16 files changed, 587 insertions, 50 deletions

diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb
index bc892523cf8..066f1d6862a 100644
--- a/spec/requests/api/commits_spec.rb
+++ b/spec/requests/api/commits_spec.rb
@@ -1457,4 +1457,42 @@ describe API::Commits do
       expect(response).to have_gitlab_http_status(404)
     end
   end
+
+  describe 'GET /projects/:id/repository/commits/:sha/signature' do
+    let!(:project) { create(:project, :repository, :public) }
+    let(:project_id) { project.id }
+    let(:commit_id) { project.repository.commit.id }
+    let(:route) { "/projects/#{project_id}/repository/commits/#{commit_id}/signature" }
+
+    context 'when commit does not exist' do
+      let(:commit_id) { 'unknown' }
+
+      it_behaves_like '404 response' do
+        let(:request) { get api(route, current_user) }
+        let(:message) { '404 Commit Not Found' }
+      end
+    end
+
+    context 'unsigned commit' do
+      it_behaves_like '404 response' do
+        let(:request) { get api(route, current_user) }
+        let(:message) { '404 GPG Signature Not Found'}
+      end
+    end
+
+    context 'signed commit' do
+      let(:commit) { project.repository.commit(GpgHelpers::SIGNED_COMMIT_SHA) }
+      let(:commit_id) { commit.id }
+
+      it 'returns correct JSON' do
+        get api(route, current_user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response['gpg_key_id']).to eq(commit.signature.gpg_key_id)
+        expect(json_response['gpg_key_subkey_id']).to eq(commit.signature.gpg_key_subkey_id)
+        expect(json_response['gpg_key_primary_keyid']).to eq(commit.signature.gpg_key_primary_keyid)
+        expect(json_response['verification_status']).to eq(commit.signature.verification_status)
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/features_spec.rb b/spec/requests/api/features_spec.rb
index 22a9e36ca31..57a57e69a00 100644
--- a/spec/requests/api/features_spec.rb
+++ b/spec/requests/api/features_spec.rb
@@ -163,6 +163,40 @@ describe API::Features do
         end
       end
 
+      context 'when enabling for a group by path' do
+        context 'when the group exists' do
+          it 'sets the feature gate' do
+            group = create(:group)
+
+            post api("/features/#{feature_name}", admin), params: { value: 'true', group: group.full_path }
+
+            expect(response).to have_gitlab_http_status(201)
+            expect(json_response).to eq(
+              'name' => 'my_feature',
+              'state' => 'conditional',
+              'gates' => [
+                { 'key' => 'boolean', 'value' => false },
+                { 'key' => 'actors', 'value' => ["Group:#{group.id}"] }
+              ])
+          end
+        end
+
+        context 'when the group does not exist' do
+          it 'sets no new values and keeps the feature disabled' do
+            post api("/features/#{feature_name}", admin), params: { value: 'true', group: 'not/a/group' }
+
+            expect(response).to have_gitlab_http_status(201)
+            expect(json_response).to eq(
+              "name" => "my_feature",
+              "state" => "off",
+              "gates" => [
+                { "key" => "boolean", "value" => false }
+              ]
+            )
+          end
+        end
+      end
+
       it 'creates a feature with the given percentage if passed an integer' do
         post api("/features/#{feature_name}", admin), params: { value: '50' }
 
diff --git a/spec/requests/api/graphql/project/issues_spec.rb b/spec/requests/api/graphql/project/issues_spec.rb
index 355336ad7e2..c2934430821 100644
--- a/spec/requests/api/graphql/project/issues_spec.rb
+++ b/spec/requests/api/graphql/project/issues_spec.rb
@@ -56,4 +56,38 @@ describe 'getting an issue list for a project' do
       expect(issues_data).to eq []
     end
   end
+
+  context 'when there is a confidential issue' do
+    let!(:confidential_issue) do
+      create(:issue, :confidential, project: project)
+    end
+
+    context 'when the user cannot see confidential issues' do
+      it 'returns issues without confidential issues' do
+        post_graphql(query, current_user: current_user)
+
+        expect(issues_data.size).to eq(2)
+
+        issues_data.each do |issue|
+          expect(issue.dig('node', 'confidential')).to eq(false)
+        end
+      end
+    end
+
+    context 'when the user can see confidential issues' do
+      it 'returns issues with confidential issues' do
+        project.add_developer(current_user)
+
+        post_graphql(query, current_user: current_user)
+
+        expect(issues_data.size).to eq(3)
+
+        confidentials = issues_data.map do |issue|
+          issue.dig('node', 'confidential')
+        end
+
+        expect(confidentials).to eq([true, false, false])
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 6a943b5237a..cd85151ec1b 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -167,6 +167,7 @@ describe API::Internal do
         expect(response).to have_gitlab_http_status(200)
         expect(json_response['username']).to eq(user.username)
         expect(json_response['repository_http_path']).to eq(project.http_url_to_repo)
+        expect(json_response['expires_in']).to eq(Gitlab::LfsToken::DEFAULT_EXPIRE_TIME)
         expect(Gitlab::LfsToken.new(key).token_valid?(json_response['lfs_token'])).to be_truthy
       end
 
@@ -324,6 +325,7 @@ describe API::Internal do
           expect(response).to have_gitlab_http_status(200)
           expect(json_response["status"]).to be_truthy
           expect(json_response["repository_path"]).to eq('/')
+          expect(json_response["gl_project_path"]).to eq(project.wiki.full_path)
           expect(json_response["gl_repository"]).to eq("wiki-#{project.id}")
           expect(user.reload.last_activity_on).to be_nil
         end
@@ -336,6 +338,7 @@ describe API::Internal do
           expect(response).to have_gitlab_http_status(200)
           expect(json_response["status"]).to be_truthy
           expect(json_response["repository_path"]).to eq('/')
+          expect(json_response["gl_project_path"]).to eq(project.wiki.full_path)
           expect(json_response["gl_repository"]).to eq("wiki-#{project.id}")
           expect(user.reload.last_activity_on).to eql(Date.today)
         end
@@ -349,6 +352,7 @@ describe API::Internal do
           expect(json_response["status"]).to be_truthy
           expect(json_response["repository_path"]).to eq('/')
           expect(json_response["gl_repository"]).to eq("project-#{project.id}")
+          expect(json_response["gl_project_path"]).to eq(project.full_path)
           expect(json_response["gitaly"]).not_to be_nil
           expect(json_response["gitaly"]["repository"]).not_to be_nil
           expect(json_response["gitaly"]["repository"]["storage_name"]).to eq(project.repository.gitaly_repository.storage_name)
@@ -368,6 +372,7 @@ describe API::Internal do
             expect(json_response["status"]).to be_truthy
             expect(json_response["repository_path"]).to eq('/')
             expect(json_response["gl_repository"]).to eq("project-#{project.id}")
+            expect(json_response["gl_project_path"]).to eq(project.full_path)
             expect(json_response["gitaly"]).not_to be_nil
             expect(json_response["gitaly"]["repository"]).not_to be_nil
             expect(json_response["gitaly"]["repository"]["storage_name"]).to eq(project.repository.gitaly_repository.storage_name)
diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb
index 04908378a24..01bab2a1361 100644
--- a/spec/requests/api/issues_spec.rb
+++ b/spec/requests/api/issues_spec.rb
@@ -183,6 +183,18 @@ describe API::Issues do
         expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
       end
 
+      it 'returns only confidential issues' do
+        get api('/issues', user), params: { confidential: true, scope: 'all' }
+
+        expect_paginated_array_response(confidential_issue.id)
+      end
+
+      it 'returns only public issues' do
+        get api('/issues', user), params: { confidential: false }
+
+        expect_paginated_array_response([issue.id, closed_issue.id])
+      end
+
       it 'returns issues reacted by the authenticated user' do
         issue2 = create(:issue, project: project, author: user, assignees: [user])
         create(:award_emoji, awardable: issue2, user: user2, name: 'star')
@@ -354,15 +366,43 @@ describe API::Issues do
       end
 
       it 'returns an empty array if iid does not exist' do
-        get api("/issues", user), params: { iids: [99999] }
+        get api("/issues", user), params: { iids: [0] }
 
         expect_paginated_array_response([])
       end
 
-      it 'sorts by created_at descending by default' do
-        get api('/issues', user)
+      context 'without sort params' do
+        it 'sorts by created_at descending by default' do
+          get api('/issues', user)
 
-        expect_paginated_array_response([issue.id, closed_issue.id])
+          expect_paginated_array_response([issue.id, closed_issue.id])
+        end
+
+        context 'with 2 issues with same created_at' do
+          let!(:closed_issue2) do
+            create :closed_issue,
+                   author: user,
+                   assignees: [user],
+                   project: project,
+                   milestone: milestone,
+                   created_at: closed_issue.created_at,
+                   updated_at: 1.hour.ago,
+                   title: issue_title,
+                   description: issue_description
+          end
+
+          it 'page breaks first page correctly' do
+            get api('/issues?per_page=2', user)
+
+            expect_paginated_array_response([issue.id, closed_issue2.id])
+          end
+
+          it 'page breaks second page correctly' do
+            get api('/issues?per_page=2&page=2', user)
+
+            expect_paginated_array_response([closed_issue.id])
+          end
+        end
       end
 
       it 'sorts ascending when requested' do
@@ -393,6 +433,24 @@ describe API::Issues do
         expect(response).to have_gitlab_http_status(200)
         expect(response).to match_response_schema('public_api/v4/issues')
       end
+
+      it 'returns a related merge request count of 0 if there are no related merge requests' do
+        get api('/issues', user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/issues')
+        expect(json_response.first).to include('merge_requests_count' => 0)
+      end
+
+      it 'returns a related merge request count > 0 if there are related merge requests' do
+        create(:merge_requests_closing_issues, issue: issue)
+
+        get api('/issues', user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/issues')
+        expect(json_response.first).to include('merge_requests_count' => 1)
+      end
     end
   end
 
@@ -511,6 +569,18 @@ describe API::Issues do
         expect_paginated_array_response([group_confidential_issue.id, group_issue.id])
       end
 
+      it 'returns only confidential issues' do
+        get api(base_url, user), params: { confidential: true }
+
+        expect_paginated_array_response(group_confidential_issue.id)
+      end
+
+      it 'returns only public issues' do
+        get api(base_url, user), params: { confidential: false }
+
+        expect_paginated_array_response([group_closed_issue.id, group_issue.id])
+      end
+
       it 'returns an array of labeled group issues' do
         get api(base_url, user), params: { labels: group_label.title }
 
@@ -557,7 +627,7 @@ describe API::Issues do
       end
 
       it 'returns an empty array if iid does not exist' do
-        get api(base_url, user), params: { iids: [99999] }
+        get api(base_url, user), params: { iids: [0] }
 
         expect_paginated_array_response([])
       end
@@ -613,10 +683,38 @@ describe API::Issues do
         expect_paginated_array_response(group_confidential_issue.id)
       end
 
-      it 'sorts by created_at descending by default' do
-        get api(base_url, user)
+      context 'without sort params' do
+        it 'sorts by created_at descending by default' do
+          get api(base_url, user)
 
-        expect_paginated_array_response([group_closed_issue.id, group_confidential_issue.id, group_issue.id])
+          expect_paginated_array_response([group_closed_issue.id, group_confidential_issue.id, group_issue.id])
+        end
+
+        context 'with 2 issues with same created_at' do
+          let!(:group_issue2) do
+            create :issue,
+                   author: user,
+                   assignees: [user],
+                   project: group_project,
+                   milestone: group_milestone,
+                   updated_at: 1.hour.ago,
+                   title: issue_title,
+                   description: issue_description,
+                   created_at: group_issue.created_at
+          end
+
+          it 'page breaks first page correctly' do
+            get api("#{base_url}?per_page=3", user)
+
+            expect_paginated_array_response([group_closed_issue.id, group_confidential_issue.id, group_issue2.id])
+          end
+
+          it 'page breaks second page correctly' do
+            get api("#{base_url}?per_page=3&page=2", user)
+
+            expect_paginated_array_response([group_issue.id])
+          end
+        end
       end
 
       it 'sorts ascending when requested' do
@@ -708,6 +806,18 @@ describe API::Issues do
       expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
     end
 
+    it 'returns only confidential issues' do
+      get api("#{base_url}/issues", author), params: { confidential: true }
+
+      expect_paginated_array_response(confidential_issue.id)
+    end
+
+    it 'returns only public issues' do
+      get api("#{base_url}/issues", author), params: { confidential: false }
+
+      expect_paginated_array_response([issue.id, closed_issue.id])
+    end
+
     it 'returns project confidential issues for assignee' do
       get api("#{base_url}/issues", assignee)
 
@@ -763,7 +873,7 @@ describe API::Issues do
     end
 
     it 'returns an empty array if iid does not exist' do
-      get api("#{base_url}/issues", user), params: { iids: [99999] }
+      get api("#{base_url}/issues", user), params: { iids: [0] }
 
       expect_paginated_array_response([])
     end
@@ -828,10 +938,38 @@ describe API::Issues do
       expect_paginated_array_response([issue.id, closed_issue.id])
     end
 
-    it 'sorts by created_at descending by default' do
-      get api("#{base_url}/issues", user)
+    context 'without sort params' do
+      it 'sorts by created_at descending by default' do
+        get api("#{base_url}/issues", user)
 
-      expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
+        expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue.id])
+      end
+
+      context 'with 2 issues with same created_at' do
+        let!(:closed_issue2) do
+          create :closed_issue,
+                 author: user,
+                 assignees: [user],
+                 project: project,
+                 milestone: milestone,
+                 created_at: closed_issue.created_at,
+                 updated_at: 1.hour.ago,
+                 title: issue_title,
+                 description: issue_description
+        end
+
+        it 'page breaks first page correctly' do
+          get api("#{base_url}/issues?per_page=3", user)
+
+          expect_paginated_array_response([issue.id, confidential_issue.id, closed_issue2.id])
+        end
+
+        it 'page breaks second page correctly' do
+          get api("#{base_url}/issues?per_page=3&page=2", user)
+
+          expect_paginated_array_response([closed_issue.id])
+        end
+      end
     end
 
     it 'sorts ascending when requested' do
@@ -1771,7 +1909,7 @@ describe API::Issues do
     end
 
     it "returns 404 when issue doesn't exists" do
-      get api("/projects/#{project.id}/issues/9999/closed_by", user)
+      get api("/projects/#{project.id}/issues/0/closed_by", user)
 
       expect(response).to have_gitlab_http_status(404)
     end
@@ -1792,7 +1930,7 @@ describe API::Issues do
         description: "See #{issue.to_reference}"
       }
       create(:merge_request, attributes).tap do |merge_request|
-        create(:note, :system, project: project, noteable: issue, author: user, note: merge_request.to_reference(full: true))
+        create(:note, :system, project: issue.project, noteable: issue, author: user, note: merge_request.to_reference(full: true))
       end
     end
 
@@ -1829,6 +1967,24 @@ describe API::Issues do
       expect_paginated_array_response(related_mr.id)
     end
 
+    it 'returns merge requests cross-project wide' do
+      project2 = create(:project, :public, creator_id: user.id, namespace: user.namespace)
+      merge_request = create_referencing_mr(user, project2, issue)
+
+      get_related_merge_requests(project.id, issue.iid, user)
+
+      expect_paginated_array_response([related_mr.id, merge_request.id])
+    end
+
+    it 'does not generate references to projects with no access' do
+      private_project = create(:project, :private)
+      create_referencing_mr(private_project.creator, private_project, issue)
+
+      get_related_merge_requests(project.id, issue.iid, user)
+
+      expect_paginated_array_response(related_mr.id)
+    end
+
     context 'no merge request mentioned a issue' do
       it 'returns empty array' do
         get_related_merge_requests(project.id, closed_issue.iid, user)
@@ -1838,7 +1994,7 @@ describe API::Issues do
     end
 
     it "returns 404 when issue doesn't exists" do
-      get_related_merge_requests(project.id, 999999, user)
+      get_related_merge_requests(project.id, 0, user)
 
       expect(response).to have_gitlab_http_status(404)
     end
diff --git a/spec/requests/api/keys_spec.rb b/spec/requests/api/keys_spec.rb
index 3c4719964b6..f37d84fddef 100644
--- a/spec/requests/api/keys_spec.rb
+++ b/spec/requests/api/keys_spec.rb
@@ -16,7 +16,7 @@ describe API::Keys do
 
     context 'when authenticated' do
       it 'returns 404 for non-existing key' do
-        get api('/keys/999999', admin)
+        get api('/keys/0', admin)
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 Not found')
       end
diff --git a/spec/requests/api/merge_request_diffs_spec.rb b/spec/requests/api/merge_request_diffs_spec.rb
index 6530dc956cb..8a67d98fc4c 100644
--- a/spec/requests/api/merge_request_diffs_spec.rb
+++ b/spec/requests/api/merge_request_diffs_spec.rb
@@ -30,7 +30,7 @@ describe API::MergeRequestDiffs, 'MergeRequestDiffs' do
     end
 
     it 'returns a 404 when merge_request_iid not found' do
-      get api("/projects/#{project.id}/merge_requests/999/versions", user)
+      get api("/projects/#{project.id}/merge_requests/0/versions", user)
       expect(response).to have_gitlab_http_status(404)
     end
   end
@@ -53,7 +53,7 @@ describe API::MergeRequestDiffs, 'MergeRequestDiffs' do
     end
 
     it 'returns a 404 when merge_request version_id is not found' do
-      get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/versions/999", user)
+      get api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/versions/0", user)
       expect(response).to have_gitlab_http_status(404)
     end
 
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index b8426126bc6..db56739af2f 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -441,7 +441,7 @@ describe API::MergeRequests do
     end
 
     it "returns a 404 error if merge_request_iid not found" do
-      get api("/projects/#{project.id}/merge_requests/999", user)
+      get api("/projects/#{project.id}/merge_requests/0", user)
       expect(response).to have_gitlab_http_status(404)
     end
 
@@ -531,7 +531,7 @@ describe API::MergeRequests do
     end
 
     it 'returns a 404 when merge_request_iid not found' do
-      get api("/projects/#{project.id}/merge_requests/999/commits", user)
+      get api("/projects/#{project.id}/merge_requests/0/commits", user)
       expect(response).to have_gitlab_http_status(404)
     end
 
@@ -551,7 +551,7 @@ describe API::MergeRequests do
     end
 
     it 'returns a 404 when merge_request_iid not found' do
-      get api("/projects/#{project.id}/merge_requests/999/changes", user)
+      get api("/projects/#{project.id}/merge_requests/0/changes", user)
       expect(response).to have_gitlab_http_status(404)
     end
 
@@ -984,6 +984,21 @@ describe API::MergeRequests do
         expect(squash_commit.message).to eq(merge_request.default_squash_commit_message)
       end
     end
+
+    describe "the should_remove_source_branch param" do
+      let(:source_repository) { merge_request.source_project.repository }
+      let(:source_branch) { merge_request.source_branch }
+
+      it 'removes the source branch when set' do
+        put(
+          api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/merge", user),
+          params: { should_remove_source_branch: true }
+        )
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(source_repository.branch_exists?(source_branch)).to be_falsy
+      end
+    end
   end
 
   describe "PUT /projects/:id/merge_requests/:merge_request_iid" do
diff --git a/spec/requests/api/namespaces_spec.rb b/spec/requests/api/namespaces_spec.rb
index 145356c4df5..2e376109b42 100644
--- a/spec/requests/api/namespaces_spec.rb
+++ b/spec/requests/api/namespaces_spec.rb
@@ -149,7 +149,7 @@ describe API::Namespaces do
 
       context "when namespace doesn't exist" do
         it 'returns not-found' do
-          get api('/namespaces/9999', request_actor)
+          get api('/namespaces/0', request_actor)
 
           expect(response).to have_gitlab_http_status(404)
         end
diff --git a/spec/requests/api/project_milestones_spec.rb b/spec/requests/api/project_milestones_spec.rb
index 49b5dfb0b33..895f05a98e8 100644
--- a/spec/requests/api/project_milestones_spec.rb
+++ b/spec/requests/api/project_milestones_spec.rb
@@ -23,13 +23,13 @@ describe API::ProjectMilestones do
     end
 
     it 'returns 404 response when the project does not exists' do
-      delete api("/projects/999/milestones/#{milestone.id}", user)
+      delete api("/projects/0/milestones/#{milestone.id}", user)
 
       expect(response).to have_gitlab_http_status(404)
     end
 
     it 'returns 404 response when the milestone does not exists' do
-      delete api("/projects/#{project.id}/milestones/999", user)
+      delete api("/projects/#{project.id}/milestones/0", user)
 
       expect(response).to have_gitlab_http_status(404)
     end
@@ -49,4 +49,74 @@ describe API::ProjectMilestones do
           params: { state_event: 'close' }
     end
   end
+
+  describe 'POST /projects/:id/milestones/:milestone_id/promote' do
+    let(:group) { create(:group) }
+
+    before do
+      project.update(namespace: group)
+    end
+
+    context 'when user does not have permission to promote milestone' do
+      before do
+        group.add_guest(user)
+      end
+
+      it 'returns 403' do
+        post api("/projects/#{project.id}/milestones/#{milestone.id}/promote", user)
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+
+    context 'when user has permission' do
+      before do
+        group.add_developer(user)
+      end
+
+      it 'returns 200' do
+        post api("/projects/#{project.id}/milestones/#{milestone.id}/promote", user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(group.milestones.first.title).to eq(milestone.title)
+      end
+
+      it 'returns 200 for closed milestone' do
+        post api("/projects/#{project.id}/milestones/#{closed_milestone.id}/promote", user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(group.milestones.first.title).to eq(closed_milestone.title)
+      end
+    end
+
+    context 'when no such resources' do
+      before do
+        group.add_developer(user)
+      end
+
+      it 'returns 404 response when the project does not exist' do
+        post api("/projects/0/milestones/#{milestone.id}/promote", user)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+
+      it 'returns 404 response when the milestone does not exist' do
+        post api("/projects/#{project.id}/milestones/0/promote", user)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when project does not belong to group' do
+      before do
+        project.update(namespace: user.namespace)
+      end
+
+      it 'returns 403' do
+        post api("/projects/#{project.id}/milestones/#{milestone.id}/promote", user)
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/project_templates_spec.rb b/spec/requests/api/project_templates_spec.rb
index ab5d4de7ff7..80e5033dab4 100644
--- a/spec/requests/api/project_templates_spec.rb
+++ b/spec/requests/api/project_templates_spec.rb
@@ -92,6 +92,22 @@ describe API::ProjectTemplates do
       expect(json_response['name']).to eq('Actionscript')
     end
 
+    it 'returns C++ gitignore' do
+      get api("/projects/#{public_project.id}/templates/gitignores/C++")
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to match_response_schema('public_api/v4/template')
+      expect(json_response['name']).to eq('C++')
+    end
+
+    it 'returns C++ gitignore for URL-encoded names' do
+      get api("/projects/#{public_project.id}/templates/gitignores/C%2B%2B")
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(response).to match_response_schema('public_api/v4/template')
+      expect(json_response['name']).to eq('C++')
+    end
+
     it 'returns a specific gitlab_ci_yml' do
       get api("/projects/#{public_project.id}/templates/gitlab_ci_ymls/Android")
 
@@ -125,6 +141,18 @@ describe API::ProjectTemplates do
       expect(response).to have_gitlab_http_status(200)
       expect(response).to match_response_schema('public_api/v4/license')
     end
+
+    shared_examples 'path traversal attempt' do |template_type|
+      it 'rejects invalid filenames' do
+        get api("/projects/#{public_project.id}/templates/#{template_type}/%2e%2e%2fPython%2ea")
+
+        expect(response).to have_gitlab_http_status(500)
+      end
+    end
+
+    TemplateFinder::VENDORED_TEMPLATES.each do |template_type, _|
+      it_behaves_like 'path traversal attempt', template_type
+    end
   end
 
   describe 'GET /projects/:id/templates/licenses/:key' do
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index cfa7a1a31a3..856fe1bbe89 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -4,6 +4,15 @@ require 'spec_helper'
 shared_examples 'languages and percentages JSON response' do
   let(:expected_languages) { project.repository.languages.map { |language| language.values_at(:label, :value)}.to_h }
 
+  before do
+    allow(project.repository).to receive(:languages).and_return(
+      [{ value: 66.69, label: "Ruby", color: "#701516", highlight: "#701516" },
+       { value: 22.98, label: "JavaScript", color: "#f1e05a", highlight: "#f1e05a" },
+       { value: 7.91, label: "HTML", color: "#e34c26", highlight: "#e34c26" },
+       { value: 2.42, label: "CoffeeScript", color: "#244776", highlight: "#244776" }]
+    )
+  end
+
   it 'returns expected language values' do
     get api("/projects/#{project.id}/languages", user)
 
@@ -11,6 +20,23 @@ shared_examples 'languages and percentages JSON response' do
     expect(json_response).to eq(expected_languages)
     expect(json_response.count).to be > 1
   end
+
+  context 'when the languages were detected before' do
+    before do
+      Projects::DetectRepositoryLanguagesService.new(project, project.owner).execute
+    end
+
+    it 'returns the detection from the database' do
+      # Allow this to happen once, so the expected languages can be determined
+      expect(project.repository).to receive(:languages).once
+
+      get api("/projects/#{project.id}/languages", user)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response).to eq(expected_languages)
+      expect(json_response.count).to be > 1
+    end
+  end
 end
 
 describe API::Projects do
@@ -752,7 +778,7 @@ describe API::Projects do
     let!(:public_project) { create(:project, :public, name: 'public_project', creator_id: user4.id, namespace: user4.namespace) }
 
     it 'returns error when user not found' do
-      get api('/users/9999/projects/')
+      get api('/users/0/projects/')
 
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
@@ -1359,7 +1385,7 @@ describe API::Projects do
         end
 
         it 'fails if forked_from project which does not exist' do
-          post api("/projects/#{project_fork_target.id}/fork/9999", admin)
+          post api("/projects/#{project_fork_target.id}/fork/0", admin)
           expect(response).to have_gitlab_http_status(404)
         end
 
@@ -1910,7 +1936,7 @@ describe API::Projects do
       end
 
       it 'returns not_found(404) for not existing project' do
-        get api("/projects/9999999999/languages", user)
+        get api("/projects/0/languages", user)
 
         expect(response).to have_gitlab_http_status(:not_found)
       end
@@ -1995,6 +2021,11 @@ describe API::Projects do
     let(:project) do
       create(:project, :repository, creator: user, namespace: user.namespace)
     end
+
+    let(:project2) do
+      create(:project, :repository, creator: user, namespace: user.namespace)
+    end
+
     let(:group) { create(:group) }
     let(:group2) do
       group = create(:group, name: 'group2_name')
@@ -2010,6 +2041,7 @@ describe API::Projects do
 
     before do
       project.add_reporter(user2)
+      project2.add_reporter(user2)
     end
 
     context 'when authenticated' do
@@ -2124,6 +2156,48 @@ describe API::Projects do
         expect(response).to have_gitlab_http_status(201)
         expect(json_response['namespace']['name']).to eq(group.name)
       end
+
+      it 'accepts a path for the target project' do
+        post api("/projects/#{project.id}/fork", user2), params: { path: 'foobar' }
+
+        expect(response).to have_gitlab_http_status(201)
+        expect(json_response['name']).to eq(project.name)
+        expect(json_response['path']).to eq('foobar')
+        expect(json_response['owner']['id']).to eq(user2.id)
+        expect(json_response['namespace']['id']).to eq(user2.namespace.id)
+        expect(json_response['forked_from_project']['id']).to eq(project.id)
+        expect(json_response['import_status']).to eq('scheduled')
+        expect(json_response).to include("import_error")
+      end
+
+      it 'fails to fork if path is already taken' do
+        post api("/projects/#{project.id}/fork", user2), params: { path: 'foobar' }
+        post api("/projects/#{project2.id}/fork", user2), params: { path: 'foobar' }
+
+        expect(response).to have_gitlab_http_status(409)
+        expect(json_response['message']['path']).to eq(['has already been taken'])
+      end
+
+      it 'accepts a name for the target project' do
+        post api("/projects/#{project.id}/fork", user2), params: { name: 'My Random Project' }
+
+        expect(response).to have_gitlab_http_status(201)
+        expect(json_response['name']).to eq('My Random Project')
+        expect(json_response['path']).to eq(project.path)
+        expect(json_response['owner']['id']).to eq(user2.id)
+        expect(json_response['namespace']['id']).to eq(user2.namespace.id)
+        expect(json_response['forked_from_project']['id']).to eq(project.id)
+        expect(json_response['import_status']).to eq('scheduled')
+        expect(json_response).to include("import_error")
+      end
+
+      it 'fails to fork if name is already taken' do
+        post api("/projects/#{project.id}/fork", user2), params: { name: 'My Random Project' }
+        post api("/projects/#{project2.id}/fork", user2), params: { name: 'My Random Project' }
+
+        expect(response).to have_gitlab_http_status(409)
+        expect(json_response['message']['name']).to eq(['has already been taken'])
+      end
     end
 
     context 'when unauthenticated' do
diff --git a/spec/requests/api/runner_spec.rb b/spec/requests/api/runner_spec.rb
index d7ddd97e8c8..e6c235ca26e 100644
--- a/spec/requests/api/runner_spec.rb
+++ b/spec/requests/api/runner_spec.rb
@@ -417,7 +417,9 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
               'ref' => job.ref,
               'sha' => job.sha,
               'before_sha' => job.before_sha,
-              'ref_type' => 'branch' }
+              'ref_type' => 'branch',
+              'refspecs' => %w[+refs/heads/*:refs/remotes/origin/* +refs/tags/*:refs/tags/*],
+              'depth' => 0 }
           end
 
           let(:expected_steps) do
@@ -489,6 +491,29 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
               expect(response).to have_gitlab_http_status(201)
               expect(json_response['git_info']['ref_type']).to eq('tag')
             end
+
+            context 'when GIT_DEPTH is specified' do
+              before do
+                create(:ci_pipeline_variable, key: 'GIT_DEPTH', value: 1, pipeline: pipeline)
+              end
+
+              it 'specifies refspecs' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(201)
+                expect(json_response['git_info']['refspecs']).to include("+refs/tags/#{job.ref}:refs/tags/#{job.ref}")
+              end
+            end
+
+            context 'when GIT_DEPTH is not specified' do
+              it 'specifies refspecs' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(201)
+                expect(json_response['git_info']['refspecs'])
+                  .to contain_exactly('+refs/tags/*:refs/tags/*', '+refs/heads/*:refs/remotes/origin/*')
+              end
+            end
           end
 
           context 'when job is made for branch' do
@@ -498,6 +523,55 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
               expect(response).to have_gitlab_http_status(201)
               expect(json_response['git_info']['ref_type']).to eq('branch')
             end
+
+            context 'when GIT_DEPTH is specified' do
+              before do
+                create(:ci_pipeline_variable, key: 'GIT_DEPTH', value: 1, pipeline: pipeline)
+              end
+
+              it 'specifies refspecs' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(201)
+                expect(json_response['git_info']['refspecs']).to include("+refs/heads/#{job.ref}:refs/remotes/origin/#{job.ref}")
+              end
+            end
+
+            context 'when GIT_DEPTH is not specified' do
+              it 'specifies refspecs' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(201)
+                expect(json_response['git_info']['refspecs'])
+                  .to contain_exactly('+refs/tags/*:refs/tags/*', '+refs/heads/*:refs/remotes/origin/*')
+              end
+            end
+          end
+
+          context 'when job is made for merge request' do
+            let(:pipeline) { create(:ci_pipeline_without_jobs, source: :merge_request, project: project, ref: 'feature', merge_request: merge_request) }
+            let!(:job) { create(:ci_build, pipeline: pipeline, name: 'spinach', ref: 'feature', stage: 'test', stage_idx: 0) }
+            let(:merge_request) { create(:merge_request) }
+
+            it 'sets branch as ref_type' do
+              request_job
+
+              expect(response).to have_gitlab_http_status(201)
+              expect(json_response['git_info']['ref_type']).to eq('branch')
+            end
+
+            context 'when GIT_DEPTH is specified' do
+              before do
+                create(:ci_pipeline_variable, key: 'GIT_DEPTH', value: 1, pipeline: pipeline)
+              end
+
+              it 'returns the overwritten git depth for merge request refspecs' do
+                request_job
+
+                expect(response).to have_gitlab_http_status(201)
+                expect(json_response['git_info']['depth']).to eq(1)
+              end
+            end
           end
 
           it 'updates runner info' do
@@ -526,6 +600,15 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
             expect(runner.reload.ip_address).to eq('123.222.123.222')
           end
 
+          it "handles multiple X-Forwarded-For addresses" do
+            post api('/jobs/request'),
+              params: { token: runner.token },
+              headers: { 'User-Agent' => user_agent, 'X-Forwarded-For' => '123.222.123.222, 127.0.0.1' }
+
+            expect(response).to have_gitlab_http_status 201
+            expect(runner.reload.ip_address).to eq('123.222.123.222')
+          end
+
           context 'when concurrently updating a job' do
             before do
               expect_any_instance_of(Ci::Build).to receive(:run!)
diff --git a/spec/requests/api/runners_spec.rb b/spec/requests/api/runners_spec.rb
index 7f11c8c9fe8..5ca442bc448 100644
--- a/spec/requests/api/runners_spec.rb
+++ b/spec/requests/api/runners_spec.rb
@@ -241,7 +241,7 @@ describe API::Runners do
       end
 
       it 'returns 404 if runner does not exists' do
-        get api('/runners/9999', admin)
+        get api('/runners/0', admin)
 
         expect(response).to have_gitlab_http_status(404)
       end
@@ -394,7 +394,7 @@ describe API::Runners do
       end
 
       it 'returns 404 if runner does not exists' do
-        update_runner(9999, admin, description: 'test')
+        update_runner(0, admin, description: 'test')
 
         expect(response).to have_gitlab_http_status(404)
       end
@@ -468,7 +468,7 @@ describe API::Runners do
       end
 
       it 'returns 404 if runner does not exists' do
-        delete api('/runners/9999', admin)
+        delete api('/runners/0', admin)
 
         expect(response).to have_gitlab_http_status(404)
       end
@@ -573,7 +573,7 @@ describe API::Runners do
 
       context "when runner doesn't exist" do
         it 'returns 404' do
-          get api('/runners/9999/jobs', admin)
+          get api('/runners/0/jobs', admin)
 
           expect(response).to have_gitlab_http_status(404)
         end
@@ -626,7 +626,7 @@ describe API::Runners do
 
       context "when runner doesn't exist" do
         it 'returns 404' do
-          get api('/runners/9999/jobs', user)
+          get api('/runners/0/jobs', user)
 
           expect(response).to have_gitlab_http_status(404)
         end
@@ -857,7 +857,7 @@ describe API::Runners do
       end
 
       it 'returns 404 is runner is not found' do
-        delete api("/projects/#{project.id}/runners/9999", user)
+        delete api("/projects/#{project.id}/runners/0", user)
 
         expect(response).to have_gitlab_http_status(404)
       end
diff --git a/spec/requests/api/search_spec.rb b/spec/requests/api/search_spec.rb
index 831f47debeb..c48ca832c85 100644
--- a/spec/requests/api/search_spec.rb
+++ b/spec/requests/api/search_spec.rb
@@ -126,7 +126,7 @@ describe API::Search do
 
     context 'when group does not exist' do
       it 'returns 404 error' do
-        get api('/groups/9999/search', user), params: { scope: 'issues', search: 'awesome' }
+        get api('/groups/0/search', user), params: { scope: 'issues', search: 'awesome' }
 
         expect(response).to have_gitlab_http_status(404)
       end
@@ -222,7 +222,7 @@ describe API::Search do
 
     context 'when project does not exist' do
       it 'returns 404 error' do
-        get api('/projects/9999/search', user), params: { scope: 'issues', search: 'awesome' }
+        get api('/projects/0/search', user), params: { scope: 'issues', search: 'awesome' }
 
         expect(response).to have_gitlab_http_status(404)
       end
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index b381431306d..a879426589d 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -335,7 +335,7 @@ describe API::Users do
     end
 
     it "returns a 404 error if user id not found" do
-      get api("/users/9999", user)
+      get api("/users/0", user)
 
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
@@ -732,7 +732,7 @@ describe API::Users do
     end
 
     it "returns 404 for non-existing user" do
-      put api("/users/999999", admin), params: { bio: 'update should fail' }
+      put api("/users/0", admin), params: { bio: 'update should fail' }
 
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
@@ -836,7 +836,7 @@ describe API::Users do
     end
 
     it "returns 400 for invalid ID" do
-      post api("/users/999999/keys", admin)
+      post api("/users/0/keys", admin)
       expect(response).to have_gitlab_http_status(400)
     end
   end
@@ -895,7 +895,7 @@ describe API::Users do
       it 'returns 404 error if user not found' do
         user.keys << key
         user.save
-        delete api("/users/999999/keys/#{key.id}", admin)
+        delete api("/users/0/keys/#{key.id}", admin)
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
       end
@@ -930,7 +930,7 @@ describe API::Users do
     end
 
     it 'returns 400 for invalid ID' do
-      post api('/users/999999/gpg_keys', admin)
+      post api('/users/0/gpg_keys', admin)
 
       expect(response).to have_gitlab_http_status(400)
     end
@@ -951,7 +951,7 @@ describe API::Users do
 
     context 'when authenticated' do
       it 'returns 404 for non-existing user' do
-        get api('/users/999999/gpg_keys', admin)
+        get api('/users/0/gpg_keys', admin)
 
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
@@ -1007,7 +1007,7 @@ describe API::Users do
         user.keys << key
         user.save
 
-        delete api("/users/999999/gpg_keys/#{gpg_key.id}", admin)
+        delete api("/users/0/gpg_keys/#{gpg_key.id}", admin)
 
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
@@ -1051,7 +1051,7 @@ describe API::Users do
         user.gpg_keys << gpg_key
         user.save
 
-        post api("/users/999999/gpg_keys/#{gpg_key.id}/revoke", admin)
+        post api("/users/0/gpg_keys/#{gpg_key.id}/revoke", admin)
 
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
@@ -1089,7 +1089,7 @@ describe API::Users do
     end
 
     it "returns a 400 for invalid ID" do
-      post api("/users/999999/emails", admin)
+      post api("/users/0/emails", admin)
 
       expect(response).to have_gitlab_http_status(400)
     end
@@ -1121,7 +1121,7 @@ describe API::Users do
 
     context 'when authenticated' do
       it 'returns 404 for non-existing user' do
-        get api('/users/999999/emails', admin)
+        get api('/users/0/emails', admin)
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
       end
@@ -1177,7 +1177,7 @@ describe API::Users do
       it 'returns 404 error if user not found' do
         user.emails << email
         user.save
-        delete api("/users/999999/emails/#{email.id}", admin)
+        delete api("/users/0/emails/#{email.id}", admin)
         expect(response).to have_gitlab_http_status(404)
         expect(json_response['message']).to eq('404 User Not Found')
       end
@@ -1227,7 +1227,7 @@ describe API::Users do
     end
 
     it "returns 404 for non-existing user" do
-      perform_enqueued_jobs { delete api("/users/999999", admin) }
+      perform_enqueued_jobs { delete api("/users/0", admin) }
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
     end
@@ -1778,7 +1778,7 @@ describe API::Users do
     end
 
     it 'returns a 404 error if user id not found' do
-      post api('/users/9999/block', admin)
+      post api('/users/0/block', admin)
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
     end
@@ -1816,7 +1816,7 @@ describe API::Users do
     end
 
     it 'returns a 404 error if user id not found' do
-      post api('/users/9999/block', admin)
+      post api('/users/0/block', admin)
       expect(response).to have_gitlab_http_status(404)
       expect(json_response['message']).to eq('404 User Not Found')
     end