feat(sdk-core): added OFC BitGo signing on trading accounts object

Ticket: WCN-217-1

Author: alextse-bg

modules/sdk-core/src/bitgo/trading/iTradingAccount.ts

@@ -2,7 +2,7 @@ import { ITradingNetwork } from './network';
 
 export interface SignPayloadParameters {
   payload: string | Record<string, unknown>;
-  walletPassphrase: string;
+  walletPassphrase?: string;
 }
 
 export interface ITradingAccount {

modules/sdk-core/src/bitgo/trading/tradingAccount.ts

@@ -23,13 +23,47 @@ export class TradingAccount implements ITradingAccount {
   }
 
   /**
-   * Signs an arbitrary payload with the user key on this trading account
+   * Signs an arbitrary payload. Use the user key if passphrase is provided, or the BitGo key if not.
    * @param params
    * @param params.payload arbitrary payload object (string | Record<string, unknown>)
    * @param params.walletPassphrase passphrase on this trading account, used to unlock the account user key
    * @returns hex-encoded signature of the payload
    */
   async signPayload(params: SignPayloadParameters): Promise<string> {
+    // if no passphrase is provided, attempt to sign using the wallet's bitgo key remotely
+    if (!params.walletPassphrase) {
+      return this.signPayloadByBitGoKey(params);
+    }
+    // if a passphrase is provided, we must be trying to sign using the user private key - decrypt and sign locally
+    return this.signPayloadByUserKey(params);
+  }
+
+  /**
+   * Signs the payload of a trading account via the trading account BitGo key stored in a remote KMS
+   * @param params
+   * @private
+   */
+  private async signPayloadByBitGoKey(params: Omit<SignPayloadParameters, 'walletPassphrase'>): Promise<string> {
+    const walletData = this.wallet.toJSON();
+    if (walletData.userKeySigningRequired) {
+      throw new Error('Wallet must use user key to sign ofc transaction, please provide the wallet passphrase');
+    }
+    if (walletData.keys.length < 2) {
+      throw new Error('Wallet does not support BitGo signing');
+    }
+
+    const url = this.wallet.url('/tx/sign');
+    const { signature } = await this.wallet.bitgo.post(url).send(params.payload).result();
+
+    return signature;
+  }
+
+  /**
+   * Signs the payload of a trading account locally by fetching the user's encrypted private key and decrypt using passphrase
+   * @param params
+   * @private
+   */
+  private async signPayloadByUserKey(params: SignPayloadParameters): Promise<string> {
     const key = (await this.wallet.baseCoin.keychains().get({ id: this.wallet.keyIds()[0] })) as any;
     const prv = this.wallet.bitgo.decrypt({
       input: key.encryptedPrv,

modules/sdk-core/src/bitgo/wallet/iWallet.ts

@@ -909,6 +909,7 @@ export interface WalletData {
   evmKeyRingReferenceWalletId?: string;
   isParent?: boolean;
   enabledChildChains?: string[];
+  userKeySigningRequired?: string;
 }
 
 export interface RecoverTokenOptions {

modules/sdk-core/test/unit/bitgo/trading/tradingAccount.ts

@@ -0,0 +1,130 @@
+/**
+ * @prettier
+ */
+import sinon from 'sinon';
+import 'should';
+import { TradingAccount } from '../../../../src/bitgo/trading/tradingAccount';
+
+describe('TradingAccount', function () {
+  let tradingAccount: TradingAccount;
+  let mockBitGo: any;
+  let mockWallet: any;
+  let mockBaseCoin: any;
+
+  const enterpriseId = 'test-enterprise-id';
+  const walletPassphrase = 'test-passphrase';
+  const encryptedPrv = 'encrypted-prv';
+  const decryptedPrv = 'decrypted-prv';
+  const signature = 'aabbccdd';
+
+  beforeEach(function () {
+    const postStub = sinon.stub();
+    postStub.returns({
+      send: sinon.stub().returns({
+        result: sinon.stub().resolves({ signature }),
+      }),
+    });
+
+    mockBitGo = {
+      post: postStub,
+      decrypt: sinon.stub().returns(decryptedPrv),
+    };
+
+    mockBaseCoin = {
+      keychains: sinon.stub().returns({
+        get: sinon.stub().resolves({ encryptedPrv }),
+      }),
+      signMessage: sinon.stub().resolves(Buffer.from(signature, 'hex')),
+    };
+
+    mockWallet = {
+      id: sinon.stub().returns('test-wallet-id'),
+      keyIds: sinon.stub().returns(['user-key-id', 'backup-key-id', 'bitgo-key-id']),
+      url: sinon.stub().returns('https://example.com/wallet/test-wallet-id/tx/sign'),
+      toJSON: sinon.stub().returns({
+        id: 'test-wallet-id',
+        keys: ['user-key-id', 'backup-key-id', 'bitgo-key-id'],
+        userKeySigningRequired: undefined,
+      }),
+      baseCoin: mockBaseCoin,
+      bitgo: mockBitGo,
+    };
+
+    tradingAccount = new TradingAccount(enterpriseId, mockWallet, mockBitGo);
+  });
+
+  afterEach(function () {
+    sinon.restore();
+  });
+
+  describe('signPayload', function () {
+    const payload = { data: 'test-payload' };
+    const payloadString = 'test-payload-string';
+
+    describe('without walletPassphrase (BitGo remote signing)', function () {
+      it('should sign using the BitGo key remotely when no passphrase is provided', async function () {
+        const result = await tradingAccount.signPayload({ payload });
+
+        mockWallet.toJSON.calledOnce.should.be.true();
+        mockWallet.url.calledWith('/tx/sign').should.be.true();
+        mockBitGo.post.calledOnce.should.be.true();
+        result.should.equal(signature);
+      });
+
+      it('should sign a string payload remotely when no passphrase is provided', async function () {
+        const result = await tradingAccount.signPayload({ payload: payloadString });
+
+        result.should.equal(signature);
+      });
+
+      it('should throw if userKeySigningRequired is set and no passphrase is provided', async function () {
+        mockWallet.toJSON.returns({
+          id: 'test-wallet-id',
+          keys: ['user-key-id', 'backup-key-id', 'bitgo-key-id'],
+          userKeySigningRequired: 'true',
+        });
+
+        await tradingAccount
+          .signPayload({ payload })
+          .should.be.rejectedWith(
+            'Wallet must use user key to sign ofc transaction, please provide the wallet passphrase'
+          );
+      });
+
+      it('should throw if wallet has fewer than 2 keys and no passphrase is provided', async function () {
+        mockWallet.toJSON.returns({
+          id: 'test-wallet-id',
+          keys: ['user-key-id'],
+          userKeySigningRequired: undefined,
+        });
+
+        await tradingAccount.signPayload({ payload }).should.be.rejectedWith('Wallet does not support BitGo signing');
+      });
+    });
+
+    describe('with walletPassphrase (local user key signing)', function () {
+      it('should decrypt the user key and sign the payload locally', async function () {
+        const result = await tradingAccount.signPayload({ payload, walletPassphrase });
+
+        mockBaseCoin.keychains().get.calledWith({ id: 'user-key-id' }).should.be.true();
+        mockBitGo.decrypt.calledWith({ input: encryptedPrv, password: walletPassphrase }).should.be.true();
+        mockBaseCoin.signMessage.calledOnce.should.be.true();
+        result.should.equal(Buffer.from(signature, 'hex').toString('hex'));
+      });
+
+      it('should stringify a Record payload before signing locally', async function () {
+        await tradingAccount.signPayload({ payload, walletPassphrase });
+
+        const signMessageCall = mockBaseCoin.signMessage.getCall(0);
+        signMessageCall.args[1].should.equal(JSON.stringify(payload));
+      });
+
+      it('should pass a string payload directly to signMessage', async function () {
+        await tradingAccount.signPayload({ payload: payloadString, walletPassphrase });
+
+        const signMessageCall = mockBaseCoin.signMessage.getCall(0);
+        signMessageCall.args[1].should.equal(payloadString);
+      });
+    });
+  });
+});