Modify creating resource access token to create email with random part

Changelog: fixed

Modify creating resource access token to create email with random part
Changelog: fixed
ecf3e480 · Gosia Ksionek · Bogdan Denkovych · d971243d · ecf3e480 · ecf3e480
--- a/app/services/resource_access_tokens/create_service.rb
+++ b/app/services/resource_access_tokens/create_service.rb
 # frozen_string_literal: true
+require 'securerandom'
 module ResourceAccessTokens
  class CreateService < BaseService
    def initialize(current_user, resource, params = {})
@@ -71,21 +73,15 @@ def default_user_params
    end
    def generate_username
-      base_username = "#{resource_type}_#{resource.id}_bot"
+      username
-      uniquify.string(base_username) { |s| User.find_by_username(s) }
    end
    def generate_email
-      email_pattern = "#{resource_type}#{resource.id}_bot%s@noreply.#{Gitlab.config.gitlab.host}"
+      "#{username}@noreply.#{Gitlab.config.gitlab.host}"
-      uniquify.string(-> (n) { Kernel.sprintf(email_pattern, n) }) do |s|
-        User.find_by_email(s)
-      end
    end
-    def uniquify
+    def username
-      Gitlab::Utils::Uniquify.new
+      @username ||= "#{resource_type}_#{resource.id}_bot_#{SecureRandom.hex(8)}"
    end
    def create_personal_access_token(user)

--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -87,8 +87,8 @@ or API. However, administrators can use a workaround:
   # Set the group group you want to create a token for. For example, group with ID 109.
   group = Group.find(109)
-   # Create the group bot user. For further group access tokens, the username should be group_#{group.id}_bot#{bot_count}. For example, group_109_bot2 and email address group_109_bot2@example.com.
+   # Create the group bot user. For further group access tokens, the username should be group_#{group.id}_bot#{bot_count}. For example, group_109_bot2 and email address group_109_bot_{random_string}@example.com.
-   bot = Users::CreateService.new(admin, { name: 'group_token', username: "group_#{group.id}_bot", email: "group_#{group.id}_bot@example.com", user_type: :project_bot }).execute
+   bot = Users::CreateService.new(admin, { name: 'group_token', username: "group_#{group.id}_bot", email: "group_#{group.id}_bot_4ffca233d8298ea1@example.com", user_type: :project_bot }).execute
   # Confirm the group bot.
   bot.confirm
@@ -172,7 +172,7 @@ to groups instead of projects. Bot users for groups:
 - Do not count as licensed seats.
 - Can have a maximum role of Owner for a group. For more information, see
  [Create a group access token](../../../api/group_access_tokens.md#create-a-group-access-token).
- Have a username set to `group_{group_id}_bot` for the first access token. For example, `group_123_bot`.  
+- Have a username set to `group_{group_id}_bot_{random_string}`. For example, `group_123_bot_4ffca233d8298ea1`.  
- Have an email set to `group{group_id}_bot@noreply.{Gitlab.config.gitlab.host}`. For example, `group123_bot@noreply.example.com`.
+- Have an email set to `group{group_id}_bot_{random_string}@noreply.{Gitlab.config.gitlab.host}`. For example, `group123_bot_4ffca233d8298ea1@noreply.example.com`.
 All other properties are similar to [bot users for projects](../../project/settings/project_access_tokens.md#bot-users-for-projects).
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -121,12 +121,8 @@ The bot users for projects have [permissions](../../permissions.md#project-membe
 selected role and [scope](#scopes-for-a-project-access-token) of the project access token.
 - The name is set to the name of the token.
- The username is set to `project_{project_id}_bot` for the first access token. For example, `project_123_bot`.
+- The username is set to `project_{project_id}_bot_{random_string}`. For example, `project_123_bot_4ffca233d8298ea1`.
- The email is set to `project{project_id}_bot@noreply.{Gitlab.config.gitlab.host}`. For example, `project123_bot@noreply.example.com`.
+- The email is set to `project{project_id}_bot_{random_string}@noreply.{Gitlab.config.gitlab.host}`. For example, `project123_bot_4ffca233d8298ea1@noreply.example.com`.
- For additional access tokens in the same project, the username is set to `project_{project_id}_bot{bot_count}`. For
-  example, `project_123_bot1`.
- For additional access tokens in the same project, the email is set to `project{project_id}_bot{bot_count}@noreply.{Gitlab.config.gitlab.host}`.
-  For example, `project123_bot1@noreply.example.com`.
 API calls made with a project access token are associated with the corresponding bot user.

--- a/spec/services/resource_access_tokens/create_service_spec.rb
+++ b/spec/services/resource_access_tokens/create_service_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe ResourceAccessTokens::CreateService do
+RSpec.describe ResourceAccessTokens::CreateService, feature_category: :system_access do
  subject { described_class.new(user, resource, params).execute }
  let_it_be(:user) { create(:user) }
@@ -99,6 +99,22 @@
          expect(access_token.user.email).to end_with("@noreply.#{Gitlab.config.gitlab.host}")
        end
+        it 'contains SecureRandom part' do
+          expect(SecureRandom).to receive(:hex).at_least(:once).and_return('randomhex')
+          response = subject
+          access_token = response.payload[:access_token]
+          expect(access_token.user.email).to include('_randomhex@noreply')
+        end
+        it 'email is the same as username' do
+          expect(SecureRandom).to receive(:hex).at_least(:once).and_return('randomhex')
+          response = subject
+          access_token = response.payload[:access_token]
+          expect(access_token.user.email).to include(access_token.user.username)
+        end
      end
      context 'access level' do