Class: Readiness::TicketProcessor::AccountBlocked

Inherits:

Client

• Object
• Client
• Readiness::TicketProcessor::AccountBlocked

Defined in:

lib/support_readiness/ticket_processor/account_blocked.rb

Overview

Defines the class AccountBlocked within the module Zendesk.

Author:

• Jason Colyer

Since:

• 1.0.44

Class Method Summary

• .block_sources(custom_attributes) ⇒ Object
• .blocked_category(custom_attributes) ⇒ Object
• .blocked_issue_body ⇒ Object
• .blocked_user_comment(issue) ⇒ Object
• .embargo_comment ⇒ Object
• .failed_ps_block ⇒ Object
• .no_user_comment(email) ⇒ Object
• .not_blocked_comment ⇒ Object
• .process!(zendesk_client, gitlab_client, gitlab_admin_client, ticket_id, sandbox_mode = false) ⇒ Object

  Process a Blocked Account request.

• .ps_block_rejected_comment ⇒ Object
• .ps_block_removed_comment ⇒ Object
• .ticket_link ⇒ Object

Methods inherited from Client

auth_error, bad_request_error, convert_actions, convert_conditions, convert_standard_names_to_ids, convert_ticket_form_agent_conditions, convert_ticket_form_brands, convert_ticket_form_end_user_conditions, convert_ticket_form_names_to_ids, convert_view_names_to_ids, convert_view_restrictions, covert_ticket_form_field_ids, create_package!, erb_renderer, handle_request_error, not_found_error, not_processible_error, put_into_archive, recursively_deflate_directory, timestamp_filename, to_clean_json, to_clean_json_with_key, to_hash, to_nearly_clean_json, to_nearly_clean_json_with_key, to_param_string, write_entries

Class Method Details

.block_sources(custom_attributes) ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 197

def self.block_sources(custom_attributes)
  sources = []
  omamori = custom_attributes.detect { |c| c['key'] == 'omamori_mitigation_plan' }
  sources.push("Omamori ([mitigation plan](https://omamori.sec.gitlab.net/mitigation_plans/#{omamori['value']}))") unless omamori.nil?
  sources.push('Bouncer') if custom_attributes.detect { |c| c['key'] == 'block_enacted_by' && c['value'] =~ /^bouncer\:/ }
  sources.push('Bouncer') if custom_attributes.detect { |c| c['key'] == 'ban_enacted_by' && c['value'] =~ /^bouncer\:/ }
  admin_check = custom_attributes.detect { |c| c['key'] == 'blocked_by' }
  unless admin_check.nil?
    sources.push(admin_check['value'].split('/').first) unless admin_check['value'] =~ /^service\-/
  end
  autoban_check = custom_attributes.detect { |c| c['key'] == 'auto_banned_by' }
  unless autoban_check.nil?
    sources.push(autoban_check['value']) unless autoban_check.nil?
  end
  return 'Other (unknown)' if sources.uniq.compact.count.zero?

  sources.uniq.compact.join(', ')
end

.blocked_category(custom_attributes) ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 189

def self.blocked_category(custom_attributes)
  category = custom_attributes.detect { |c| c['key'] == 'blocked_category' }
  feature = custom_attributes.detect { |c| c['key'] == 'blocked_feature' }
  return 'Unknown' if category.nil? || feature.nil?

  "#{category} / #{feature}"
end

.blocked_issue_body ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 224

def self.blocked_issue_body
  request = @gitlab_admin_client.connection.get "users/#{@user.id}?with_custom_attributes=true"
  custom_attributes = Oj.load(request.body)['custom_attributes']
  <<~STRING
    ## Account Reinstatement request

    Template [Instructions](https://gitlab.com/groups/gitlab-com/gl-security/security-operations/trust-and-safety/-/wikis/Account%20Reinstatements)

    ---
    
    #### **Zendesk Message:**

    ```
    #{@ticket.description}
    ```
    
    <table>
    <tr>
    <th>Account Information</th>
    </tr>
    <tr>
    <td>

    | Related information             | :link: |
    | --------------------------------|--------|
    | **Zendesk**                     | #{ticket_link} |
    | **Account URL**                 | [Admin link](https://gitlab.com/admin/users/#{@user.username}) / [Profile link](https://gitlab.com/#{@user.username}) |
    | **Project/Group/File**          | |
    | **Requestor email address**.    | #{@user.email} |
    | **Block category/feature**      | #{blocked_category(custom_attributes)} |
    | **Block source(s)**             | #{block_sources(custom_attributes)} |
    | **Admin note on the Account**   | #{@user.note} |
    | **Related Issues or Incidents** | |

    </td>
    </tr>
    </table>

    /label ~"Account Reinstatement" ~"Type::Operational" ~"Status::Triage" ~"Department::Trust & Safety" ~"T&S::Operations" ~"type::internal_request" ~"priority::2"

    /due tomorrow

    /weight 1
  STRING
end

.blocked_user_comment(issue) ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 216

def self.blocked_user_comment(issue)
  <<~STRING
    Please follow the [reinstating blocked accounts workflow](https://handbook.gitlab.com/handbook/support/workflows/reinstating-blocked-accounts/) using the following Trust & Safety issue:

    #{issue.web_url}
  STRING
end

.embargo_comment ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 168

def self.embargo_comment
  <<~STRING
    Hi,

    Thanks for contacting GitLab Support.

    In accordance with the guidance provided by the U.S. government, and not determined by GitLab, there may be some countries that cannot access our platform.  Your account may have been blocked as the result of a recent discovery where some user access was inadvertently granted in US embargoed regions.

    GitLab is unable to conduct business with individuals or companies located in US embargoed countries. This is required under US Export Regulations, as well as, our status as a federal contractor.

    For more information, please visit our [Trade Compliance page](https://about.gitlab.com/handbook/people-operations/code-of-conduct/#trade-compliance-exportimport-control).

    If you believe your account has been blocked in error, you may contest this action.  To do this, you will need to provide:

    1. Explanation of how your IP address was connected to an embargoed country.
    1. Attach digital copies of documentation proving you do not reside in an embargoed country.

    Once you have provided the requested information, GitLab will review the matter.
  STRING
end

.failed_ps_block ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 127

def self.failed_ps_block
  print 'PS block, but user is not qualified to request release, updating ticket...'
  new_ticket = Readiness::Zendesk::Tickets.new
  new_ticket.id = @ticket.id
  new_ticket.status = 'solved'
  new_ticket.comment = { body: ps_block_rejected_comment }
  new_ticket.custom_fields = [
    { id: @ticket_stage_field.id, value: 'stage-frt' }
  ]
  Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
  puts 'done'
end

.no_user_comment(email) ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 140

def self.no_user_comment(email)
  <<~STRING
    Hi,

    Thanks for contacting GitLab Support.

    Could you please let us know whether you've registered an account #{email} on GitLab.com or on a self-hosted GitLab instance?

    If the account was registered on GitLab.com, please confirm the username and email address, as we cannot find an account under your email or the username you've provided.

    If the account was registered on a self-hosted GitLab instance (e.g., `gitlab.yourcompany.com`), please reach out to an administrator of that instance, as it is managed separately from GitLab.com.
  STRING
end

.not_blocked_comment ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 154

def self.not_blocked_comment
  <<~STRING
    Hi,

    Thank you for contacting GitLab support.

    The account in question, #{@user.email}, is not blocked. However, the account may be locked if the system has registered too many login attempts during a short period of time. It will be locked for 30 minutes, after which it will be unlocked automatically.

    On GitLab.com, we can also lock an account when there are 3 or more failed login attempts within 24 hours. Upon successful login, you may be redirected to a verification page and an email message with a 6-digit code is sent to your _primary_ email account. Please check your email (including the spam folder) for a message with a 6-digit code to unlock your account.

    Please let us know if you have any further questions or are unable to receive any emails for your account.
  STRING
end

.process!(zendesk_client, gitlab_client, gitlab_admin_client, ticket_id, sandbox_mode = false) ⇒ Object

Process a Blocked Account request

Author:

• Jason Colyer

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 18

def self.process!(zendesk_client, gitlab_client, gitlab_admin_client, ticket_id, sandbox_mode = false)
  @sandbox_mode = sandbox_mode
  @zendesk_client = zendesk_client
  @gitlab_client = gitlab_client
  @gitlab_admin_client = gitlab_admin_client
  @ticket_id = ticket_id
  @ticket = Readiness::Zendesk::Tickets.find(@zendesk_client, @ticket_id)
  puts 'No ticket found, so nothing to autowork' if @ticket.is_a? Hash
  exit 0 if @ticket.is_a? Hash

  @ticket_fields = Readiness::Zendesk::TicketFields.list(@zendesk_client)
  @impacted_email_field = Readiness::Zendesk::TicketFields.find_by_name(@zendesk_client, 'Impacted email address', @ticket_fields)
  @ticket_stage_field = Readiness::Zendesk::TicketFields.find_by_name(@zendesk_client, 'Ticket Stage', @ticket_fields)
  email = @ticket.custom_fields.detect { |t| t['id'] == @impacted_email_field.id }['value']        
  if email.to_s == ''
    puts 'No email in the field, so nothing to autowork'
    exit 0
  end

  search = Readiness::GitLab::Users.search_by_email(@gitlab_admin_client, email)
  @user = search.detect { |s| s.email.downcase == email.downcase }
  if @user.nil?
    print 'No user found, updating ticket...'
    new_ticket = Readiness::Zendesk::Tickets.new
    new_ticket.id = @ticket.id
    new_ticket.status = 'pending'
    new_ticket.comment = { body: no_user_comment(email) }
    new_ticket.custom_fields = [
      { id: @ticket_stage_field.id, value: 'stage-frt' }
    ]
    Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
    puts 'done'
  else
    if %w[blocked banned].include? @user.state
      if @user.note =~ /Sanctioned Location/i
        print 'Blocked by embargo, updating ticket...'
        new_ticket = Readiness::Zendesk::Tickets.new
        new_ticket.id = @ticket.id
        new_ticket.status = 'solved'
        new_ticket.comment = { body: embargo_comment }
        new_ticket.custom_fields = [
          { id: @ticket_stage_field.id, value: 'stage-frt' }
        ]
        Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
        puts 'done'
      elsif @user.note =~ /^User blocked as part of GitLab PS user migration/
        @requester = Readiness::Zendesk::Users.find!(@zendesk_client, @ticket.submitter_id)
        search = Readiness::GitLab::Users.search_by_email(@gitlab_admin_client, @requester.email)
        @requester_gitlab = search.detect { |s| s.email.downcase == @requester.email.downcase }
        return failed_ps_block if @requester_gitlab.nil?

        memberships = Readiness::GitLab::Users.memberships(@gitlab_admin_client, @requester_gitlab, ['type=Namespace'])
        has_paid = false
        memberships.select { |m| m['access_level'] == 50 }.each do |m|
          namespace = Readiness::GitLab::Namespaces.find(@gitlab_admin_client, m['source_id'])
          next if namespace.is_a? Hash

          has_paid = Readiness::GitLab::Namespaces.is_paid?(@gitlab_admin_client, namespace)
          break if has_paid
        end
        return failed_ps_block unless has_paid

        print 'Blocked by PS, unblocking and updating ticket...'
        Readiness::GitLab::Users.unblock!(@gitlab_admin_client, @user)
        new_user = Readiness::GitLab::Users.new
        new_user.id = @user.id
        new_user.note = "PS migration block removed automatically via ticket ##{@ticket.id}"
        Readiness::GitLab::Users.update!(@gitlab_admin_client, new_user)
        new_ticket = Readiness::Zendesk::Tickets.new
        new_ticket.id = @ticket.id
        new_ticket.status = 'solved'
        new_ticket.comment = { body: ps_block_removed_comment }
        new_ticket.custom_fields = [
          { id: @ticket_stage_field.id, value: 'stage-frt' }
        ]
        Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
        puts 'done'
      else
        print 'Legit block, creating T&S issue...'
        project = Readiness::GitLab::Projects.find!(@gitlab_client, 40182479)
        issue = Readiness::GitLab::Issues.new
        issue.title = "Account Reinstatement - #{@user.username}"
        issue.description = blocked_issue_body
        created = Readiness::GitLab::Issues.create!(@gitlab_client, project, issue)
        puts 'done'
        print 'Updating ticket...'
        
        new_ticket = Readiness::Zendesk::Tickets.new
        new_ticket.id = @ticket.id
        new_ticket.comment = { body: blocked_user_comment(created), public: false }
        Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
        puts 'done'
      end
    else
      print 'User is not blocked, updating ticket...'
      new_ticket = Readiness::Zendesk::Tickets.new
      new_ticket.id = @ticket.id
      new_ticket.status = 'pending'
      new_ticket.comment = { body: not_blocked_comment }
      new_ticket.custom_fields = [
        { id: @ticket_stage_field.id, value: 'stage-frt' }
      ]
      Readiness::Zendesk::Tickets.update!(@zendesk_client, new_ticket)
      puts 'done'
    end
    puts 'Just right'
  end
end

.ps_block_rejected_comment ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 276

def self.ps_block_rejected_comment
  <<~STRING
    Greetings,

    We are not able to proceed with this request, as the user is blocked by a Professional Services migration.

    To process the removal, an Owner of a top-level paid subscription must make the request.

    Please consider having an Owner of a top-level paid subscription must make the request submit a new ticket to have this automated process unblock the requested user.

    Thank you,

    GitLab Support
  STRING
end

.ps_block_removed_comment ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 292

def self.ps_block_removed_comment
  <<~STRING
    Greetings,

    As the block on user #{@user.email} was put in place by Professional Services for a migration and you are an Owner on a top-level paid namespace, we have removed it at this time.

    If that user encounters any issues logging in and accessing their account, please reply back letting us know.

    GitLab Support
  STRING
end

.ticket_link ⇒ Object

Since:

• 1.0.44

# File 'lib/support_readiness/ticket_processor/account_blocked.rb', line 270

def self.ticket_link
  return "https://gitlab1707170878.zendesk.com/agent/tickets/#{@ticket.id}" if @sandbox_mode

  "https://gitlab.zendesk.com/agent/tickets/#{@ticket.id}"
end