From 812e45674c2b35f359a4690b01c6a9ea5d42e214 Mon Sep 17 00:00:00 2001
From: Nick Santos
Date: Wed, 16 Nov 2022 12:23:33 -0500
Subject: [PATCH] tilt-apiserver: refresh cached certs that have expired (#5975)

fixes https://github.com/tilt-dev/tilt/issues/5974

Signed-off-by: Nick Santos
Signed-off-by: Nick Santos
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../pkg/server/options/serving.go | 41 ++++++++++++++++++-
 vendor/modules.txt | 2 +-
 4 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 3bb2195e1e..be7be1c574 100644
--- a/go.mod
+++ b/go.mod
@@ -53,7 +53,7 @@ require (
 	github.com/tilt-dev/localregistry-go v0.0.0-20201021185044-ffc4c827f097
 	github.com/tilt-dev/probe v0.3.1
 	github.com/tilt-dev/starlark-lsp v0.0.0-20220812175527-c0c1958f8166
-	github.com/tilt-dev/tilt-apiserver v0.7.0
+	github.com/tilt-dev/tilt-apiserver v0.7.1
 	github.com/tilt-dev/wmclient v0.0.0-20201109174454-1839d0355fbc
 	github.com/tonistiigi/fsutil v0.0.0-20210609172227-d72af97c0eaf
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea
diff --git a/go.sum b/go.sum
index b93d00d9f8..50c749b8a2 100644
--- a/go.sum
+++ b/go.sum
@@ -1432,8 +1432,8 @@ github.com/tilt-dev/probe v0.3.1 h1:PQhXSBkgcGBUU/eKt4vgAUKsAWWjBr2F53xNAc0E7zs=
 github.com/tilt-dev/probe v0.3.1/go.mod h1:F53NFbqblwu5oyIk2t+BPkswiboxuF8e5D3wbPnY4JA=
 github.com/tilt-dev/starlark-lsp v0.0.0-20220812175527-c0c1958f8166 h1:q8XpS99WmxxaAE9A088mcigxllgyJ1skLJ86bIORbEQ=
 github.com/tilt-dev/starlark-lsp v0.0.0-20220812175527-c0c1958f8166/go.mod h1:bnkWmNDRqs9DgHgrImOSt6dFAcVcN14pqhR3iZsWWaE=
-github.com/tilt-dev/tilt-apiserver v0.7.0 h1:mJtJ9VJwV2vRhR/p6Q5Ie5C35B1mpUggR8yC7nMkgE4=
-github.com/tilt-dev/tilt-apiserver v0.7.0/go.mod h1:lLroVFhXpkdkGxC31N/KqmIMZiROlXzXFCGRcr5K5J8=
+github.com/tilt-dev/tilt-apiserver v0.7.1 h1:aFZLTijtFT7yEJiP6XAvgKMT7fl2x8cMXYak0EiO6rM=
+github.com/tilt-dev/tilt-apiserver v0.7.1/go.mod h1:lLroVFhXpkdkGxC31N/KqmIMZiROlXzXFCGRcr5K5J8=
 github.com/tilt-dev/wmclient v0.0.0-20201109174454-1839d0355fbc h1:wGkAoZhrvnmq93B4W2v+agiPl7xzqUaxXkxmKrwJ6bc=
 github.com/tilt-dev/wmclient v0.0.0-20201109174454-1839d0355fbc/go.mod h1:n01fG3LbImzxBP3GGCTHkgXuPeJusWg6xv0QYGm9HtE=
 github.com/timakin/bodyclose v0.0.0-20190930140734-f7f2e9bca95e/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
diff --git a/vendor/github.com/tilt-dev/tilt-apiserver/pkg/server/options/serving.go b/vendor/github.com/tilt-dev/tilt-apiserver/pkg/server/options/serving.go
index bd260d01f5..c6fe04194c 100644
--- a/vendor/github.com/tilt-dev/tilt-apiserver/pkg/server/options/serving.go
+++ b/vendor/github.com/tilt-dev/tilt-apiserver/pkg/server/options/serving.go
@@ -24,11 +24,15 @@
 package options
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net"
+	"os"
 	"path"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/spf13/pflag"
@@ -296,7 +300,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
 	}
 	keyCert.CertFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".crt")
 	keyCert.KeyFile = path.Join(s.ServerCert.CertDirectory, s.ServerCert.PairName+".key")
-	if canRead, err := certutil.CanReadCertAndKey(keyCert.CertFile, keyCert.KeyFile); err != nil {
+	if canRead, err := checkCertAndKeyReadableAndValid(keyCert.CertFile, keyCert.KeyFile); err != nil {
 		return err
 	} else {
 		canReadCertAndKey = canRead
@@ -350,3 +354,38 @@ func CreateListener(network, addr string, config net.ListenConfig) (net.Listener
 	return ln, tcpAddr.Port, nil
 }
+
+func checkCertAndKeyReadableAndValid(certFile, keyFile string) (bool, error) {
+	canRead, err := certutil.CanReadCertAndKey(certFile, keyFile)
+	if err != nil || !canRead {
+		return false, err
+	}
+
+	bytes, err := os.ReadFile(certFile)
+	if err != nil {
+		return false, nil
+	}
+
+	block, _ := pem.Decode(bytes)
+	if block == nil {
+		return false, nil
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		// Ignore parse errors and pretend we can't read the cert.
+		return false, nil
+	}
+
+	// Check if the cert isn't valid yet.
+	if time.Now().Before(cert.NotBefore) {
+		return false, nil
+	}
+
+	// Check if the cert will expire in less than a month.
+	if time.Now().Add(24 * 30 * time.Hour).After(cert.NotAfter) {
+		return false, nil
+	}
+
+	return true, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fd20053f84..a8be6864e7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
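Review bot: In the new `checkCertAndKeyReadableAndValid`, the validity check parses only the first PEM block of certFile and never confirms that keyFile actually belongs to it, so a cached pair whose key and certificate disagree passes this check and the mismatch only surfaces when the server loads the pair; `tls.LoadX509KeyPair(certFile, keyFile)` does the read, PEM decode and key/cert pairing in one call (it needs a `crypto/tls` import, and since `Leaf` is only populated by newer toolchains the leaf is parsed explicitly from `pair.Certificate[0]` below). `time.Now()` is also sampled separately for the NotBefore and NotAfter tests and the 30-day window is an inline literal; take `now := time.Now()` once and name the window, e.g. `const certRenewalWindow = 30 * 24 * time.Hour`. The local named `bytes` shadows the standard package name; `certPEM` reads better if the manual decode is kept. The function has no doc comment; I would add `// checkCertAndKeyReadableAndValid reports whether the cached cert/key pair can be loaded and its leaf certificate is already valid and more than certRenewalWindow away from NotAfter; false means the caller should regenerate the pair.`
```go
func checkCertAndKeyReadableAndValid(certFile, keyFile string) (bool, error) {
	canRead, err := certutil.CanReadCertAndKey(certFile, keyFile)
	if err != nil || !canRead {
		return false, err
	}

	// Loading the pair also verifies that the key matches the certificate;
	// any failure is treated as "not usable" so the caller regenerates.
	pair, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return false, nil
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return false, nil
	}

	// Reject a cert that is not valid yet or expires within the renewal window.
	now := time.Now()
	if now.Before(cert.NotBefore) || now.Add(certRenewalWindow).After(cert.NotAfter) {
		return false, nil
	}
	return true, nil
}
```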
@@ -681,7 +681,7 @@ github.com/tilt-dev/starlark-lsp/pkg/document
 github.com/tilt-dev/starlark-lsp/pkg/middleware
 github.com/tilt-dev/starlark-lsp/pkg/query
 github.com/tilt-dev/starlark-lsp/pkg/server
-# github.com/tilt-dev/tilt-apiserver v0.7.0
+# github.com/tilt-dev/tilt-apiserver v0.7.1
 ## explicit; go 1.19
 github.com/tilt-dev/tilt-apiserver/pkg/server/apiserver
 github.com/tilt-dev/tilt-apiserver/pkg/server/builder