Allow GitLab QA users to bypass Identity Verification

Eugie Limpin requested to merge el-qa-user-identity-verification-bypass into master

What does this MR do and why?

We do not have QA tests that exercise Identity Verification yet. Until those tests are running, this MR allows GitLab QA users to bypass the feature. This enables us to turn on the Identity Verification feature flag on environments where the GITLAB_QA_USER_AGENT env var is set (staging, production) without introducing failing QA tests.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Set up

  1. Set needed environment variables in your terminal then start GDK

    $ export GITLAB_SIMULATE_SAAS=1 GITLAB_QA_USER_AGENT=test_ua
    $ gdk start

  2. Enable identity_verification* feature flags and disable require_admin_approval_after_user_signup

    $ rails console
    > Feature.disable(:arkose_labs_signup_challenge) # disable this. We'll just manually assign a risk band for the user in step 5
    > Feature.enable(:identity_verification)
    > Feature.enable(:identity_verification_credit_card)
    > ApplicationSetting.first.update(require_admin_approval_after_user_signup: false)

  3. Create a new user from /users/sign_up

  4. Validate that you are redirected to the Identity Verification page with email verification step

  5. Assign "High" ArkoseLabs risk band to the user

    $ rails console
    > UserCustomAttribute.create(user: User.last, key: 'arkose_risk_band', value: 'High')

  6. Refresh the page and validate that the page now shows credit card and email verification steps

Validate

  1. Confirm the user manually (GitLab QA users are all confirmed)

    $ rails console
    > User.last.update_attribute('confirmed_at', Time.now)

  2. Using Chrome, set a custom user agent equal to the value of GITLAB_QA_USER_AGENT you set in Set up - step 1

  3. Log in using the user you created

  4. Validate that you are redirected to the welcome page instead of the Identity Verification page

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
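
Because the User-Agent header is chosen by the client, the value of GITLAB_QA_USER_AGENT acts as a shared secret for the bypass described above. The following is an added example, not code from this MR or from GitLab: a user-agent check that fails closed when the variable is unset or empty and compares in constant time. The module and method names are hypothetical, and the sample requests are constructed.

```ruby
require 'digest'

# Added illustration, not GitLab's implementation. QaBypass and its methods
# are hypothetical names; only GITLAB_QA_USER_AGENT comes from the MR text.
module QaBypass
  ENV_KEY = 'GITLAB_QA_USER_AGENT'

  # Compare two strings without leaking, through timing, how many leading
  # bytes matched. Hashing first gives equal-length inputs for the XOR fold.
  def self.secure_equal?(left, right)
    a = Digest::SHA256.digest(left).bytes
    b = Digest::SHA256.digest(right).bytes
    a.zip(b).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end

  # True only when the configured value is non-empty and the request's
  # User-Agent equals it exactly. `env` is injectable for testing.
  def self.qa_request?(user_agent, env = ENV)
    expected = env[ENV_KEY].to_s
    return false if expected.empty?        # fail closed where the var is unset
    return false if user_agent.to_s.empty? # no header, no bypass

    secure_equal?(user_agent.to_s, expected)
  end
end

# Constructed sample requests: [User-Agent header, environment]
configured = { 'GITLAB_QA_USER_AGENT' => 'test_ua' }
SAMPLES = [
  ['test_ua', configured],                 # exact match: bypass
  ['Mozilla/5.0 test_ua', configured],     # substring only: no bypass
  ['test_ua', {}],                         # variable unset: no bypass
  ['', { 'GITLAB_QA_USER_AGENT' => '' }],  # empty equals empty: still no bypass
  [nil, configured]                        # header absent: no bypass
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |ua, env| puts "#{ua.inspect} => bypass: #{QaBypass.qa_request?(ua, env)}" }
end
```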