AAP-46641 Increase trusted header timeout (#831)

  * trusted_header_timeout_in_ns --> trusted_header_timeout
  * Increase default validity period .3s --> 1s
  * Use milliseconds instead of nanoseconds

Author: bhavenst

ansible_base/jwt_consumer/common/util.py

@@ -53,10 +53,11 @@ def validate_x_trusted_proxy_header(header_value: str, ignore_cache=False) -> bo
         logger.warning("Failed to validate x-trusted-proxy-header, malformed, expected value to contain a -")
         return False
 
-    # Validate that the header has been cut within the last 300ms (by default)
+    # Validate that the header has been cut within the last 1000ms (by default)
     try:
-        if time.time_ns() - int(timestamp) > get_setting('trusted_header_timeout_in_ns', 300000000):
-            logger.warning(f"Timestamp {timestamp} was too old to be valid alter trusted_header_timeout_in_ns if needed")
+        header_age_ms = round((time.time_ns() - int(timestamp)) / 1000000)
+        if header_age_ms > get_setting('trusted_header_timeout', 1000):
+            logger.warning(f"Timestamp {timestamp} was too old by {header_age_ms}ms to be valid-alter trusted_header_timeout if needed")
             return False
     except ValueError:
         logger.warning(f"Unable to convert timestamp (base64) {b64encode(timestamp.encode('UTF-8'))} into an integer")

test_app/tests/jwt_consumer/common/test_util.py

@@ -37,12 +37,12 @@ def test_header_timeout(self, expected_log, rsa_keypair):
             # Assert this header is valid if used right away
             assert validate_x_trusted_proxy_header(header) is True
 
-            # By default the header is only valid for 300ms so a 1/2 second sleep will expire it
-            time.sleep(0.5)
+            # By default the header is only valid for 1000ms so a 1.1 second sleep will expire it
+            time.sleep(1.1)
             with expected_log(
                 'ansible_base.jwt_consumer.common.util.logger',
                 'warning',
-                'was too old to be valid alter trusted_header_timeout_in_ns if needed',
+                'was too old by',
             ):
                 assert validate_x_trusted_proxy_header(header) is False