Commit bfe8946e authored by Stan Hu

Bump Geo JWT timeout from 1 minute to 10 minutes

In repositories where there are a lot of refs, the git info-refs endpoint can
take longer than one minute to return, by which time the upload-pack will fail
because the JWT token will be invalidated.

Closes #4881
parent faba2d7c
---
title: Bump Geo JWT timeout from 1 minute to 10 minutes
merge_request:
author:
type: performance
...@@ -80,7 +80,7 @@ module Geo ...@@ -80,7 +80,7 @@ module Geo
url = Gitlab::Geo.primary_node.url + repository.full_path + '.git' url = Gitlab::Geo.primary_node.url + repository.full_path + '.git'
# Fetch the repository, using a JWT header for authentication # Fetch the repository, using a JWT header for authentication
authorization = ::Gitlab::Geo::BaseRequest.new.authorization authorization = ::Gitlab::Geo::RepoSyncRequest.new.authorization
header = { "http.#{url}.extraHeader" => "Authorization: #{authorization}" } header = { "http.#{url}.extraHeader" => "Authorization: #{authorization}" }
repository.with_config(header) do repository.with_config(header) do
......
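Review bot: The token is minted once, before `repository.with_config(header)`, so the 10-minute lifetime from `RepoSyncRequest` has to cover every authenticated request the fetch makes, not only info-refs. A fetch whose later requests start after that window would presumably be rejected in the same way the commit message describes. A comment above the `authorization` line would record the constraint, e.g. `# Token is created once per fetch; RepoSyncRequest#expiration_time must outlast info-refs plus the start of upload-pack`. The enclosing method starts and ends outside this hunk, so whether a failed fetch is retried with a fresh token cannot be seen here.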
module Geo module Geo
class FileUploadService < FileService class FileUploadService < FileService
IAT_LEEWAY = 60.seconds.to_i
attr_reader :auth_header attr_reader :auth_header
def initialize(params, auth_header) def initialize(params, auth_header)
......
...@@ -20,6 +20,10 @@ module Gitlab ...@@ -20,6 +20,10 @@ module Gitlab
geo_auth_token(request_data) geo_auth_token(request_data)
end end
def expiration_time
1.minute
end
private private
def geo_auth_token(message) def geo_auth_token(message)
...@@ -27,6 +31,7 @@ module Gitlab ...@@ -27,6 +31,7 @@ module Gitlab
raise GeoNodeNotFoundError unless geo_node raise GeoNodeNotFoundError unless geo_node
token = JSONWebToken::HMACToken.new(geo_node.secret_access_key) token = JSONWebToken::HMACToken.new(geo_node.secret_access_key)
token.expire_time = Time.now + expiration_time
token[:data] = message.to_json token[:data] = message.to_json
"#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}" "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}"
......
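Review bot: `expiration_time` is the only value bounding how long a captured `Authorization` header stays usable, yet it is added without a comment and sits above `private`, so it becomes a public override point for every subclass. I would document it where it is defined, e.g. `# Lifetime of the signed token; this is also its replay window, so overrides should stay as short as the slowest request allows`. A named constant in place of the literal `1.minute` would also make the default easier to find during review. Both hunks cut through the class, so the rest of `BaseRequest` and the code that verifies `exp` on the receiving side are not visible here.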
module Gitlab
module Geo
class RepoSyncRequest < BaseRequest
def expiration_time
10.minutes
end
end
end
end
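Review bot: The 10-minute override carries no comment explaining why repository sync needs a longer-lived token than other Geo requests, and none of the specs shown on this page assert it; the new `BaseRequest` spec covers only the 1-minute default. A class comment such as `# Fetches on repositories with many refs can spend minutes in info-refs, so the token must outlive that step` would keep the reason next to the number. A spec mirroring the default one, `expect(jwt.first['exp']).to eq((Time.now + 10.minutes).to_i)` with `described_class` set to `RepoSyncRequest`, would stop the window from being widened again unnoticed.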
...@@ -38,13 +38,13 @@ describe "Git HTTP requests (Geo)" do ...@@ -38,13 +38,13 @@ describe "Git HTTP requests (Geo)" do
context 'post-dated Geo JWT token' do context 'post-dated Geo JWT token' do
let(:env) { valid_geo_env } let(:env) { valid_geo_env }
it { travel_to(2.minutes.ago) { is_expected.to have_gitlab_http_status(:unauthorized) } } it { travel_to(11.minutes.ago) { is_expected.to have_gitlab_http_status(:unauthorized) } }
end end
context 'expired Geo JWT token' do context 'expired Geo JWT token' do
let(:env) { valid_geo_env } let(:env) { valid_geo_env }
it { travel_to(Time.now + 2.minutes) { is_expected.to have_gitlab_http_status(:unauthorized) } } it { travel_to(Time.now + 11.minutes) { is_expected.to have_gitlab_http_status(:unauthorized) } }
end end
context 'invalid Geo JWT token' do context 'invalid Geo JWT token' do
......
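Review bot: Moving both offsets from 2 to 11 minutes keeps the rejection cases passing but no longer shows where the boundary lies: nothing here checks that a request made inside the new window is still accepted. `valid_geo_env` is defined outside this hunk, so which request class builds the token is not visible. If it is a repo-sync token, an acceptance case just inside the window would pin the behaviour, e.g. `it { travel_to(Time.now + 9.minutes) { is_expected.not_to have_gitlab_http_status(:unauthorized) } }`. If it is a default `BaseRequest` token, the old 2-minute offsets were the tighter test of the 1-minute expiry and are worth keeping alongside the new ones.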
require 'spec_helper'
describe Gitlab::Geo::BaseRequest, :geo do
include ::EE::GeoHelpers
let(:geo_node) { create(:geo_node) }
before do
stub_current_geo_node(geo_node)
end
describe '#authorization' do
let(:request) { described_class.new }
let(:token) { request.authorization }
let(:data) { token.split(' ').second.split(':') }
let(:access_key) { data.first }
let(:encoded_jwt) { data.second }
let(:jwt) { JWT.decode(encoded_jwt, geo_node.secret_access_key) }
it 'token is formatted properly' do
expect(access_key).to eq(geo_node.access_key)
expect(token).to start_with(Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE)
end
it 'defaults to 1-minute expiration time' do
Timecop.freeze do
expect(jwt.first['exp']).to eq((Time.now + 1.minute).to_i)
end
end
end
end