Skip to content

Log Arkose challenge events

Eugie Limpin requested to merge el-log-arkose-challenge-events into master

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/747

What does this MR do and why?

Log when:

  • Interactive or transparent challenge is solved in signup form
  • Interactive challenge is solved before Identity Verification phone number or credit card verification step

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Sample log after solving interactive challenge in signup form

{
  "severity": "INFO",
  "time": "2024-06-05T02:45:51.339Z",
  "correlation_id": "01HZK4KP0JXPCM1Y4QSS4NGKDA",
  "meta.caller_id": "RegistrationsController#create",
  "meta.remote_ip": "127.0.0.1",
  "meta.feature_category": "instance_resiliency",
  "meta.client_id": "ip/127.0.0.1",
  "username": "jun2451045",
  "message": "Arkose challenge",
  "event": "interactive challenge solved"
}

Sample log after solving interactive challenge before phone number verification code send

{
  "severity": "INFO",
  "time": "2024-06-05T02:50:05.965Z",
  "correlation_id": "01HZK4VFBKP2361DEQX0T0JSXT",
  "meta.caller_id": "Users::RegistrationsIdentityVerificationController#send_phone_verification_code",
  "meta.remote_ip": "127.0.0.1",
  "meta.feature_category": "instance_resiliency",
  "meta.client_id": "ip/127.0.0.1",
  "username": "jun2451045",
  "message": "Arkose challenge",
  "event": "interactive challenge solved"
}

How to set up and validate locally

  1. Start GDK simulating SaaS

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Enable FFs

    $ rails c
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_arkose_challenge)
  3. Setup Telesign

    $ rails c
    > ApplicationSetting.first.update(telesign_customer_xid: '<value_is_in_1Pass>', telesign_api_key: '<value_is_in_1Pass>')

    Credentials are in 1Password under Telesign API Keys (use GITLAB - DEVELOPMENT)

  4. Setup Arkose

    > ApplicationSetting.first.update(arkose_labs_public_api_key: "XXX", arkose_labs_private_api_key: "YYY", )
    > ApplicationSetting.first.update(arkose_labs_data_exchange_key: "ZZZ")

    Note: credentials are in 1Password under ArkoseLabs API keys (DEVELOPMENT)

  5. Update ee/app/helpers/ee/registrations_helper.rb so that an Arkose challenge is shown and required before a user can be created

    diff --git a/ee/app/helpers/ee/registrations_helper.rb b/ee/app/helpers/ee/registrations_helper.rb
    index d784a60b791cf..10b8a9486b3a3 100644
    --- a/ee/app/helpers/ee/registrations_helper.rb
    +++ b/ee/app/helpers/ee/registrations_helper.rb
    @@ -51,7 +51,7 @@ def registration_objective_options
         def signup_arkose_data_exchange_payload
           use_case = Arkose::DataExchangePayload::USE_CASE_SIGN_UP
           show_challenge =
    -        PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded?
    +        PhoneVerification::Users::RateLimitService.daily_transaction_hard_limit_exceeded? || true
     
           Arkose::DataExchangePayload.new(
             request,
  6. Tail logs

    tail -f log/application_json.log
  7. Go to http://localhost:3000/users/sign_up, fill in the signup form, solve the Arkose challenge, and then click Register

  8. Verify that a log similar to the following is recorded

    {
      "severity": "INFO",
      "time": "2024-06-05T02:45:51.339Z",
      "correlation_id": "01HZK4KP0JXPCM1Y4QSS4NGKDA",
      "meta.caller_id": "RegistrationsController#create",
      "meta.remote_ip": "127.0.0.1",
      "meta.feature_category": "instance_resiliency",
      "meta.client_id": "ip/127.0.0.1",
      "username": "jun2451045",
      "message": "Arkose challenge",
      "event": "interactive challenge solved"
    }
  9. Set the new user's Arkose risk score to 'Medium'. This will require the user to verify their email, and phone number.

    $ rails c
    > User.last.custom_attributes.find_by_key('arkose_risk_band').update(value: 'Medium')
  10. Update the user's confirmed_at in Rails console. This marks them as email-verified and move them on to phone number verification step

    $ rails c
    > User.last.update(confirmed_at: Time.now)
  11. Open an incognito browser tab and login with the user again

  12. Verify that Arkose challenge is shown on the phone number verification step

  13. Enter a phone number, solve the challenge, and click Send code

  14. Verify that a log similar to the following is recorded

    {
      "severity": "INFO",
      "time": "2024-06-05T02:50:05.965Z",
      "correlation_id": "01HZK4VFBKP2361DEQX0T0JSXT",
      "meta.caller_id": "Users::RegistrationsIdentityVerificationController#send_phone_verification_code",
      "meta.remote_ip": "127.0.0.1",
      "meta.feature_category": "instance_resiliency",
      "meta.client_id": "ip/127.0.0.1",
      "username": "jun2451045",
      "message": "Arkose challenge",
      "event": "interactive challenge solved"
    }
Edited by Eugie Limpin

Merge request reports

Loading