Add `saml-configured`, `jwt-configured` and `google-auth-configured` settings, and some general setting refactor (#26045)

* general sso configured/enabled setings refactor

* fix ts type error and update be tests

* Add created_at to Collection

* Simplified migrations [ci skip]

* Add SQL for H2 and MySQL; add tests

* Sort namespaces

* Test fixes 

* Test fixes

* Test fixes 

* Make sure MySQL/MariaDB Liquibase generator sets the current timestamp function for ADD COLUMN

Previously, some automatic behavior was causing problems in serdes.
(The worst example is generating an `entity_id` on insert while
deserializing an entity we don't own - if deserialized again it would be
duplicated.)

A whole cascade of design choices fell out of this problem:
- `insert!` would generate `entity_id`s, so use `simple-insert!`
- But `simple-insert!` doesn't convert eg. MBQL `:definition` maps back
  into JSON strings
- We got the maps as Clojure data and not JSON strings because `select`
  and `simple-select` both run `post-select` and parse the JSON.
- So we ended up with a raw query on the select side and `simple-insert!`
  on the storage side.

This change unwinds that whole stack, and instead uses a dynamic
var to suppress the few pieces of `pre-insert` and `pre-update` logic
that causes problems.

The end result is much cleaner, and much more consistent with the rest
of Metabase's backend logic.

* [Apps] Remove emitters

Emitters were created when we thought that we would be adding actions to
multiple places in metabase. Instead we've coalesced to actions being a
core feature of data-apps and are executed from within them. Attaching
actions to models, as a form of re-use rather than a form of execution,
means that actions can still be executed directly from a model, if we
want to allow that in the future.

* Fix lint errors

* Move perform-action! tests out of the api.

Since we want to keep the implicit bulk functionality but remove those
endpoints move the tests to the actions namespace.

* Fix linter

* Change driver test to use function instead of endpoint

* Revert "Use "apps" collection namespace for app collections (#25963)"

This reverts commit a1894202.

* Revert "Implement EE/Pro app permissions (#25764)"

This reverts commit cf9b1bf5.

* Revert "Implement global app permissions for the "All Users" group (#25679)"

This reverts commit 63e950f2.

* Revert "Require data permissions for executing actions (#25784)"

This reverts commit 732bf6b1.

* Revert "Prevent modifying app permissions via the collection endpoint (#25684)"

This reverts commit 5d3f8279.

* Revert "Implement DB specific execution permissions (#25629)"

This reverts commit 141a13ce.

* Revert "Introduce /execution/ permission (#25529)"

This reverts commit 57cbb921.

* Keep the app permission revision table

This reverts commit 23666516.

* Create app collections in the "apps" collection namespace

* Add test macro for setting global app permissions for "All Users"

* Introduce app permission audit table

Fixes #22519.

* Move subset of parameter-values utils to metabase-lib

* Move parameter mbql utils to metabase-lib

* Create some small target utils

* Move template tag utils to metabase-lib

* Move target/field logic to metabase-lib

* Remove eslint-enable

* Add CLI SerDes command for seeding entity IDs (#25655)

* Remove stray comment

* Fix Kondo error

* Fix Eastwood error

* Update identity-hash-fields to multimethod for ModelAction

* Fix identity-hash-fields for Dimension and DashboardCardSeries

These changes resulted from the effort to serialize and deserialize some
collections from our internal Stats instance, which did not
(de)serialize correctly out of the box.

The main improvement is more robust "escape" analysis - making sure that
all dashboards, cards, models, etc. required by the curated collections
actually belong to those curated collections. (Many cards on Stats were
actually in people's personal collections and publicly readable - that
doesn't work with the curated git workflow.)

This adds some new tests, trying to capture some complex MBQL queries
and make sure they're correctly (de)serialized.

* fix serialization test by not hardcoding tmp directory

* clean imports

* cleanup

* change approach

* Implement per group and per db app permissions

The value is reconstructed on the deserialization side based on the
time of deserialization.

For the git workflow, `updated_at` makes for a lot of diffs of unrelated files.

* Remove unused `underscore` imports from `.ts` files

* Remove unused `underscore` imports from `.tsx` files

* Remove unused `underscore` imports from `.jsx` files

* Remove unused `underscore` imports from `.js` files

* Reset changes and go thru everything again to make sure it makes sense

* Test fixes 

* `POST /api.ee/serialization/serialize/data-model` endpoint

* Sort namespaces

* Don't use `tru` for endpoint params validation

* Implement DB specific execution permissions

Separate execution permissions from data permissions as a new dimension
like application features. Create a new endpoint for getting and setting
these permissions.

* Substitute persisted queries in parameter card references

```sql
select o.total, o.quantity, model_p.category, model_p.title
from orders o
left join {{#14-pg-products}} model_p -- reference to products model
on o.product_id = model_p.id
limit 4
```

Testing:

I'm unhappy with how verbose the test is. At some point we're going to
need a better, standardized way to test persistence. But the test makes
a persisted table of the test-data.categories
table (test/metabase/test/data/dataset_definitions/test-data.edn). It
runs some sql to update the values in the table to turn `"Winery"` ->
`"Winery from cached table"`, joins the two tables together to have both
at once.

There's a lot of moving pieces and the setup is a bit verbose. There's
also no obvious place where these types of tests should go. We'll need
to consolidate them in the future (and extend them).

* persisted macro

* docstring for `persisted-info-native-query`

* alignments and small nits

* Reuse persistence macro

* clj-kondo cleanups

* remove clj-kondo change before rebase

* Introduce /execution/ permission

* 347 errors, 34 warnings

* 89 errors, 66 warnings

* 63 errors, 39 warnings

* 52 errors, 33 warnings

* 23 errors, 22 warnings

* 13 errors, 4 warnings

* Fix the last few errors.

* Sort Kondo config

* wip changes

* new endpoint

* fix test

* more test fixes

* add test for EE settings permissions

* try to fix another BE test

* address ngoc's comment

* fix cypress test

* fix another cypress test to hit new settings endpoint

* Don't use persisted model tables for segmented users

This actually isn't a bug, but due to very subtle and arbitrary reasons.

For background about why we need to ensure this never happens, we cannot
use persisted models when sandboxing is at play. A simple example is as
follows: make a model on a products table that does not select the
category. Have a sandbox on category such that someone can only see
products of category "Gizmo". the model lacks the category column but we
insert a where clause that still works. When the model is persisted,
there is no category column in the underlying table so sandboxing cannot
possibly work: the data necessary to filter is no longer associated with
the rest of the data in the model.

The fix for this is quite simple: in
`metabase.query-processor.middleware.fetch-source-query` we only splice
in the persisted query if the user is not a segmented user (product name
for sandboxing).

```clojure
(and persisted-info/*allow-persisted-substitution*
     (not (segmented-user?))  ;; <----- new check
     (:active card)
     (:definition card)
     (:query_hash card)
     (= (:query_hash card) (persisted-info/query-hash (:dataset_query card)))
     (= (:definition card) (persisted-info/metadata->definition (:result_metadata card)
                                                                (:table_name card)))
     (= (:state card) "persisted"))
```

Technical details about why this bug did not manifest

When swapping out a card__<id> to a source query, if its a model we will
see if it is persisted, and if so, we will use the native sql to select
from the persisted table. It does this by adding the native sql at a key
called `:persisted-info/native` and a middleware
`#'qp.persistence/substitute-persisted-query` walks the query replacing
the query with the native:

```clojure
;; metabase.query-processor.middleware.persistence

    (mbql.u/replace query
      (x :guard (every-pred map? :persisted-info/native))
      {:native (:persisted-info/native x)})
```

There is also a middleware that walks through the query looking for
tables with gtaps on them and replacing them. By change, the sandboxing
middleware runs immediately before the substitute-persisted middleware!

```clojure
   ;; literally the previous middleware
   (resolve 'ee.sandbox.rows/apply-sandboxing)
   #'qp.persistence/substitute-persisted-query
```

If you swap the order of these two sandboxing is broken. As is, it
"works" but not by design, just by happenstance. The sandboxing
middleware just did not know that the `:persisted-info/native` key meant
that a native query was to be substituted. In the reverse order, the
native query is already substituted and there is no change for the
sandboxing to occur.

The obvious fix is to ensure that we never even attempt to use the
persisted tables and that is what this PR does.

* Eastwood doesn't like shadowing like this

* Rearrange check order for tests

`segmented-user?` throws if there is no bound user. A test in
`fetch-source-query-test` was failing because there was no user bound,
but it wasn't attempting to swap out a persisted table, it just didn't
expect to need a user.

Moving it lower lets it short circuit on other bits that are bound to
fail (definition, query_hash, etc) requiring persistence before we check
for a bound user

* first pass at LDAP setup improvements

* fix lint errors

* fix LDAP api tests

* WIP test for new setting setter

* fix setting test

* set ldap-enabled to true in ldap server macro

* try to fix java11 tests

* Update src/metabase/integrations/ldap.clj

Co-authored-by: metamben <103100869+metamben@users.noreply.github.com>

* add transaction

* remove ldap-ever-enabled? setting and revert some of the logic that is no longer necessary

* set ldap-enabled via the ldap api and add tests

* fix tests and lint

* fix error on settings save

* fix cypress test

* actually fix cypress

Co-authored-by: metamben <103100869+metamben@users.noreply.github.com>

Cards can depend on other Cards as their `:source-table`, but the code
to extract `serdes-dependencies` from the MBQL query did not
capture that case.

Many entities have `creator_id` and similar fields. `User`s are not
serialized. Foreign keys to users are serialized as email addresses.

During deserialization in a different instance (eg. a local dev instance
importing a dump from a prod instance) many such users may not exist.
This change creates new `User` entities on the fly with empty names,
generated passwords, and the email set.

The YAML file names have an optional `:label` portion that becomes the
latter part of the filename. Reconstructed paths (eg. from
`serdes-dependencies`) don't have those labels.

This change makes the YAML ingestion code able to find a file with a
human-readable label even if the request didn't include it.
No ambiguity results because the file names are always based on the
unique serdes `:id`, usually an `entity_id`.

- Limit the scanning of directories and files to those named after
  models; don't try to ingest `.git`, `README.md`, etc.
- `table_id` and `collection_id` are optional on Cards
- Deserialization was not resolving some deeply nested `:field`s inside MBQL
  queries.

Pass `--collections 123,456,789` to dump only these collections and
their transitive `serdes-descendants`.

* enforce import order

* reorder all imports

* more import updates

* Rename DashboardCard `sizeX` and `sizeY` to `size_x` and `size_y` (#16344)

* Fix migration

* Fix MySQL/MariaDB

This is a simple expedient: convert our entities to a `(sorted-map)` before
passing them to the YAML writer!
This gives a consistent, platform-agnostic order between dumps.
(It might have already been fine, since it's based on Clojure's `hash`?)

* Add `serdes-descendants` for "containment" to serialize a subtree

This allows naming eg. a Collection and will recursively serialize: all
dashboards, cards and dashcards it contains directly, plus all child
collections and everything they contain.

Currently this words on Collection, Dashboard, DashboardCard, and Card.

* lint

* Switch to plural `extract-subtrees` with a list of `targets`

* use login-attributes when hash advanced field-values if sandbox use native query

* add a e2e test

* Add repro for #24966

Co-authored-by: Nemanja <31325167+nemanjaglumac@users.noreply.github.com>