Handle bot users during identity verification flow
What does this MR do and why?
Related to: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/768
As part of Iteration 1 of identity verification we rolled out the ability for a user to verify their identity after registration to gain in-app privileges such as the ability to create pipelines. This MR introduces logic to handle bot users. Bot users are created and added as members of a group or project when a user creates a group or project access token. To decide whether a bot user can access application features that require identity verification, we check the identity verification state of the user who created the token: if the creator is identity verified, the bot is treated as identity verified, and if the creator is not, neither is the bot. If the creator's account has been deleted and the bot's creator is nil, the bot is treated as identity verified only if it was created before the feature release date.
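The decision rule above, as an added example that is not GitLab's code: a small Ruby model of a user record in which bot users delegate `identity_verified?` to the account that created their token, and fall back to a release-date cut-off when that account is gone. The release date, the attribute names (`bot`, `created_by`, `phone_validated`, `credit_card_validated`) and the `pipeline_creation_error` helper are assumptions made for illustration; only the error message is taken from the API response shown further down.

```ruby
require 'time'

# Assumed release date of the identity verification feature (placeholder
# value for this example, not the real cut-off used by the project).
IDENTITY_VERIFICATION_RELEASE_DATE = Time.utc(2024, 6, 1)

# Error message returned by the pipeline API when verification is missing.
IDENTITY_VERIFICATION_ERROR =
  'Identity verification is required in order to run CI jobs'.freeze

# Stand-in for a user record (constructed for this example). `created_by` is
# the user who created the access token, and therefore the bot; it is nil when
# that account has been deleted.
User = Struct.new(:username, :bot, :created_by, :created_at,
                  :phone_validated, :credit_card_validated,
                  keyword_init: true) do
  def bot?
    !!bot
  end

  # Human users are verified through one of the verification methods; bot
  # users inherit the verification state of the account that created them.
  def identity_verified?
    return creator_identity_verified? if bot?

    !!(phone_validated || credit_card_validated)
  end

  private

  # Delegates to the token creator. If the creator account is gone, the bot is
  # grandfathered in only when it predates the feature release; a bot created
  # after the release whose creator is missing stays unverified (fail closed).
  def creator_identity_verified?
    return created_at < IDENTITY_VERIFICATION_RELEASE_DATE if created_by.nil?

    created_by.identity_verified?
  end
end

# Mirrors the pipeline-creation check: returns the error message when the
# user (or bot) may not run CI jobs, and nil when the request is allowed.
def pipeline_creation_error(user)
  user.identity_verified? ? nil : IDENTITY_VERIFICATION_ERROR
end

if $PROGRAM_NAME == __FILE__
  day_after = IDENTITY_VERIFICATION_RELEASE_DATE + 86_400
  alice = User.new(username: 'alice', bot: false, created_at: day_after)
  bot = User.new(username: 'project_20_bot', bot: true,
                 created_by: alice, created_at: day_after)

  puts pipeline_creation_error(bot)          # creator unverified: error
  alice.phone_validated = true               # simulate a phone validation
  puts pipeline_creation_error(bot).inspect  # creator verified: nil
end
```

Because the bot's own attributes are never consulted, a bot cannot be "verified" independently of its creator; the only path that bypasses the creator is the release-date grandfathering for orphaned bots, which is worth keeping in mind when reviewing deleted-user cleanup jobs.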
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Start GDK with SaaS simulation

```shell
$ export GITLAB_SIMULATE_SAAS=1
$ gdk start
```
- Ensure that you have a runner setup in GDK.
- Enable the relevant feature flags in a Rails console

```ruby
> Feature.enable(:opt_in_identity_verification)
> Feature.enable(:identity_verification_phone_number)
> Feature.enable(:identity_verification_credit_card)
```
- Create a project with a new user and generate a project access token.
- Attempt to trigger a pipeline using the project access token. You should see that identity verification is required.
```
▶ curl -i -X POST --header "PRIVATE-TOKEN: $TOKEN" 'http://gdk.test:3000/api/v4/projects/20/pipeline?ref=main'
HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Content-Length: 82
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"01J01R44YWQ4GXNT7643H38GZC","version":"1"}
X-Request-Id: 01J01R44YWQ4GXNT7643H38GZC
X-Runtime: 4.738679
Date: Mon, 10 Jun 2024 18:56:19 GMT

{"message":{"base":["Identity verification is required in order to run CI jobs"]}}
```
- Create a phone validation for the user that created the access token (`user` below is that user's record)

```ruby
[7] pry(main)> FactoryBot.create(:phone_number_validation, :validated, user: user)
```
- Re-run the curl command to trigger a pipeline. It should be successful.