Send Arkose truth data when auto-banning users

Ian Anderson requested to merge ia-auto-ban-arkose-truth-data into master

What does this MR do and why?

Implements the auto-ban task of https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/548

Arkose is a third-party risk-scoring service we use to determine how hard we challenge users when they complete identity verification. If a user is high-risk we require more steps when they verify their identity. Arkose has a "truth data" API that allows us to send them data once we determine whether a user session is good or bad. This MR sends truth data for users with `is_legit = false` when the auto-ban service is executed. By sending this data, our Arkose risk scores should become more accurate over time.

In addition to reporting truth data, logging was added to the truth data service so that we can easily confirm that the service is working as expected.
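To make the two points above concrete (report `is_legit = false` for a banned user, and log a structured event so the outcome can be checked), here is an added illustration in Ruby. It is not the code in this MR and not GitLab's own service: the Arkose client is injected and faked, the user is a plain Hash standing in for the user plus its `ARKOSE_SESSION` custom attribute, and the session values are constructed. It shows the behaviour a reviewer would want checked: a successful send, a rejected send, and a user without an Arkose session, each producing one JSON log line with the same keys as the log message in this MR, and none of them raising into the auto-ban path.

```ruby
require 'json'
require 'logger'
require 'stringio'

# Hypothetical truth-data reporter, added as an illustration of the flow
# described in the MR; it is not the MR's code. The Arkose HTTP client is
# injected so the whole thing runs offline.
module ArkoseTruthDataExample
  # Constructed stand-in for the Arkose API client.
  class FakeArkoseClient
    attr_reader :sent

    def initialize(fail_for: nil)
      @sent = []
      @fail_for = fail_for
    end

    # Returns true when the fake "API" accepts the payload, false otherwise.
    def send_truth_data(payload)
      @sent << payload
      payload[:session] != @fail_for
    end
  end

  class Reporter
    EVENT_NAME = 'Arkose truth data'

    def initialize(client:, logger:)
      @client = client
      @logger = logger
    end

    # user: Hash with :username, :arkose_session, :arkose_risk_band (constructed
    # shape). Returns a status Hash and never raises, so a telemetry failure
    # cannot block the ban itself.
    def report(user, is_legit:)
      session = user[:arkose_session]
      return skip(user, 'no arkose session') if session.nil? || session.empty?

      payload = { session: session, is_legit: is_legit }
      ok = @client.send_truth_data(payload)
      log(user, status: ok ? 'success' : 'error', is_legit: is_legit,
                message: ok ? 'sent arkose truth data' : 'failed to send arkose truth data')
      ok ? { status: :success } : { status: :error, message: 'truth data not accepted' }
    rescue StandardError => e
      log(user, status: 'error', is_legit: is_legit, message: e.message)
      { status: :error, message: e.message }
    end

    private

    def skip(user, reason)
      log(user, status: 'skipped', is_legit: nil, message: reason)
      { status: :skipped, message: reason }
    end

    # Emits one JSON line using the same keys the MR's log message shows.
    def log(user, status:, is_legit:, message:)
      @logger.info(JSON.generate({
        event: EVENT_NAME,
        message: message,
        status: status,
        username: user[:username],
        arkose_session: user[:arkose_session],
        arkose_risk_band: user[:arkose_risk_band],
        is_legit: is_legit
      }))
    end
  end

  # Runs the reporter over three constructed users and returns
  # [results, parsed_log_lines, payloads_sent_to_client].
  def self.demo
    io = StringIO.new
    logger = Logger.new(io)
    logger.formatter = proc { |_sev, _time, _prog, msg| "#{msg}\n" }
    client = FakeArkoseClient.new(fail_for: 'sess-constructed-rejected')
    reporter = Reporter.new(client: client, logger: logger)

    users = [
      { username: 'user-a', arkose_session: 'sess-constructed-ok', arkose_risk_band: 'Low' },
      { username: 'user-b', arkose_session: 'sess-constructed-rejected', arkose_risk_band: 'High' },
      { username: 'user-c', arkose_session: nil, arkose_risk_band: nil }
    ]
    results = users.map { |u| reporter.report(u, is_legit: false) }
    lines = io.string.each_line.map { |l| JSON.parse(l) }
    [results, lines, client.sent]
  end
end
```

The point of the `rescue` and the `skip` branch is that reporting is best-effort: a user with no Arkose session (for example one created before the integration was enabled) is logged and skipped rather than failing the ban, and an API error is surfaced in the log with `status: "error"` so it can be found the same way as a success.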

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Start GDK with SaaS simulation

    $ export GITLAB_SIMULATE_SAAS=1
    $ gdk start
  2. Apply needed application settings. Credentials are stored in 1Password under ArkoseLabs API keys.

    ::Gitlab::CurrentSettings.update(email_confirmation_setting: 'hard')
    ::Gitlab::CurrentSettings.update(require_admin_approval_after_user_signup: false)
    ::Gitlab::CurrentSettings.update(arkose_labs_public_api_key: 'KEY', arkose_labs_private_api_key: 'KEY', arkose_labs_namespace: 'client')
    ::Gitlab::CurrentSettings.update(arkose_labs_client_xid: 'CLIENT_ID', arkose_labs_client_secret: 'SECRET')
  3. Enable the relevant feature flags.

    Feature.enable(:identity_verification)
    Feature.enable(:arkose_truth_data_auto_ban)
  4. Register a new user. When this happens, Arkose data should be added to the user's custom attributes. Verify that there is an Arkose session for the user by executing the following.

    [5] pry(main)> u = User.last
    => #<User id:84 @new100>
    [6] pry(main)> u.custom_attributes.by_key(UserCustomAttribute::ARKOSE_SESSION)
    => [#<UserCustomAttribute:0x00007f5654cfcd88
      id: 30,
      created_at: Mon, 24 Jun 2024 19:20:45.707563000 UTC +00:00,
      updated_at: Mon, 24 Jun 2024 19:20:45.707572000 UTC +00:00,
      user_id: 84,
      key: "[FILTERED]",
      value: "35617dc06fb328c55.8016872202">]
  5. Execute the auto-ban service against the new user.

    [8] pry(main)> result = Users::AutoBanService.new(user: u, reason: 'testing').execute
    => {:status=>:success}
  6. Examine log/application_json.log. You should see a message similar to the following.

    {
      "severity": "INFO",
      "time": "2024-06-24T19:25:12.965Z",
      "message": "sent arkose truth data",
      "event": "Arkose truth data",
      "status": "success",
      "username": "new100",
      "arkose_session": "35617dc06fb328c55.8016872202",
      "arkose_risk_band": "Low",
      "is_legit": false
    }
Edited by Ian Anderson