feat: convert external key manager feature flag to runtime config with enum-based validation pattern (#155)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>

Author: itsharshvb

Cargo.toml

@@ -9,17 +9,15 @@ rust-version = "1.85"
 
 [features]
 default = ["caching"]
-release = ["kms-aws", "middleware", "key_custodian", "limit", "kms-hashicorp-vault", "caching", "external_key_manager_mtls"]
-dev = ["kms-aws", "middleware", "key_custodian", "limit", "kms-hashicorp-vault", "caching"]
+release = ["kms-aws", "middleware", "key_custodian", "limit", "kms-hashicorp-vault", "caching", "external_key_manager"]
 kms-aws = ["dep:aws-config", "dep:aws-sdk-kms"]
 kms-hashicorp-vault = ["dep:vaultrs"]
 limit = []
 middleware = []
 key_custodian = []
 caching = ["dep:moka"]
 console = ["tokio/tracing", "dep:console-subscriber"]
-external_key_manager = []
-external_key_manager_mtls = ["external_key_manager", "reqwest/rustls-tls"]
+external_key_manager = ["reqwest/rustls-tls"]
 
 [dependencies]
 async-trait = "0.1.81"

config.example.toml config/config.example.tomlconfig.example.toml renamed to config/config.example.toml

@@ -69,7 +69,17 @@ client_idle_timeout = 90    # timeout for idle sockets being kept-alive
 pool_max_idle_per_host = 10 # maximum idle connection per host allowed in the pool.
 identity = ""               # identity to be used for client certificate authentication in mtls.
 
-# Configuration for the external Key Manager Service
+# External key manager configuration
 [external_key_manager]
-url = "http://localhost:5000" # URL of the encryption service
-cert = ""                     # Represents a server X509 certificate for mtls
+mode = "disabled"  # Options: "disabled", "enabled", "enabled_with_mtls"
+
+# Required when mode is "enabled" or "enabled_with_mtls"
+# url = "https://external-key-manager.example.com"
+
+# Required when mode is "enabled_with_mtls"
+# ca_cert = """
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# """
+

config/development.toml

@@ -29,4 +29,4 @@ locker_private_key = ""
 public = { master_key = "feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308", public_key = "", schema = "public" }
 
 [external_key_manager]
-url = "http://localhost:5000"
+mode = "disabled"

src/api_client.rs

@@ -1,11 +1,13 @@
 use std::str::FromStr;
 
+#[cfg(feature = "external_key_manager")]
+use crate::config::ExternalKeyManagerConfig;
 use crate::{
     config::GlobalConfig,
     error::{self, ResultContainerExt},
 };
 use masking::Maskable;
-#[cfg(feature = "external_key_manager_mtls")]
+#[cfg(feature = "external_key_manager")]
 use masking::PeekInterface;
 use reqwest::StatusCode;
 use reqwest::{
@@ -51,10 +53,29 @@ pub struct ApiClientConfig {
     pub client_idle_timeout: u64,
     pub pool_max_idle_per_host: usize,
     // KMS encrypted
-    #[cfg(feature = "external_key_manager_mtls")]
+    #[cfg(feature = "external_key_manager")]
     pub identity: masking::Secret<String>,
 }
 
+impl ApiClientConfig {
+    #[cfg(feature = "external_key_manager")]
+    pub fn validate_for_mtls(
+        &self,
+        external_key_manager_config: &ExternalKeyManagerConfig,
+    ) -> Result<(), crate::error::ConfigurationError> {
+        // Only validate if external key manager is enabled with mTLS
+        if external_key_manager_config.is_mtls_enabled() && self.identity.peek().is_empty() {
+            return Err(
+                crate::error::ConfigurationError::InvalidConfigurationValueError(
+                    "api_client.identity is required when mTLS is enabled".into(),
+                ),
+            );
+        }
+
+        Ok(())
+    }
+}
+
 #[derive(Clone)]
 pub struct ApiClient {
     pub inner: reqwest::Client,
@@ -80,24 +101,36 @@ impl ApiClient {
             ))
             .pool_max_idle_per_host(global_config.api_client.pool_max_idle_per_host);
 
-        #[cfg(feature = "external_key_manager_mtls")]
+        #[cfg(feature = "external_key_manager")]
         {
-            let client_identity =
-                reqwest::Identity::from_pem(global_config.api_client.identity.peek().as_ref())
-                    .change_error(error::ApiClientError::IdentityParseFailed)?;
-
-            let external_key_manager_cert = reqwest::Certificate::from_pem(
-                global_config.external_key_manager.cert.peek().as_ref(),
-            )
-            .change_error(error::ApiClientError::CertificateParseFailed {
-                service: "external_key_manager",
-            })?;
-
-            client = client
-                .use_rustls_tls()
-                .identity(client_identity)
-                .add_root_certificate(external_key_manager_cert)
-                .https_only(true);
+            // mTLS-specific configuration
+            if global_config.external_key_manager.is_mtls_enabled() {
+                let client_identity =
+                    reqwest::Identity::from_pem(global_config.api_client.identity.peek().as_ref())
+                        .change_error(error::ApiClientError::IdentityParseFailed)?;
+
+                let ca_cert = global_config
+                    .external_key_manager
+                    .get_ca_cert()
+                    .ok_or_else(|| {
+                        error::ApiClientError::MissingConfigurationError(
+                            "CA certificate not configured for mTLS",
+                        )
+                    })?;
+
+                let key_manager_ca_cert = reqwest::Certificate::from_pem(ca_cert.peek().as_ref())
+                    .change_error(
+                    error::ApiClientError::CertificateParseFailed {
+                        service: "external_key_manager",
+                    },
+                )?;
+
+                client = client
+                    .use_rustls_tls()
+                    .identity(client_identity)
+                    .add_root_certificate(key_manager_ca_cert)
+                    .https_only(true);
+            }
         }
 
         let client = client

src/app.rs

@@ -113,7 +113,15 @@ where
         );
 
     // v2 routes
-    let router = router.nest(
+    #[cfg_attr(
+        all(
+            not(feature = "middleware"),
+            not(feature = "external_key_manager"),
+            not(feature = "key_custodian")
+        ),
+        allow(unused_mut)
+    )]
+    let mut router = router.nest(
         "/api/v2/vault",
         axum::Router::new()
             .route("/delete", post(routes_v2::data::delete_data))
@@ -126,16 +134,28 @@ where
     );
 
     #[cfg(feature = "middleware")]
-    let router = router.layer(middleware::from_fn_with_state(
-        global_app_state.clone(),
-        custom_middleware::middleware,
-    ));
+    {
+        router = router.layer(middleware::from_fn_with_state(
+            global_app_state.clone(),
+            custom_middleware::middleware,
+        ));
+    }
 
     #[cfg(feature = "external_key_manager")]
-    let router = router.route("/key/transfer", post(routes::key_migration::transfer_keys));
+    {
+        if global_app_state
+            .global_config
+            .external_key_manager
+            .is_external()
+        {
+            router = router.route("/key/transfer", post(routes::key_migration::transfer_keys));
+        }
+    }
 
     #[cfg(feature = "key_custodian")]
-    let router = router.nest("/custodian", routes::key_custodian::serve());
+    {
+        router = router.nest("/custodian", routes::key_custodian::serve());
+    }
 
     let router = router.layer(
         tower_trace::TraceLayer::new_for_http()

src/bin/locker.rs

@@ -3,10 +3,6 @@ use tartarus::{logger, tenant::GlobalAppState};
 #[allow(clippy::expect_used)]
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    if cfg!(feature = "dev") {
-        eprintln!("This is a dev build, not for production use");
-    }
-
     let mut global_config =
         tartarus::config::GlobalConfig::new().expect("Failed while parsing config");