Project Access Token and Sign Up Restrictions
Summary
We have a customer that is encountering an error when creating project access tokens. After further troubleshooting, it seems that they have enabled email domain whitelisting for signing up in their instance.
The email address of the user that tries to create the token is not on the whitelisted domain.
Steps to reproduce
- Add a user.
- Whitelist an email domain. Make sure that the whitelisted email domain is different from the email domain of the created user.
- Create a new project access token.
What is the current bug behavior?
Shows an error 500 page. Bots have a user created for them behind the scenes. We autogenerate an email for the users behind bots, and their email is not in the allow list for emails.
What is the expected correct behavior?
Create the project access token.
Relevant logs and/or screenshots
production_json.log shows the following error:
"exception.class": "ActionView::Template::Error",
"exception.message": "First argument in form cannot contain nil or be empty",
"exception.backtrace": [
"app/views/shared/access_tokens/_form.html.haml:9",
"app/views/projects/settings/access_tokens/index.html.haml:22",
"app/controllers/application_controller.rb:134:in `render'",
"app/controllers/projects/settings/access_tokens_controller.rb:24:in `create'",
"ee/lib/gitlab/ip_address_state.rb:10:in `with'",
"ee/app/controllers/ee/application_controller.rb:44:in `set_current_ip_address'",
"app/controllers/application_controller.rb:491:in `set_current_admin'",
"lib/gitlab/session.rb:11:in `with_session'",
"app/controllers/application_controller.rb:482:in `set_session_storage'",
"app/controllers/application_controller.rb:476:in `set_locale'",
"lib/gitlab/error_tracking.rb:50:in `with_context'",
"app/controllers/application_controller.rb:541:in `sentry_context'",
"app/controllers/application_controller.rb:469:in `block in set_current_context'",
"lib/gitlab/application_context.rb:52:in `block in use'",
"lib/gitlab/application_context.rb:52:in `use'",
"lib/gitlab/application_context.rb:20:in `with_context'",
"app/controllers/application_controller.rb:462:in `set_current_context'",
"ee/lib/gitlab/jira/middleware.rb:19:in `call'"
],
Trying to create the token manually using the Rails console shows the following error:
token_response = ResourceAccessTokens::CreateService.new(current_user, project, {}).execute
=> #<ServiceResponse:0x00007fc370963df0 @status=:error, @message="Email domain is not authorized for sign-up", @payload={}, @http_status=nil>
Output of checks
This was tested on an Omnibus install of 13.2.4.
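The interaction described in this report, as an added Ruby sketch that is not GitLab's code: a sign-up domain allowlist applied to every new account also rejects the bot account created behind a project access token. All class and method names, the bot email format and the sample domains are constructed for illustration, and exempting server-created bot accounts is one possible handling assumed here, not a fix taken from the report.

```ruby
# Illustrative model only; names are hypothetical, not GitLab's classes.
User = Struct.new(:email, :user_type, keyword_init: true) do
  def bot?
    user_type == :project_bot
  end
end

Result = Struct.new(:status, :message, :user, keyword_init: true)

class SignupDomainPolicy
  def initialize(allowed_domains)
    @allowed = allowed_domains.map(&:downcase)
  end

  # Exact domain match; an empty allowlist means sign-up is unrestricted.
  def domain_allowed?(email)
    return true if @allowed.empty?
    domain = email.to_s.split('@', 2)[1].to_s.downcase
    @allowed.include?(domain)
  end

  # exempt_internal: false -> every account, bots included, must pass the
  #                           allowlist (the behaviour seen in the report).
  # exempt_internal: true  -> accounts the server itself creates skip it.
  def validate(user, exempt_internal:)
    return Result.new(status: :success, user: user) if exempt_internal && user.bot?
    return Result.new(status: :success, user: user) if domain_allowed?(user.email)
    Result.new(status: :error, message: 'Email domain is not authorized for sign-up')
  end
end

# Creates the hidden bot account that owns a project access token.
def create_token_bot(policy, project_id:, exempt_internal:)
  # user_type is set by the server here, never read from request parameters,
  # so a person signing up cannot claim the exemption for themselves.
  bot = User.new(email: "project#{project_id}_bot@noreply.invalid", # constructed
                 user_type: :project_bot)
  policy.validate(bot, exempt_internal: exempt_internal)
end

policy = SignupDomainPolicy.new(['corp.example.org']) # constructed allowlist
human  = User.new(email: 'someone@other.example', user_type: :human)

puts create_token_bot(policy, project_id: 7, exempt_internal: false).message
puts create_token_bot(policy, project_id: 7, exempt_internal: true).status
puts policy.validate(human, exempt_internal: true).message
```

The exemption keys on the account type the server assigns, not on the shape of the email address, so the allowlist still rejects human sign-ups from other domains.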