Bump Geo JWT timeout from 1 minute to 10 minutes

In repositories where there are a lot of refs, the git info-refs endpoint can
take longer than one minute to return, by which time the upload-pack will fail
because the JWT token will be invalidated.

Closes #4881

changelogs/unreleased-ee/sh-bump-jwt-timeout.yml

+---
+title: Bump Geo JWT timeout from 1 minute to 10 minutes
+merge_request:
+author:
+type: performance

ee/app/services/geo/base_sync_service.rb

@@ -80,7 +80,7 @@ module Geo
       url = Gitlab::Geo.primary_node.url + repository.full_path + '.git'
 
       # Fetch the repository, using a JWT header for authentication
-      authorization = ::Gitlab::Geo::BaseRequest.new.authorization
+      authorization = ::Gitlab::Geo::RepoSyncRequest.new.authorization
       header = { "http.#{url}.extraHeader" => "Authorization: #{authorization}" }
 
       repository.with_config(header) do

ee/app/services/geo/file_upload_service.rb

 module Geo
   class FileUploadService < FileService
-    IAT_LEEWAY = 60.seconds.to_i
-
     attr_reader :auth_header
 
     def initialize(params, auth_header)

ee/lib/gitlab/geo/base_request.rb

@@ -20,6 +20,10 @@ module Gitlab
         geo_auth_token(request_data)
       end
 
+      def expiration_time
+        1.minute
+      end
+
       private
 
       def geo_auth_token(message)
@@ -27,6 +31,7 @@ module Gitlab
         raise GeoNodeNotFoundError unless geo_node
 
         token = JSONWebToken::HMACToken.new(geo_node.secret_access_key)
+        token.expire_time = Time.now + expiration_time
         token[:data] = message.to_json
 
         "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}"

ee/lib/gitlab/geo/repo_sync_request.rb

+module Gitlab
+  module Geo
+    class RepoSyncRequest < BaseRequest
+      def expiration_time
+        10.minutes
+      end
+    end
+  end
+end

ee/spec/requests/git_http_geo_spec.rb

@@ -38,13 +38,13 @@ describe "Git HTTP requests (Geo)" do
     context 'post-dated Geo JWT token' do
       let(:env) { valid_geo_env }
 
-      it { travel_to(2.minutes.ago) { is_expected.to have_gitlab_http_status(:unauthorized) } }
+      it { travel_to(11.minutes.ago) { is_expected.to have_gitlab_http_status(:unauthorized) } }
     end
 
     context 'expired Geo JWT token' do
       let(:env) { valid_geo_env }
 
-      it { travel_to(Time.now + 2.minutes) { is_expected.to have_gitlab_http_status(:unauthorized) } }
+      it { travel_to(Time.now + 11.minutes) { is_expected.to have_gitlab_http_status(:unauthorized) } }
     end
 
     context 'invalid Geo JWT token' do

spec/ee/spec/lib/gitlab/geo/base_request_spec.rb

+require 'spec_helper'
+
+describe Gitlab::Geo::BaseRequest, :geo do
+  include ::EE::GeoHelpers
+
+  let(:geo_node) { create(:geo_node) }
+
+  before do
+    stub_current_geo_node(geo_node)
+  end
+
+  describe '#authorization' do
+    let(:request) { described_class.new }
+    let(:token) { request.authorization }
+    let(:data) { token.split(' ').second.split(':') }
+    let(:access_key) { data.first }
+    let(:encoded_jwt) { data.second }
+    let(:jwt) { JWT.decode(encoded_jwt, geo_node.secret_access_key) }
+
+    it 'token is formatted properly' do
+      expect(access_key).to eq(geo_node.access_key)
+      expect(token).to start_with(Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE)
+    end
+
+    it 'defaults to 1-minute expiration time' do
+      Timecop.freeze do
+        expect(jwt.first['exp']).to eq((Time.now + 1.minute).to_i)
+      end
+    end
+  end
+end