Allow team syncing if user creation is disabled

Before this change, if user creation was disabled, team sync would fail to sync over users that had not yet been invited/logged in, because their accounts could not be created. Following this change, team syncing of users not yet in the system will create those user accounts, allowing users to be "auto invited" via team sync.

Fixes https://jira.coreos.com/browse/QUAY-910

data/users/federated.py

@@ -60,8 +60,9 @@ class FederatedUsers(object):
 
     return self.get_and_link_federated_user_info(user_info)
 
-  def get_and_link_federated_user_info(self, user_info):
-    return self._get_and_link_federated_user_info(user_info.username, user_info.email)
+  def get_and_link_federated_user_info(self, user_info, internal_create=False):
+    return self._get_and_link_federated_user_info(user_info.username, user_info.email,
+                                                  internal_create=internal_create)
 
   def verify_and_link_user(self, username_or_email, password):
     """ Verifies the given credentials and, if valid, creates/links a database user to the
@@ -109,11 +110,12 @@ class FederatedUsers(object):
     """
     return (None, 'Not supported')
 
-  def _get_and_link_federated_user_info(self, username, email):
+  def _get_and_link_federated_user_info(self, username, email, internal_create=False):
     db_user = model.user.verify_federated_login(self._federated_service, username)
     if not db_user:
-      # We must create the user in our db. Check to see if this is allowed.
-      if not can_create_user(email):
+      # We must create the user in our db. Check to see if this is allowed (except for internal
+      # creation, which is always allowed).
+      if not internal_create and not can_create_user(email):
         return (None, DISABLED_MESSAGE)
 
       valid_username = None