fix(config): dont read cert and url if keymanager is disabled (#6091)

config/development.toml

@@ -13,7 +13,7 @@ use_xray_generator = false
 bg_metrics_collection_interval_in_secs = 15
 
 [key_manager]
-url = "http://localhost:5000"
+enabled = false
 
 # TODO: Update database credentials before running application
 [master_database]

crates/common_utils/src/types/keymanager.rs

@@ -25,7 +25,7 @@ use crate::{
 
 #[derive(Debug, Clone)]
 pub struct KeyManagerState {
-    pub enabled: Option<bool>,
+    pub enabled: bool,
     pub url: String,
     pub client_idle_timeout: Option<u64>,
     #[cfg(feature = "km_forward_x_request_id")]

crates/hyperswitch_domain_models/src/type_encryption.rs

@@ -101,7 +101,7 @@ mod encrypt {
     fn is_encryption_service_enabled(_state: &KeyManagerState) -> bool {
         #[cfg(feature = "encryption_service")]
         {
-            _state.enabled.unwrap_or_default()
+            _state.enabled
         }
         #[cfg(not(feature = "encryption_service"))]
         {

crates/router/src/configs/defaults.rs

@@ -12495,16 +12495,3 @@ pub fn get_shipping_required_fields() -> HashMap<String, RequiredFieldInfo> {
         ),
     ])
 }
-
-impl Default for super::settings::KeyManagerConfig {
-    fn default() -> Self {
-        Self {
-            enabled: None,
-            url: String::from("localhost:5000"),
-            #[cfg(feature = "keymanager_mtls")]
-            ca: String::default().into(),
-            #[cfg(feature = "keymanager_mtls")]
-            cert: String::default().into(),
-        }
-    }
-}

crates/router/src/configs/secrets_transformers.rs

@@ -232,14 +232,22 @@ impl SecretsHandler for settings::KeyManagerConfig {
         let keyconfig = value.get_inner();
 
         #[cfg(feature = "keymanager_mtls")]
-        let ca = _secret_management_client
+        let ca = if keyconfig.enabled {
+            _secret_management_client
                 .get_secret(keyconfig.ca.clone())
-            .await?;
+                .await?
+        } else {
+            keyconfig.ca.clone()
+        };
 
         #[cfg(feature = "keymanager_mtls")]
-        let cert = _secret_management_client
+        let cert = if keyconfig.enabled {
+            _secret_management_client
                 .get_secret(keyconfig.cert.clone())
-            .await?;
+                .await?
+        } else {
+            keyconfig.ca.clone()
+        };
 
         Ok(value.transition_state(|keyconfig| Self {
             #[cfg(feature = "keymanager_mtls")]

crates/router/src/configs/settings.rs

@@ -215,9 +215,10 @@ pub struct KvConfig {
     pub soft_kill: Option<bool>,
 }
 
-#[derive(Debug, Deserialize, Clone)]
+#[derive(Debug, Deserialize, Clone, Default)]
+#[serde(default)]
 pub struct KeyManagerConfig {
-    pub enabled: Option<bool>,
+    pub enabled: bool,
     pub url: String,
     #[cfg(feature = "keymanager_mtls")]
     pub cert: Secret<String>,
@@ -863,6 +864,8 @@ impl Settings<SecuredSecret> {
             .map(|x| x.get_inner().validate())
             .transpose()?;
 
+        self.key_manager.get_inner().validate()?;
+
         Ok(())
     }
 }

crates/router/src/configs/validations.rs

@@ -235,3 +235,25 @@ impl super::settings::NetworkTokenizationService {
         })
     }
 }
+
+impl super::settings::KeyManagerConfig {
+    pub fn validate(&self) -> Result<(), ApplicationError> {
+        use common_utils::fp_utils::when;
+
+        #[cfg(feature = "keymanager_mtls")]
+        when(
+            self.enabled && (self.ca.is_default_or_empty() || self.cert.is_default_or_empty()),
+            || {
+                Err(ApplicationError::InvalidConfigurationValueError(
+                    "Invalid CA or Certificate for Keymanager.".into(),
+                ))
+            },
+        )?;
+
+        when(self.enabled && self.url.is_default_or_empty(), || {
+            Err(ApplicationError::InvalidConfigurationValueError(
+                "Invalid URL for Keymanager".into(),
+            ))
+        })
+    }
+}