Merge branch 'mc_rocha-add-feature-flag-to-prevent-login' into 'master'

Add a feature flag to control when the login can be prevented

See merge request gitlab-org/gitlab!84971

config/feature_flags/development/arkose_labs_prevent_login.yml

+---
+name: arkose_labs_prevent_login
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/358838
+milestone: '14.10'
+type: development
+group: group::antiabuse
+default_enabled: false

ee/app/services/arkose/user_verification_service.rb

@@ -122,6 +122,8 @@ module Arkose
     end
 
     def low_risk?(response)
+      return true unless Feature.enabled?(:arkose_labs_prevent_login, default_enabled: :yaml)
+
       risk_band = risk_band(response)
       risk_band.present? ? risk_band != 'High' : true
     end

ee/spec/services/arkose/user_verification_service_spec.rb

@@ -21,84 +21,86 @@ RSpec.describe Arkose::UserVerificationService do
       end
     end
 
-    context 'when the user solved the challenge' do
-      context 'when the risk score is not high' do
-        let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response.json'))) }
-
-        it 'returns true' do
-          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-          expect(subject).to be_truthy
-        end
-
-        it 'adds arkose data to custom attributes' do
-          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-          subject
-          expect(user.custom_attributes.count).to eq(4)
+    context 'when feature arkose_labs_prevent_login is enabled' do
+      context 'when the user solved the challenge' do
+        context 'when the risk score is not high' do
+          let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response.json'))) }
 
-          expect(user.custom_attributes.find_by(key: 'arkose_session').value).to eq('22612c147bb418c8.2570749403')
-          expect(user.custom_attributes.find_by(key: 'arkose_risk_band').value).to eq('Low')
-          expect(user.custom_attributes.find_by(key: 'arkose_global_score').value).to eq('0')
-          expect(user.custom_attributes.find_by(key: 'arkose_custom_score').value).to eq('0')
-        end
+          it 'returns true' do
+            allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+            expect(subject).to be_truthy
+          end
 
-        it 'logs Arkose verify response' do
-          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-          allow(Gitlab::AppLogger).to receive(:info)
-          allow(Gitlab::ApplicationContext).to receive(:current).and_return({ 'correlation_id': 'be025cf83013ac4f52ffd2bf712b11a2' })
-
-          subject
-
-          expect(Gitlab::AppLogger).to have_received(:info).with(correlation_id: 'be025cf83013ac4f52ffd2bf712b11a2',
-                                                                 message: 'Arkose verify response',
-                                                                 response: arkose_ec_response,
-                                                                 username: user.username,
-                                                                 'arkose.session_id': '22612c147bb418c8.2570749403',
-                                                                 'arkose.global_score': '0',
-                                                                 'arkose.global_telltale_list': [],
-                                                                 'arkose.custom_score': '0',
-                                                                 'arkose.custom_telltale_list': [],
-                                                                 'arkose.risk_band': 'Low',
-                                                                 'arkose.risk_category': 'NO-THREAT')
-        end
+          it 'adds arkose data to custom attributes' do
+            allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+            subject
+            expect(user.custom_attributes.count).to eq(4)
 
-        context 'when the risk score is high' do
-          let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response_high_risk.json'))) }
+            expect(user.custom_attributes.find_by(key: 'arkose_session').value).to eq('22612c147bb418c8.2570749403')
+            expect(user.custom_attributes.find_by(key: 'arkose_risk_band').value).to eq('Low')
+            expect(user.custom_attributes.find_by(key: 'arkose_global_score').value).to eq('0')
+            expect(user.custom_attributes.find_by(key: 'arkose_custom_score').value).to eq('0')
+          end
 
-          it 'returns false' do
+          it 'logs Arkose verify response' do
             allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-            expect(subject).to be_falsey
+            allow(Gitlab::AppLogger).to receive(:info)
+            allow(Gitlab::ApplicationContext).to receive(:current).and_return({ 'correlation_id': 'be025cf83013ac4f52ffd2bf712b11a2' })
+
+            subject
+
+            expect(Gitlab::AppLogger).to have_received(:info).with(correlation_id: 'be025cf83013ac4f52ffd2bf712b11a2',
+                                                                   message: 'Arkose verify response',
+                                                                   response: arkose_ec_response,
+                                                                   username: user.username,
+                                                                   'arkose.session_id': '22612c147bb418c8.2570749403',
+                                                                   'arkose.global_score': '0',
+                                                                   'arkose.global_telltale_list': [],
+                                                                   'arkose.custom_score': '0',
+                                                                   'arkose.custom_telltale_list': [],
+                                                                   'arkose.risk_band': 'Low',
+                                                                   'arkose.risk_category': 'NO-THREAT')
           end
 
-          context 'when the session is allowlisted' do
-            before do
-              arkose_ec_response['session_details']['telltale_list'].push(Arkose::UserVerificationService::ALLOWLIST_TELLTALE)
-            end
+          context 'when the risk score is high' do
+            let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response_high_risk.json'))) }
 
-            it 'returns true' do
+            it 'returns false' do
               allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-              expect(subject).to be_truthy
+              expect(subject).to be_falsey
+            end
+
+            context 'when the session is allowlisted' do
+              before do
+                arkose_ec_response['session_details']['telltale_list'].push(Arkose::UserVerificationService::ALLOWLIST_TELLTALE)
+              end
+
+              it 'returns true' do
+                allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+                expect(subject).to be_truthy
+              end
             end
           end
         end
       end
-    end
 
-    context 'when the response does not include the risk session' do
-      context 'when the user solved the challenge' do
-        let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response_without_session_risk.json'))) }
+      context 'when the response does not include the risk session' do
+        context 'when the user solved the challenge' do
+          let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response_without_session_risk.json'))) }
 
-        it 'returns true' do
-          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-          expect(subject).to be_truthy
+          it 'returns true' do
+            allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+            expect(subject).to be_truthy
+          end
         end
-      end
 
-      context 'when the user did not solve the challenge' do
-        let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/failed_ec_response_without_risk_session.json'))) }
+        context 'when the user did not solve the challenge' do
+          let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/failed_ec_response_without_risk_session.json'))) }
 
-        it 'returns false' do
-          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
-          expect(subject).to be_falsey
+          it 'returns false' do
+            allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+            expect(subject).to be_falsey
+          end
         end
       end
     end
@@ -109,5 +111,20 @@ RSpec.describe Arkose::UserVerificationService do
         expect(subject).to be_truthy
       end
     end
+
+    context 'when feature arkose_labs_prevent_login is disabled' do
+      before do
+        stub_feature_flags(arkose_labs_prevent_login: false)
+      end
+
+      context 'when the risk score is high' do
+        let(:arkose_ec_response) { Gitlab::Json.parse(File.read(Rails.root.join('ee/spec/fixtures/arkose/successfully_solved_ec_response_high_risk.json'))) }
+
+        it 'returns true' do
+          allow(Gitlab::HTTP).to receive(:perform_request).and_return(response)
+          expect(subject).to be_truthy
+        end
+      end
+    end
   end
 end