Add Arkose fail open activation

When anomalies are detected in the Arkose token verification rate, we activate our fail open, which bypasses the call out to Arkose.

NOTE: This MR needs to come after this one: !212132 (merged)

Reference

https://gitlab.com/gitlab-org/gitlab/-/work_items/578300

Verification Script

# Manual verification script for the Arkose fail-open activation path.
# Presumably meant to be pasted into a Rails console (see the user_agent below).
#
# It changes shared state rather than only reading it: two feature flags are
# enabled for the whole instance, and keys in shared-state Redis are deleted and
# written. Nothing at the end of the script reverts any of this.
# NOTE(review): run it on a disposable development instance only - confirm
# before using it anywhere that serves real sign-ups.
puts "\n[Arkose fail-open manual verification script]"

# Both flags are switched on instance-wide; the script never disables them again.
Feature.enable(:track_arkose_token_verification_results, :instance)
Feature.enable(:arkose_anomalous_verification_rate_fail_open, :instance)

# Short local aliases for the modules under test.
fail_open   = AntiAbuse::IdentityVerification::ArkoseFailOpen
anomaly_mod = AntiAbuse::IdentityVerification::ArkoseAnomalyDetection
settings    = AntiAbuse::IdentityVerification::Settings

# Redis wrapper plus the key names and TTL, all read from ArkoseFailOpen's constants.
redis       = Gitlab::Redis::SharedState
fail_key    = AntiAbuse::IdentityVerification::ArkoseFailOpen::FAIL_OPEN_ACTIVE_KEY
ttl_seconds = AntiAbuse::IdentityVerification::ArkoseFailOpen::FAIL_OPEN_TTL_SECONDS
stream_key  = AntiAbuse::IdentityVerification::ArkoseFailOpen::VERIFICATION_RATE_STREAM_KEY

# Start from a known state by removing any existing fail-open marker.
redis.with do |r|
  r.del(fail_key)
  r.del(stream_key) # optional; note this discards every entry the verification-rate stream currently holds
end

puts "\n[Step 1] Clean state:"
puts "  - ArkoseFailOpen.active? => #{fail_open.active?.inspect}"

# Trigger fail-open via synthetic anomalous decision.
# The decision is built by hand: the figures in the reason string are literal
# text for this test, not values computed by the anomaly detection code.
decision = anomaly_mod::Decision.new(
  anomalous: true,
  reason: 'manual test: zscore=-3.2 mean=95.0 std=1.0 current=50.0'
)

# Stream length before the trigger, compared with the length afterwards in Step 2.
before_len = redis.with { |r| r.xlen(stream_key) }

puts "\n[Step 2] Triggering fail-open via private trigger_fail_open..."
# `send` is used to reach the private method directly, so only the activation
# side effects are exercised here; the detection step that would presumably
# produce the decision in normal operation is not run.
fail_open.send(:trigger_fail_open, decision)

# Read back what the trigger wrote: the marker value, its remaining TTL, and the
# stream length.
value = redis.with { |r| r.get(fail_key) }
ttl   = redis.with { |r| r.ttl(fail_key) }
after_len = redis.with { |r| r.xlen(stream_key) }

puts "  - FAIL_OPEN_ACTIVE_KEY value: #{value.inspect}"
puts "  - TTL (seconds): #{ttl.inspect} (expected > 0 and <= #{ttl_seconds})"
puts "  - ArkoseFailOpen.active? => #{fail_open.active?.inspect}"
puts "  - verification-rate stream length before: #{before_len}, after: #{after_len} (should be unchanged)"

# Arkose enablement short-circuit check.
# Any existing user will do; User.first simply takes whichever record comes back first.
user = User.first

if user
  puts "\n[Step 3] Settings.arkose_enabled? with fail-open active"
  puts "  - Using user: #{user.id} / #{user.username}"

  # Expected to be false while the fail-open marker is set, i.e. the Arkose
  # check is skipped for this user.
  enabled = settings.arkose_enabled?(user: user, user_agent: 'rails-console-test')
  puts "  - settings.arkose_enabled? => #{enabled.inspect} (should be false when fail-open is active)"
else
  puts "\n[Step 3] No users found, skipping arkose_enabled? check."
end

# NOTE(review): the script ends without deleting fail_key or disabling the two
# feature flags, so the instance is left with fail-open active until the key's
# TTL runs out or the key is removed by hand.
puts "\n[Done] Arkose fail-open activation script finished."
Edited by Matthew MacRae-Bovell
