diff --git a/.gitlab/ci/build-images.gitlab-ci.yml b/.gitlab/ci/build-images.gitlab-ci.yml
index 46d0bb2fb8f..c8c1557bbd9 100644
--- a/.gitlab/ci/build-images.gitlab-ci.yml
+++ b/.gitlab/ci/build-images.gitlab-ci.yml
@@ -37,6 +37,7 @@ build-qa-image:
--destination=${QA_IMAGE_BRANCH} \
--build-arg=CHROME_VERSION=${CHROME_VERSION} \
--build-arg=DOCKER_VERSION=${DOCKER_VERSION} \
+ --build-arg=QA_BUILD_TARGET=${QA_BUILD_TARGET:-qa} \
--cache=true
# This image is used by:
diff --git a/app/assets/javascripts/content_editor/components/bubble_menus/formatting.vue b/app/assets/javascripts/content_editor/components/bubble_menus/formatting.vue
index a1e18aa52e7..f0726ff3e63 100644
--- a/app/assets/javascripts/content_editor/components/bubble_menus/formatting.vue
+++ b/app/assets/javascripts/content_editor/components/bubble_menus/formatting.vue
@@ -90,19 +90,6 @@ export default {
:label="__('Code')"
@execute="trackToolbarControlExecution"
/>
-
+
diff --git a/app/controllers/concerns/google_analytics_csp.rb b/app/controllers/concerns/google_analytics_csp.rb
new file mode 100644
index 00000000000..1a8e405928d
--- /dev/null
+++ b/app/controllers/concerns/google_analytics_csp.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module GoogleAnalyticsCSP
+ extend ActiveSupport::Concern
+
+ included do
+ content_security_policy do |policy|
+ next unless helpers.google_tag_manager_enabled? || policy.directives.present?
+
+ default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+ script_src_values = Array.wrap(default_script_src) | ['*.googletagmanager.com']
+ policy.script_src(*script_src_values)
+
+ default_img_src = policy.directives['img-src'] || policy.directives['default-src']
+ img_src_values = Array.wrap(default_img_src) | ['*.google-analytics.com', '*.googletagmanager.com']
+ policy.img_src(*img_src_values)
+
+ default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+ connect_src_values =
+ Array.wrap(default_connect_src) | ['*.google-analytics.com', '*.analytics.google.com', '*.googletagmanager.com']
+ policy.connect_src(*connect_src_values)
+ end
+ end
+end
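Review bot: The guard on the first line of the `content_security_policy` block joins its two conditions with `||`, so the block is skipped only when Google Tag Manager is disabled and no directives exist. With a configured policy and Tag Manager disabled, the wildcard Google hosts are still appended to `script-src`, `img-src` and `connect-src`. With Tag Manager enabled and no directives, `script-src` would be set to `*.googletagmanager.com` alone, which would likely block the application's own scripts. If the intent is to extend an existing policy only while the feature is on, the guard should read `next unless helpers.google_tag_manager_enabled? && policy.directives.present?`. A short comment naming why each directive needs each host would also help whoever later narrows these wildcards.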
diff --git a/app/controllers/confirmations_controller.rb b/app/controllers/confirmations_controller.rb
index 704453fbf44..713231cbc6f 100644
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -4,6 +4,7 @@ class ConfirmationsController < Devise::ConfirmationsController
include AcceptsPendingInvitations
include GitlabRecaptcha
include OneTrustCSP
+ include GoogleAnalyticsCSP
prepend_before_action :check_recaptcha, only: :create
before_action :load_recaptcha, only: :new
diff --git a/app/controllers/registrations/welcome_controller.rb b/app/controllers/registrations/welcome_controller.rb
index a2b25acae64..4e18e6a3b20 100644
--- a/app/controllers/registrations/welcome_controller.rb
+++ b/app/controllers/registrations/welcome_controller.rb
@@ -3,6 +3,7 @@
module Registrations
class WelcomeController < ApplicationController
include OneTrustCSP
+ include GoogleAnalyticsCSP
layout 'minimal'
skip_before_action :authenticate_user!, :required_signup_info, :check_two_factor_requirement, only: [:show, :update]
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index 206580d205a..55178a1a445 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -7,6 +7,7 @@ class RegistrationsController < Devise::RegistrationsController
include InvisibleCaptchaOnSignup
include OneTrustCSP
include BizibleCSP
+ include GoogleAnalyticsCSP
layout 'devise'
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index fc51ee47bd2..6195d152f00 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -12,6 +12,7 @@ class SessionsController < Devise::SessionsController
include OneTrustCSP
include BizibleCSP
include VerifiesWithEmail
+ include GoogleAnalyticsCSP
skip_before_action :check_two_factor_requirement, only: [:destroy]
skip_before_action :check_password_expiration, only: [:destroy]
diff --git a/app/controllers/users/terms_controller.rb b/app/controllers/users/terms_controller.rb
index f7eb2aad9dc..3dfa717474e 100644
--- a/app/controllers/users/terms_controller.rb
+++ b/app/controllers/users/terms_controller.rb
@@ -4,6 +4,7 @@ module Users
class TermsController < ApplicationController
include InternalRedirect
include OneTrustCSP
+ include GoogleAnalyticsCSP
skip_before_action :authenticate_user!, only: [:index]
skip_before_action :enforce_terms!
diff --git a/app/models/concerns/packages/fips.rb b/app/models/concerns/packages/fips.rb
new file mode 100644
index 00000000000..b8589cdc991
--- /dev/null
+++ b/app/models/concerns/packages/fips.rb
@@ -0,0 +1,11 @@
+# rubocop:disable Naming/FileName
+# frozen_string_literal: true
+
+module Packages
+ module FIPS
+ extend ActiveSupport::Concern
+
+ DisabledError = Class.new(StandardError)
+ end
+end
+# rubocop:enable Naming/FileName
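Review bot: `Packages::FIPS` holds only the `DisabledError` constant and has no comment saying what it is for. Meanwhile the guard `raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?` is repeated verbatim in `FileEntry`, three Debian services and both Debian workers. A module comment should state when `DisabledError` is raised and who is expected to handle it. A small helper defined here would keep the condition and the message in one place. `extend ActiveSupport::Concern` adds nothing while the module contains only a constant.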
diff --git a/app/models/packages/debian/file_entry.rb b/app/models/packages/debian/file_entry.rb
index eb66f4acfa9..b70b6c460d2 100644
--- a/app/models/packages/debian/file_entry.rb
+++ b/app/models/packages/debian/file_entry.rb
@@ -4,6 +4,7 @@ module Packages
module Debian
class FileEntry
include ActiveModel::Model
+ include ::Packages::FIPS
DIGESTS = %i[md5 sha1 sha256].freeze
FILENAME_REGEX = %r{\A[a-zA-Z0-9][a-zA-Z0-9_.~+-]*\z}.freeze
@@ -31,6 +32,8 @@ module Packages
private
def valid_package_file_digests
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
+
DIGESTS.each do |digest|
package_file_digest = package_file["file_#{digest}"]
sum = public_send("#{digest}sum") # rubocop:disable GitlabSecurity/PublicSend
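Review bot: The new first line of `valid_package_file_digests` raises from what appears to be a validation method, so `valid?` no longer returns false for this case but throws `DisabledError`. Any caller that branches on `valid?` or inspects `errors` now needs a rescue. If that is intended, say so in a comment above the raise, for example `# Raise instead of adding an error: the registry must not process files at all in FIPS mode`. The method body continues past the end of this hunk, so the rest of the validation is not visible here.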
diff --git a/app/services/packages/debian/create_package_file_service.rb b/app/services/packages/debian/create_package_file_service.rb
index 2022a63a725..fbbc8159ca0 100644
--- a/app/services/packages/debian/create_package_file_service.rb
+++ b/app/services/packages/debian/create_package_file_service.rb
@@ -3,12 +3,15 @@
module Packages
module Debian
class CreatePackageFileService
+ include ::Packages::FIPS
+
def initialize(package, params)
@package = package
@params = params
end
def execute
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
raise ArgumentError, "Invalid package" unless package.present?
# Debian package file are first uploaded to incoming with empty metadata,
diff --git a/app/services/packages/debian/extract_changes_metadata_service.rb b/app/services/packages/debian/extract_changes_metadata_service.rb
index 43a4db5bdfc..30480834748 100644
--- a/app/services/packages/debian/extract_changes_metadata_service.rb
+++ b/app/services/packages/debian/extract_changes_metadata_service.rb
@@ -4,6 +4,7 @@ module Packages
module Debian
class ExtractChangesMetadataService
include Gitlab::Utils::StrongMemoize
+ include ::Packages::FIPS
ExtractionError = Class.new(StandardError)
@@ -13,6 +14,8 @@ module Packages
end
def execute
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
+
{
file_type: file_type,
architecture: metadata[:architecture],
diff --git a/app/services/packages/debian/generate_distribution_service.rb b/app/services/packages/debian/generate_distribution_service.rb
index 33bf877a153..7db27f9234d 100644
--- a/app/services/packages/debian/generate_distribution_service.rb
+++ b/app/services/packages/debian/generate_distribution_service.rb
@@ -4,6 +4,7 @@ module Packages
module Debian
class GenerateDistributionService
include Gitlab::Utils::StrongMemoize
+ include ::Packages::FIPS
include ExclusiveLeaseGuard
ONE_HOUR = 1.hour.freeze
@@ -70,6 +71,8 @@ module Packages
end
def execute
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
+
try_obtain_lease do
@distribution.transaction do
# We consider `apt-get update` can take at most one hour
diff --git a/app/workers/packages/debian/generate_distribution_worker.rb b/app/workers/packages/debian/generate_distribution_worker.rb
index 1eff3ea02dd..822fe5a1517 100644
--- a/app/workers/packages/debian/generate_distribution_worker.rb
+++ b/app/workers/packages/debian/generate_distribution_worker.rb
@@ -4,6 +4,7 @@ module Packages
module Debian
class GenerateDistributionWorker
include ApplicationWorker
+ include ::Packages::FIPS
data_consistency :always
include Gitlab::Utils::StrongMemoize
@@ -20,6 +21,8 @@ module Packages
loggable_arguments 0
def perform(container_type, distribution_id)
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
+
@container_type = container_type
@distribution_id = distribution_id
diff --git a/app/workers/packages/debian/process_changes_worker.rb b/app/workers/packages/debian/process_changes_worker.rb
index 0a716c61203..d477a6f2e1f 100644
--- a/app/workers/packages/debian/process_changes_worker.rb
+++ b/app/workers/packages/debian/process_changes_worker.rb
@@ -4,6 +4,7 @@ module Packages
module Debian
class ProcessChangesWorker
include ApplicationWorker
+ include ::Packages::FIPS
data_consistency :always
include Gitlab::Utils::StrongMemoize
@@ -15,6 +16,8 @@ module Packages
feature_category :package_registry
def perform(package_file_id, user_id)
+ raise DisabledError, 'Debian registry is not FIPS compliant' if Gitlab::FIPS.enabled?
+
@package_file_id = package_file_id
@user_id = user_id
@@ -22,6 +25,8 @@ module Packages
::Packages::Debian::ProcessChangesService.new(package_file, user).execute
rescue StandardError => e
+ raise if e.instance_of?(DisabledError)
+
Gitlab::ErrorTracking.log_exception(e, package_file_id: @package_file_id, user_id: @user_id)
package_file.destroy!
end
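Review bot: The re-raise at the top of the `rescue StandardError` handler tests `e.instance_of?(DisabledError)`, which misses any subclass and hides the special case inside the generic handler. A dedicated clause placed before it, `rescue DisabledError` followed by `raise`, states the same intent and keeps `package_file.destroy!` visibly off that path. A comment should record that the uploaded file is deliberately kept when FIPS mode rejects the job. The worker's retry settings are not visible in these hunks, so check how they treat the re-raised error. `perform` begins in the previous hunk and its body is only partly shown.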
diff --git a/doc/administration/monitoring/prometheus/gitlab_metrics.md b/doc/administration/monitoring/prometheus/gitlab_metrics.md
index 00823d84763..7fd03ee137b 100644
--- a/doc/administration/monitoring/prometheus/gitlab_metrics.md
+++ b/doc/administration/monitoring/prometheus/gitlab_metrics.md
@@ -138,8 +138,8 @@ The following metrics are available:
| `pipeline_graph_links_per_job_ratio` | Histogram | 13.9 | Ratio of links to job per graph | |
| `gitlab_ci_pipeline_security_orchestration_policy_processing_duration_seconds` | Histogram | 13.12 | Time in seconds it takes to process Security Policies in CI/CD pipeline | |
| `gitlab_spamcheck_request_duration_seconds` | Histogram | 13.12 | The duration for requests between Rails and the anti-spam engine | |
-| `service_desk_thank_you_email` | Counter | 14.0 | Total number of email responses to new service desk emails | |
-| `service_desk_new_note_email` | Counter | 14.0 | Total number of email notifications on new service desk comment | |
+| `service_desk_thank_you_email` | Counter | 14.0 | Total number of email responses to new Service Desk emails | |
+| `service_desk_new_note_email` | Counter | 14.0 | Total number of email notifications on new Service Desk comment | |
| `email_receiver_error` | Counter | 14.1 | Total number of errors when processing incoming emails | |
| `gitlab_snowplow_events_total` | Counter | 14.1 | Total number of GitLab Snowplow product intelligence events emitted | |
| `gitlab_snowplow_failed_events_total` | Counter | 14.1 | Total number of GitLab Snowplow product intelligence events emission failures | |
diff --git a/doc/administration/packages/container_registry.md b/doc/administration/packages/container_registry.md
index 2a142d34d04..3bfb3ceca86 100644
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md
@@ -927,9 +927,9 @@ these controls should migrate to the GitLab interface.
Users who have the [Maintainer role](../../user/permissions.md) for the project can
[delete Container Registry tags in bulk](../../api/container_registry.md#delete-registry-repository-tags-in-bulk)
-periodically based on their own criteria, however, this alone does not recycle data,
+periodically based on their own criteria. However, deleting the tags alone does not recycle data,
it only unlinks tags from manifests and image blobs. To recycle the Container
-Registry data in the whole GitLab instance, you can use the built-in command
+Registry data in the whole GitLab instance, you can use the built-in garbage collection command
provided by `gitlab-ctl`.
Prerequisites:
diff --git a/doc/api/packages/debian.md b/doc/api/packages/debian.md
index 66377850c49..4abb7bc7112 100644
--- a/doc/api/packages/debian.md
+++ b/doc/api/packages/debian.md
@@ -21,6 +21,10 @@ for production use due to limited functionality.
For instructions on how to upload and install Debian packages from the GitLab
package registry, see the [Debian registry documentation](../../user/packages/debian_repository/index.md).
+NOTE:
+The Debian registry is not FIPS compliant and is disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
+These endpoints will all return `404 Not Found`.
+
NOTE:
These endpoints do not adhere to the standard API authentication methods.
See the [Debian registry documentation](../../user/packages/debian_repository/index.md)
diff --git a/doc/api/packages/debian_group_distributions.md b/doc/api/packages/debian_group_distributions.md
index 0a1b7b4571e..0d0a4cb2cde 100644
--- a/doc/api/packages/debian_group_distributions.md
+++ b/doc/api/packages/debian_group_distributions.md
@@ -18,6 +18,10 @@ This API is under development and is not meant for production use.
For more information about working with Debian packages, see the
[Debian package registry documentation](../../user/packages/debian_repository/index.md).
+NOTE:
+The Debian registry is not FIPS compliant and is disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
+These endpoints will all return `404 Not Found`.
+
## Enable the Debian group API
Debian group repository support is still a work in progress. It's gated behind a feature flag that's
diff --git a/doc/api/packages/debian_project_distributions.md b/doc/api/packages/debian_project_distributions.md
index 533742642fd..4f3ac62f576 100644
--- a/doc/api/packages/debian_project_distributions.md
+++ b/doc/api/packages/debian_project_distributions.md
@@ -18,6 +18,10 @@ This API is under development and is not meant for production use.
For more information about working with Debian packages, see the
[Debian package registry documentation](../../user/packages/debian_repository/index.md).
+NOTE:
+The Debian registry is not FIPS compliant and is disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
+These endpoints will all return `404 Not Found`.
+
## Enable the Debian API
The Debian API is behind a feature flag that is disabled by default.
diff --git a/doc/install/requirements.md b/doc/install/requirements.md
index 5423b597f78..1d4b7fe85e7 100644
--- a/doc/install/requirements.md
+++ b/doc/install/requirements.md
@@ -125,6 +125,12 @@ GitLab database. [Read more about this requirement, and troubleshooting](postgre
| `btree_gist` | 13.1 |
| `plpgsql` | 11.7 |
+The following managed PostgreSQL services are known to be incompatible and should not be used:
+
+| GitLab version | Managed service |
+|----------------|-------------------------------------------------------|
+| 14.4+ | Amazon Aurora (see [14.4.0](../update/index.md#1440)) |
+
NOTE:
Support for [PostgreSQL 9.6 and 10 was removed in GitLab 13.0](https://about.gitlab.com/releases/2020/05/22/gitlab-13-0-released/#postgresql-11-is-now-the-minimum-required-version-to-install-gitlab) so that GitLab can benefit from PostgreSQL 11 improvements, such as partitioning.
diff --git a/doc/subscriptions/gitlab_dedicated/index.md b/doc/subscriptions/gitlab_dedicated/index.md
index ba09990ec2f..218f6b7f824 100644
--- a/doc/subscriptions/gitlab_dedicated/index.md
+++ b/doc/subscriptions/gitlab_dedicated/index.md
@@ -42,7 +42,7 @@ Features that are not available but we plan to support in the future:
- GitLab-managed runners
- FortiAuthenticator/FortiToken 2FA
- Reply-by email
-- Service desk
+- Service Desk
Features that we do not plan to offer at all:
diff --git a/doc/update/index.md b/doc/update/index.md
index 7b065fcee9e..50bb6631e0e 100644
--- a/doc/update/index.md
+++ b/doc/update/index.md
@@ -703,6 +703,10 @@ or [init scripts](upgrading_from_source.md#configure-sysv-init-script) by [follo
as Sidekiq would continue using a bad connection. Geo and other features that rely on
cron jobs running regularly do not work until Sidekiq is restarted. We recommend
upgrading to GitLab 14.4.3 and later if this issue affects you.
+- After enabling database load balancing by default in 14.4.0, we found an issue where
+ [Database load balancing does not work with an AWS Aurora cluster](https://gitlab.com/gitlab-org/gitlab/-/issues/220617).
+ We recommend moving your databases from Aurora to RDS for PostgreSQL before
+ upgrading. Refer to [Moving GitLab databases to a different PostgreSQL instance](../administration/postgresql/moving.md).
- GitLab 14.4.0 includes a
[background migration `PopulateTopicsTotalProjectsCountCache`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/71033)
that may remain stuck permanently in a **pending** state when the instance lacks records that match the migration's target.
diff --git a/doc/user/packages/debian_repository/index.md b/doc/user/packages/debian_repository/index.md
index a8f0672e376..1d846a60281 100644
--- a/doc/user/packages/debian_repository/index.md
+++ b/doc/user/packages/debian_repository/index.md
@@ -15,6 +15,9 @@ The Debian package registry for GitLab is under development and isn't ready for
limited functionality. This [epic](https://gitlab.com/groups/gitlab-org/-/epics/6057) details the remaining
work and timelines to make it production ready.
+NOTE:
+The Debian registry is not FIPS compliant and is disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
+
Publish Debian packages in your project's Package Registry. Then install the
packages whenever you need to use them as a dependency.
diff --git a/doc/user/packages/npm_registry/index.md b/doc/user/packages/npm_registry/index.md
index bdcbea68568..400881a4a6b 100644
--- a/doc/user/packages/npm_registry/index.md
+++ b/doc/user/packages/npm_registry/index.md
@@ -145,6 +145,9 @@ If you encounter an error with [Yarn](https://classic.yarnpkg.com/en/), view
#### Instance-level npm endpoint
+NOTE:
+Note: Using `CI_JOB_TOKEN` to install npm packages with dependencies in another project will give you 404 errors. You can use a [personal access token](../../profile/personal_access_tokens.md) as a workaround. [GitLab-#352962](https://gitlab.com/gitlab-org/gitlab/-/issues/352962) proposes a fix to this bug.
+
To use the [instance-level](#use-the-gitlab-endpoint-for-npm-packages) npm endpoint, set your npm configuration:
```shell
diff --git a/lib/api/debian_group_packages.rb b/lib/api/debian_group_packages.rb
index 1f640cc17d0..8bf4ac22802 100644
--- a/lib/api/debian_group_packages.rb
+++ b/lib/api/debian_group_packages.rb
@@ -6,6 +6,10 @@ module API
project_id: %r{[0-9]+}.freeze
).freeze
+ before do
+ not_found! if Gitlab::FIPS.enabled?
+ end
+
resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
helpers do
def user_project
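Review bot: The new `before` block has no comment explaining why a whole API class answers 404, and the same four lines are repeated in `lib/api/debian_project_packages.rb`, `lib/api/group_debian_distributions.rb` and `lib/api/project_debian_distributions.rb`. Add a comment above it such as `# The Debian registry is not FIPS compliant: every route in this class returns 404 while FIPS mode is on`. Consider moving the check into one shared helper so the four classes cannot drift apart. A bare 404 gives operators no hint that FIPS mode is the cause, so a log line at this point may also be worth adding.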
diff --git a/lib/api/debian_project_packages.rb b/lib/api/debian_project_packages.rb
index 5fb11db8938..ca576254c3d 100644
--- a/lib/api/debian_project_packages.rb
+++ b/lib/api/debian_project_packages.rb
@@ -14,6 +14,10 @@ module API
file_name: API::NO_SLASH_URL_PART_REGEX
}.freeze
+ before do
+ not_found! if Gitlab::FIPS.enabled?
+ end
+
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
helpers do
def project_or_group
diff --git a/lib/api/group_debian_distributions.rb b/lib/api/group_debian_distributions.rb
index f0376fe2c9c..1f43bb0e2b3 100644
--- a/lib/api/group_debian_distributions.rb
+++ b/lib/api/group_debian_distributions.rb
@@ -6,6 +6,10 @@ module API
requires :id, type: String, desc: 'The ID of a group'
end
+ before do
+ not_found! if Gitlab::FIPS.enabled?
+ end
+
resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
after_validation do
require_packages_enabled!
diff --git a/lib/api/project_debian_distributions.rb b/lib/api/project_debian_distributions.rb
index 2ba1ff85adb..b8ca9428fa3 100644
--- a/lib/api/project_debian_distributions.rb
+++ b/lib/api/project_debian_distributions.rb
@@ -6,6 +6,10 @@ module API
requires :id, type: String, desc: 'The ID of a project'
end
+ before do
+ not_found! if Gitlab::FIPS.enabled?
+ end
+
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
after_validation do
require_packages_enabled!
diff --git a/qa/Dockerfile b/qa/Dockerfile
index 832ad8f7ebc..9611b3653eb 100644
--- a/qa/Dockerfile
+++ b/qa/Dockerfile
@@ -1,7 +1,8 @@
ARG DOCKER_VERSION=20.10.14
ARG CHROME_VERSION=101
+ARG QA_BUILD_TARGET=qa
-FROM registry.gitlab.com/gitlab-org/gitlab-build-images/debian-bullseye-ruby-2.7:bundler-2.3-git-2.33-lfs-2.9-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}-gcloud-383-kubectl-1.23
+FROM registry.gitlab.com/gitlab-org/gitlab-build-images/debian-bullseye-ruby-2.7:bundler-2.3-git-2.33-lfs-2.9-chrome-${CHROME_VERSION}-docker-${DOCKER_VERSION}-gcloud-383-kubectl-1.23 AS qa
LABEL maintainer="GitLab Quality Department "
ENV DEBIAN_FRONTEND="noninteractive"
@@ -50,3 +51,11 @@ COPY ./INSTALLATION_TYPE ./VERSION /home/gitlab/
COPY ./qa /home/gitlab/qa
ENTRYPOINT ["bin/test"]
+
+# Add JH files when pass the parameter: `--build-arg QA_BUILD_TARGET=jhqa`
+FROM qa AS jhqa
+ONBUILD COPY ./jh/qa /home/gitlab/jh/qa
+ONBUILD COPY ./jh/lib /home/gitlab/jh/lib
+ONBUILD COPY ./jh/config/feature_flags /home/gitlab/jh/config/feature_flags
+
+FROM $QA_BUILD_TARGET
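Review bot: `FROM $QA_BUILD_TARGET` accepts any value, and one that is not a stage name (`qa` or `jhqa`) would be resolved as an external image reference. Whoever can set the `QA_BUILD_TARGET` variable that `build-qa-image` passes in `.gitlab/ci/build-images.gitlab-ci.yml` therefore chooses the base of the published QA image. Who can set that variable is not visible here; if it can come from pipeline-level or manually supplied variables, the job should reject anything outside the two known targets before it invokes the build. The comment above the `jhqa` stage should also say that the `ONBUILD COPY` lines run only when the final `FROM` selects `jhqa`, which is presumably why the `jh/` directories need not exist for the default build.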
diff --git a/spec/features/users/google_analytics_csp_spec.rb b/spec/features/users/google_analytics_csp_spec.rb
new file mode 100644
index 00000000000..46a9b3be22f
--- /dev/null
+++ b/spec/features/users/google_analytics_csp_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Google Analytics 4 content security policy' do
+ it 'includes the GA4 content security policy headers' do
+ visit root_path
+
+ expect(response_headers['Content-Security-Policy']).to include(
+ '*.googletagmanager.com',
+ '*.google-analytics.com',
+ '*.analytics.google.com'
+ )
+ end
+end
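Review bot: The example never sets whether Google Tag Manager is enabled, so it apparently passes only through the `policy.directives.present?` side of the concern's guard and cannot tell the enabled case from the disabled one. Add contexts that stub `google_tag_manager_enabled?` both ways, plus one with no CSP directives configured. Assert per directive rather than on the whole header, for example that `*.googletagmanager.com` appears in `script-src`. As written, the test would still pass if a host landed in the wrong directive.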
diff --git a/spec/frontend/content_editor/components/bubble_menus/formatting_spec.js b/spec/frontend/content_editor/components/bubble_menus/formatting_spec.js
index fba4cf7f680..1e2f58d9e40 100644
--- a/spec/frontend/content_editor/components/bubble_menus/formatting_spec.js
+++ b/spec/frontend/content_editor/components/bubble_menus/formatting_spec.js
@@ -51,9 +51,9 @@ describe('content_editor/components/bubble_menus/formatting', () => {
${'italic'} | ${{ contentType: 'italic', iconName: 'italic', label: 'Italic text', editorCommand: 'toggleItalic' }}
${'strike'} | ${{ contentType: 'strike', iconName: 'strikethrough', label: 'Strikethrough', editorCommand: 'toggleStrike' }}
${'code'} | ${{ contentType: 'code', iconName: 'code', label: 'Code', editorCommand: 'toggleCode' }}
- ${'link'} | ${{ contentType: 'link', iconName: 'link', label: 'Insert link', editorCommand: 'toggleLink', editorCommandParams: { href: '' } }}
${'superscript'} | ${{ contentType: 'superscript', iconName: 'superscript', label: 'Superscript', editorCommand: 'toggleSuperscript' }}
${'subscript'} | ${{ contentType: 'subscript', iconName: 'subscript', label: 'Subscript', editorCommand: 'toggleSubscript' }}
+ ${'link'} | ${{ contentType: 'link', iconName: 'link', label: 'Insert link', editorCommand: 'toggleLink', editorCommandParams: { href: '' } }}
`('given a $testId toolbar control', ({ testId, controlProps }) => {
beforeEach(() => {
buildWrapper();
diff --git a/spec/models/packages/debian/file_entry_spec.rb b/spec/models/packages/debian/file_entry_spec.rb
index e981adf69bc..ed6372f2873 100644
--- a/spec/models/packages/debian/file_entry_spec.rb
+++ b/spec/models/packages/debian/file_entry_spec.rb
@@ -31,6 +31,13 @@ RSpec.describe Packages::Debian::FileEntry, type: :model do
describe 'validations' do
it { is_expected.to be_valid }
+ context 'with FIPS mode', :fips_mode do
+ it 'raises an error' do
+ expect { subject.validate! }
+ .to raise_error(::Packages::FIPS::DisabledError, 'Debian registry is not FIPS compliant')
+ end
+ end
+
describe '#filename' do
it { is_expected.to validate_presence_of(:filename) }
it { is_expected.not_to allow_value('Hé').for(:filename) }
diff --git a/spec/services/packages/debian/create_package_file_service_spec.rb b/spec/services/packages/debian/create_package_file_service_spec.rb
index 74b97a4f941..c8292b2d5c2 100644
--- a/spec/services/packages/debian/create_package_file_service_spec.rb
+++ b/spec/services/packages/debian/create_package_file_service_spec.rb
@@ -102,5 +102,13 @@ RSpec.describe Packages::Debian::CreatePackageFileService do
expect { subject.execute }.to raise_error(ActiveRecord::RecordInvalid)
end
end
+
+ context 'FIPS mode enabled', :fips_mode do
+ let(:file) { nil }
+
+ it 'raises an error' do
+ expect { subject.execute }.to raise_error(::Packages::FIPS::DisabledError)
+ end
+ end
end
end
diff --git a/spec/services/packages/debian/extract_changes_metadata_service_spec.rb b/spec/services/packages/debian/extract_changes_metadata_service_spec.rb
index ced846866c2..4765e6c3bd4 100644
--- a/spec/services/packages/debian/extract_changes_metadata_service_spec.rb
+++ b/spec/services/packages/debian/extract_changes_metadata_service_spec.rb
@@ -13,6 +13,12 @@ RSpec.describe Packages::Debian::ExtractChangesMetadataService do
subject { service.execute }
+ context 'with FIPS mode enabled', :fips_mode do
+ it 'raises an error' do
+ expect { subject }.to raise_error(::Packages::FIPS::DisabledError)
+ end
+ end
+
context 'with valid package file' do
it 'extract metadata', :aggregate_failures do
expected_fields = { 'Architecture' => 'source amd64', 'Binary' => 'libsample0 sample-dev sample-udeb' }
diff --git a/spec/services/packages/debian/generate_distribution_service_spec.rb b/spec/services/packages/debian/generate_distribution_service_spec.rb
index 53805d03655..fe5fbfbbe1f 100644
--- a/spec/services/packages/debian/generate_distribution_service_spec.rb
+++ b/spec/services/packages/debian/generate_distribution_service_spec.rb
@@ -15,6 +15,12 @@ RSpec.describe Packages::Debian::GenerateDistributionService do
context "for #{container_type}" do
include_context 'with Debian distribution', container_type
+ context 'with FIPS mode enabled', :fips_mode do
+ it 'raises an error' do
+ expect { subject }.to raise_error(::Packages::FIPS::DisabledError)
+ end
+ end
+
it_behaves_like 'Generate Debian Distribution and component files'
end
end
diff --git a/spec/support/shared_examples/requests/api/debian_common_shared_examples.rb b/spec/support/shared_examples/requests/api/debian_common_shared_examples.rb
index e0225070986..2ba42b8e8fa 100644
--- a/spec/support/shared_examples/requests/api/debian_common_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/debian_common_shared_examples.rb
@@ -15,3 +15,9 @@ RSpec.shared_examples 'rejects Debian access with unknown container id' do |anon
end
end
end
+
+RSpec.shared_examples 'Debian API FIPS mode' do
+ context 'when FIPS mode is enabled', :fips_mode do
+ it_behaves_like 'returning response status', :not_found
+ end
+end
diff --git a/spec/support/shared_examples/requests/api/debian_distributions_shared_examples.rb b/spec/support/shared_examples/requests/api/debian_distributions_shared_examples.rb
index 5cd63c33936..f13ac05591c 100644
--- a/spec/support/shared_examples/requests/api/debian_distributions_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/debian_distributions_shared_examples.rb
@@ -3,6 +3,8 @@
RSpec.shared_examples 'Debian distributions GET request' do |status, body = nil|
and_body = body.nil? ? '' : ' and expected body'
+ it_behaves_like 'Debian API FIPS mode'
+
it "returns #{status}#{and_body}" do
subject
@@ -17,6 +19,8 @@ end
RSpec.shared_examples 'Debian distributions PUT request' do |status, body|
and_body = body.nil? ? '' : ' and expected body'
+ it_behaves_like 'Debian API FIPS mode'
+
if status == :success
it 'updates distribution', :aggregate_failures do
expect(::Packages::Debian::UpdateDistributionService).to receive(:new).with(distribution, api_params.except(:codename)).and_call_original
@@ -49,6 +53,8 @@ end
RSpec.shared_examples 'Debian distributions DELETE request' do |status, body|
and_body = body.nil? ? '' : ' and expected body'
+ it_behaves_like 'Debian API FIPS mode'
+
if status == :success
it 'updates distribution', :aggregate_failures do
expect { subject }
diff --git a/spec/support/shared_examples/requests/api/debian_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/debian_packages_shared_examples.rb
index 9f96cb2a164..de7032450a5 100644
--- a/spec/support/shared_examples/requests/api/debian_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/debian_packages_shared_examples.rb
@@ -3,6 +3,8 @@
RSpec.shared_examples 'Debian packages GET request' do |status, body = nil|
and_body = body.nil? ? '' : ' and expected body'
+ it_behaves_like 'Debian API FIPS mode'
+
it "returns #{status}#{and_body}" do
subject
@@ -17,6 +19,8 @@ end
RSpec.shared_examples 'Debian packages upload request' do |status, body = nil|
and_body = body.nil? ? '' : ' and expected body'
+ it_behaves_like 'Debian API FIPS mode'
+
if status == :created
it 'creates package files', :aggregate_failures do
expect(::Packages::Debian::FindOrCreateIncomingService).to receive(:new).with(container, user).and_call_original
diff --git a/spec/workers/packages/debian/generate_distribution_worker_spec.rb b/spec/workers/packages/debian/generate_distribution_worker_spec.rb
index a4627ec5d36..a3e956f14c8 100644
--- a/spec/workers/packages/debian/generate_distribution_worker_spec.rb
+++ b/spec/workers/packages/debian/generate_distribution_worker_spec.rb
@@ -18,6 +18,12 @@ RSpec.describe Packages::Debian::GenerateDistributionWorker, type: :worker do
context "for #{container_type}" do
include_context 'with Debian distribution', container_type
+ context 'with FIPS mode enabled', :fips_mode do
+ it 'raises an error' do
+ expect { subject }.to raise_error(::Packages::FIPS::DisabledError)
+ end
+ end
+
context 'with mocked service' do
it 'calls GenerateDistributionService' do
expect(Gitlab::ErrorTracking).not_to receive(:log_exception)
diff --git a/spec/workers/packages/debian/process_changes_worker_spec.rb b/spec/workers/packages/debian/process_changes_worker_spec.rb
index 4a8eb855398..93eba4bfa9a 100644
--- a/spec/workers/packages/debian/process_changes_worker_spec.rb
+++ b/spec/workers/packages/debian/process_changes_worker_spec.rb
@@ -16,6 +16,12 @@ RSpec.describe Packages::Debian::ProcessChangesWorker, type: :worker do
subject { worker.perform(package_file_id, user_id) }
+ context 'with FIPS mode enabled', :fips_mode do
+ it 'raises an error' do
+ expect { subject }.to raise_error(::Packages::FIPS::DisabledError)
+ end
+ end
+
context 'with mocked service' do
it 'calls ProcessChangesService' do
expect(Gitlab::ErrorTracking).not_to receive(:log_exception)
diff --git a/vendor/project_templates/gatsby.tar.gz b/vendor/project_templates/gatsby.tar.gz
index 52bb056630e..1c0e413b2ec 100644
Binary files a/vendor/project_templates/gatsby.tar.gz and b/vendor/project_templates/gatsby.tar.gz differ