Exempt users invited to a paid namespace from identity verification

What does this MR do and why?

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/572

Currently, users are only exempt from identity verification (IV) if they are invited to a paid top-level namespace. This MR adds a check to exempt a user from IV if they are invited to a paid sub-group or project.
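The rule described above, as an added illustration that is not GitLab's own code: the Namespace, Project and exempt_* names are assumptions, and the only thing the model captures is that a paid plan belongs to the top-level namespace, so the check has to walk up from the invite target.

```ruby
# Added example (not GitLab's code): a minimal model of the exemption logic this MR
# describes. Namespace, Project and the exempt_* helpers below are assumed names.

# A namespace is a top-level group or a sub-group; sub-groups have a parent.
Namespace = Struct.new(:name, :parent, :paid, keyword_init: true) do
  # Walk up the hierarchy to the top-level namespace, which is what owns the plan.
  def root
    node = self
    node = node.parent while node.parent
    node
  end

  def root_paid?
    root.paid
  end
end

# A project lives in exactly one namespace (a top-level group or a sub-group).
Project = Struct.new(:name, :namespace, keyword_init: true)

# Before this MR: only an invitation to a paid top-level namespace exempts the user.
def exempt_before_mr?(target)
  target.is_a?(Namespace) && target.parent.nil? && target.paid
end

# After this MR: an invitation to a paid group, sub-group or project exempts the
# user, because the plan of the top-level namespace applies to everything under it.
def exempt_after_mr?(target)
  namespace = target.is_a?(Project) ? target.namespace : target
  namespace.root_paid?
end

# Constructed sample hierarchy; only the top-level group carries the paid flag.
PAID_GROUP = Namespace.new(name: 'paid-group', parent: nil, paid: true)
PAID_SUBGROUP = Namespace.new(name: 'paid-subgroup', parent: PAID_GROUP, paid: false)
PAID_PROJECT = Project.new(name: 'paid-project', namespace: PAID_SUBGROUP)
FREE_GROUP = Namespace.new(name: 'free-group', parent: nil, paid: false)
FREE_SUBGROUP = Namespace.new(name: 'free-subgroup', parent: FREE_GROUP, paid: false)

if __FILE__ == $PROGRAM_NAME
  [PAID_GROUP, PAID_SUBGROUP, PAID_PROJECT, FREE_GROUP, FREE_SUBGROUP].each do |t|
    puts "#{t.name}: before=#{exempt_before_mr?(t)} after=#{exempt_after_mr?(t)}"
  end
end
```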

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Configure SaaS mode in GDK by setting the environment variable GITLAB_SIMULATE_SAAS=1.
  2. Configure the following settings. Development credentials for Telesign and Arkose are available in 1Password.

         ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
         ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
         ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client')
         ::Gitlab::CurrentSettings.update(telesign_customer_xid: CUSTOMER_ID, telesign_api_key: API_KEY)

  3. Enable the following feature flags.

         Feature.enable(:identity_verification)
         Feature.enable(:identity_verification_phone_number)
         Feature.enable(:identity_verification_credit_card)

  4. Apply the following patch to force the user to have a High Arkose risk band.
diff --git a/ee/app/services/arkose/record_user_data_service.rb b/ee/app/services/arkose/record_user_data_service.rb
index 32b1908f717c..353e62f514ed 100644
--- a/ee/app/services/arkose/record_user_data_service.rb
+++ b/ee/app/services/arkose/record_user_data_service.rb
@@ -33,7 +33,7 @@ def custom_attributes
     custom_attributes = []
     custom_attributes.push({ key: 'arkose_session', value: response.session_id })
     custom_attributes.push({ key: 'arkose_device_id', value: response.device_id }) unless response.device_id.nil?
-      custom_attributes.push({ key: UserCustomAttribute::ARKOSE_RISK_BAND, value: response.risk_band })
+      custom_attributes.push({ key: UserCustomAttribute::ARKOSE_RISK_BAND, value: 'High' })
     custom_attributes.push({ key: 'arkose_global_score', value: response.global_score })
     custom_attributes.push({ key: 'arkose_custom_score', value: response.custom_score })
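Review bot: the `+` line hard-codes `value: 'High'` in place of `response.risk_band`, so the band Arkose actually returned is never recorded while this patch is applied. Since it exists only to drive the validation steps and is not part of the MR, it must not be committed; the step would be clearer if it said to revert the patch once validation is done.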
  5. Create a paid group and invite a non-existent user to a sub-group of that group using an email address.
  6. Use the Rails letter opener to accept the invite. The user should be registered without having to complete identity verification.
  7. Invite another non-existent user to a free group. When you accept the invite, you should be prompted to validate a phone number.
Edited by Eugie Limpin