Merge branch 'master' into chart.html.haml-refactorchart.html.haml-refactor

* master: (484 commits)
  migrate admin:users:* to static bundle
  correct for missing break statement in dispatcher.js
  alias create and update actions to new and edit
  migrate projects:merge_requests:edit to static bundle
  migrate projects:merge_requests:creations:diffs to static bundle
  migrate projects:merge_requests:creations:new to static bundle
  migrate projects:issues:new and projects:issues:edit to static bundle
  migrate projects:branches:index to static bundle
  migrate projects:branches:new to static bundle
  migrate projects:compare:show to static bundle
  migrate projects:environments:metrics to static bundle
  migrate projects:milestones:* and groups:milestones:* to static bundle
  migrate explore:groups:index to static bundle
  migrate explore:projects:* to static bundle
  migrate dashboard:projects:* to static bundle
  migrate admin:jobs:index to static bundle
  migrate dashboard:todos:index to static bundle
  migrate groups:merge_requests to static bundle
  migrate groups:issues to static bundle
  migrate dashboard:merge_requests to static bundle
  ...

17 files changed, 744 insertions, 67 deletions

diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index ff5f207487b..31959d28fee 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -465,6 +465,72 @@ describe API::Commits do
     end
   end
 
+  describe 'GET /projects/:id/repository/commits/:sha/refs' do
+    let(:project) { create(:project, :public, :repository) }
+    let(:tag) { project.repository.find_tag('v1.1.0') }
+    let(:commit_id) { tag.dereferenced_target.id }
+    let(:route) { "/projects/#{project_id}/repository/commits/#{commit_id}/refs" }
+
+    context 'when ref does not exist' do
+      let(:commit_id) { 'unknown' }
+
+      it_behaves_like '404 response' do
+        let(:request) { get api(route, current_user) }
+        let(:message) { '404 Commit Not Found' }
+      end
+    end
+
+    context 'when repository is disabled' do
+      include_context 'disabled repository'
+
+      it_behaves_like '403 response' do
+        let(:request) { get api(route, current_user) }
+      end
+    end
+
+    context 'for a valid commit' do
+      it 'returns all refs with no scope' do
+        get api(route, current_user), per_page: 100
+
+        refs = project.repository.branch_names_contains(commit_id).map {|name| ['branch', name]}
+        refs.concat(project.repository.tag_names_contains(commit_id).map {|name| ['tag', name]})
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response.map { |r| [r['type'], r['name']] }.compact).to eq(refs)
+      end
+
+      it 'returns all refs' do
+        get api(route, current_user), type: 'all', per_page: 100
+
+        refs = project.repository.branch_names_contains(commit_id).map {|name| ['branch', name]}
+        refs.concat(project.repository.tag_names_contains(commit_id).map {|name| ['tag', name]})
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response.map { |r| [r['type'], r['name']] }.compact).to eq(refs)
+      end
+
+      it 'returns the branch refs' do
+        get api(route, current_user), type: 'branch', per_page: 100
+
+        refs = project.repository.branch_names_contains(commit_id).map {|name| ['branch', name]}
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response.map { |r| [r['type'], r['name']] }.compact).to eq(refs)
+      end
+
+      it 'returns the tag refs' do
+        get api(route, current_user), type: 'tag', per_page: 100
+
+        refs = project.repository.tag_names_contains(commit_id).map {|name| ['tag', name]}
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response.map { |r| [r['type'], r['name']] }.compact).to eq(refs)
+      end
+    end
+  end
+
   describe 'GET /projects/:id/repository/commits/:sha' do
     let(:commit) { project.repository.commit }
     let(:commit_id) { commit.id }
diff --git a/spec/requests/api/group_variables_spec.rb b/spec/requests/api/group_variables_spec.rb
index a4f198eb5c9..64fa7dc824c 100644
--- a/spec/requests/api/group_variables_spec.rb
+++ b/spec/requests/api/group_variables_spec.rb
@@ -142,12 +142,12 @@ describe API::GroupVariables do
       end
 
       it 'updates variable data' do
-        initial_variable = group.variables.first
+        initial_variable = group.variables.reload.first
         value_before = initial_variable.value
 
         put api("/groups/#{group.id}/variables/#{variable.key}", user), value: 'VALUE_1_UP', protected: true
 
-        updated_variable = group.variables.first
+        updated_variable = group.variables.reload.first
 
         expect(response).to have_gitlab_http_status(200)
         expect(value_before).to eq(variable.value)
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index ea6b0a71849..c7df6251d74 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -366,20 +366,9 @@ describe API::Internal do
           end
         end
 
-        context 'project as /namespace/project' do
-          it do
-            push(key, project_with_repo_path('/' + project.full_path))
-
-            expect(response).to have_gitlab_http_status(200)
-            expect(json_response["status"]).to be_truthy
-            expect(json_response["repository_path"]).to eq(project.repository.path_to_repo)
-            expect(json_response["gl_repository"]).to eq("project-#{project.id}")
-          end
-        end
-
         context 'project as namespace/project' do
           it do
-            push(key, project_with_repo_path(project.full_path))
+            push(key, project)
 
             expect(response).to have_gitlab_http_status(200)
             expect(json_response["status"]).to be_truthy
@@ -496,8 +485,10 @@ describe API::Internal do
     end
 
     context 'project does not exist' do
-      it do
-        pull(key, project_with_repo_path('gitlab/notexist'))
+      it 'returns a 200 response with status: false' do
+        project.destroy
+
+        pull(key, project)
 
         expect(response).to have_gitlab_http_status(200)
         expect(json_response["status"]).to be_falsey
@@ -569,6 +560,7 @@ describe API::Internal do
     end
 
     context 'the project path was changed' do
+      let(:project) { create(:project, :repository, :legacy_storage) }
       let!(:old_path_to_repo) { project.repository.path_to_repo }
       let!(:repository) { project.repository }
 
@@ -858,9 +850,14 @@ describe API::Internal do
     end
   end
 
-  def project_with_repo_path(path)
-    double().tap do |fake_project|
-      allow(fake_project).to receive_message_chain('repository.path_to_repo' => path)
+  def gl_repository_for(project_or_wiki)
+    case project_or_wiki
+    when ProjectWiki
+      project_or_wiki.project.gl_repository(is_wiki: true)
+    when Project
+      project_or_wiki.gl_repository(is_wiki: false)
+    else
+      nil
     end
   end
 
@@ -868,18 +865,8 @@ describe API::Internal do
     post(
       api("/internal/allowed"),
       key_id: key.id,
-      project: project.repository.path_to_repo,
-      action: 'git-upload-pack',
-      secret_token: secret_token,
-      protocol: protocol
-    )
-  end
-
-  def pull_with_path(key, path_to_repo, protocol = 'ssh')
-    post(
-      api("/internal/allowed"),
-      key_id: key.id,
-      project: path_to_repo,
+      project: project.full_path,
+      gl_repository: gl_repository_for(project),
       action: 'git-upload-pack',
       secret_token: secret_token,
       protocol: protocol
@@ -891,20 +878,8 @@ describe API::Internal do
       api("/internal/allowed"),
       changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
       key_id: key.id,
-      project: project.repository.path_to_repo,
-      action: 'git-receive-pack',
-      secret_token: secret_token,
-      protocol: protocol,
-      env: env
-    )
-  end
-
-  def push_with_path(key, path_to_repo, protocol = 'ssh', env: nil)
-    post(
-      api("/internal/allowed"),
-      changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
-      key_id: key.id,
-      project: path_to_repo,
+      project: project.full_path,
+      gl_repository: gl_repository_for(project),
       action: 'git-receive-pack',
       secret_token: secret_token,
       protocol: protocol,
@@ -917,7 +892,8 @@ describe API::Internal do
       api("/internal/allowed"),
       ref: 'master',
       key_id: key.id,
-      project: project.repository.path_to_repo,
+      project: project.full_path,
+      gl_repository: gl_repository_for(project),
       action: 'git-upload-archive',
       secret_token: secret_token,
       protocol: 'ssh'
@@ -929,7 +905,7 @@ describe API::Internal do
       api("/internal/lfs_authenticate"),
       key_id: key_id,
       secret_token: secret_token,
-      project: project.repository.path_to_repo
+      project: project.full_path
     )
   end
 end
diff --git a/spec/requests/api/project_import_spec.rb b/spec/requests/api/project_import_spec.rb
new file mode 100644
index 00000000000..987f6e26971
--- /dev/null
+++ b/spec/requests/api/project_import_spec.rb
@@ -0,0 +1,102 @@
+require 'spec_helper'
+
+describe API::ProjectImport do
+  let(:export_path) { "#{Dir.tmpdir}/project_export_spec" }
+  let(:user) { create(:user) }
+  let(:file) { File.join(Rails.root, 'spec', 'features', 'projects', 'import_export', 'test_project_export.tar.gz') }
+  let(:namespace) { create(:group) }
+  before do
+    allow_any_instance_of(Gitlab::ImportExport).to receive(:storage_path).and_return(export_path)
+
+    namespace.add_owner(user)
+  end
+
+  after do
+    FileUtils.rm_rf(export_path, secure: true)
+  end
+
+  describe 'POST /projects/import' do
+    it 'schedules an import using a namespace' do
+      stub_import(namespace)
+
+      post api('/projects/import', user), path: 'test-import', file: fixture_file_upload(file), namespace: namespace.id
+
+      expect(response).to have_gitlab_http_status(201)
+    end
+
+    it 'schedules an import using the namespace path' do
+      stub_import(namespace)
+
+      post api('/projects/import', user), path: 'test-import', file: fixture_file_upload(file), namespace: namespace.full_path
+
+      expect(response).to have_gitlab_http_status(201)
+    end
+
+    it 'schedules an import at the user namespace level' do
+      stub_import(user.namespace)
+
+      post api('/projects/import', user), path: 'test-import2', file: fixture_file_upload(file)
+
+      expect(response).to have_gitlab_http_status(201)
+    end
+
+    it 'schedules an import at the user namespace level' do
+      expect_any_instance_of(Project).not_to receive(:import_schedule)
+      expect(::Projects::CreateService).not_to receive(:new)
+
+      post api('/projects/import', user), namespace: 'nonexistent', path: 'test-import2', file: fixture_file_upload(file)
+
+      expect(response).to have_gitlab_http_status(404)
+      expect(json_response['message']).to eq('404 Namespace Not Found')
+    end
+
+    it 'does not schedule an import if the user has no permission to the namespace' do
+      expect_any_instance_of(Project).not_to receive(:import_schedule)
+
+      post(api('/projects/import', create(:user)),
+           path: 'test-import3',
+           file: fixture_file_upload(file),
+           namespace: namespace.full_path)
+
+      expect(response).to have_gitlab_http_status(404)
+      expect(json_response['message']).to eq('404 Namespace Not Found')
+    end
+
+    it 'does not schedule an import if the user uploads no valid file' do
+      expect_any_instance_of(Project).not_to receive(:import_schedule)
+
+      post api('/projects/import', user), path: 'test-import3', file: './random/test'
+
+      expect(response).to have_gitlab_http_status(400)
+      expect(json_response['error']).to eq('file is invalid')
+    end
+
+    def stub_import(namespace)
+      expect_any_instance_of(Project).to receive(:import_schedule)
+      expect(::Projects::CreateService).to receive(:new).with(user, hash_including(namespace_id: namespace.id)).and_call_original
+    end
+  end
+
+  describe 'GET /projects/:id/import' do
+    it 'returns the import status' do
+      project = create(:project, import_status: 'started')
+      project.add_master(user)
+
+      get api("/projects/#{project.id}/import", user)
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to include('import_status' => 'started')
+    end
+
+    it 'returns the import status and the error if failed' do
+      project = create(:project, import_status: 'failed', import_error: 'error')
+      project.add_master(user)
+
+      get api("/projects/#{project.id}/import", user)
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response).to include('import_status' => 'failed',
+                                       'import_error' => 'error')
+    end
+  end
+end
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index f11cd638d96..00dd8897e6a 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -460,7 +460,7 @@ describe API::Projects do
       expect(response).to have_gitlab_http_status(201)
 
       project.each_pair do |k, v|
-        next if %i[has_external_issue_tracker issues_enabled merge_requests_enabled wiki_enabled].include?(k)
+        next if %i[has_external_issue_tracker issues_enabled merge_requests_enabled wiki_enabled storage_version].include?(k)
 
         expect(json_response[k.to_s]).to eq(v)
       end
@@ -622,12 +622,8 @@ describe API::Projects do
   end
 
   describe 'POST /projects/user/:id' do
-    before do
-      expect(project).to be_persisted
-    end
-
     it 'creates new project without path but with name and return 201' do
-      expect { post api("/projects/user/#{user.id}", admin), name: 'Foo Project' }.to change {Project.count}.by(1)
+      expect { post api("/projects/user/#{user.id}", admin), name: 'Foo Project' }.to change { Project.count }.by(1)
       expect(response).to have_gitlab_http_status(201)
 
       project = Project.last
@@ -666,8 +662,9 @@ describe API::Projects do
       post api("/projects/user/#{user.id}", admin), project
 
       expect(response).to have_gitlab_http_status(201)
+
       project.each_pair do |k, v|
-        next if %i[has_external_issue_tracker path].include?(k)
+        next if %i[has_external_issue_tracker path storage_version].include?(k)
 
         expect(json_response[k.to_s]).to eq(v)
       end
diff --git a/spec/requests/api/runner_spec.rb b/spec/requests/api/runner_spec.rb
index 0bd88748479..f10b6e43d09 100644
--- a/spec/requests/api/runner_spec.rb
+++ b/spec/requests/api/runner_spec.rb
@@ -8,6 +8,7 @@ describe API::Runner do
   before do
     stub_gitlab_calls
     stub_application_setting(runners_registration_token: registration_token)
+    allow_any_instance_of(Ci::Runner).to receive(:cache_attributes)
   end
 
   describe '/api/v4/runners' do
@@ -408,7 +409,7 @@ describe API::Runner do
             expect { request_job }.to change { runner.reload.contacted_at }
           end
 
-          %w(name version revision platform architecture).each do |param|
+          %w(version revision platform architecture).each do |param|
             context "when info parameter '#{param}' is present" do
               let(:value) { "#{param}_value" }
 
diff --git a/spec/requests/api/search_spec.rb b/spec/requests/api/search_spec.rb
new file mode 100644
index 00000000000..9052a18c60b
--- /dev/null
+++ b/spec/requests/api/search_spec.rb
@@ -0,0 +1,318 @@
+require 'spec_helper'
+
+describe API::Search do
+  set(:user) { create(:user) }
+  set(:group) { create(:group) }
+  set(:project) { create(:project, :public, name: 'awesome project', group: group) }
+  set(:repo_project) { create(:project, :public, :repository, group: group) }
+
+  shared_examples 'response is correct' do |schema:, size: 1|
+    it { expect(response).to have_gitlab_http_status(200) }
+    it { expect(response).to match_response_schema(schema) }
+    it { expect(response).to include_limited_pagination_headers }
+    it { expect(json_response.size).to eq(size) }
+  end
+
+  describe 'GET /search'  do
+    context 'when user is not authenticated' do
+      it 'returns 401 error' do
+        get api('/search'), scope: 'projects', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+    end
+
+    context 'when scope is not supported' do
+      it 'returns 400 error' do
+        get api('/search', user), scope: 'unsupported', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'when scope is missing' do
+      it 'returns 400 error' do
+        get api('/search', user), search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'with correct params' do
+      context 'for projects scope' do
+        before do
+          get api('/search', user), scope: 'projects', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/projects'
+      end
+
+      context 'for issues scope' do
+        before do
+          create(:issue, project: project, title: 'awesome issue')
+
+          get api('/search', user), scope: 'issues', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/issues'
+      end
+
+      context 'for merge_requests scope' do
+        before do
+          create(:merge_request, source_project: repo_project, title: 'awesome mr')
+
+          get api('/search', user), scope: 'merge_requests', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/merge_requests'
+      end
+
+      context 'for milestones scope' do
+        before do
+          create(:milestone, project: project, title: 'awesome milestone')
+
+          get api('/search', user), scope: 'milestones', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+      end
+
+      context 'for snippet_titles scope' do
+        before do
+          create(:snippet, :public, title: 'awesome snippet', content: 'snippet content')
+
+          get api('/search', user), scope: 'snippet_titles', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/snippets'
+      end
+
+      context 'for snippet_blobs scope' do
+        before do
+          create(:snippet, :public, title: 'awesome snippet', content: 'snippet content')
+
+          get api('/search', user), scope: 'snippet_blobs', search: 'content'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/snippets'
+      end
+    end
+  end
+
+  describe "GET /groups/:id/-/search" do
+    context 'when user is not authenticated' do
+      it 'returns 401 error' do
+        get api("/groups/#{group.id}/-/search"), scope: 'projects', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+    end
+
+    context 'when scope is not supported' do
+      it 'returns 400 error' do
+        get api("/groups/#{group.id}/-/search", user), scope: 'unsupported', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'when scope is missing' do
+      it 'returns 400 error' do
+        get api("/groups/#{group.id}/-/search", user), search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'when group does not exist' do
+      it 'returns 404 error' do
+        get api('/groups/9999/-/search', user), scope: 'issues', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user does can not see the group' do
+      it 'returns 404 error' do
+        private_group = create(:group, :private)
+
+        get api("/groups/#{private_group.id}/-/search", user), scope: 'issues', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'with correct params' do
+      context 'for projects scope' do
+        before do
+          get api("/groups/#{group.id}/-/search", user), scope: 'projects', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/projects'
+      end
+
+      context 'for issues scope' do
+        before do
+          create(:issue, project: project, title: 'awesome issue')
+
+          get api("/groups/#{group.id}/-/search", user), scope: 'issues', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/issues'
+      end
+
+      context 'for merge_requests scope' do
+        before do
+          create(:merge_request, source_project: repo_project, title: 'awesome mr')
+
+          get api("/groups/#{group.id}/-/search", user), scope: 'merge_requests', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/merge_requests'
+      end
+
+      context 'for milestones scope' do
+        before do
+          create(:milestone, project: project, title: 'awesome milestone')
+
+          get api("/groups/#{group.id}/-/search", user), scope: 'milestones', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+      end
+
+      context 'for milestones scope with group path as id' do
+        before do
+          another_project = create(:project, :public)
+          create(:milestone, project: project, title: 'awesome milestone')
+          create(:milestone, project: another_project, title: 'awesome milestone other project')
+
+          get api("/groups/#{CGI.escape(group.full_path)}/-/search", user), scope: 'milestones', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+      end
+    end
+  end
+
+  describe "GET /projects/:id/search" do
+    context 'when user is not authenticated' do
+      it 'returns 401 error' do
+        get api("/projects/#{project.id}/-/search"), scope: 'issues', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(401)
+      end
+    end
+
+    context 'when scope is not supported' do
+      it 'returns 400 error' do
+        get api("/projects/#{project.id}/-/search", user), scope: 'unsupported', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'when scope is missing' do
+      it 'returns 400 error' do
+        get api("/projects/#{project.id}/-/search", user), search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+
+    context 'when project does not exist' do
+      it 'returns 404 error' do
+        get api('/projects/9999/-/search', user), scope: 'issues', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user does can not see the project' do
+      it 'returns 404 error' do
+        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+        get api("/projects/#{project.id}/-/search", user), scope: 'issues', search: 'awesome'
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'with correct params' do
+      context 'for issues scope' do
+        before do
+          create(:issue, project: project, title: 'awesome issue')
+
+          get api("/projects/#{project.id}/-/search", user), scope: 'issues', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/issues'
+      end
+
+      context 'for merge_requests scope' do
+        before do
+          create(:merge_request, source_project: repo_project, title: 'awesome mr')
+
+          get api("/projects/#{repo_project.id}/-/search", user), scope: 'merge_requests', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/merge_requests'
+      end
+
+      context 'for milestones scope' do
+        before do
+          create(:milestone, project: project, title: 'awesome milestone')
+
+          get api("/projects/#{project.id}/-/search", user), scope: 'milestones', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
+      end
+
+      context 'for notes scope' do
+        before do
+          create(:note_on_merge_request, project: project, note: 'awesome note')
+
+          get api("/projects/#{project.id}/-/search", user), scope: 'notes', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/notes'
+      end
+
+      context 'for wiki_blobs scope' do
+        before do
+          wiki = create(:project_wiki, project: project)
+          create(:wiki_page, wiki: wiki, attrs: { title: 'home', content: "Awesome page" })
+
+          get api("/projects/#{project.id}/-/search", user), scope: 'wiki_blobs', search: 'awesome'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/blobs'
+      end
+
+      context 'for commits scope' do
+        before do
+          get api("/projects/#{repo_project.id}/-/search", user), scope: 'commits', search: '498214de67004b1da3d820901307bed2a68a8ef6'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/commits_details'
+      end
+
+      context 'for commits scope with project path as id' do
+        before do
+          get api("/projects/#{CGI.escape(repo_project.full_path)}/-/search", user), scope: 'commits', search: '498214de67004b1da3d820901307bed2a68a8ef6'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/commits_details'
+      end
+
+      context 'for blobs scope' do
+        before do
+          get api("/projects/#{repo_project.id}/-/search", user), scope: 'blobs', search: 'monitors'
+        end
+
+        it_behaves_like 'response is correct', schema: 'public_api/v4/blobs', size: 2
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/snippets_spec.rb b/spec/requests/api/snippets_spec.rb
index 74198c8eb4f..b3e253befc6 100644
--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -32,6 +32,27 @@ describe API::Snippets do
       expect(json_response).to be_an Array
       expect(json_response.size).to eq(0)
     end
+
+    it 'returns 404 for non-authenticated' do
+      create(:personal_snippet, :internal)
+
+      get api("/snippets/")
+
+      expect(response).to have_gitlab_http_status(401)
+    end
+
+    it 'does not return snippets related to a project with disable feature visibility' do
+      project = create(:project)
+      create(:project_member, project: project, user: user)
+      public_snippet = create(:personal_snippet, :public, author: user, project: project)
+      project.project_feature.update_attribute(:snippets_access_level, 0)
+
+      get api("/snippets/", user)
+
+      json_response.each do |snippet|
+        expect(snippet["id"]).not_to eq(public_snippet.id)
+      end
+    end
   end
 
   describe 'GET /snippets/public' do
diff --git a/spec/requests/api/todos_spec.rb b/spec/requests/api/todos_spec.rb
index fb3a33cadff..2ee8d150dc8 100644
--- a/spec/requests/api/todos_spec.rb
+++ b/spec/requests/api/todos_spec.rb
@@ -129,6 +129,12 @@ describe API::Todos do
 
         post api("/todos/#{pending_1.id}/mark_as_done", john_doe)
       end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        post api("/todos/#{pending_1.id}/mark_as_done", author_1)
+
+        expect(response.status).to eq(404)
+      end
     end
   end
 
diff --git a/spec/requests/api/v3/projects_spec.rb b/spec/requests/api/v3/projects_spec.rb
index 5d99d9495f3..bf36d3e245a 100644
--- a/spec/requests/api/v3/projects_spec.rb
+++ b/spec/requests/api/v3/projects_spec.rb
@@ -401,7 +401,7 @@ describe API::V3::Projects do
       post v3_api('/projects', user), project
 
       project.each_pair do |k, v|
-        next if %i[has_external_issue_tracker issues_enabled merge_requests_enabled wiki_enabled].include?(k)
+        next if %i[storage_version has_external_issue_tracker issues_enabled merge_requests_enabled wiki_enabled].include?(k)
 
         expect(json_response[k.to_s]).to eq(v)
       end
@@ -545,7 +545,7 @@ describe API::V3::Projects do
 
       expect(response).to have_gitlab_http_status(201)
       project.each_pair do |k, v|
-        next if %i[has_external_issue_tracker path].include?(k)
+        next if %i[storage_version has_external_issue_tracker path].include?(k)
 
         expect(json_response[k.to_s]).to eq(v)
       end
diff --git a/spec/requests/api/v3/todos_spec.rb b/spec/requests/api/v3/todos_spec.rb
index 53fd962272a..ea648e3917f 100644
--- a/spec/requests/api/v3/todos_spec.rb
+++ b/spec/requests/api/v3/todos_spec.rb
@@ -38,6 +38,12 @@ describe API::V3::Todos do
 
         delete v3_api("/todos/#{pending_1.id}", john_doe)
       end
+
+      it 'returns 404 if the todo does not belong to the current user' do
+        delete v3_api("/todos/#{pending_1.id}", author_1)
+
+        expect(response.status).to eq(404)
+      end
     end
   end
 
diff --git a/spec/requests/api/variables_spec.rb b/spec/requests/api/variables_spec.rb
index 79ee6c126f6..62215ea3d7d 100644
--- a/spec/requests/api/variables_spec.rb
+++ b/spec/requests/api/variables_spec.rb
@@ -122,12 +122,12 @@ describe API::Variables do
   describe 'PUT /projects/:id/variables/:key' do
     context 'authorized user with proper permissions' do
       it 'updates variable data' do
-        initial_variable = project.variables.first
+        initial_variable = project.variables.reload.first
         value_before = initial_variable.value
 
         put api("/projects/#{project.id}/variables/#{variable.key}", user), value: 'VALUE_1_UP', protected: true
 
-        updated_variable = project.variables.first
+        updated_variable = project.variables.reload.first
 
         expect(response).to have_gitlab_http_status(200)
         expect(value_before).to eq(variable.value)
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 2e2dccdafad..942e5b2bb1b 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -163,7 +163,7 @@ describe 'Git HTTP requests' do
             download(path) do |response|
               json_body = ActiveSupport::JSON.decode(response.body)
 
-              expect(json_body['RepoPath']).to include(wiki.repository.full_path)
+              expect(json_body['RepoPath']).to include(wiki.repository.disk_path)
             end
           end
         end
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 930ef49b7f3..971b45c411d 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -1208,7 +1208,7 @@ describe 'Git LFS API and storage' do
   end
 
   def post_lfs_json(url, body = nil, headers = nil)
-    post(url, body.try(:to_json), (headers || {}).merge('Content-Type' => 'application/vnd.git-lfs+json'))
+    post(url, body.try(:to_json), (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE))
   end
 
   def json_response
diff --git a/spec/requests/lfs_locks_api_spec.rb b/spec/requests/lfs_locks_api_spec.rb
new file mode 100644
index 00000000000..e44a11a7232
--- /dev/null
+++ b/spec/requests/lfs_locks_api_spec.rb
@@ -0,0 +1,159 @@
+require 'spec_helper'
+
+describe 'Git LFS File Locking API' do
+  include WorkhorseHelpers
+
+  let(:project)   { create(:project) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:guest)     { create(:user) }
+  let(:path)      { 'README.md' }
+  let(:headers) do
+    {
+      'Authorization' => authorization
+    }.compact
+  end
+
+  shared_examples 'unauthorized request' do
+    context 'when user is not authorized' do
+      let(:authorization) { authorize_user(guest) }
+
+      it 'returns a forbidden 403 response' do
+        post_lfs_json url, body, headers
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+  end
+
+  before do
+    allow(Gitlab.config.lfs).to receive(:enabled).and_return(true)
+
+    project.add_developer(master)
+    project.add_developer(developer)
+    project.add_guest(guest)
+  end
+
+  describe 'Create File Lock endpoint' do
+    let(:url)           { "#{project.http_url_to_repo}/info/lfs/locks" }
+    let(:authorization) { authorize_user(developer) }
+    let(:body)          { { path: path } }
+
+    include_examples 'unauthorized request'
+
+    context 'with an existent lock' do
+      before do
+        lock_file('README.md', developer)
+      end
+
+      it 'return an error message' do
+        post_lfs_json url, body, headers
+
+        expect(response).to have_gitlab_http_status(409)
+
+        expect(json_response.keys).to match_array(%w(lock message documentation_url))
+        expect(json_response['message']).to match(/already locked/)
+      end
+
+      it 'returns the existen lock' do
+        post_lfs_json url, body, headers
+
+        expect(json_response['lock']['path']).to eq('README.md')
+      end
+    end
+
+    context 'without an existent lock' do
+      it 'creates the lock' do
+        post_lfs_json url, body, headers
+
+        expect(response).to have_gitlab_http_status(201)
+
+        expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner))
+      end
+    end
+  end
+
+  describe 'Listing File Locks endpoint' do
+    let(:url)           { "#{project.http_url_to_repo}/info/lfs/locks" }
+    let(:authorization) { authorize_user(developer) }
+
+    include_examples 'unauthorized request'
+
+    it 'returns the list of locked files' do
+      lock_file('README.md', developer)
+      lock_file('README', developer)
+
+      do_get url, nil, headers
+
+      expect(response).to have_gitlab_http_status(200)
+
+      expect(json_response['locks'].size).to eq(2)
+      expect(json_response['locks'].first.keys).to match_array(%w(id path locked_at owner))
+    end
+  end
+
+  describe 'List File Locks for verification endpoint' do
+    let(:url)           { "#{project.http_url_to_repo}/info/lfs/locks/verify" }
+    let(:authorization) { authorize_user(developer) }
+
+    include_examples 'unauthorized request'
+
+    it 'returns the list of locked files grouped by owner' do
+      lock_file('README.md', master)
+      lock_file('README', developer)
+
+      post_lfs_json url, nil, headers
+
+      expect(response).to have_gitlab_http_status(200)
+
+      expect(json_response['ours'].size).to eq(1)
+      expect(json_response['ours'].first['path']).to eq('README')
+      expect(json_response['theirs'].size).to eq(1)
+      expect(json_response['theirs'].first['path']).to eq('README.md')
+    end
+  end
+
+  describe 'Delete File Lock endpoint' do
+    let!(:lock)         { lock_file('README.md', developer) }
+    let(:url)           { "#{project.http_url_to_repo}/info/lfs/locks/#{lock[:id]}/unlock" }
+    let(:authorization) { authorize_user(developer) }
+
+    include_examples 'unauthorized request'
+
+    context 'with an existent lock' do
+      it 'deletes the lock' do
+        post_lfs_json url, nil, headers
+
+        expect(response).to have_gitlab_http_status(200)
+      end
+
+      it 'returns the deleted lock' do
+        post_lfs_json url, nil, headers
+
+        expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner))
+      end
+    end
+  end
+
+  def lock_file(path, author)
+    result = Lfs::LockFileService.new(project, author, { path: path }).execute
+
+    result[:lock]
+  end
+
+  def authorize_user(user)
+    ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
+  end
+
+  def post_lfs_json(url, body = nil, headers = nil)
+    post(url, body.try(:to_json), (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE))
+  end
+
+  def do_get(url, params = nil,  headers = nil)
+    get(url, (params || {}), (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE))
+  end
+
+  def json_response
+    @json_response ||= JSON.parse(response.body)
+  end
+end
diff --git a/spec/requests/openid_connect_spec.rb b/spec/requests/openid_connect_spec.rb
index 1a5ad9b04e4..de829011e58 100644
--- a/spec/requests/openid_connect_spec.rb
+++ b/spec/requests/openid_connect_spec.rb
@@ -65,13 +65,23 @@ describe 'OpenID Connect requests' do
         )
       end
 
-      let(:public_email) { build :email, email: 'public@example.com' }
-      let(:private_email) { build :email, email: 'private@example.com' }
+      let!(:public_email) { build :email, email: 'public@example.com' }
+      let!(:private_email) { build :email, email: 'private@example.com' }
 
-      it 'includes all user information' do
+      let!(:group1) { create :group, path: 'group1' }
+      let!(:group2) { create :group, path: 'group2' }
+      let!(:group3) { create :group, path: 'group3', parent: group2 }
+      let!(:group4) { create :group, path: 'group4', parent: group3 }
+
+      before do
+        group1.add_user(user, GroupMember::OWNER)
+        group3.add_user(user, Gitlab::Access::DEVELOPER)
+      end
+
+      it 'includes all user information and group memberships' do
         request_user_info
 
-        expect(json_response).to eq({
+        expect(json_response).to match(a_hash_including({
           'sub'            => hashed_subject,
           'name'           => 'Alice',
           'nickname'       => 'alice',
@@ -79,8 +89,13 @@ describe 'OpenID Connect requests' do
           'email_verified' => true,
           'website'        => 'https://example.com',
           'profile'        => 'http://localhost/alice',
-          'picture'        => "http://localhost/uploads/-/system/user/avatar/#{user.id}/dk.png"
-        })
+          'picture'        => "http://localhost/uploads/-/system/user/avatar/#{user.id}/dk.png",
+          'groups'         => anything
+        }))
+
+        expected_groups = %w[group1 group2/group3]
+        expected_groups << 'group2/group3/group4' if Group.supports_nested_groups?
+        expect(json_response['groups']).to match_array(expected_groups)
       end
     end
 
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0fec14d0cce..b18e922b063 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do
 
   let(:url_that_does_not_require_authentication) { '/users/sign_in' }
   let(:url_that_requires_authentication) { '/dashboard/snippets' }
+  let(:url_api_internal) { '/api/v4/internal/check' }
   let(:api_partial_url) { '/todos' }
 
   around do |example|
@@ -172,6 +173,15 @@ describe 'Rack Attack global throttles' do
         get url_that_does_not_require_authentication
         expect(response).to have_http_status 200
       end
+
+      context 'when the request is to the api internal endpoints' do
+        it 'allows requests over the rate limit' do
+          (1 + requests_per_period).times do
+            get url_api_internal, secret_token: Gitlab::Shell.secret_token
+            expect(response).to have_http_status 200
+          end
+        end
+      end
     end
 
     context 'when the throttle is disabled' do