Handle bot users during identity verification flow

Ian Anderson requested to merge ia-identity-verification-handle-bot-users into master

What does this MR do and why?

Related to: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/768

As part of Iteration 1 for identity verification we rolled out the ability for a user to verify their identity after registration to gain in-app privileges such as the ability to create pipelines. This MR introduces logic to handle bot users. Bot users are created and added as members to a group or project when a user creates a group or project access token. In order to verify that bot users can access the application features that require identity verification, we check the identity verification state of the user who created the token. If the creator is identity verified then the bot will be treated as identity verified, and vice versa. In the case where a user account is deleted and the bot creator is nil, the account will be treated as identity verified if it was created before the feature release date.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Start GDK with SaaS simulation
    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Ensure that you have a runner set up in GDK.
  3. Enable the relevant feature flags
    > Feature.enable(:opt_in_identity_verification)
    > Feature.enable(:identity_verification_phone_number)
    > Feature.enable(:identity_verification_credit_card)
  4. Create a project with a new user and generate a project access token.
  5. Attempt to trigger a pipeline using the project access token. You should see that identity verification is required.
    ▶ curl -i -X POST --header "PRIVATE-TOKEN: $TOKEN" 'http://gdk.test:3000/api/v4/projects/20/pipeline?ref=main'
    HTTP/1.1 400 Bad Request
    Cache-Control: no-cache
    Content-Length: 82
    Content-Security-Policy: default-src 'none'
    Content-Type: application/json
    Vary: Origin
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-Gitlab-Meta: {"correlation_id":"01J01R44YWQ4GXNT7643H38GZC","version":"1"}
    X-Request-Id: 01J01R44YWQ4GXNT7643H38GZC
    X-Runtime: 4.738679
    Date: Mon, 10 Jun 2024 18:56:19 GMT
    
    {"message":{"base":["Identity verification is required in order to run CI jobs"]}}
  6. Create a phone validation for the user that created the access token.
    [7] pry(main)> FactoryBot.create(:phone_number_validation, :validated, user: user)
  7. Re-run the curl command to trigger a pipeline. It should be successful.
Edited by Ian Anderson
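The decision described in the MR description (a bot inherits its token creator's verification state, and an orphaned bot falls back to a creation-date check), modelled as an added example. This is illustrative code, not GitLab's implementation: the `User` struct, the `identity_verified?` helper and the `IDENTITY_VERIFICATION_RELEASE_DATE` value are all assumed placeholders.

```ruby
require 'date'

# Assumed placeholder for the feature release date; the real project value differs.
IDENTITY_VERIFICATION_RELEASE_DATE = Date.new(2024, 1, 1)

# Minimal constructed model of the fields the decision needs.
User = Struct.new(:name, :bot, :identity_verified, :created_at, :created_by,
                  keyword_init: true)

# True when the user may use features gated behind identity verification.
# Humans are judged on their own state; bots are judged on their creator's.
def identity_verified?(user)
  return user.identity_verified unless user.bot

  creator = user.created_by
  if creator.nil?
    # Creator account was deleted: grandfather bots created before the release,
    # but require verification for bots created afterwards.
    return user.created_at < IDENTITY_VERIFICATION_RELEASE_DATE
  end

  # Bot follows its creator: verified creator => verified bot, and vice versa.
  creator.identity_verified
end

# Constructed sample accounts covering each branch of the decision.
VERIFIED_HUMAN   = User.new(name: 'alice', bot: false, identity_verified: true,
                            created_at: Date.new(2024, 3, 1))
UNVERIFIED_HUMAN = User.new(name: 'bob', bot: false, identity_verified: false,
                            created_at: Date.new(2024, 3, 1))
BOT_OF_VERIFIED   = User.new(name: 'project_1_bot', bot: true, identity_verified: false,
                             created_at: Date.new(2024, 4, 1), created_by: VERIFIED_HUMAN)
BOT_OF_UNVERIFIED = User.new(name: 'project_2_bot', bot: true, identity_verified: false,
                             created_at: Date.new(2024, 4, 1), created_by: UNVERIFIED_HUMAN)
ORPHAN_BOT_OLD = User.new(name: 'project_3_bot', bot: true, identity_verified: false,
                          created_at: Date.new(2023, 6, 1), created_by: nil)
ORPHAN_BOT_NEW = User.new(name: 'project_4_bot', bot: true, identity_verified: false,
                          created_at: Date.new(2024, 6, 1), created_by: nil)

# Evaluate every sample account and return name => allowed.
def verification_report(users)
  users.to_h { |u| [u.name, identity_verified?(u)] }
end

if __FILE__ == $PROGRAM_NAME
  verification_report([VERIFIED_HUMAN, UNVERIFIED_HUMAN, BOT_OF_VERIFIED,
                       BOT_OF_UNVERIFIED, ORPHAN_BOT_OLD, ORPHAN_BOT_NEW])
    .each { |name, ok| puts "#{name}: #{ok ? 'may run CI' : 'verification required'}" }
end
```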