    advancedWalletManagerUrl: 'http://primary-awm.invalid',
+    awmServerCaCert: 'dummy-cert',
+    tlsMode: TlsMode.DISABLED,
+    clientCertAllowSelfSigned: true,
+  };
+
+  describe('createAwmBackupClient', () => {
+    it('should return undefined when no backup URL is configured', () => {
+      const result = createAwmBackupClient(baseConfig, 'tbtc');
+      (result === undefined).should.be.true();
+    });
+
+    it('should create a client when backup URL is configured', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        advancedWalletManagerBackupUrl: 'http://backup-awm.invalid',
+      };
+      const result = createAwmBackupClient(config, 'tbtc');
+      (result !== undefined).should.be.true();
+    });
+
+    it('should create a client pointing to the backup URL, not the primary', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        advancedWalletManagerBackupUrl: 'http://backup-awm.invalid',
+      };
+      const backupClient = createAwmBackupClient(config, 'tbtc');
+      const primaryClient = createawmClient(config, 'tbtc');
+
+      // Both clients should exist
+      (backupClient !== undefined).should.be.true();
+      (primaryClient !== undefined).should.be.true();
+
+      // They should be different instances
+      (backupClient !== primaryClient).should.be.true();
+    });
+
+    it('should fall back to primary certs when backup-specific certs are not set', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        tlsMode: TlsMode.MTLS,
+        advancedWalletManagerBackupUrl: 'https://backup-awm.invalid',
+        awmServerCaCert: 'primary-ca-cert',
+        awmClientTlsKey: 'primary-client-key',
+        awmClientTlsCert: 'primary-client-cert',
+        // No backup-specific certs set — should fall back to primary
+      };
+      const result = createAwmBackupClient(config, 'tbtc');
+      // Should succeed using the primary certs as fallback
+      (result !== undefined).should.be.true();
+    });
+
+    it('should use backup-specific certs when provided', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        tlsMode: TlsMode.MTLS,
+        advancedWalletManagerBackupUrl: 'https://backup-awm.invalid',
+        awmServerCaCert: 'primary-ca-cert',
+        awmClientTlsKey: 'primary-client-key',
+        awmClientTlsCert: 'primary-client-cert',
+        awmBackupServerCaCert: 'backup-ca-cert',
+        awmBackupClientTlsKey: 'backup-client-key',
+        awmBackupClientTlsCert: 'backup-client-cert',
+      };
+      const result = createAwmBackupClient(config, 'tbtc');
+      (result !== undefined).should.be.true();
+    });
+
+    it('should return undefined when backup URL is set but mTLS certs are missing', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        tlsMode: TlsMode.MTLS,
+        advancedWalletManagerBackupUrl: 'https://backup-awm.invalid',
+        // No certs at all — constructor should throw, factory should catch and return undefined
+        awmServerCaCert: undefined as any,
+        awmClientTlsKey: undefined,
+        awmClientTlsCert: undefined,
+      };
+      const result = createAwmBackupClient(config, 'tbtc');
+      (result === undefined).should.be.true();
+    });
+  });
+
+  describe('fallback behavior in middleware', () => {
+    it('should use primary client for both user and backup when no backup URL is set', () => {
+      const primaryClient = createawmClient(baseConfig, 'tbtc');
+      const backupClient = createAwmBackupClient(baseConfig, 'tbtc');
+
+      (primaryClient !== undefined).should.be.true();
+      // No backup URL → backup client is undefined → middleware falls back to primary
+      (backupClient === undefined).should.be.true();
+
+      // Middleware would do: awmBackupClient = backupClient ?? primaryClient
+      const effectiveBackupClient = backupClient ?? primaryClient;
+      (effectiveBackupClient === primaryClient).should.be.true();
+    });
+
+    it('should use separate client for backup when backup URL is set', () => {
+      const config: MasterExpressConfig = {
+        ...baseConfig,
+        advancedWalletManagerBackupUrl: 'http://backup-awm.invalid',
+      };
+      const primaryClient = createawmClient(config, 'tbtc');
+      const backupClient = createAwmBackupClient(config, 'tbtc');
+
+      (primaryClient !== undefined).should.be.true();
+      (backupClient !== undefined).should.be.true();
+
+      // Middleware would do: awmBackupClient = backupClient ?? primaryClient
+      const effectiveBackupClient = backupClient ?? primaryClient;
+      (effectiveBackupClient === backupClient).should.be.true();
+      (effectiveBackupClient !== primaryClient).should.be.true();
+    });
+  });
+});
@@ -112,6 +112,128 @@ describe('POST /api/v1/:coin/advancedwallet/generate', () => {
     sinon.restore();
   });
 
+  it('should generate an onchain wallet with separate backup AWM (separate-HSM mode)', async () => {
+    const backupAwmUrl = 'http://backup-awm.invalid';
+
+    // Override middleware to inject a separate backup client
+    sinon.restore();
+    const backupBitgo = new BitGoAPI({ env: 'test' });
+    const configWithBackup: MasterExpressConfig = {
+      appMode: AppMode.MASTER_EXPRESS,
+      port: 0,
+      bind: 'localhost',
+      timeout: 60000,
+      httpLoggerFile: '',
+      env: 'test',
+      disableEnvCheck: true,
+      authVersion: 2,
+      advancedWalletManagerUrl: advancedWalletManagerUrl,
+      advancedWalletManagerBackupUrl: backupAwmUrl,
+      awmServerCaCert: 'dummy-cert',
+      tlsMode: TlsMode.DISABLED,
+      clientCertAllowSelfSigned: true,
+    };
+
+    sinon.stub(middleware, 'prepareBitGo').callsFake(() => (req, res, next) => {
+      (req as BitGoRequest<MasterExpressConfig>).bitgo = backupBitgo;
+      (req as BitGoRequest<MasterExpressConfig>).config = configWithBackup;
+      next();
+    });
+
+    const app = expressApp(configWithBackup);
+    const backupAgent = request.agent(app);
+
+    // User keychain goes to primary AWM
+    const userKeychainNock = nock(advancedWalletManagerUrl)
+      .post(`/api/${coin}/key/independent`, {
+        source: 'user',
+      })
+      .reply(200, {
+        pub: 'xpub_user',
+        source: 'user',
+        type: 'independent',
+      });
+
+    // Backup keychain goes to backup AWM
+    const backupKeychainNock = nock(backupAwmUrl)
+      .post(`/api/${coin}/key/independent`, {
+        source: 'backup',
+      })
+      .reply(200, {
+        pub: 'xpub_backup',
+        source: 'backup',
+        type: 'independent',
+      });
+
+    const bitgoAddUserKeyNock = nock(bitgoApiUrl)
+      .post(`/api/v2/${coin}/key`, {
+        pub: 'xpub_user',
+        keyType: 'independent',
+        source: 'user',
+      })
+      .matchHeader('any', () => true)
+      .reply(200, { id: 'user-key-id', pub: 'xpub_user' });
+
+    const bitgoAddBackupKeyNock = nock(bitgoApiUrl)
+      .post(`/api/v2/${coin}/key`, {
+        pub: 'xpub_backup',
+        keyType: 'independent',
+        source: 'backup',
+      })
+      .matchHeader('any', () => true)
+      .reply(200, { id: 'backup-key-id', pub: 'xpub_backup' });
+
+    const bitgoAddBitGoKeyNock = nock(bitgoApiUrl)
+      .post(`/api/v2/${coin}/key`, {
+        source: 'bitgo',
+        keyType: 'independent',
+        enterprise: 'test_enterprise',
+      })
+      .reply(200, {
+        id: 'bitgo-key-id',
+        pub: 'xpub_bitgo',
+        source: 'bitgo',
+        type: 'independent',
+        isBitGo: true,
+        isTrust: false,
+        hsmType: 'institutional',
+      });
+
+    const bitgoAddWalletNock = nock(bitgoApiUrl)
+      .post(`/api/v2/${coin}/wallet/add`)
+      .matchHeader('any', () => true)
+      .reply(
+        200,
+        mockWalletResponse('new-wallet-id', coin, {
+          isCold: true,
+          pendingApprovals: [],
+          multisigType: 'onchain',
+          type: 'advanced',
+        }),
+      );
+
+    const response = await backupAgent
+      .post(`/api/v1/${coin}/advancedwallet/generate`)
+      .set('Authorization', `Bearer ${accessToken}`)
+      .send({
+        label: 'test_wallet',
+        enterprise: 'test_enterprise',
+        multisigType: 'onchain',
+      });
+
+    response.status.should.equal(200);
+    response.body.should.have.property('wallet');
+
+    // Verify user keychain went to primary AWM
+    userKeychainNock.done();
+    // Verify backup keychain went to backup AWM (separate HSM)
+    backupKeychainNock.done();
+    bitgoAddUserKeyNock.done();
+    bitgoAddBackupKeyNock.done();
+    bitgoAddBitGoKeyNock.done();
+    bitgoAddWalletNock.done();
+  });
+
   it('should generate a wallet by calling the advanced wallet manager service', async () => {
     const userKeychainNock = nock(advancedWalletManagerUrl)
       .post(`/api/${coin}/key/independent`, {
 
@@ -53,6 +53,12 @@ describe('Configuration', () => {
     delete process.env.AWM_CLIENT_TLS_CERT_PATH;
     delete process.env.KMS_SERVER_CA_CERT_PATH;
     delete process.env.RECOVERY_MODE;
+    delete process.env.ADVANCED_WALLET_MANAGER_BACKUP_URL;
+    delete process.env.AWM_BACKUP_SERVER_CA_CERT_PATH;
+    delete process.env.AWM_BACKUP_CLIENT_TLS_KEY_PATH;
+    delete process.env.AWM_BACKUP_CLIENT_TLS_CERT_PATH;
+    delete process.env.AWM_BACKUP_CLIENT_TLS_KEY;
+    delete process.env.AWM_BACKUP_CLIENT_TLS_CERT;
   });
 
   after(() => {
@@ -432,5 +438,70 @@ describe('Configuration', () => {
         cfg.httpLoggerFile.should.equal('/tmp/test-http-access.log');
       }
     });
+
+    it('should not set backup URL when ADVANCED_WALLET_MANAGER_BACKUP_URL is not set', () => {
+      const cfg = initConfig();
+      isMasterExpressConfig(cfg).should.be.true();
+      if (isMasterExpressConfig(cfg)) {
+        (cfg.advancedWalletManagerBackupUrl === undefined).should.be.true();
+      }
+    });
+
+    it('should read and protocol-process backup URL when configured', () => {
+      process.env.ADVANCED_WALLET_MANAGER_BACKUP_URL = 'backup-awm.example.com:3080';
+      process.env.AWM_BACKUP_SERVER_CA_CERT_PATH = path.resolve(
+        __dirname,
+        'mocks/certs/advanced-wallet-manager-cert.pem',
+      );
+      const cfg = initConfig();
+      isMasterExpressConfig(cfg).should.be.true();
+      if (isMasterExpressConfig(cfg)) {
+        cfg.advancedWalletManagerBackupUrl!.should.equal('https://backup-awm.example.com:3080');
+      }
+    });
+
+    it('should use http protocol for backup URL when TLS is disabled', () => {
+      process.env.TLS_MODE = 'disabled';
+      delete process.env.AWM_SERVER_CA_CERT_PATH;
+      delete process.env.SERVER_TLS_KEY_PATH;
+      delete process.env.SERVER_TLS_CERT_PATH;
+      process.env.ADVANCED_WALLET_MANAGER_BACKUP_URL = 'backup-awm.example.com:3080';
+      const cfg = initConfig();
+      isMasterExpressConfig(cfg).should.be.true();
+      if (isMasterExpressConfig(cfg)) {
+        cfg.advancedWalletManagerBackupUrl!.should.equal('http://backup-awm.example.com:3080');
+      }
+    });
+
+    it('should throw error when backup URL is set without AWM_BACKUP_SERVER_CA_CERT_PATH in MTLS mode', () => {
+      process.env.ADVANCED_WALLET_MANAGER_BACKUP_URL = 'https://backup-awm.example.com:3080';
+      (() => initConfig()).should.throw(
+        'AWM_BACKUP_SERVER_CA_CERT_PATH environment variable is required for MTLS mode when provisioning a backup AWM URL.',
+      );
+    });
+
+    it('should load backup server CA cert from file', () => {
+      process.env.ADVANCED_WALLET_MANAGER_BACKUP_URL = 'backup-awm.example.com:3080';
+      process.env.AWM_BACKUP_SERVER_CA_CERT_PATH = path.resolve(
+        __dirname,
+        'mocks/certs/advanced-wallet-manager-cert.pem',
+      );
+      const cfg = initConfig();
+      isMasterExpressConfig(cfg).should.be.true();
+      if (isMasterExpressConfig(cfg)) {
+        cfg.awmBackupServerCaCert!.should.be.a.String();
+        cfg.awmBackupServerCaCert!.length.should.be.greaterThan(0);
+      }
+    });
+
+    it('should not require backup cert paths when backup URL is not set in MTLS mode', () => {
+      // This verifies backward compatibility — no backup URL means no backup cert validation
+      const cfg = initConfig();
+      isMasterExpressConfig(cfg).should.be.true();
+      if (isMasterExpressConfig(cfg)) {
+        (cfg.advancedWalletManagerBackupUrl === undefined).should.be.true();
+        (cfg.awmBackupServerCaCert === undefined).should.be.true();
+      }
+    });
   });
 });