Commit graph

17 commits

Author SHA1 Message Date
Jesse Hallam
71ca373de7
Generate instead of hard-coding test passwords, enforce new minimum for FIPS, shard CI, fix FIPS builds (#35905)
* Replace hardcoded test passwords with model.NewTestPassword()

Add model.NewTestPassword() utility that generates 14+ character
passwords meeting complexity requirements for FIPS compliance. Replace
all short hardcoded test passwords across the test suite with calls to
this function.

* Enforce FIPS compliance for passwords and HMAC keys

FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses
the password as the HMAC key internally, so short passwords cause
PKCS5_PBKDF2_HMAC to fail.

- Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants
- Raise the password minimum length floor to 14 when compiled with
  requirefips, applied in SetDefaults only when unset and validated
  independently in IsValid
- Return ErrMismatchedHashAndPassword for too-short passwords in
  PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error
- Validate atmos/camo HMAC key length under FIPS and lengthen test
  keys accordingly
- Adjust password validation tests to use PasswordFIPSMinimumLength
  so they work under both FIPS and non-FIPS builds

* CI: shard FIPS test suite and extract merge template

Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch
name. Shard FIPS tests across 4 runners matching the normal Postgres
suite. Extract the test result merge logic into a reusable workflow
template to deduplicate the normal and FIPS merge jobs.

* more

* Fix email test helper to respect FIPS minimum password length

* Fix test helpers to respect FIPS minimum password length

* Remove unnecessary "disable strict password requirements" blocks from test helpers

* Fix CodeRabbit review comments on PR #35905

- Add server-test-merge-template.yml to server-ci.yml pull_request.paths
  so changes to the reusable merge workflow trigger Server CI validation
- Skip merge-postgres-fips-test-results job when test-postgres-normal-fips
  was skipped, preventing failures due to missing artifacts
- Set guest.Password on returned guest in CreateGuestAndClient helper
  to keep contract consistent with CreateUserWithClient
- Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength
  constants in NewTestPassword() to avoid drift if FIPS floor changes

https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f

* Rename FIPS test artifact to match server-ci-report pattern

The server-ci-report job searches for artifacts matching "*-test-logs",
so rename from postgres-server-test-logs-fips to
postgres-server-fips-test-logs to be included in the report.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-04-08 16:49:43 -03:00
Catena cyber
758bdd785f
perf: apply perfsprint linter (#33967)
* perf: apply perfsprint linter

* further simplifications

* improved TestParseHashtags coverage

* more simplifications

* simplify renderBlockHTML further

---------

Co-authored-by: Jesse Hallam <jesse@mattermost.com>
2025-11-28 11:23:51 -04:00
Agniva De Sarker
41e88b74ac
MM-61407: Remove Bleve (#33430)
https://mattermost.atlassian.net/browse/MM-61407

```release-note
NONE
```

* webapp i18n

```release-note
NONE
```

* Fix e2e tests

```release-note
NONE
```

* fix roles in e2e tests

```release-note
NONE
```

* some review comments

```release-note
NONE
```

* add back permissions to deprecated list

```release-note
NONE
```
2025-07-31 09:35:29 +05:30
Ben Schumacher
9add320011
[MM-64654] Migrate to modern Go features (#31820)
2025-07-18 12:54:51 +02:00
Agniva De Sarker
f9a4d04c64
MM-63652: Transition gossip encryption functionality to GA (#33349)
* MM-63652: Transition gossip encryption functionality to GA

Create a new config setting, and migrate the old values to new.

https://mattermost.atlassian.net/browse/MM-63652

Skip-Enterprise-PR: true

```release-note
NONE
```

* fix i18n

also fix unit tests

```release-note
NONE
```

* For fresh installations, default to true

```release-note
NONE
```

* gofmt files

```release-note
NONE
```

* Fixing some more strings

```release-note
NONE
```

* Update e2e tests

```release-note
NONE
```
2025-07-14 19:23:12 +05:30
Alejandro García Montoro
de46d798e4
MM-60780: Reject emails within angle brackets (#29661)
* Reject emails within angle brackets

mail.ParseAddress is RFC-compliant, which means that it accepts emails
with names, as in "Billy Bob <billy@example.com>". It even accepts this
form *without* a name; e.g. "<billy@example.com>". We want to store the
plain address, so we compare the user input with the Address field of
the result from mail.ParseAddress, which should contain only
"billy@example.com", thus only accepting emails that do not contain
names nor angle brackets.

* Log a warning for admins with clear next steps

* Fix wording of comment

* And a typo

* Add specific command example to log message

* Add input email to log message

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
2025-04-21 19:22:15 +02:00
Scott Bishel
d5ce06e580
MM-60722 - don't allow multiple '@' in email (#28481)
* don't allow quoted strings in email

* don't allow multiple '@' in email

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
2024-10-15 12:21:02 -06:00
Ben Schumacher
d9e47522a0
Remove unnecessary copies of loop variables (#28138)
2024-09-11 16:51:30 +02:00
Christopher Poile
6ea363e260
[MM-57070] Remove detailed_error from errors when not in dev mode (#26414)
* remove detailed error from appErr.ToJSON

* Revert "remove detailed error from appErr.ToJSON"

This reverts commit 3c2fa7352d.

* use WipeDetailed instead of err.DetailedError = ""

* fix tests

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
2024-03-20 13:30:14 -04:00
Harshil Sharma
521844fed5
API handler opts modifier (#26148)
* POC for API handler opts modifier

* Made upload POST API a file upload API

* Specified file upload local API

* Specified file upload local API

* Specified file upload API

* Simplified handler params

* Added basic security checks

* Fixed i18n

* used type for API handler options

* Removed limited reader from util deserializers (#26263)
2024-02-21 12:13:50 +00:00
Ben Schumacher
7e317c7568
[MM-56455] Handle HTTP error for too large request body in Client4 (#25842)
2024-02-09 17:15:03 +01:00
Harshil Sharma
62064e3bf7
Used limited reader in user invite (#25943)
* Used limited reader in user invite

* Added tests
2024-01-23 11:11:10 +05:30
Scott Bishel
82b8d4dc07
MM-55966 - Update ArrayFromJSON to use LimitedReader (#25510)
* update ArrayFromJSON to use LimitedReader

* update for bad merge

* fix lint errors

* update test code

* update unit tests

* update unit tests

* fix unit tests

* use consts, other cleanup

* add non sorting duplicate check

* set config to default value, then config setting if available

* fix lint errors

* fixes and debugs

* fix log test

* remove setting from Client, add unlimited Parser to client

* a couple more fixes

* another fix

* rename some variables

* remove superfluous call

* check for valid MaximumPayloadSize

* update language file

* fix for e2e-tests

* update util function to return error

* lint fix

* update config property name to include unit

* fix for unit test

* add new config to telemetry

* call function to create LimitedReader

* Deprecate old function, use new function name

* return new AppError on failed parse

* return new AppError on failed parse

* return new AppError on failed parse

* add constant for i18n valid constants

* Update server/public/model/utils_test.go

Co-authored-by: Miguel de la Cruz <mgdelacroix@gmail.com>

* Apply suggestions from code review

Co-authored-by: Miguel de la Cruz <mgdelacroix@gmail.com>

* update error variable, remove unnecessary check

* Update function names

* fix errors from merge

* update unit test to create unique ids

---------

Co-authored-by: Mattermost Build <build@mattermost.com>
Co-authored-by: Miguel de la Cruz <mgdelacroix@gmail.com>
2024-01-09 10:04:16 -07:00
Ben Schumacher
5b6b425cfc
[MM-56061] Only render where field in model.AppError when it's present (#25648)
* Only render where field in model.AppError when it's present

* Remove trailing comma from permission error
2023-12-11 10:27:51 +01:00
Ben Schumacher
0d5a8b8841
Add whitespace linter (#24855)
2023-10-11 10:13:36 +02:00
Agniva De Sarker
d9a28c1244
MM-52532: Fix golangci warnings for public module (#23918)
https://mattermost.atlassian.net/browse/MM-52532

```release-note
NONE
```
2023-06-30 20:12:56 +05:30
Jesse Hallam
bb02b35048
Expose public/ API as submodule (#23345)
* model -> public/model

* plugin -> public/plugin

* public/model/utils -> public/utils

* platform/shared/mlog -> public/shared/mlog

* platform/shared/i18n -> public/shared/i18n

* platform/shared/markdown -> public/shared/markdown

* platform/services/timezones -> public/shared/timezones

* channels/einterfaces -> einterfaces

* expose public/ submodule

* go mod tidy

* .github: cache-dependency-path, setup-go-work

* modules-tidy for public/ too

* remove old gomodtidy
2023-05-10 13:07:02 -03:00
Renamed from server/model/utils_test.go