Exempt users invited to a paid namespace from identity verification
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/572
Currently, users are only exempt from identity verification (IV) if they are invited to a paid top-level namespace. This MR adds a check to exempt a user from IV if they are invited to a paid sub-group or project.
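To make the before/after behaviour concrete, here is an added illustration (not GitLab's own code) that models the exemption check on a tiny namespace tree: `Namespace`, `Project`, `paid` and `root_ancestor` are assumed stand-ins, since only the root group carries the plan.

```ruby
# Illustrative model of the IV exemption (assumption: not GitLab's real classes).
# Only top-level namespaces carry a plan, so `paid` is meaningful on roots only.
Namespace = Struct.new(:name, :parent, :paid, keyword_init: true) do
  # Walk up the parent chain to the top-level group.
  def root_ancestor
    node = self
    node = node.parent while node.parent
    node
  end
end

Project = Struct.new(:name, :namespace, keyword_init: true)

# Behaviour before the MR: only an invite to the paid top-level group itself counts.
def exempt_before?(invite_target)
  invite_target.is_a?(Namespace) && invite_target.parent.nil? && invite_target.paid == true
end

# Behaviour after the MR: an invite to any sub-group or project whose root
# namespace is paid also exempts the user.
def exempt_after?(invite_target)
  root = if invite_target.is_a?(Project)
           invite_target.namespace.root_ancestor
         else
           invite_target.root_ancestor
         end
  root.paid == true
end

# Constructed fixtures mirroring the validation steps below.
PAID_GROUP    = Namespace.new(name: 'paid-group', parent: nil, paid: true)
PAID_SUBGROUP = Namespace.new(name: 'team', parent: PAID_GROUP, paid: false)
PAID_PROJECT  = Project.new(name: 'app', namespace: PAID_SUBGROUP)
FREE_GROUP    = Namespace.new(name: 'free-group', parent: nil, paid: false)
```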
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Configure SaaS mode in GDK by setting the environment variable:

```shell
GITLAB_SIMULATE_SAAS=1
```
- Configure the following settings. Development credentials for Telesign and Arkose are available in 1Password.

```ruby
::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)
```
- Enable the following feature flags.

```ruby
Feature.enable(:identity_verification)
Feature.enable(:identity_verification_phone_number)
Feature.enable(:identity_verification_credit_card)
```
- Apply the following patch to force the user to have a `High` Arkose risk band.
diff --git a/ee/app/services/arkose/record_user_data_service.rb b/ee/app/services/arkose/record_user_data_service.rb
index 32b1908f717c..353e62f514ed 100644
--- a/ee/app/services/arkose/record_user_data_service.rb
+++ b/ee/app/services/arkose/record_user_data_service.rb
@@ -33,7 +33,7 @@ def custom_attributes
custom_attributes = []
custom_attributes.push({ key: 'arkose_session', value: response.session_id })
custom_attributes.push({ key: 'arkose_device_id', value: response.device_id }) unless response.device_id.nil?
- custom_attributes.push({ key: UserCustomAttribute::ARKOSE_RISK_BAND, value: response.risk_band })
+ custom_attributes.push({ key: UserCustomAttribute::ARKOSE_RISK_BAND, value: 'High' })
custom_attributes.push({ key: 'arkose_global_score', value: response.global_score })
custom_attributes.push({ key: 'arkose_custom_score', value: response.custom_score })
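Review bot: the `+` line replaces `response.risk_band` with the literal `'High'` unconditionally, so while this patch is applied every Arkose-scored user is recorded as high risk regardless of the real response; keep it to the local GDK checkout and revert it (`git checkout -- ee/app/services/arkose/record_user_data_service.rb`) once validation is done, since committing it would make the stored risk band meaningless for all users. If forcing a band is needed regularly for local testing, gating the override on a development-only setting would be safer than editing the service in place.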
- Create a paid group and invite a non-existent user to a sub-group of that group using an email address.
- Use the rails letter opener to accept the invite. The user should be registered without having to complete identity verification.
- Invite another non-existent user to a free group. When you accept the invite you should be prompted to validate a phone number.