Merge branch 'arkose-labs-captcha-header-guard' into 'master'

Guard ArkoseLabs challenge behind a header check See merge request gitlab-org/gitlab!83903

Merge branch 'arkose-labs-captcha-header-guard' into 'master'
Guard ArkoseLabs challenge behind a header check See merge request gitlab-org/gitlab!83903
f7fa7c1f · Ash McKenzie · d0510240 · ccd1bb75 · f7fa7c1f · f7fa7c1f
Commit f7fa7c1f authored Mar 31, 2022 by Ash McKenzie
7 changed files
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController
  after_action :log_failed_login, if: :action_new_and_failed_login?
  after_action :verify_known_sign_in, only: [:create]

-  helper_method :captcha_enabled?, :captcha_on_login_required?
+  helper_method :captcha_enabled?, :captcha_on_login_required?, :arkose_labs_enabled?

  # protect_from_forgery is already prepended in ApplicationController but
  # authenticate_with_two_factor which signs in the user is prepended before
@@ -111,6 +111,10 @@ class SessionsController < Devise::SessionsController
    Gitlab::Recaptcha.enabled_on_login? && unverified_anonymous_user?
  end

+  def arkose_labs_enabled?
+    false
+  end
+
  # From https://github.com/plataformatec/devise/wiki/How-To:-Use-Recaptcha-with-Devise#devisepasswordscontroller
  def check_captcha
    return unless user_params[:password].present?

--- a/app/views/devise/sessions/_new_base.html.haml
+++ b/app/views/devise/sessions/_new_base.html.haml
@@ -16,7 +16,7 @@
        - else
          = link_to _('Forgot your password?'), new_password_path(:user)
    %div
-    - if Feature.enabled?(:arkose_labs_login_challenge)
+    - if arkose_labs_enabled?
      = render_if_exists 'devise/sessions/arkose_labs'
    - elsif captcha_enabled? || captcha_on_login_required?
      = recaptcha_tags nonce: content_security_policy_nonce

--- a/ee/app/controllers/ee/sessions_controller.rb
+++ b/ee/app/controllers/ee/sessions_controller.rb
@@ -24,7 +24,7 @@ module EE
        redirect_to oauth_geo_auth_url(host: current_node_uri.host, port: current_node_uri.port, state: state)
      else
        if ::Feature.enabled?(:arkose_labs_login_challenge)
-          @arkose_labs_public_key ||= ENV['ARKOSE_LABS_PUBLIC_KEY'] # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          @arkose_labs_public_key ||= Settings.arkose['public_key'] # rubocop:disable Gitlab/ModuleWithInstanceVariables
        end

        super
@@ -79,6 +79,11 @@ module EE
      super
    end

+    override :arkose_labs_enabled?
+    def arkose_labs_enabled?
+      ::Feature.enabled?(:arkose_labs_login_challenge, default_enabled: :yaml) && request.headers[::SessionsController::CAPTCHA_HEADER]
+    end
+
    override :check_captcha
    def check_captcha
      if ::Feature.enabled?(:arkose_labs_login_challenge, default_enabled: :yaml)

--- a/ee/spec/views/devise/sessions/new.html.haml_spec.rb
+++ b/ee/spec/views/devise/sessions/new.html.haml_spec.rb
@@ -16,9 +16,9 @@ RSpec.describe 'devise/sessions/new' do
      allow(Gitlab).to receive(:com?).and_return(true)
    end

-    context 'when the :arkose_labs_login_challenge feature flag is enabled' do
+    context 'when arkose_labs_enabled? is enabled' do
      before do
-        stub_feature_flags(arkose_labs_login_challenge: true)
+        stub_arkose_labs(enabled: true)

        subject
      end
@@ -32,9 +32,9 @@ RSpec.describe 'devise/sessions/new' do
      end
    end

-    context 'when the :arkose_labs_login_challenge feature flag is disabled' do
+    context 'when arkose_labs_enabled? is disabled' do
      before do
-        stub_feature_flags(arkose_labs_login_challenge: false)
+        stub_arkose_labs(enabled: false)

        subject
      end
@@ -55,4 +55,8 @@ RSpec.describe 'devise/sessions/new' do
    allow(view).to receive(:captcha_enabled?).and_return(false)
    allow(view).to receive(:captcha_on_login_required?).and_return(false)
  end
+
+  def stub_arkose_labs(enabled:)
+    allow(view).to receive(:arkose_labs_enabled?).and_return(enabled)
+  end
 end
--- a/spec/frontend/fixtures/sessions.rb
+++ b/spec/frontend/fixtures/sessions.rb
@@ -12,6 +12,7 @@ RSpec.describe 'Sessions (JavaScript fixtures)' do

    before do
      set_devise_mapping(context: @request)
+      allow(controller).to receive(:arkose_labs_enabled?).and_return(true)
    end

    it 'sessions/new.html' do

--- a/spec/views/devise/sessions/new.html.haml_spec.rb
+++ b/spec/views/devise/sessions/new.html.haml_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe 'devise/sessions/new' do
    before do
      stub_devise
      disable_captcha
+      allow(view).to receive(:arkose_labs_enabled?).and_return(false)
      allow(Gitlab).to receive(:com?).and_return(true)
    end


--- a/spec/views/devise/shared/_signin_box.html.haml_spec.rb
+++ b/spec/views/devise/shared/_signin_box.html.haml_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe 'devise/shared/_signin_box' do
      allow(view).to receive(:captcha_enabled?).and_return(false)
      allow(view).to receive(:captcha_on_login_required?).and_return(false)
      allow(view).to receive(:experiment_enabled?).and_return(false)
+      allow(view).to receive(:arkose_labs_enabled?).and_return(false)
    end

    it 'is shown when Crowd is enabled' do