fix(guard): service account syntehtic email to match deployment base domain

Author: hamir-suspect

guard/lib/guard/front_repo/user.ex

@@ -251,6 +251,9 @@ defmodule Guard.FrontRepo.User do
   This validates the specific requirements for service account users.
   """
   def service_account_changeset(user, params) do
+    base_domain = Application.fetch_env!(:guard, :base_domain)
+    escaped_domain = Regex.escape(base_domain)
+
     user
     |> cast(params, [
       :email,
@@ -267,9 +270,9 @@ defmodule Guard.FrontRepo.User do
     |> validate_length(:name, max: 255, message: "Name cannot exceed 255 characters")
     |> validate_inclusion(:creation_source, [:service_account])
     |> put_change(:single_org_user, true)
-    |> validate_format(:email, ~r/^[\w\-\.]+@sa\.[\w\-\.]+\.semaphoreci\.com$/i,
+    |> validate_format(:email, ~r/^[\w\-\.]+@service_accounts\.[\w\-\.]+\.#{escaped_domain}$/i,
       message:
-        "Service account email must follow the format: name@sa.organization.semaphoreci.com"
+        "Service account email must follow the format: name@service_accounts.organization.#{base_domain}"
     )
     |> unique_constraint(:email, name: :index_users_on_email)
     |> unique_constraint(:authentication_token, name: :index_users_on_authentication_token)
@@ -283,8 +286,9 @@ defmodule Guard.FrontRepo.User do
     # Sanitize names to ensure valid email format
     sanitized_sa_name = sanitize_email_part(service_account_name)
     sanitized_org_name = sanitize_email_part(organization_name)
+    base_domain = Application.fetch_env!(:guard, :base_domain)
 
-    "#{sanitized_sa_name}@sa.#{sanitized_org_name}.semaphoreci.com"
+    "#{sanitized_sa_name}@service_accounts.#{sanitized_org_name}.#{base_domain}"
   end
 
   defp sanitize_email_part(name) do

guard/lib/guard/store/service_account.ex

@@ -516,14 +516,14 @@ defmodule Guard.Store.ServiceAccount do
           String.downcase(service_account_name) |> String.replace(~r/[^a-z0-9\-]/, "-")
 
         sanitized_org = String.downcase(org_username) |> String.replace(~r/[^a-z0-9\-]/, "-")
-        "#{sanitized_name}@sa.#{sanitized_org}.#{base_domain}"
+        "#{sanitized_name}@service_accounts.#{sanitized_org}.#{base_domain}"
 
       _ ->
         # Fallback if org not found (shouldn't happen in normal flow)
         sanitized_name =
           String.downcase(service_account_name) |> String.replace(~r/[^a-z0-9\-]/, "-")
 
-        "#{sanitized_name}@sa.unknown.#{base_domain}"
+        "#{sanitized_name}@service_accounts.unknown.#{base_domain}"
     end
   end
 

guard/test/guard/grpc_servers/user_server_test.exs

@@ -1386,7 +1386,7 @@ defmodule Guard.GrpcServers.UserServerTest do
       assert user_id == user.id
       assert user_email == user.email
       assert user_name == user.name
-      assert String.contains?(user_email, "@sa.")
+      assert String.contains?(user_email, "@service_accounts.")
       assert String.contains?(user_email, ".#{Application.fetch_env!(:guard, :base_domain)}")
     end
 

guard/test/guard/service_account/actions_test.exs

@@ -92,7 +92,8 @@ defmodule Guard.ServiceAccount.ActionsTest do
                   org_id: "org-id",
                   creator_id: "creator-id",
                   deactivated: false,
-                  email: "[email protected].#{Application.fetch_env!(:guard, :base_domain)}"
+                  email:
+                    "test@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
                 },
                 api_token: "test-token"
               }}
@@ -102,7 +103,10 @@ defmodule Guard.ServiceAccount.ActionsTest do
          [
            create: fn user_id, email, name, "service_account" ->
              assert user_id == "user-id"
-             assert email == "[email protected].#{Application.fetch_env!(:guard, :base_domain)}"
+
+             assert email ==
+                      "test@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
+
              assert name == "Test SA"
              :ok
            end,
@@ -120,7 +124,7 @@ defmodule Guard.ServiceAccount.ActionsTest do
         assert_called(
           Guard.Store.RbacUser.create(
             "user-id",
-            "test@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}",
+            "test@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}",
             "Test SA",
             "service_account"
           )
@@ -394,7 +398,7 @@ defmodule Guard.ServiceAccount.ActionsTest do
 
         assert String.contains?(
                  service_account.email,
-                 "@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
+                 "@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
                )
 
         # Verify event was published

guard/test/guard/store/service_account_test.exs

@@ -222,7 +222,7 @@ defmodule Guard.Store.ServiceAccountTest do
 
         assert String.contains?(
                  result.service_account.email,
-                 "@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
+                 "@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
                )
       end
     end
@@ -263,7 +263,7 @@ defmodule Guard.Store.ServiceAccountTest do
 
         # Should sanitize both name and org username
         assert result.service_account.email ==
-                 "my-service-account-@sa.myorg-123.#{Application.fetch_env!(:guard, :base_domain)}"
+                 "my-service-account-@service_accounts.myorg-123.#{Application.fetch_env!(:guard, :base_domain)}"
       end
     end
 
@@ -280,7 +280,7 @@ defmodule Guard.Store.ServiceAccountTest do
         # Should use fallback email
         assert String.contains?(
                  result.service_account.email,
-                 "@sa.unknown.#{Application.fetch_env!(:guard, :base_domain)}"
+                 "@service_accounts.unknown.#{Application.fetch_env!(:guard, :base_domain)}"
                )
       end
     end
@@ -337,7 +337,7 @@ defmodule Guard.Store.ServiceAccountTest do
 
         assert String.contains?(
                  updated_sa.user.email,
-                 "new-name@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
+                 "new-name@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
                )
       end
     end

guard/test/guard/user/actions_test.exs

@@ -133,14 +133,17 @@ defmodule Guard.User.ActionsTest do
   describe "service account user interactions" do
     test "should not allow creating regular user with service account email pattern" do
       with_mock Guard.Events.UserCreated, publish: fn _, _ -> :ok end do
+        base_domain = Application.fetch_env!(:guard, :base_domain)
+        service_email = "test@service_accounts.org.#{base_domain}"
+
         user_params = %{
-          email: "[email protected]",
+          email: service_email,
           name: "Regular User"
         }
 
         {:ok, user} = Guard.User.Actions.create(user_params)
 
-        assert user.email == "[email protected]"
+        assert user.email == service_email
         assert user.name == "Regular User"
       end
     end
@@ -161,7 +164,7 @@ defmodule Guard.User.ActionsTest do
         assert updated_user.name == "Updated SA Name"
         assert updated_user.creation_source == :service_account
         assert updated_user.single_org_user == true
-        assert String.contains?(updated_user.email, "@sa.")
+        assert String.contains?(updated_user.email, "@service_accounts.")
       end
     end
 

guard/test/support/factories/service_account_factory.ex

@@ -109,7 +109,7 @@ defmodule Support.Factories.ServiceAccountFactory do
 
   defp generate_synthetic_email(name, _org_id) do
     sanitized_name = String.downcase(name) |> String.replace(~r/[^a-z0-9\-]/, "-")
-    "#{sanitized_name}@sa.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
+    "#{sanitized_name}@service_accounts.test-org.#{Application.fetch_env!(:guard, :base_domain)}"
   end
 
   defp get_role_id(nil), do: UUID.generate()