20 files changed, 83 insertions, 23 deletions

diff --git a/.rubocop_todo/gitlab/namespaced_class.yml b/.rubocop_todo/gitlab/namespaced_class.yml
index 103628c577c..ffa0f4d0b2f 100644
--- a/.rubocop_todo/gitlab/namespaced_class.yml
+++ b/.rubocop_todo/gitlab/namespaced_class.yml
@@ -1105,11 +1105,6 @@ Gitlab/NamespacedClass:
     - 'lib/carrier_wave_string_file.rb'
     - 'lib/csv_builder.rb'
     - 'lib/event_filter.rb'
-    - 'lib/feature.rb'
-    - 'lib/feature/definition.rb'
-    - 'lib/feature/gitaly.rb'
-    - 'lib/feature/logger.rb'
-    - 'lib/feature/shared.rb'
     - 'lib/file_size_validator.rb'
     - 'lib/forever.rb'
     - 'lib/generators/gitlab/snowplow_event_definition_generator.rb'
diff --git a/app/helpers/storage_helper.rb b/app/helpers/storage_helper.rb
index f978b9f51f3..ca81d5af4af 100644
--- a/app/helpers/storage_helper.rb
+++ b/app/helpers/storage_helper.rb
@@ -31,6 +31,7 @@ module StorageHelper
     return if root_ancestor.paid?
     return unless future_enforcement_date?(root_ancestor)
     return if user_dismissed_storage_enforcement_banner?(root_ancestor)
+    return unless ::Feature.enabled?(:namespace_storage_limit_show_preenforcement_banner, root_ancestor)
 
     {
       text: html_escape_once(s_("UsageQuota|From %{storage_enforcement_date} storage limits will apply to this namespace. " \
diff --git a/app/models/x509_certificate.rb b/app/models/x509_certificate.rb
index 2c1d0110b7c..7c2581b8bb2 100644
--- a/app/models/x509_certificate.rb
+++ b/app/models/x509_certificate.rb
@@ -16,7 +16,7 @@ class X509Certificate < ApplicationRecord
   has_many :x509_commit_signatures, class_name: 'CommitSignatures::X509CommitSignature', inverse_of: 'x509_certificate'
 
   # rfc 5280 - 4.2.1.2  Subject Key Identifier
-  validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+  validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
   # rfc 5280 - 4.1.2.6  Subject
   validates :subject, presence: true
   # rfc 5280 - 4.1.2.6  Subject (subjectAltName contains the email address)
diff --git a/app/models/x509_issuer.rb b/app/models/x509_issuer.rb
index 4b75e38bbde..81491d8e507 100644
--- a/app/models/x509_issuer.rb
+++ b/app/models/x509_issuer.rb
@@ -4,7 +4,7 @@ class X509Issuer < ApplicationRecord
   has_many :x509_certificates, inverse_of: 'x509_issuer'
 
   # rfc 5280 - 4.2.1.1  Authority Key Identifier
-  validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+  validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
   # rfc 5280 - 4.1.2.4  Issuer
   validates :subject, presence: true
   # rfc 5280 - 4.2.1.13  CRL Distribution Points
diff --git a/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
new file mode 100644
index 00000000000..754a6a16356
--- /dev/null
+++ b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
@@ -0,0 +1,8 @@
+---
+name: namespace_storage_limit_show_preenforcement_banner
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350632
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/362340
+milestone: '15.2'
+type: development
+group: group::utilization
+default_enabled: false
diff --git a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
index a2f50fdc741..5356ebb84f1 100644
--- a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
+++ b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
@@ -256,13 +256,26 @@ Since this service is shared by all review apps, there is a limitation that only
 
 ### Configure SAST
 
-Using [SAST](../../../user/application_security/sast/index.md) with ECS requires no extra configuration. For more
-details about how to configure SAST, see the SAST [documentation](../../../user/application_security/sast/index.md).
+To use [SAST](../../../user/application_security/sast/index.md) with ECS, add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+   - template: Security/SAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [SAST documentation](../../../user/application_security/sast/index.md#configuration).
 
 ### Configure DAST
 
 To use [DAST](../../../user/application_security/dast/index.md) on non-default branches, [set up review apps](#set-up-review-apps)
-and then follow the steps outlined in the DAST [documentation](../../../user/application_security/dast/index.md).
+and add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+  - template: Security/DAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [DAST documentation](../../../user/application_security/dast/index.md).
 
 ## Further reading
 
diff --git a/doc/development/migration_style_guide.md b/doc/development/migration_style_guide.md
index c9b59ba66b5..4a1d4389ceb 100644
--- a/doc/development/migration_style_guide.md
+++ b/doc/development/migration_style_guide.md
@@ -90,6 +90,14 @@ Keep in mind that all durations should be measured against GitLab.com.
 | Post-deployment migrations | `<= 10 minutes` | A valid exception are schema changes, since they must not happen in background migrations. |
 | Background migrations | `> 10 minutes` | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any single query must stay below [`1 second` execution time](query_performance.md#timing-guidelines-for-queries) with cold caches. |
 
+## Decide which database to target
+
+GitLab connects to two different Postgres databases: `main` and `ci`. This split can affect migrations
+as they may run on either or both of these databases.
+
+Read [Migrations for Multiple databases](database/migrations_for_multiple_databases.md) to understand if or how
+a migration you add should account for this.
+
 ## Create a regular schema migration
 
 To create a migration you can use the following Rails generator:
diff --git a/lib/feature.rb b/lib/feature.rb
index 3bba4be7514..36d2456ec6f 100644
--- a/lib/feature.rb
+++ b/lib/feature.rb
@@ -3,7 +3,7 @@
 require 'flipper/adapters/active_record'
 require 'flipper/adapters/active_support_cache_store'
 
-class Feature
+module Feature
   # Classes to override flipper table names
   class FlipperFeature < Flipper::Adapters::ActiveRecord::Feature
     include DatabaseReflection
diff --git a/lib/feature/definition.rb b/lib/feature/definition.rb
index 1551af730db..270bf46221d 100644
--- a/lib/feature/definition.rb
+++ b/lib/feature/definition.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class Feature
+module Feature
   class Definition
     include ::Feature::Shared
 
diff --git a/lib/feature/gitaly.rb b/lib/feature/gitaly.rb
index 04ed78b8a51..0c6b9dfde7a 100644
--- a/lib/feature/gitaly.rb
+++ b/lib/feature/gitaly.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class Feature
+module Feature
   class Gitaly
     PREFIX = "gitaly_"
 
diff --git a/lib/feature/logger.rb b/lib/feature/logger.rb
index 784a619e182..95e160273b6 100644
--- a/lib/feature/logger.rb
+++ b/lib/feature/logger.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class Feature
+module Feature
   class Logger < ::Gitlab::JsonLogger
     def self.file_name_noext
       'features_json'
diff --git a/lib/feature/shared.rb b/lib/feature/shared.rb
index 40f21fc4f50..edfc39aea0c 100644
--- a/lib/feature/shared.rb
+++ b/lib/feature/shared.rb
@@ -4,7 +4,7 @@
 # 1. `Pure Ruby`: `bin/feature-flag`
 # 2. `GitLab Rails`: `lib/feature/definition.rb`
 
-class Feature
+module Feature
   module Shared
     # optional: defines if a on-disk definition is required for this feature flag type
     # rollout_issue: defines if `bin/feature-flag` asks for rollout issue
diff --git a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
index 17e49440784..1ac9c319429 100644
--- a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
@@ -7,6 +7,7 @@ stages:
   - build
   - test
   - review
+  - dast
   - deploy
   - production
   - cleanup
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index b0f4194b7a0..0534f890152 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -486,6 +486,10 @@ module Gitlab
     def sep_by_1(separator, part)
       %r(#{part} (#{separator} #{part})*)x
     end
+
+    def x509_subject_key_identifier_regex
+      @x509_subject_key_identifier_regex ||= /\A(?:\h{2}:)*\h{2}\z/.freeze
+    end
   end
 end
 
diff --git a/lib/tasks/gitlab/graphql.rake b/lib/tasks/gitlab/graphql.rake
index b9137aa0d4c..a05b749a60e 100644
--- a/lib/tasks/gitlab/graphql.rake
+++ b/lib/tasks/gitlab/graphql.rake
@@ -15,10 +15,8 @@ namespace :gitlab do
   # Also avoids pipeline failures in case developer
   # dumps schema with flags disabled locally before pushing
   task enable_feature_flags: :environment do
-    class Feature
-      def self.enabled?(*args)
-        true
-      end
+    def Feature.enabled?(*args)
+      true
     end
   end
 
diff --git a/spec/helpers/storage_helper_spec.rb b/spec/helpers/storage_helper_spec.rb
index 4732076ab13..cd5701db83b 100644
--- a/spec/helpers/storage_helper_spec.rb
+++ b/spec/helpers/storage_helper_spec.rb
@@ -89,6 +89,12 @@ RSpec.describe StorageHelper do
           expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
         end
 
+        it 'returns nil when namespace_storage_limit_show_preenforcement_banner FF is disabled' do
+          stub_feature_flags(namespace_storage_limit_show_preenforcement_banner: false)
+
+          expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
+        end
+
         context 'when current_user can access the usage quotas page' do
           it 'returns a hash' do
             expect(helper.storage_enforcement_banner_info(free_group)).to eql({
diff --git a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
index 27de8324206..65fd2b016ac 100644
--- a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
@@ -34,6 +34,16 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
       expect(build_names).to include('production_ecs')
     end
 
+    context 'when the DAST template is also included' do
+      let(:dast_template) { Gitlab::Template::GitlabCiYmlTemplate.find('Security/DAST') }
+
+      before do
+        stub_ci_pipeline_yaml_file(template.content + dast_template.content)
+      end
+
+      include_examples 'no pipeline yaml error'
+    end
+
     context 'when running a pipeline for a branch' do
       let(:pipeline_branch) { 'test_branch' }
 
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index d48e8183650..a3afbed18e2 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -968,4 +968,18 @@ RSpec.describe Gitlab::Regex do
     it { is_expected.not_to match('abc!abc') }
     it { is_expected.not_to match((['abc'] * 100).join('.') + '!') }
   end
+
+  describe '.x509_subject_key_identifier_regex' do
+    subject { described_class.x509_subject_key_identifier_regex }
+
+    it { is_expected.to match('AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB') }
+    it { is_expected.to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD') }
+    it { is_expected.to match('79:FB:C1:E5:6B:53:8B:0A') }
+    it { is_expected.to match('79:fb:c1:e5:6b:53:8b:0a') }
+
+    it { is_expected.not_to match('') }
+    it { is_expected.not_to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG') }
+    it { is_expected.not_to match('random string') }
+    it { is_expected.not_to match('12321342545356434523412341245452345623453542345234523453245') }
+  end
 end
diff --git a/spec/models/x509_certificate_spec.rb b/spec/models/x509_certificate_spec.rb
index d3b4470d3f4..5723bd80739 100644
--- a/spec/models/x509_certificate_spec.rb
+++ b/spec/models/x509_certificate_spec.rb
@@ -73,7 +73,9 @@ RSpec.describe X509Certificate do
     it 'accepts correct subject_key_identifier' do
       subject_key_identifiers = [
         'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
-        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+        '79:FB:C1:E5:6B:53:8B:0A',
+        '79:fb:c1:e5:6b:53:8b:0a'
       ]
 
       subject_key_identifiers.each do |identifier|
@@ -83,7 +85,6 @@ RSpec.describe X509Certificate do
 
     it 'rejects invalid subject_key_identifier' do
       subject_key_identifiers = [
-        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
         'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
         'random string',
         '12321342545356434523412341245452345623453542345234523453245'
diff --git a/spec/models/x509_issuer_spec.rb b/spec/models/x509_issuer_spec.rb
index f1067cad655..3d04adf7e26 100644
--- a/spec/models/x509_issuer_spec.rb
+++ b/spec/models/x509_issuer_spec.rb
@@ -39,7 +39,9 @@ RSpec.describe X509Issuer do
     it 'accepts correct subject_key_identifier' do
       subject_key_identifiers = [
         'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
-        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+        '79:FB:C1:E5:6B:53:8B:0A',
+        '79:fb:c1:e5:6b:53:8b:0a'
       ]
 
       subject_key_identifiers.each do |identifier|
@@ -49,7 +51,6 @@ RSpec.describe X509Issuer do
 
     it 'rejects invalid subject_key_identifier' do
       subject_key_identifiers = [
-        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
         'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
         'random string',
         '12321342545356434523412341245452345623453542345234523453245'