Merge remote-tracking branch 'upstream/master' into no-ivar-in-modules

* upstream/master: (126 commits)
  Update VERSION to 10.3.0-pre
  Update CHANGELOG.md for 10.2.0
  default fill color for SVGs
  ignore hashed repos (for now) when using `rake gitlab:cleanup:repos`
  Use Redis cache for branch existence checks
  Update CONTRIBUTING.md: Link definition of done to criteria
  Use `make install` for Gitaly setups in non-test environments
  FileUploader should check for hashed_storage?(:attachments) to use disk_path
  Set the default gitlab-shell timeout to 3 hours
  Update composite pipelines index to include "id"
  Use arrays in Pipeline#latest_builds_with_artifacts
  Fix blank states using old css
  Skip confirmation user api
  Custom issue tracker
  Revert "check for `read_only?` first before seeing if request is disallowed"
  add `#with_metadata` scope to remove a N+1 from the notes' API
  Fix promoting milestone updating all issuables without milestone
  Batchload blobs for diff generation
  check for `read_only?` first before seeing if request is disallowed
  use `Gitlab::Routing.url_helpers` instead of `Rails.application.routes.url_helpers`
  ...

13 files changed, 403 insertions, 15 deletions

diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
new file mode 100644
index 00000000000..ffcd90b9fcb
--- /dev/null
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+describe Gitlab::Auth::RequestAuthenticator do
+  let(:env) do
+    {
+      'rack.input' => '',
+      'REQUEST_METHOD' => 'GET'
+    }
+  end
+  let(:request) { ActionDispatch::Request.new(env) }
+
+  subject { described_class.new(request) }
+
+  describe '#user' do
+    let!(:sessionless_user) { build(:user) }
+    let!(:session_user) { build(:user) }
+
+    it 'returns sessionless user first' do
+      allow_any_instance_of(described_class).to receive(:find_sessionless_user).and_return(sessionless_user)
+      allow_any_instance_of(described_class).to receive(:find_user_from_warden).and_return(session_user)
+
+      expect(subject.user).to eq sessionless_user
+    end
+
+    it 'returns session user if no sessionless user found' do
+      allow_any_instance_of(described_class).to receive(:find_user_from_warden).and_return(session_user)
+
+      expect(subject.user).to eq session_user
+    end
+
+    it 'returns nil if no user found' do
+      expect(subject.user).to be_blank
+    end
+
+    it 'bubbles up exceptions' do
+      allow_any_instance_of(described_class).to receive(:find_user_from_warden).and_raise(Gitlab::Auth::UnauthorizedError)
+    end
+  end
+
+  describe '#find_sessionless_user' do
+    let!(:access_token_user) { build(:user) }
+    let!(:rss_token_user) { build(:user) }
+
+    it 'returns access_token user first' do
+      allow_any_instance_of(described_class).to receive(:find_user_from_access_token).and_return(access_token_user)
+      allow_any_instance_of(described_class).to receive(:find_user_from_rss_token).and_return(rss_token_user)
+
+      expect(subject.find_sessionless_user).to eq access_token_user
+    end
+
+    it 'returns rss_token user if no access_token user found' do
+      allow_any_instance_of(described_class).to receive(:find_user_from_rss_token).and_return(rss_token_user)
+
+      expect(subject.find_sessionless_user).to eq rss_token_user
+    end
+
+    it 'returns nil if no user found' do
+      expect(subject.find_sessionless_user).to be_blank
+    end
+
+    it 'rescue Gitlab::Auth::AuthenticationError exceptions' do
+      allow_any_instance_of(described_class).to receive(:find_user_from_access_token).and_raise(Gitlab::Auth::UnauthorizedError)
+
+      expect(subject.find_sessionless_user).to be_blank
+    end
+  end
+end
diff --git a/spec/lib/gitlab/auth/user_auth_finders_spec.rb b/spec/lib/gitlab/auth/user_auth_finders_spec.rb
new file mode 100644
index 00000000000..4637816570c
--- /dev/null
+++ b/spec/lib/gitlab/auth/user_auth_finders_spec.rb
@@ -0,0 +1,194 @@
+require 'spec_helper'
+
+describe Gitlab::Auth::UserAuthFinders do
+  include described_class
+
+  let(:user) { create(:user) }
+  let(:env) do
+    {
+      'rack.input' => ''
+    }
+  end
+  let(:request) { Rack::Request.new(env)}
+
+  def set_param(key, value)
+    request.update_param(key, value)
+  end
+
+  describe '#find_user_from_warden' do
+    context 'with CSRF token' do
+      before do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(true)
+      end
+
+      context 'with invalid credentials' do
+        it 'returns nil' do
+          expect(find_user_from_warden).to be_nil
+        end
+      end
+
+      context 'with valid credentials' do
+        it 'returns the user' do
+          env['warden'] = double("warden", authenticate: user)
+
+          expect(find_user_from_warden).to eq user
+        end
+      end
+    end
+
+    context 'without CSRF token' do
+      it 'returns nil' do
+        allow(Gitlab::RequestForgeryProtection).to receive(:verified?).and_return(false)
+        env['warden'] = double("warden", authenticate: user)
+
+        expect(find_user_from_warden).to be_nil
+      end
+    end
+  end
+
+  describe '#find_user_from_rss_token' do
+    context 'when the request format is atom' do
+      before do
+        env['HTTP_ACCEPT'] = 'application/atom+xml'
+      end
+
+      it 'returns user if valid rss_token' do
+        set_param(:rss_token, user.rss_token)
+
+        expect(find_user_from_rss_token).to eq user
+      end
+
+      it 'returns nil if rss_token is blank' do
+        expect(find_user_from_rss_token).to be_nil
+      end
+
+      it 'returns exception if invalid rss_token' do
+        set_param(:rss_token, 'invalid_token')
+
+        expect { find_user_from_rss_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
+    end
+
+    context 'when the request format is not atom' do
+      it 'returns nil' do
+        set_param(:rss_token, user.rss_token)
+
+        expect(find_user_from_rss_token).to be_nil
+      end
+    end
+  end
+
+  describe '#find_user_from_access_token' do
+    let(:personal_access_token) { create(:personal_access_token, user: user) }
+
+    it 'returns nil if no access_token present' do
+      expect(find_personal_access_token).to be_nil
+    end
+
+    context 'when validate_access_token! returns valid' do
+      it 'returns user' do
+        env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+
+        expect(find_user_from_access_token).to eq user
+      end
+
+      it 'returns exception if token has no user' do
+        env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+        allow_any_instance_of(PersonalAccessToken).to receive(:user).and_return(nil)
+
+        expect { find_user_from_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
+    end
+  end
+
+  describe '#find_personal_access_token' do
+    let(:personal_access_token) { create(:personal_access_token, user: user) }
+
+    context 'passed as header' do
+      it 'returns token if valid personal_access_token' do
+        env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = personal_access_token.token
+
+        expect(find_personal_access_token).to eq personal_access_token
+      end
+    end
+
+    context 'passed as param' do
+      it 'returns token if valid personal_access_token' do
+        set_param(Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_PARAM, personal_access_token.token)
+
+        expect(find_personal_access_token).to eq personal_access_token
+      end
+    end
+
+    it 'returns nil if no personal_access_token' do
+      expect(find_personal_access_token).to be_nil
+    end
+
+    it 'returns exception if invalid personal_access_token' do
+      env[Gitlab::Auth::UserAuthFinders::PRIVATE_TOKEN_HEADER] = 'invalid_token'
+
+      expect { find_personal_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+    end
+  end
+
+  describe '#find_oauth_access_token' do
+    let(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) }
+    let(:token) { Doorkeeper::AccessToken.create!(application_id: application.id, resource_owner_id: user.id, scopes: 'api') }
+
+    context 'passed as header' do
+      it 'returns token if valid oauth_access_token' do
+        env['HTTP_AUTHORIZATION'] = "Bearer #{token.token}"
+
+        expect(find_oauth_access_token.token).to eq token.token
+      end
+    end
+
+    context 'passed as param' do
+      it 'returns user if valid oauth_access_token' do
+        set_param(:access_token, token.token)
+
+        expect(find_oauth_access_token.token).to eq token.token
+      end
+    end
+
+    it 'returns nil if no oauth_access_token' do
+      expect(find_oauth_access_token).to be_nil
+    end
+
+    it 'returns exception if invalid oauth_access_token' do
+      env['HTTP_AUTHORIZATION'] = "Bearer invalid_token"
+
+      expect { find_oauth_access_token }.to raise_error(Gitlab::Auth::UnauthorizedError)
+    end
+  end
+
+  describe '#validate_access_token!' do
+    let(:personal_access_token) { create(:personal_access_token, user: user) }
+
+    it 'returns nil if no access_token present' do
+      expect(validate_access_token!).to be_nil
+    end
+
+    context 'token is not valid' do
+      before do
+        allow_any_instance_of(described_class).to receive(:access_token).and_return(personal_access_token)
+      end
+
+      it 'returns Gitlab::Auth::ExpiredError if token expired' do
+        personal_access_token.expires_at = 1.day.ago
+
+        expect { validate_access_token! }.to raise_error(Gitlab::Auth::ExpiredError)
+      end
+
+      it 'returns Gitlab::Auth::RevokedError if token revoked' do
+        personal_access_token.revoke!
+
+        expect { validate_access_token! }.to raise_error(Gitlab::Auth::RevokedError)
+      end
+
+      it 'returns Gitlab::Auth::InsufficientScopeError if invalid token scope' do
+        expect { validate_access_token!(scopes: [:sudo]) }.to raise_error(Gitlab::Auth::InsufficientScopeError)
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/bitbucket_import/importer_spec.rb b/spec/lib/gitlab/bitbucket_import/importer_spec.rb
index a66347ead76..a6a1d9e619f 100644
--- a/spec/lib/gitlab/bitbucket_import/importer_spec.rb
+++ b/spec/lib/gitlab/bitbucket_import/importer_spec.rb
@@ -54,11 +54,13 @@ describe Gitlab::BitbucketImport::Importer do
     create(
       :project,
       import_source: project_identifier,
+      import_url: "https://bitbucket.org/#{project_identifier}.git",
       import_data_attributes: { credentials: data }
     )
   end
 
   let(:importer) { described_class.new(project) }
+  let(:gitlab_shell) { double }
 
   let(:issues_statuses_sample_data) do
     {
@@ -67,6 +69,10 @@ describe Gitlab::BitbucketImport::Importer do
     }
   end
 
+  before do
+    allow(importer).to receive(:gitlab_shell) { gitlab_shell }
+  end
+
   context 'issues statuses' do
     before do
       # HACK: Bitbucket::Representation.const_get('Issue') seems to return ::Issue without this
@@ -110,15 +116,36 @@ describe Gitlab::BitbucketImport::Importer do
     end
 
     it 'maps statuses to open or closed' do
+      allow(importer).to receive(:import_wiki)
+
       importer.execute
 
       expect(project.issues.where(state: "closed").size).to eq(5)
       expect(project.issues.where(state: "opened").size).to eq(2)
     end
 
-    it 'calls import_wiki' do
-      expect(importer).to receive(:import_wiki)
-      importer.execute
+    describe 'wiki import' do
+      it 'is skipped when the wiki exists' do
+        expect(project.wiki).to receive(:repository_exists?) { true }
+        expect(importer.gitlab_shell).not_to receive(:import_repository)
+
+        importer.execute
+
+        expect(importer.errors).to be_empty
+      end
+
+      it 'imports to the project disk_path' do
+        expect(project.wiki).to receive(:repository_exists?) { false }
+        expect(importer.gitlab_shell).to receive(:import_repository).with(
+          project.repository_storage_path,
+          project.wiki.disk_path,
+          project.import_url + '/wiki'
+        )
+
+        importer.execute
+
+        expect(importer.errors).to be_empty
+      end
     end
   end
 end
diff --git a/spec/lib/gitlab/conflict/file_spec.rb b/spec/lib/gitlab/conflict/file_spec.rb
index bf981d2f6f6..92792144429 100644
--- a/spec/lib/gitlab/conflict/file_spec.rb
+++ b/spec/lib/gitlab/conflict/file_spec.rb
@@ -84,6 +84,13 @@ describe Gitlab::Conflict::File do
         expect(line.text).to eq(html_to_text(line.rich_text))
       end
     end
+
+    # This spec will break if Rouge's highlighting changes, but we need to
+    # ensure that the lines are actually highlighted.
+    it 'highlights the lines correctly' do
+      expect(conflict_file.lines.first.rich_text)
+        .to eq("<span id=\"LC1\" class=\"line\" lang=\"ruby\"><span class=\"k\">module</span> <span class=\"nn\">Gitlab</span></span>\n")
+    end
   end
 
   describe '#sections' do
diff --git a/spec/lib/gitlab/database/rename_reserved_paths_migration/v1/rename_projects_spec.rb b/spec/lib/gitlab/database/rename_reserved_paths_migration/v1/rename_projects_spec.rb
index 8922370b0a0..e850b5cd6a4 100644
--- a/spec/lib/gitlab/database/rename_reserved_paths_migration/v1/rename_projects_spec.rb
+++ b/spec/lib/gitlab/database/rename_reserved_paths_migration/v1/rename_projects_spec.rb
@@ -87,6 +87,14 @@ describe Gitlab::Database::RenameReservedPathsMigration::V1::RenameProjects, :tr
       subject.move_project_folders(project, 'known-parent/the-path', 'known-parent/the-path0')
     end
 
+    it 'does not move the repositories when hashed storage is enabled' do
+      project.update!(storage_version: Project::HASHED_STORAGE_FEATURES[:repository])
+
+      expect(subject).not_to receive(:move_repository)
+
+      subject.move_project_folders(project, 'known-parent/the-path', 'known-parent/the-path0')
+    end
+
     it 'moves uploads' do
       expect(subject).to receive(:move_uploads)
                            .with('known-parent/the-path', 'known-parent/the-path0')
@@ -94,6 +102,14 @@ describe Gitlab::Database::RenameReservedPathsMigration::V1::RenameProjects, :tr
       subject.move_project_folders(project, 'known-parent/the-path', 'known-parent/the-path0')
     end
 
+    it 'does not move uploads when hashed storage is enabled for attachments' do
+      project.update!(storage_version: Project::HASHED_STORAGE_FEATURES[:attachments])
+
+      expect(subject).not_to receive(:move_uploads)
+
+      subject.move_project_folders(project, 'known-parent/the-path', 'known-parent/the-path0')
+    end
+
     it 'moves pages' do
       expect(subject).to receive(:move_pages)
                            .with('known-parent/the-path', 'known-parent/the-path0')
diff --git a/spec/lib/gitlab/diff/file_spec.rb b/spec/lib/gitlab/diff/file_spec.rb
index c91895cedc3..ff9acfd08b9 100644
--- a/spec/lib/gitlab/diff/file_spec.rb
+++ b/spec/lib/gitlab/diff/file_spec.rb
@@ -116,12 +116,8 @@ describe Gitlab::Diff::File do
     end
 
     context 'when renamed' do
-      let(:commit) { project.commit('6907208d755b60ebeacb2e9dfea74c92c3449a1f') }
-      let(:diff_file) { commit.diffs.diff_file_with_new_path('files/js/commit.coffee') }
-
-      before do
-        allow(diff_file.new_blob).to receive(:id).and_return(diff_file.old_blob.id)
-      end
+      let(:commit) { project.commit('94bb47ca1297b7b3731ff2a36923640991e9236f') }
+      let(:diff_file) { commit.diffs.diff_file_with_new_path('CHANGELOG.md') }
 
       it 'returns false' do
         expect(diff_file.content_changed?).to be_falsey
diff --git a/spec/lib/gitlab/git/diff_collection_spec.rb b/spec/lib/gitlab/git/diff_collection_spec.rb
index ee657101f4c..65edc750f39 100644
--- a/spec/lib/gitlab/git/diff_collection_spec.rb
+++ b/spec/lib/gitlab/git/diff_collection_spec.rb
@@ -487,6 +487,7 @@ describe Gitlab::Git::DiffCollection, seed_helper: true do
 
       loop do
         break if @count.zero?
+
         # It is critical to decrement before yielding. We may never reach the lines after 'yield'.
         @count -= 1
         yield @value
diff --git a/spec/lib/gitlab/git/repository_spec.rb b/spec/lib/gitlab/git/repository_spec.rb
index 5d990b42c24..f0da77c61bb 100644
--- a/spec/lib/gitlab/git/repository_spec.rb
+++ b/spec/lib/gitlab/git/repository_spec.rb
@@ -629,16 +629,29 @@ describe Gitlab::Git::Repository, seed_helper: true do
   end
 
   describe '#remote_tags' do
+    let(:remote_name) { 'upstream' }
     let(:target_commit_id) { SeedRepo::Commit::ID }
+    let(:user) { create(:user) }
+    let(:tag_name) { 'v0.0.1' }
+    let(:tag_message) { 'My tag' }
+    let(:remote_repository) do
+      Gitlab::Git::Repository.new('default', TEST_MUTABLE_REPO_PATH, '')
+    end
 
-    subject { repository.remote_tags('upstream') }
+    subject { repository.remote_tags(remote_name) }
 
-    it 'gets the remote tags' do
-      expect(repository).to receive(:list_remote_tags).with('upstream')
-        .and_return(["#{target_commit_id}\trefs/tags/v0.0.1\n"])
+    before do
+      repository.add_remote(remote_name, remote_repository.path)
+      remote_repository.add_tag(tag_name, user: user, target: target_commit_id)
+    end
+
+    after do
+      ensure_seeds
+    end
 
+    it 'gets the remote tags' do
       expect(subject.first).to be_an_instance_of(Gitlab::Git::Tag)
-      expect(subject.first.name).to eq('v0.0.1')
+      expect(subject.first.name).to eq(tag_name)
       expect(subject.first.dereferenced_target.id).to eq(target_commit_id)
     end
   end
@@ -1770,6 +1783,32 @@ describe Gitlab::Git::Repository, seed_helper: true do
     end
   end
 
+  describe '#delete_all_refs_except' do
+    let(:repository) do
+      Gitlab::Git::Repository.new('default', TEST_MUTABLE_REPO_PATH, '')
+    end
+
+    before do
+      repository.write_ref("refs/delete/a", "0b4bc9a49b562e85de7cc9e834518ea6828729b9")
+      repository.write_ref("refs/also-delete/b", "12d65c8dd2b2676fa3ac47d955accc085a37a9c1")
+      repository.write_ref("refs/keep/c", "6473c90867124755509e100d0d35ebdc85a0b6ae")
+      repository.write_ref("refs/also-keep/d", "0b4bc9a49b562e85de7cc9e834518ea6828729b9")
+    end
+
+    after do
+      ensure_seeds
+    end
+
+    it 'deletes all refs except those with the specified prefixes' do
+      repository.delete_all_refs_except(%w(refs/keep refs/also-keep refs/heads))
+      expect(repository.ref_exists?("refs/delete/a")).to be(false)
+      expect(repository.ref_exists?("refs/also-delete/b")).to be(false)
+      expect(repository.ref_exists?("refs/keep/c")).to be(true)
+      expect(repository.ref_exists?("refs/also-keep/d")).to be(true)
+      expect(repository.ref_exists?("refs/heads/master")).to be(true)
+    end
+  end
+
   def create_remote_branch(repository, remote_name, branch_name, source_branch_name)
     source_branch = repository.branches.find { |branch| branch.name == source_branch_name }
     rugged = repository.rugged
diff --git a/spec/lib/gitlab/gitaly_client/ref_service_spec.rb b/spec/lib/gitlab/gitaly_client/ref_service_spec.rb
index 8127b4842b7..951e146a30a 100644
--- a/spec/lib/gitlab/gitaly_client/ref_service_spec.rb
+++ b/spec/lib/gitlab/gitaly_client/ref_service_spec.rb
@@ -104,4 +104,17 @@ describe Gitlab::GitalyClient::RefService do
       expect { client.ref_exists?('reXXXXX') }.to raise_error(ArgumentError)
     end
   end
+
+  describe '#delete_refs' do
+    let(:prefixes) { %w(refs/heads refs/keep-around) }
+
+    it 'sends a delete_refs message' do
+      expect_any_instance_of(Gitaly::RefService::Stub)
+        .to receive(:delete_refs)
+        .with(gitaly_request_with_params(except_with_prefix: prefixes), kind_of(Hash))
+        .and_return(double('delete_refs_response'))
+
+      client.delete_refs(except_with_prefixes: prefixes)
+    end
+  end
 end
diff --git a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
index e4b4cf5ba85..c2bda6f8821 100644
--- a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
@@ -155,7 +155,7 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
         end
 
         it 'has no source if source/target differ' do
-          expect(MergeRequest.find_by_title('MR2').source_project_id).to eq(-1)
+          expect(MergeRequest.find_by_title('MR2').source_project_id).to be_nil
         end
       end
 
diff --git a/spec/lib/gitlab/middleware/go_spec.rb b/spec/lib/gitlab/middleware/go_spec.rb
index 67121937398..60a134be939 100644
--- a/spec/lib/gitlab/middleware/go_spec.rb
+++ b/spec/lib/gitlab/middleware/go_spec.rb
@@ -127,6 +127,14 @@ describe Gitlab::Middleware::Go do
 
         include_examples 'go-get=1', enabled_protocol: nil
       end
+
+      context 'with nothing disabled (blank string)' do
+        before do
+          stub_application_setting(enabled_git_access_protocol: '')
+        end
+
+        include_examples 'go-get=1', enabled_protocol: nil
+      end
     end
 
     def go
diff --git a/spec/lib/gitlab/middleware/read_only_spec.rb b/spec/lib/gitlab/middleware/read_only_spec.rb
index b14735943a5..07ba11b93a3 100644
--- a/spec/lib/gitlab/middleware/read_only_spec.rb
+++ b/spec/lib/gitlab/middleware/read_only_spec.rb
@@ -84,14 +84,23 @@ describe Gitlab::Middleware::ReadOnly do
     end
 
     it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
+      expect(Rails.application.routes).to receive(:recognize_path).and_call_original
       response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')
 
       expect(response).to be_a_redirect
       expect(subject).to disallow_request
     end
 
+    it 'returns last_vistited_url for disallowed request' do
+      response = request.post('/test_request')
+
+      expect(response.location).to eq 'http://localhost/'
+    end
+
     context 'whitelisted requests' do
       it 'expects a POST internal request to be allowed' do
+        expect(Rails.application.routes).not_to receive(:recognize_path)
+
         response = request.post("/api/#{API::API.version}/internal")
 
         expect(response).not_to be_a_redirect
@@ -99,6 +108,7 @@ describe Gitlab::Middleware::ReadOnly do
       end
 
       it 'expects a POST LFS request to batch URL to be allowed' do
+        expect(Rails.application.routes).to receive(:recognize_path).and_call_original
         response = request.post('/root/rouge.git/info/lfs/objects/batch')
 
         expect(response).not_to be_a_redirect
@@ -106,6 +116,7 @@ describe Gitlab::Middleware::ReadOnly do
       end
 
       it 'expects a POST request to git-upload-pack URL to be allowed' do
+        expect(Rails.application.routes).to receive(:recognize_path).and_call_original
         response = request.post('/root/rouge.git/git-upload-pack')
 
         expect(response).not_to be_a_redirect
diff --git a/spec/lib/gitlab/o_auth/user_spec.rb b/spec/lib/gitlab/o_auth/user_spec.rb
index c7471a21fda..2f19fb7312d 100644
--- a/spec/lib/gitlab/o_auth/user_spec.rb
+++ b/spec/lib/gitlab/o_auth/user_spec.rb
@@ -662,4 +662,13 @@ describe Gitlab::OAuth::User do
       end
     end
   end
+
+  describe '.find_by_uid_and_provider' do
+    let!(:existing_user) { create(:omniauth_user, extern_uid: 'my-uid', provider: 'my-provider') }
+
+    it 'normalizes extern_uid' do
+      allow(oauth_user.auth_hash).to receive(:uid).and_return('MY-UID')
+      expect(oauth_user.find_user).to eql gl_user
+    end
+  end
 end