Add Feature flag to whitelist users from recaptcha check(PROJQUAY-3697) (#1454)

Signed-off-by: harishsurf <hgovinda@redhat.com>

config.py

@@ -592,6 +592,9 @@ class DefaultConfig(ImmutableConfig):
     RECAPTCHA_SITE_KEY: Optional[str] = None
     RECAPTCHA_SECRET_KEY: Optional[str] = None
 
+    # List of users allowed to pass through recaptcha security check to enable org/user creation via API
+    RECAPTCHA_WHITELISTED_USERS: List[str] = []
+
     # Server where TUF metadata can be found
     TUF_SERVER = None
 

endpoints/api/organization.py

@@ -173,11 +173,12 @@ class OrganizationList(ApiResource):
 
         # If recaptcha is enabled, then verify the user is a human.
         if features.RECAPTCHA:
+            # check if the user is whitelisted to bypass recaptcha security check
+            if user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]:
                 recaptcha_response = org_data.get("recaptcha_response", "")
                 result = recaptcha2.verify(
                     app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
                 )
-
                 if not result["success"]:
                     return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400
 

endpoints/api/user.py

@@ -516,6 +516,9 @@ class User(ApiResource):
 
         # If recaptcha is enabled, then verify the user is a human.
         if features.RECAPTCHA:
+            user = get_authenticated_user()
+            # check if the user is whitelisted to bypass recaptcha security check
+            if user is None or (user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]):
                 recaptcha_response = user_data.get("recaptcha_response", "")
                 result = recaptcha2.verify(
                     app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()

features/__init__.pyi

@@ -128,6 +128,9 @@ REPO_MIRROR: FeatureNameValue
 # Site key and secret key for using recaptcha.
 RECAPTCHA: FeatureNameValue
 
+# List of users allowed to pass through recaptcha security check to enable org/user creation via API
+RECAPTCHA_WHITELISTED_USERS: FeatureNameValue
+
 # Feature Flag: Whether team syncing from the backing auth is enabled.
 TEAM_SYNCING: FeatureNameValue
 

test/test_api_usage.py

@@ -814,6 +814,12 @@ class TestCreateNewUser(ApiTestCase):
                 details["recaptcha_response"] = "somecode"
                 self.postResponse(User, data=details, expected_code=200)
 
+    def test_recaptcha_whitelisted_users(self):
+        self.login(READ_ACCESS_USER)
+        with (self.toggleFeature("RECAPTCHA", True)):
+            app.config["RECAPTCHA_WHITELISTED_USERS"] = READ_ACCESS_USER
+            self.postResponse(User, data=NEW_USER_DETAILS, expected_code=200)
+
     def test_createuser_withteaminvite(self):
         inviter = model.user.get_user(ADMIN_ACCESS_USER)
         team = model.team.get_organization_team(ORGANIZATION, "owners")

test/testconfig.py

@@ -90,6 +90,7 @@ class TestConfig(DefaultConfig):
 
     RECAPTCHA_SITE_KEY = "somekey"
     RECAPTCHA_SECRET_KEY = "somesecretkey"
+    RECAPTCHA_WHITELISTED_USERS: List[str] = []
 
     FEATURE_APP_REGISTRY = True
     FEATURE_TEAM_SYNCING = True

util/config/schema.py

@@ -811,6 +811,15 @@ CONFIG_SCHEMA = {
             "type": ["string", "null"],
             "description": "If recaptcha is enabled, the secret key for the Recaptcha service",
         },
+        # Pass through recaptcha for whitelisted users to support org/user creation via API
+        "RECAPTCHA_WHITELISTED_USERS": {
+            "type": "array",
+            "description": "Quay usernames of those users allowed to create org/user via API bypassing recaptcha security check",
+            "uniqueItems": True,
+            "items": {
+                "type": "string",
+            },
+        },
         # External application tokens.
         "FEATURE_APP_SPECIFIC_TOKENS": {
             "type": "boolean",