Skip ArkoseLabs token verification when request is for QA
What does this MR do and why?
Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/334+
Problem
During e2e test execution a test user that is already confirmed (`skip_confirmation=true`) is created via API. When the created user is logged in they are assigned either a Medium or High ArkoseLabs risk score. This happens because QA test runs use a custom user agent and ArkoseLabs treats a session with a user agent that looks tampered with as risky.

When `identity_verification_phone_number` or `identity_verification_credit_card` is enabled, the Medium/High risk score of the QA user cancels out their confirmed status because they will be required to verify their identity using a phone number or a credit card. This causes e2e tests to fail on login, displaying the "Your account is not activated yet" error.
Solution
This MR updates controllers that have an ArkoseLabs session token verification step to skip it when `request.user_agent` matches the `GITLAB_QA_USER_AGENT` env var value. This condition is true only for QA test runs and results in QA users not being assigned an ArkoseLabs risk score.

When a user does not have an associated `arkose_risk_band` they will only be required to confirm their email address (considered done because of `skip_confirmation=true` during user creation) to be considered confirmed/activated, which is what we want for most QA tests.
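The user-agent gate described above, as an added Ruby example that is not GitLab's own code: the module, method names and the injectable `env` parameter are assumptions, and it adds the guard a reviewer would want, namely that an unset or empty `GITLAB_QA_USER_AGENT` never matches a request with a missing User-Agent header.

```ruby
# Added example, not GitLab's own code: the user-agent gate this MR adds in
# front of the ArkoseLabs token verification step, as a standalone module.
# Module, method names and the injectable `env` parameter are assumptions.
module ArkoseQaBypass
  QA_USER_AGENT_ENV = 'GITLAB_QA_USER_AGENT'

  # True only when GITLAB_QA_USER_AGENT is set to a non-blank value AND the
  # request's User-Agent is exactly equal to it. The blank guard matters: if
  # the variable is unset in production, ENV[...] is nil, and a request with
  # no User-Agent header is also nil, so a plain `==` would skip verification
  # for exactly the kind of client Arkose is meant to challenge.
  def self.skip_arkose_verification?(user_agent, env = ENV)
    qa_agent = env[QA_USER_AGENT_ENV]
    return false if qa_agent.nil? || qa_agent.strip.empty?
    return false if user_agent.nil?

    user_agent == qa_agent
  end

  # What a login controller's before_action would do: skip the token check
  # for QA requests, otherwise run it. The block stands in for the real
  # ArkoseLabs verification call and returns true when the token is valid.
  # Returns :skipped, :verified or :rejected so callers can assert on it.
  def self.verify_unless_qa(user_agent, env = ENV)
    return :skipped if skip_arkose_verification?(user_agent, env)

    yield ? :verified : :rejected
  end
end

# Constructed sample environments (not real configuration).
QA_ENV = { 'GITLAB_QA_USER_AGENT' => 'gitlab-arkose-test-med-risk-ua' }.freeze
PROD_ENV = {}.freeze

if __FILE__ == $PROGRAM_NAME
  puts ArkoseQaBypass.verify_unless_qa('gitlab-arkose-test-med-risk-ua', QA_ENV) { false } # skipped
  puts ArkoseQaBypass.verify_unless_qa('Mozilla/5.0', QA_ENV) { true }                    # verified
  puts ArkoseQaBypass.verify_unless_qa(nil, PROD_ENV) { false }                           # rejected
end
```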
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Set up

- Set needed environment variables in your terminal then start GDK

  ```
  $ export GITLAB_SIMULATE_SAAS=1
  $ gdk start
  ```

- Configure GDK instance

  ```
  $ rails console
  > ApplicationSetting.first.update(require_admin_approval_after_user_signup: false)
  > ApplicationSetting.first.update(email_confirmation_setting: 'hard')
  > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
  ```

  Notes:
  - Credentials are available in GitLab 1Password Engineering Vault

- Enable feature flags

  ```
  $ rails console
  > Feature.enable(:arkose_labs_login_challenge)
  > Feature.enable(:identity_verification)
  > Feature.enable(:identity_verification_phone_number)
  ```
Reproduce error
- Create a user via Rails console with `skip_confirmation=true`

  ```
  $ rails console
  > user = User.new(username: 'test_user4171', email: 'test_user4171@example.com', name: 'Test User', password: 'strong_password1', password_confirmation: 'strong_password1')
  > user.skip_confirmation!
  > user.save
  ```

- Using Chrome, set the user agent to `gitlab-arkose-test-med-risk-ua` then visit the login page
- Fill in the credentials for the newly created user, solve the challenge, and click on **Sign in**. This will assign a Medium risk score to the user
- Validate that login fails and the "Your account is not activated yet" error is shown
Validate fix
- Create another user via Rails console with `skip_confirmation=true`

  ```
  $ rails console
  > user = User.new(username: 'test_user4172', email: 'test_user4172@example.com', name: 'Test User', password: 'strong_password1', password_confirmation: 'strong_password1')
  > user.skip_confirmation!
  > user.save
  ```

- Set the `GITLAB_QA_USER_AGENT` variable in your terminal then restart GDK

  ```
  $ export GITLAB_QA_USER_AGENT=gitlab-arkose-test-med-risk-ua
  $ gdk restart
  ```

- Using Chrome, set the user agent to `gitlab-arkose-test-med-risk-ua` then visit the login page
- Fill in the credentials for the newly created user, solve the challenge, and click on **Sign in**
- Validate that login succeeds
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.