author: Robert Speicher <robert@gitlab.com> 2016-07-20 20:26:00 +0000
committer: Robert Speicher <robert@gitlab.com> 2016-07-20 20:26:00 +0000
commit: 22c8e21bf432a68f05bd81685d76acc0a3c9607f
tree: 3d113695853db1348f31d1fbc1fbe17590aecefa /doc
parent: 5a77eb153669bfbac4ab1f05615d11965beb826d
parent: 1a057d2b4013feb151e77aa71dd0b5a83412d2d6
Merge branch 'email-domain-blacklist' into 'master'

Added the ability to block sign ups using a domain blacklist.

As part of this MR, I restructured the Application Settings form to separate **Sign up** related settings from **Sign in** related settings and make everything cleaner and easier to read.

Fixes #19749

Related to #5573

See merge request !5259

Diffstat (limited to 'doc')
-rw-r--r-- doc/administration/access_restrictions.md | 22
-rw-r--r-- doc/administration/img/domain_blacklist.png | bin 0 -> 178444 bytes
-rw-r--r-- doc/api/settings.md | 12
-rw-r--r-- doc/development/doc_styleguide.md | 2
4 files changed, 30 insertions, 6 deletions
diff --git a/doc/administration/access_restrictions.md b/doc/administration/access_restrictions.md
index 51d7996effd..eb08cf139d4 100644
--- a/doc/administration/access_restrictions.md
+++ b/doc/administration/access_restrictions.md
@@ -1,6 +1,6 @@
# Access Restrictions
-> **Note:** This feature is only available on versions 8.10 and above.
+> **Note:** These features are only available on versions 8.10 and above.
With GitLab's Access restrictions you can choose which Git access protocols you
want your users to use to communicate with GitLab. This feature can be enabled
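Review bot: the intro paragraph left as context under the changed note still describes only the Git access protocol restriction ("This feature can be enabled"), so with the note now plural the page opens without saying what the other feature is. Suggest adding one sentence to the intro that the page also covers blocking sign-ups by email domain, or linking to the new section from there.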
@@ -35,4 +35,22 @@ not selected.
> **Note:** Please keep in mind that disabling an access protocol does not actually
block access to the server itself. The ports used for the protocol, be it SSH or
HTTP, will still be accessible. What GitLab does is restrict access on the
- application level. \ No newline at end of file
+ application level.
+
+## Blacklist email domains
+
+With this feature enabled, you can block email addresses of a specific domain
+from creating an account on your GitLab server. This is particularly useful to
+prevent spam. Disposable email addresses are usually used by malicious users to
+create dummy accounts and spam issues.
+
+This feature can be activated via the `Application Settings` in the Admin area,
+and you have the option of entering the list manually, or uploading a file with
+the list.
+
+The blacklist accepts wildcards, so you can use `*.test.com` to block every
+`test.com` subdomain, or `*.io` to block all domains ending in `.io`. Domains
+should be separated by a whitespace, semicolon, comma, or a new line.
+
+![Domain Blacklist](img/domain_blacklist.png)
+
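Review bot: the wildcard paragraph says `*.test.com` blocks "every `test.com` subdomain" but never says whether `test.com` itself is covered, and an admin using this for spam control needs to know whether the bare domain requires its own entry. Suggest stating that explicitly, and also stating which setting wins when a domain whitelist is configured alongside the blacklist, since the section is silent on it. Minor: "a whitespace" should read "whitespace", and the added blank line after the image at the end of the file can be dropped.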
diff --git a/doc/administration/img/domain_blacklist.png b/doc/administration/img/domain_blacklist.png
new file mode 100644
index 00000000000..a7894e5f08d
--- /dev/null
+++ b/doc/administration/img/domain_blacklist.png
Binary files differ
diff --git a/doc/api/settings.md b/doc/api/settings.md
index d9b68eaeadf..ea39b32561c 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -33,7 +33,9 @@ Example response:
"session_expire_delay" : 10080,
"home_page_url" : null,
"default_snippet_visibility" : 0,
- "restricted_signup_domains" : [],
+ "domain_whitelist" : [],
+ "domain_blacklist_enabled" : false,
+ "domain_blacklist" : [],
"created_at" : "2016-01-04T15:44:55.176Z",
"default_project_visibility" : 0,
"gravatar_enabled" : true,
@@ -63,7 +65,9 @@ PUT /application/settings
| `session_expire_delay` | integer | no | Session duration in minutes. GitLab restart is required to apply changes |
| `default_project_visibility` | integer | no | What visibility level new projects receive. Can take `0` _(Private)_, `1` _(Internal)_ and `2` _(Public)_ as a parameter. Default is `0`.|
| `default_snippet_visibility` | integer | no | What visibility level new snippets receive. Can take `0` _(Private)_, `1` _(Internal)_ and `2` _(Public)_ as a parameter. Default is `0`.|
-| `restricted_signup_domains` | array of strings | no | Force people to use only corporate emails for sign-up. Default is null, meaning there is no restriction. |
+| `domain_whitelist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is null, meaning there is no restriction. |
+| `domain_blacklist_enabled` | boolean | no | Enable/disable the `domain_blacklist` |
+| `domain_blacklist` | array of strings | yes (if `domain_whitelist_enabled` is `true` | People trying to sign-up with emails from this domain will not be allowed to do so. |
| `user_oauth_applications` | boolean | no | Allow users to register any application to use GitLab as an OAuth provider |
| `after_sign_out_path` | string | no | Where to redirect users after logout |
| `container_registry_token_expire_delay` | integer | no | Container Registry token duration in minutes |
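Review bot: in the added `domain_blacklist` row, the Required column reads "yes (if `domain_whitelist_enabled` is `true`", which names a parameter this table never defines (the row above adds `domain_blacklist_enabled`) and is missing its closing parenthesis. It should read "yes (if `domain_blacklist_enabled` is `true`)". The description "emails from this domain" should be plural, since the value is an array of strings. Separately, `restricted_signup_domains` becomes `domain_whitelist` with no note for existing API clients that still send the old name; a sentence saying whether the old name is still accepted would save integrators a silent failure.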
@@ -93,7 +97,9 @@ Example response:
"session_expire_delay": 10080,
"default_project_visibility": 1,
"default_snippet_visibility": 0,
- "restricted_signup_domains": [],
+ "domain_whitelist": [],
+ "domain_blacklist_enabled" : false,
+ "domain_blacklist" : [],
"user_oauth_applications": true,
"after_sign_out_path": "",
"container_registry_token_expire_delay": 5,
diff --git a/doc/development/doc_styleguide.md b/doc/development/doc_styleguide.md
index fac35ec964d..6ee7b3cfeeb 100644
--- a/doc/development/doc_styleguide.md
+++ b/doc/development/doc_styleguide.md
@@ -359,7 +359,7 @@ restrict the sign-up e-mail domains of a GitLab instance to `*.example.com` and
`example.net`, you would do something like this:
```bash
-curl -X PUT -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" -d "restricted_signup_domains[]=*.example.com" -d "restricted_signup_domains[]=example.net" https://gitlab.example.com/api/v3/application/settings
+curl -X PUT -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" -d "domain_whitelist[]=*.example.com" -d "domain_whitelist[]=example.net" https://gitlab.example.com/api/v3/application/settings
```
[cURL]: http://curl.haxx.se/ "cURL website"
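Review bot: the rewritten `curl` line keeps a realistic-looking value in the `PRIVATE-TOKEN` header. Since the line is being touched anyway, consider swapping it for an obviously fake placeholder so the style guide's own example cannot be mistaken for a live credential or copied verbatim into scripts.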