Skip to content

Assume new OAuth user is low risk when Arkose is down

Eugie Limpin requested to merge el-skip-verify-token-when-arkose-is-down into master

What does this MR do and why?

This MR implements Handle outage on OAuth signup sub-task of When Arkose api.js fails to load, registration and sign in are not blocked.

Previously, if the Arkose challenge initialization fails during OAuth signup for some reason (e.g. script download failed, etc.) we display an error message and prevent the user from proceeding. In this situation, the user cannot do anything but to refresh the page until the Arkose challenge is initialized (e.g. when Arkose comes back up again) and they are assigned a risk score.

This MR updates the current implementation such that if there is an error initializing the Arkose challenge on the front-end during OAuth sign-up, we log the error then check if Arkose's status API shows an outage. If Arkose's status API confirms that there is an outage the challenge is skipped for the user, they are assumed low-risk, and allowed to proceed with the sign-up.

Reference: Arkose's troubleshooting docs

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screen_Recording_2024-01-17_at_4.26.04_PM

Before After

How to set up and validate locally

Set up

  1. Set up GDK with Google OAuth2. Follow these instructions

    This should be what your gitlab.yml should look like
    development:
      <<: *base
      gitlab:
        host: 1-2-3-4.ngrok-free.app
      omniauth:
        allow_single_sign_on: true
        block_auto_created_users: false
        providers:
        - { name: 'google_oauth2',
            app_id: '***',
            app_secret: '***',
            args: { access_type: 'offline', approval_prompt: '' } }
    Check that you have the correct omniauth config via Rails console:
    > Gitlab.config.omniauth
    => #<GitlabSettings::Options:0x000000011d9fb190
     @options=
      {"allow_single_sign_on"=>true,
       "block_auto_created_users"=>false,
       "providers"=>
        [#<GitlabSettings::Options:0x000000011d9fb370
          @options=
           {"name"=>"google_oauth2",
            "app_id"=>"***",
            "app_secret"=>"***",
            ...
    Reference Google Credentials page Screenshot_2024-01-17_at_3.46.01_PM
  2. Toggle relevant feature flags and configure ArkoseLabs integration:

    $ rails console
    > Feature.enable(:identity_verification)
    > Feature.enable(:arkose_labs_oauth_signup_challenge)
    > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })

    Notes:

    • Credentials are available in GitLab 1Password Engineering Vault

Simulate Arkose outage

Since there is no easy way of doing this, we will need to simulate an Arkose outage on both the front-end & back-end.

  1. Go to the /users/sign_up page and open your Network tab.

  2. Block the https://client-api.arkoselabs.com domain so the arkose JS script doesn't load on the client-side.

    Screen_Recording_2024-01-17_at_4.05.25_PM
  3. Simulate an arkose outage by applying the following patch:

    diff --git a/ee/app/services/arkose/status_service.rb b/ee/app/services/arkose/status_service.rb
    index aee9f73b7c6b..88e2bb121448 100644
    --- a/ee/app/services/arkose/status_service.rb
    +++ b/ee/app/services/arkose/status_service.rb
    @@ -10,7 +10,7 @@ def execute
           response = Gitlab::HTTP.get(ARKOSE_STATUS_URL)
     
           if response.success?
    -        indicator = Gitlab::Json.parse(response.body).dig('status', 'indicator')
    +        indicator = 'critical' #Gitlab::Json.parse(response.body).dig('status', 'indicator')
     
             return success if ARKOSE_SUCCESS_INDICATOR.include?(indicator)

Validate

  1. Visit the registration page

  2. Click Register with: Google

  3. Sign in with Google using any test user you configured in your Google OAuth client

  4. Validate that after signing up (user record is created at this point) you are redirected to the Identity Verification page

  5. From the Rails console, validate that the new user has a custom attribute with key = 'assumed_low_risk_reason' with value = 'Arkose is down'

    > User.last.custom_attributes.by_key('assumed_low_risk_reason').first.value
    => "Arkose is down"

💡 If you want to test with the same user again, delete the User record from the Rails console with the following command: User.last.destroy

Edited by Eugie Limpin

Merge request reports

Loading