config: added a configurable option for the expiration time of a JWT token

config/config.yml

@@ -82,3 +82,12 @@ first_user_admin:
 # By default require ssl to be enabled when running on production
 check_ssl_usage:
   enabled: true
+
+# Set the expiration time for the JWT Token that Portus uses to authenticate
+# with the registry. Note that this is just a work-around on the fact that the
+# registry does not try to get a new token again after the current one has
+# expired. Once a solution is issued upstream, we can deprecate this option.
+#
+# See: https://github.com/SUSE/Portus/issues/510
+jwt_expiration_time:
+  value: "5.minutes"

lib/portus/jwt_token.rb

@@ -30,7 +30,7 @@ def claim
         hash[:aud]    = @service
         hash[:iat]    = issued_at
         hash[:nbf]    = issued_at - 5.seconds
-        hash[:exp]    = issued_at + 5.minutes
+        hash[:exp]    = issued_at + expiration_time
         hash[:jti]    = jwt_id
         hash[:access] = authorized_access if @scope
       end
@@ -47,6 +47,13 @@ def private_key
 
     protected
 
+    # The expiration time to be added to the current token.
+    def expiration_time
+      # rubocop:disable Lint/Eval
+      eval(APP_CONFIG["jwt_expiration_time"]["value"])
+      # rubocop:enable Lint/Eval
+    end
+
     # Returns an array with the authorized actions hash.
     def authorized_access
       [{

spec/lib/portus/jwt_token_spec.rb

@@ -74,6 +74,15 @@
 
       describe ":exp" do
         it "is set to #expires_at" do
+          APP_CONFIG["jwt_expiration_time"] = { "value" => "6.minutes" }
+
+          now = Time.zone.now
+          expected = now + 6.minutes
+          allow(subject).to receive(:issued_at).and_return(now)
+          expect(subject.claim[:exp]).to eq expected
+        end
+
+        it "uses the default expiration time if nothing is specified" do
           now = Time.zone.now
           expected = now + 5.minutes
           allow(subject).to receive(:issued_at).and_return(now)