Set ArkoseLabs keys if provided and mask them

Mark Lapierre requested to merge ml-set-arkose-labs-keys into master

What does this MR do and why?

This adds credentials needed by GitLab when the ArkoseLabs signup challenge feature is enabled via the arkose_labs_signup_challenge flag.

  • Sets the ArkoseLabs credentials for any GitLab instance in any scenario, as long as the env vars are set.
  • Masks the credentials when they're shown as part of the omnibus-gitlab config settings.
  • Allows other secrets to be masked via the mask_secrets keyword arg.

gitlab!108668 (merged) must be merged first so that the CSP on the registration page is set correctly.

Background

The challenge is bypassed in e2e tests by setting the GITLAB_QA_USER_AGENT environment variable, but the bypass is implemented by ArkoseLabs allowlisting requests that include the env var. The credentials are also needed to allow GitLab to authenticate with ArkoseLabs so it can verify the request.

How to set up and validate locally

  1. Set the env vars
    export ARKOSE_LABS_PRIVATE_KEY=<development key from 1Password>
    export ARKOSE_LABS_PUBLIC_KEY=<development key from 1Password>
    export GITLAB_QA_USER_AGENT=<from 1Password>
  2. Run the registration e2e test via gitlab-qa with the arkose_labs_signup_challenge flag enabled
    bundle exec exe/gitlab-qa Test::Instance::Image EE --enable-feature arkose_labs_signup_challenge -- qa/specs/features/browser_ui/1_manage/login/register_spec.rb

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Mark Lapierre
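
The masking behaviour described in the MR description above, sketched as an added example. It is not code from this MR or from gitlab-qa. The `config_lines` and `redact` helpers, the `example_settings[...]` config key, and the sample values are all hypothetical and constructed for illustration.

```ruby
# Added illustration, not gitlab-qa code. Helper names, the
# example_settings[...] key and the sample values are hypothetical.
MASK = '*****'

# Emit a config line only for env vars that are set and non-empty,
# mirroring "as long as the env vars are set".
def config_lines(env, names)
  names.filter_map do |name|
    value = env[name]
    next if value.nil? || value.empty?

    "example_settings['#{name.downcase}'] = '#{value}'"
  end
end

# Replace every occurrence of each secret with MASK before the text is logged.
def redact(text, secrets)
  # Drop nil/empty values: gsub('') would insert MASK between every character.
  usable = secrets.compact.map(&:to_s).reject(&:empty?).uniq
  # Longest first, so a secret that contains a shorter secret is masked whole
  # instead of leaving its tail in the log.
  usable.sort_by { |s| -s.length }.reduce(text) do |out, secret|
    out.gsub(secret, MASK) # String pattern: matched literally, not as a regex
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  env = { 'ARKOSE_LABS_PRIVATE_KEY' => 'priv.key+1',
          'ARKOSE_LABS_PUBLIC_KEY' => '',
          'GITLAB_QA_USER_AGENT' => 'priv.key+1-agent' }
  names = env.keys
  puts redact(config_lines(env, names).join("\n"), env.values_at(*names))
end
```

Passing the secret as a plain `String` to `gsub` matters here: keys containing characters such as `.` or `+` would otherwise be interpreted as regex syntax and could fail to match.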