
Conversation

@LaurenceJJones
Member

fixes: #2810

Quick fix for now until a better solution can be achieved: if the response code from LAPI is 401 and we have certs configured, simply re-read them even if they have expired and haven't been updated on disk. The retry method will continue to back off and ultimately fail if the setup is in an error state.
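
As an added example, not code from this PR or from the crowdsec code base, the reload-on-401 behaviour the description sketches, written against the standard library only. reloadClientCert refuses to proceed unless the transport really is an *http.Transport with a TLS config, doWithReload retries a request once after a 401, and writeExpiredPair plus demo build a constructed fixture (an already-expired self-signed certificate on disk and a local server that answers 401 to its first request) so the whole path runs offline and shows that reloading does not itself reject an expired file. The function names, the /v1/decisions path and the single-retry policy are assumptions made here; the PR's own retry keeps backing off and works on the global Cert, CertPath and KeyPath rather than parameters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// reloadClientCert re-reads the client cert/key from disk and installs them on rt. A transport
// that is not an *http.Transport or has no TLS config is an error, not a silent no-op.
func reloadClientCert(rt http.RoundTripper, certPath, keyPath string) error {
	tr, ok := rt.(*http.Transport)
	if !ok || tr.TLSClientConfig == nil {
		return fmt.Errorf("cannot reload certificate: transport %T has no usable TLS config", rt)
	}
	// LoadX509KeyPair does not check NotAfter: an expired file still loads; the server decides.
	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return fmt.Errorf("failed to reload certificate: %w", err)
	}
	tr.TLSClientConfig.Certificates = []tls.Certificate{cert}
	tr.CloseIdleConnections() // pooled keep-alive connections were handshaked with the old cert
	return nil
}

// doWithReload sends a body-less request; on 401 it reloads the cert once and retries.
func doWithReload(c *http.Client, req *http.Request, certPath, keyPath string) (*http.Response, error) {
	resp, err := c.Do(req)
	if err != nil || resp.StatusCode != http.StatusUnauthorized {
		return resp, err
	}
	resp.Body.Close()
	if err := reloadClientCert(c.Transport, certPath, keyPath); err != nil {
		return nil, err
	}
	return c.Do(req)
}

// writeExpiredPair writes a self-signed, already-expired cert and key into dir (constructed fixture).
func writeExpiredPair(dir string) (certPath, keyPath string, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "agent"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(-24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPath, keyPath = filepath.Join(dir, "agent.crt"), filepath.Join(dir, "agent.key")
	err = errors.Join(
		os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600),
		os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath, err
}

// demo runs a local server that answers 401 to its first request and 200 afterwards, drives
// doWithReload against it, and returns the final status and how many client certs the transport holds.
func demo() (status, certs int, err error) {
	dir, err := os.MkdirTemp("", "certreload")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	certPath, keyPath, err := writeExpiredPair(dir)
	if err != nil {
		return 0, 0, err
	}
	var seen int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if atomic.AddInt32(&seen, 1) == 1 { // first request: LAPI rejects the stale cert
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	tr := &http.Transport{TLSClientConfig: &tls.Config{}}
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/v1/decisions", nil)
	resp, err := doWithReload(&http.Client{Transport: tr}, req, certPath, keyPath)
	if err != nil {
		return 0, 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, len(tr.TLSClientConfig.Certificates), nil
}

func main() { fmt.Println(demo()) }
```

Two details the demo relies on are worth keeping in any real implementation: tls.LoadX509KeyPair never looks at NotAfter, so the reload does not fail on an expired file (the server is what rejects it), and CloseIdleConnections is what forces the retry onto a fresh handshake; without it a pooled keep-alive connection negotiated with the old certificate can be reused for the retry.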

@github-actions

github-actions bot commented Feb 2, 2026

@LaurenceJJones: There is no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions

github-actions bot commented Feb 2, 2026

@LaurenceJJones: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration

CaCertPool *x509.CertPool
lapiClient *ApiClient

// CertPath and KeyPath store the paths to the client certificate and key files.
Member Author

@mmetc will kill me for more global vars, but at the moment they are held globally and the scope of the PR is a quick fix rather than a re-implementation.

Cert = &cert

// Update the transport's TLS config if possible
if httpTransport, ok := transport.(*http.Transport); ok && httpTransport.TLSClientConfig != nil {
Member Author

Might want to break this down into the happy path, e.g. !ok and == nil, and return context errors, as it may silently pass here even though we read the cert into memory.

Member Author

      44 +  httpTransport, ok := transport.(*http.Transport)
      45 +  if !ok {
      46 +    return fmt.Errorf("cannot reload certificate: transport is %T, expected *http.Transport", transport)
      47 +  }
      48 +
      49 +  if httpTransport.TLSClientConfig == nil {
      50 +    return errors.New("cannot reload certificate: transport has no TLS config")
      51 +  }
      52 +
      53    cert, err := tls.LoadX509KeyPair(CertPath, KeyPath)
      54    if err != nil {
      55      return fmt.Errorf("failed to reload certificate: %w", err)
      56    }
      57
      58    Cert = &cert
      59 +  httpTransport.TLSClientConfig.Certificates = []tls.Certificate{cert}
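
Review bot: assigning httpTransport.TLSClientConfig.Certificates at the end of the hunk does not touch connections the transport already holds open, so the retry that follows the 401 can be served over a pooled keep-alive connection that was handshaked with the old certificate; call httpTransport.CloseIdleConnections() right after the assignment so the next request re-handshakes with the reloaded cert. The same two writes (Cert = &cert and the Certificates assignment) also run with no synchronization against other goroutines using the client, and the tls.Config documentation says a Config must not be modified once a TLS function has used it; if the reload can coincide with in-flight requests, either guard the reload and the readers with a mutex or set tls.Config.GetClientCertificate to a callback that returns the current certificate under a lock, which avoids mutating a live config altogether.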

@codecov

codecov bot commented Feb 2, 2026

Codecov Report

❌ Patch coverage is 35.29412% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.08%. Comparing base (a08725e) to head (6f2a17d).
⚠️ Report is 2 commits behind head on master.

Files with missing lines        Patch %   Lines
pkg/apiclient/client.go         30.00%    7 Missing ⚠️
pkg/apiclient/auth_jwt.go       20.00%    2 Missing and 2 partials ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4269   +/-   ##
=======================================
  Coverage   63.08%   63.08%           
=======================================
  Files         472      472           
  Lines       33426    33443   +17     
=======================================
+ Hits        21088    21099   +11     
- Misses      10220    10228    +8     
+ Partials     2118     2116    -2     
Flag           Coverage Δ
bats           46.61% <35.29%> (+<0.01%) ⬆️
unit-linux     35.96% <0.00%> (+0.05%) ⬆️
unit-windows   24.34% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.



Labels

area/agent, kind/enhancement (New feature or request)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[crowdsec] TLS agent limitation on cert expiry

1 participant