User can keep their commit email private43521-keep-personal-emails-private

The private commit email is automatically generated in the format:
id-username@noreply.HOSTNAME

GitLab instance admins are able to change the HOSTNAME portion,
that defaults to Gitlab's hostname, to whatever they prefer.

8 files changed, 67 insertions, 8 deletions

diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 9a1c2a4c9e1..086bb38ce9a 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -217,7 +217,8 @@ module ApplicationSettingsHelper
       :user_oauth_applications,
       :version_check_enabled,
       :web_ide_clientside_preview_enabled,
-      :diff_max_patch_bytes
+      :diff_max_patch_bytes,
+      :commit_email_hostname
     ]
   end
 
diff --git a/app/helpers/avatars_helper.rb b/app/helpers/avatars_helper.rb
index 7fc4c1a023f..5906ddabee4 100644
--- a/app/helpers/avatars_helper.rb
+++ b/app/helpers/avatars_helper.rb
@@ -22,7 +22,7 @@ module AvatarsHelper
   end
 
   def avatar_icon_for_email(email = nil, size = nil, scale = 2, only_path: true)
-    user = User.find_by_any_email(email.try(:downcase))
+    user = User.find_by_any_email(email)
     if user
       avatar_icon_for_user(user, size, scale, only_path: only_path)
     else
diff --git a/app/helpers/profiles_helper.rb b/app/helpers/profiles_helper.rb
index 55674e37a34..42f9a1213e9 100644
--- a/app/helpers/profiles_helper.rb
+++ b/app/helpers/profiles_helper.rb
@@ -1,6 +1,20 @@
 # frozen_string_literal: true
 
 module ProfilesHelper
+  def commit_email_select_options(user)
+    private_email = user.private_commit_email
+    verified_emails = user.verified_emails - [private_email]
+
+    [
+      [s_("Profiles|Use a private email - %{email}").html_safe % { email: private_email }, Gitlab::PrivateCommitEmail::TOKEN],
+      verified_emails
+    ]
+  end
+
+  def selected_commit_email(user)
+    user.read_attribute(:commit_email) || user.commit_email
+  end
+
   def attribute_provider_label(attribute)
     user_synced_attributes_metadata = current_user.user_synced_attributes_metadata
     if user_synced_attributes_metadata&.synced?(attribute)
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 704310f53f0..207ffae873a 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -187,6 +187,8 @@ class ApplicationSetting < ActiveRecord::Base
 
   validates :user_default_internal_regex, js_regex: true, allow_nil: true
 
+  validates :commit_email_hostname, format: { with: /\A[^@]+\z/ }
+
   validates :archive_builds_in_seconds,
             allow_nil: true,
             numericality: { only_integer: true, greater_than_or_equal_to: 1.day.seconds }
@@ -299,10 +301,15 @@ class ApplicationSetting < ActiveRecord::Base
       user_default_internal_regex: nil,
       user_show_add_ssh_key_message: true,
       usage_stats_set_by_user_id: nil,
-      diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES
+      diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
+      commit_email_hostname: default_commit_email_hostname
     }
   end
 
+  def self.default_commit_email_hostname
+    "users.noreply.#{Gitlab.config.gitlab.host}"
+  end
+
   def self.create_from_defaults
     create(defaults)
   end
@@ -358,6 +365,10 @@ class ApplicationSetting < ActiveRecord::Base
     Array(read_attribute(:repository_storages))
   end
 
+  def commit_email_hostname
+    super.presence || self.class.default_commit_email_hostname
+  end
+
   def default_project_visibility=(level)
     super(Gitlab::VisibilityLevel.level_value(level))
   end
diff --git a/app/models/commit.rb b/app/models/commit.rb
index a61ed03cf35..9dd0cbacd9e 100644
--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -260,7 +260,7 @@ class Commit
   request_cache(:author) { author_email.downcase }
 
   def committer
-    @committer ||= User.find_by_any_email(committer_email.downcase)
+    @committer ||= User.find_by_any_email(committer_email)
   end
 
   def parents
diff --git a/app/models/user.rb b/app/models/user.rb
index 039a3854edb..a400058e87e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -347,7 +347,11 @@ class User < ActiveRecord::Base
 
     # Find a User by their primary email or any associated secondary email
     def find_by_any_email(email, confirmed: false)
-      by_any_email(email, confirmed: confirmed).take
+      return unless email
+
+      downcased = email.downcase
+
+      find_by_private_commit_email(downcased) || by_any_email(downcased, confirmed: confirmed).take
     end
 
     # Returns a relation containing all the users for the given Email address
@@ -361,6 +365,12 @@ class User < ActiveRecord::Base
       from_union([users, emails])
     end
 
+    def find_by_private_commit_email(email)
+      user_id = Gitlab::PrivateCommitEmail.user_id_for_email(email)
+
+      find_by(id: user_id)
+    end
+
     def filter(filter_name)
       case filter_name
       when 'admins'
@@ -633,6 +643,10 @@ class User < ActiveRecord::Base
   def commit_email
     return self.email unless has_attribute?(:commit_email)
 
+    if super == Gitlab::PrivateCommitEmail::TOKEN
+      return private_commit_email
+    end
+
     # The commit email is the same as the primary email if undefined
     super.presence || self.email
   end
@@ -645,6 +659,10 @@ class User < ActiveRecord::Base
     has_attribute?(:commit_email) && super
   end
 
+  def private_commit_email
+    Gitlab::PrivateCommitEmail.for_user(self)
+  end
+
   # see if the new email is already a verified secondary email
   def check_for_verified_email
     skip_reconfirmation! if emails.confirmed.where(email: self.email).any?
@@ -1020,13 +1038,21 @@ class User < ActiveRecord::Base
   def verified_emails
     verified_emails = []
     verified_emails << email if primary_email_verified?
+    verified_emails << private_commit_email
     verified_emails.concat(emails.confirmed.pluck(:email))
     verified_emails
   end
 
   def verified_email?(check_email)
     downcased = check_email.downcase
-    email == downcased ? primary_email_verified? : emails.confirmed.where(email: downcased).exists?
+
+    if email == downcased
+      primary_email_verified?
+    else
+      user_id = Gitlab::PrivateCommitEmail.user_id_for_email(downcased)
+
+      user_id == id || emails.confirmed.where(email: downcased).exists?
+    end
   end
 
   def hook_attrs
diff --git a/app/views/admin/application_settings/_email.html.haml b/app/views/admin/application_settings/_email.html.haml
index 86339e61215..60a6be731ea 100644
--- a/app/views/admin/application_settings/_email.html.haml
+++ b/app/views/admin/application_settings/_email.html.haml
@@ -20,5 +20,11 @@
           By default GitLab sends emails in HTML and plain text formats so mail
           clients can choose what format to use. Disable this option if you only
           want to send emails in plain text format.
+    .form-group
+      = f.label :commit_email_hostname, _('Custom hostname (for private commit emails)'), class: 'label-bold'
+      = f.text_field :commit_email_hostname, class: 'form-control'
+      .form-text.text-muted
+        - commit_email_hostname_docs_link = link_to _('Learn more'), help_page_path('user/admin_area/settings/email', anchor: 'custom-private-commit-email-hostname'), target: '_blank'
+        = _("This setting will update the hostname that is used to generate private commit emails. %{learn_more}").html_safe % { learn_more: commit_email_hostname_docs_link }
 
   = f.submit 'Save changes', class: "btn btn-success"
diff --git a/app/views/profiles/show.html.haml b/app/views/profiles/show.html.haml
index ea215e3e718..2603c558c0f 100644
--- a/app/views/profiles/show.html.haml
+++ b/app/views/profiles/show.html.haml
@@ -91,8 +91,9 @@
       = f.select :public_email, options_for_select(@user.all_emails, selected: @user.public_email),
         { help: s_("Profiles|This email will be displayed on your public profile."), include_blank: s_("Profiles|Do not show on profile") },
         control_class: 'select2'
-      = f.select :commit_email, options_for_select(@user.verified_emails, selected: @user.commit_email),
-        { help: 'This email will be used for web based operations, such as edits and merges.' },
+      - commit_email_docs_link = link_to s_('Profiles|Learn more'), help_page_path('user/profile/index', anchor: 'commit-email', target: '_blank')
+      = f.select :commit_email, options_for_select(commit_email_select_options(@user), selected: selected_commit_email(@user)),
+        { help: s_("Profiles|This email will be used for web based operations, such as edits and merges. %{learn_more}").html_safe % { learn_more: commit_email_docs_link } },
         control_class: 'select2'
       = f.select :preferred_language, Gitlab::I18n::AVAILABLE_LANGUAGES.map { |value, label| [label, value] },
         { help: s_("Profiles|This feature is experimental and translations are not complete yet.") },