
Assume new OAuth user is low risk when Arkose is down

Eugie Limpin requested to merge el-skip-verify-token-when-arkose-is-down into master

What does this MR do and why?

This MR implements the "Handle outage on OAuth signup" sub-task of "When Arkose api.js fails to load, registration and sign in are not blocked".

Previously, if the Arkose challenge initialization failed during OAuth signup for some reason (e.g. the script download failed), we displayed an error message and prevented the user from proceeding. In this situation, the user could do nothing but refresh the page until the Arkose challenge was initialized (e.g. when Arkose came back up again) and they were assigned a risk score.

This MR updates the current implementation such that if there is an error initializing the Arkose challenge on the front-end during OAuth sign-up, we log the error then check if Arkose's status API shows an outage. If Arkose's status API confirms that there is an outage the challenge is skipped for the user, they are assumed low-risk, and allowed to proceed with the sign-up.

Reference: Arkose's troubleshooting docs

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screen recording attached: Screen_Recording_2024-01-17_at_4.26.04_PM, showing the Before and After behaviour.)

How to set up and validate locally

Set up

  1. Set up GDK with Google OAuth2. Follow these instructions

This is what your gitlab.yml should look like:
    development:
      <<: *base
      gitlab:
        host: 1-2-3-4.ngrok-free.app
      omniauth:
        allow_single_sign_on: true
        block_auto_created_users: false
        providers:
        - { name: 'google_oauth2',
            app_id: '***',
            app_secret: '***',
            args: { access_type: 'offline', approval_prompt: '' } }
    Check that you have the correct omniauth config via Rails console:
    > Gitlab.config.omniauth
    => #<GitlabSettings::Options:0x000000011d9fb190
     @options=
      {"allow_single_sign_on"=>true,
       "block_auto_created_users"=>false,
       "providers"=>
        [#<GitlabSettings::Options:0x000000011d9fb370
          @options=
           {"name"=>"google_oauth2",
            "app_id"=>"***",
            "app_secret"=>"***",
            ...
Reference: Google Credentials page (screenshot: Screenshot_2024-01-17_at_3.46.01_PM)
  2. Toggle relevant feature flags and configure ArkoseLabs integration:

    $ rails console
    > Feature.enable(:identity_verification)
    > Feature.enable(:arkose_labs_oauth_signup_challenge)
    > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })

    Notes:

    • Credentials are available in GitLab 1Password Engineering Vault

Simulate Arkose outage

Since there is no easy way of doing this, we will need to simulate an Arkose outage on both the front-end and the back-end.

  1. Go to the /users/sign_up page and open your Network tab.

  2. Block the https://client-api.arkoselabs.com domain so the Arkose JS script doesn't load on the client side.

    (Screen recording: Screen_Recording_2024-01-17_at_4.05.25_PM)
  3. Simulate an arkose outage by applying the following patch:

    diff --git a/ee/app/services/arkose/status_service.rb b/ee/app/services/arkose/status_service.rb
    index aee9f73b7c6b..88e2bb121448 100644
    --- a/ee/app/services/arkose/status_service.rb
    +++ b/ee/app/services/arkose/status_service.rb
    @@ -10,7 +10,7 @@ def execute
           response = Gitlab::HTTP.get(ARKOSE_STATUS_URL)
     
           if response.success?
    -        indicator = Gitlab::Json.parse(response.body).dig('status', 'indicator')
    +        indicator = 'critical' #Gitlab::Json.parse(response.body).dig('status', 'indicator')
     
             return success if ARKOSE_SUCCESS_INDICATOR.include?(indicator)
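Review bot: this simulation only exercises the branch where the status API answers successfully and reports an outage; the `if response.success?` guard just above the changed line still short-circuits when `Gitlab::HTTP.get(ARKOSE_STATUS_URL)` itself fails or returns a non-success response, so the case "status unknown, outage not confirmed" is not covered by the local test steps. Worth a second manual run that makes that call fail (stub it to raise, or to return a non-success response) and confirming the challenge is still required and no `assumed_low_risk_reason` attribute is written, since the description says the challenge is skipped only on a confirmed outage. Minor: Rubocop will flag `'critical' #Gitlab::Json.parse(...)` for the missing space after `#`, harmless for a throwaway test patch.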

Validate

  1. Visit the registration page

  2. Click Register with: Google

  3. Sign in with Google using any test user you configured in your Google OAuth client

  4. Validate that after signing up (a user record is created at this point) you are redirected to the Identity Verification page

  5. From the Rails console, validate that the new user has a custom attribute with key = 'assumed_low_risk_reason' with value = 'Arkose is down'

    > User.last.custom_attributes.by_key('assumed_low_risk_reason').first.value
    => "Arkose is down"

💡 If you want to test with the same user again, delete the User record from the Rails console with the following command: User.last.destroy

Edited by Eugie Limpin
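The following is an added example, not code from this MR or from GitLab, that models the decision the description lays out: when the front-end reports that the Arkose challenge failed to initialize during OAuth sign-up, log the error, consult Arkose's status API, and skip the challenge (recording the `assumed_low_risk_reason` custom attribute) only when the status API confirms an outage. The status responses are constructed samples in the statuspage.io shape the MR's `status_service.rb` digs into (`status` → `indicator`); `SUCCESS_INDICATORS` is an assumed stand-in for the project's `ARKOSE_SUCCESS_INDICATOR`, and `fetch_status` is an injected callable assumed for this example so it runs offline instead of calling `Gitlab::HTTP.get(ARKOSE_STATUS_URL)`.

```ruby
require 'json'
require 'logger'

# Added example, not GitLab's code. Models the fallback described in the MR:
# a front-end challenge init error becomes a "skip the challenge, assume low
# risk" decision only when Arkose's status API confirms an outage.
#
# Assumptions (hypothetical, chosen for this example):
#   - status API returns statuspage.io-style JSON {"status": {"indicator": ...}};
#   - SUCCESS_INDICATORS stands in for the project's ARKOSE_SUCCESS_INDICATOR;
#   - `fetch_status` is an injected callable returning {success:, body:} instead
#     of a real Gitlab::HTTP.get(ARKOSE_STATUS_URL) call.
module ArkoseFallback
  SUCCESS_INDICATORS = %w[none minor].freeze
  ASSUMED_LOW_RISK_KEY = 'assumed_low_risk_reason'.freeze
  OUTAGE_REASON = 'Arkose is down'.freeze

  # Constructed sample responses standing in for the real status endpoint.
  SAMPLES = {
    healthy:  { success: true,  body: '{"status":{"indicator":"none","description":"All Systems Operational"}}' },
    degraded: { success: true,  body: '{"status":{"indicator":"minor","description":"Partially Degraded Service"}}' },
    outage:   { success: true,  body: '{"status":{"indicator":"critical","description":"Major System Outage"}}' },
    http_503: { success: false, body: '' },
    garbage:  { success: true,  body: '<html>maintenance page</html>' }
  }.freeze

  # Classifies Arkose's status as :up, :down or :unknown. Anything that cannot
  # be read as a known indicator (non-success response, malformed body, a
  # raising fetcher) is :unknown, not :down: an outage must be confirmed.
  def self.status(fetch_status)
    response = fetch_status.call
    return :unknown unless response && response[:success]

    indicator = JSON.parse(response[:body]).dig('status', 'indicator')
    return :unknown unless indicator.is_a?(String)

    SUCCESS_INDICATORS.include?(indicator) ? :up : :down
  rescue StandardError
    # JSON::ParserError, network errors, etc.: we could not confirm an outage.
    :unknown
  end

  # Entry point for "the challenge failed to initialize on the front-end".
  # Returns the action the sign-up flow should take and, when the challenge is
  # skipped, the custom attribute to record on the new user.
  def self.handle_challenge_init_error(error_message, fetch_status, logger: Logger.new($stderr))
    logger.warn("Arkose challenge initialization failed: #{error_message}")

    if status(fetch_status) == :down
      logger.info('Arkose status API confirms an outage; assuming user is low risk')
      { skip_challenge: true, custom_attribute: { key: ASSUMED_LOW_RISK_KEY, value: OUTAGE_REASON } }
    else
      # Arkose is up, or its status could not be confirmed. A client-side load
      # failure alone is under the user's control (a content blocker, or someone
      # deliberately blocking client-api.arkoselabs.com as in the test steps),
      # so it must not unlock the bypass by itself.
      { skip_challenge: false, custom_attribute: nil }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  quiet = Logger.new(IO::NULL)
  ArkoseFallback::SAMPLES.each do |name, response|
    result = ArkoseFallback.handle_challenge_init_error('script failed to load', -> { response }, logger: quiet)
    puts "#{name}: skip_challenge=#{result[:skip_challenge]} attribute=#{result[:custom_attribute].inspect}"
  end
end
```

The design point worth noting is the three-way status: only `:down` unlocks the bypass, so a status API that is itself unreachable, returns an error, or serves an unexpected body leaves the challenge in place. That is what makes the blocked-domain step in the local test insufficient on its own; the back-end patch that forces the indicator to `critical` is what actually triggers the skip.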
