fix: increase default TLS Handshake Timeout to 63s (#1237)

* chore: add flag for TLS timeout

Signed-off-by: Darren Murray <[email protected]>

* refactor: set transport tls timeout as default

Signed-off-by: Darren Murray <[email protected]>

* style: linting

Signed-off-by: Darren Murray <[email protected]>

* refactor: address code review comments

Signed-off-by: Darren Murray <[email protected]>

---------

Signed-off-by: Darren Murray <[email protected]>

Author: dmurray-lacework

api/client.go

@@ -32,7 +32,10 @@ import (
 	"go.uber.org/zap"
 )
 
-const defaultTimeout = 60 * time.Second
+const (
+	defaultTimeout    = 60 * time.Second
+	defaultTLSTimeout = 63 * time.Second
+)
 
 type Client struct {
 	id         string
@@ -99,7 +102,8 @@ func NewClient(account string, opts ...Option) (*Client, error) {
 		auth: &authConfig{
 			expiration: DefaultTokenExpiryTime,
 		},
-		c: &http.Client{Timeout: defaultTimeout},
+		c: &http.Client{Timeout: defaultTimeout,
+			Transport: &http.Transport{TLSHandshakeTimeout: defaultTLSTimeout}},
 	}
 
 	c.V2 = NewV2Endpoints(c)
@@ -172,6 +176,14 @@ func WithTimeout(timeout time.Duration) Option {
 	})
 }
 
+// WithTransport changes the default transport to increase TLSHandshakeTimeout
+func WithTransport(transport *http.Transport) Option {
+	return clientFunc(func(c *Client) error {
+		c.c.Transport = transport
+		return nil
+	})
+}
+
 // WithURL sets the base URL, this options is only available for test purposes
 func WithURL(baseURL string) Option {
 	return clientFunc(func(c *Client) error {

api/client_test.go

@@ -19,6 +19,7 @@
 package api_test
 
 import (
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"testing"
@@ -190,3 +191,44 @@ func TestNewClientWithoutOrgAccess(t *testing.T) {
 	assert.Equal(t, false, c.OrgAccess(), "org access should be set to false")
 
 }
+
+func TestTLSHandshakeTimeout(t *testing.T) {
+	fakeServer := lacework.MockUnstartedServer()
+	fakeServer.Server.TLS = &tls.Config{InsecureSkipVerify: true}
+	fakeServer.UseApiV2()
+	apiPath := "AlertChannels"
+	fakeServer.MockToken("TOKEN")
+	fakeServer.Server.StartTLS()
+	defer fakeServer.Close()
+
+	fakeServer.MockAPI(apiPath, func(w http.ResponseWriter, r *http.Request) {
+		time.Sleep(time.Second * 1)
+		fmt.Fprintf(w, "{}")
+	})
+
+	shortTimeout := &http.Transport{TLSHandshakeTimeout: time.Millisecond * 1,
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+
+	client, err := api.NewClient("test",
+		api.WithApiV2(),
+		api.WithToken("TOKEN"),
+		api.WithURL(fakeServer.URL()),
+		api.WithTransport(shortTimeout),
+	)
+
+	_, err = client.V2.AlertChannels.List()
+	assert.ErrorContains(t, err, "TLS handshake timeout", "Expected TLS timeout error")
+
+	longTimeout := &http.Transport{TLSHandshakeTimeout: time.Second * 2,
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
+
+	clientWithTimeout, err := api.NewClient("test",
+		api.WithApiV2(),
+		api.WithToken("TOKEN"),
+		api.WithURL(fakeServer.URL()),
+		api.WithTransport(longTimeout),
+	)
+
+	_, err = clientWithTimeout.V2.AlertChannels.List()
+	assert.NoError(t, err)
+}

internal/lacework/server.go

@@ -57,6 +57,15 @@ func MockServer() *Mock {
 	}
 }
 
+func MockUnstartedServer() *Mock {
+	mux := http.NewServeMux()
+	return &Mock{
+		Mux:        mux,
+		Server:     httptest.NewUnstartedServer(mux),
+		ApiVersion: "v2",
+	}
+}
+
 func (m *Mock) UseApiV2() {
 	m.ApiVersion = "v2"
 }