We have already had support for server authentication based on custom
certificates. This change adds support for authenticating the client
based on custom client key and certificate.

* Adjust JWT and SAML fetch-and-update user to save new attributes

Before this change, JWT/SAML logins would attempt to update attributes, but never considered the first-name or
last-name attributes.

* Attempts to fix tests to prevent pulluting test users with "Unknown"

* No deleting users.

* Unit tests checking that first/last names are updated for SSO users

When an SSO user is first logged in, they might not have first_name and/or last_name keys. This is allowed, but the
names will be "Unknown" in the app-db. Subsequently, a User may log in again with SSO but have fisrt/last name
attributes, which should update the Metabase user data in the app-db.

These unit tests set up such a scenario to check that the :first_name and :last_name keys are indeed updated.

* Adjust Enterprise LDAP to also use SSO-UTILS

Trying to unify the LDAP implementation with JWT/SAML a bit here.

* Lint error

* Reverting LDAP ns changes to get the PR unstuck

This is to keep the ball rolling on SSO fixes. I'll add LDAP as an item in the Epic to address this separately.

* fix ldap requires uid to do group sync

* fix ee test

* fix failed to sync admin group

* address noah's comments and add migration script

* document for run-with-data-migration-index

* update comments

* fix name space

* adding data_migrations tests

* add docg

* make sure we don't remove admin group if sso and ldap are not configured

* fix tests for be-ee

* fix tests for oss

* misc docs updates

* remove data-migration-index

* return some newlines

* is it failling here?

* update data_migration docs

* update data_migration docs

* fix all styling comments

* make migration to run both in oss and enterprise and make sure the tests are accounted for that

* fix failed namespace checks

* Add a comment to the test

* fix per comments

* Update permissions.clj

* tweaking with the  icon

* refactor with-temporary-raw-setting-values

* update comments

* Add extension for cert file

* address Noah's comments

* Enable Postgres driver to use secrets for configuring SSL parameters

Adding secret related properties for SSL options to Postgres driver

Move `conn-props->secret-props-by-name` to secret.clj since it's needed directly there, too

Add `us-east-2-bundle.pem` to `test-resources/certificates` for testing Postgres with SSL connectivity to our RDS instance (and a README.md explaining how it differs from the existing `ssl` directory)

Updating `value->file!` to have better logic for building the error message when the existing file is not found (for better UX from the Database admin page)

Updating frontend to support the `visible-if` value being an array, in which case any value may match the current details value, in order for that field to be visible

Adding secret related properties for SSL options to Postgres driver

Updating CircleCI config.yml to refer to the RDS instance when running Postgres SSL test

Implement server side expansion of transitive visible-if dependency chain

Update shouldShowEngineProvidedField on client to consider multiple key/value pairs in the visible-if map, and only show the field if ALL are true

Adding new test to confirm transitive visible-if resolution, and cycle detection

Add Cypress test for SSL field visibility

`org.apache.sshd` requires `net.i2p.crypto/eddsa` dependency
to work with ED25519 keys.

This worked in 0.40 because `eddsa` was included as a transitive
dependency of another unrelated dependency (`buddy`) but stopped
working in 0.41 because the new version of `buddy` no longer depends
on `eddsa`. Thus, we must explicitly include the dependency.

To prevent this from breaking again, switched one of the test
keys to an ED25519 key.

* Fix some Eastwood failures

* Fix a lot of Eastwood errors now that it runs against test namespaces [ci skip]

* Run Eastwood against test namespaces [WIP]

* Bump Eastwood version to fix some errors in Eastwood itself

* Fix another lint warning

* Fix test failure

* More test fixes 

* Fix all the warnings!

* Test fix 

* Bump Eastwood GH action timeout to 20 minutes (!)

* adapt ldap test helpers to be able to test AD memberOf attribute

* fix ldap search to handle memberOf attributes with a single group

* use one-or-many instead of if statement

* fix tests

* Implement ssh tunnel reconnection

From the connection-with-timezone method of execute, check whether an ssh tunnel that should be open actually is not, and if so, mark the entire pool as invalid (thereby forcing the connection code to rebuild the source and open a new tunnel)

Fixing the create-pool! function so that the relevant ssh tunnel entries are kept (in addition to the :datasource)

Adding test in ssh-test namespace, which will test that the tunnel is reestablished (for now, running with Postgres driver)

* Responding to PR feedback from Dan

* Fixing test by adding AcceptAllForwardingFilter forwardingFilter to the mock password server instance

* Change with-driver to test-driver

* Add ssh tunnel reconnect test that can run against H2

* Implement ssh tunnel reconnection

From the connection-with-timezone method of execute, check whether an ssh tunnel that should be open actually is not, and if so, mark the entire pool as invalid (thereby forcing the connection code to rebuild the source and open a new tunnel)

Fixing the create-pool! function so that the relevant ssh tunnel entries are kept (in addition to the :datasource)

Adding test in ssh-test namespace, which will test that the tunnel is reestablished (for now, running with Postgres driver)

* Responding to PR feedback from Dan

* Fixing test by adding AcceptAllForwardingFilter forwardingFilter to the mock password server instance

* Rebase again to fix merge conflict

* Change test-driver to with-driver in hopes of making CodeCov finally happy

* Adding new multimethod to ssh namespace, called incorporate-ssh-tunnel-details, for accounting for the

Implementing incorporate-ssh-tunnel-details for h2 so update the URI string (:db key) to point to the tunnel entry point

Pulled logic for :sql-jdbc implementation of connection-with-timezone out to a new fn, so it can be called elsewhere

Updating H2 reconnection test imn light of the changes above

Added "!" suffix to name of include-ssh-tunnel to reflect the fact that it does modify global state

* Fixing NPE in incorporate-ssh-tunnel-details implementation for :h2

Moving multimethod declaration for incorporate-ssh-tunnel-details to driver namespace

* Fix :h2 implementation again

* Remove another errant extra line :(

* Rebase onto master

* Inline the private helper fn back into connection-with-timezone

* Remove dead code

* Quick sync

* Try reducing -Xmx for :ci profile a bit to prevent random test failures

* Update quick sync parameter name

* Update docstring for dataset

* Fix sync-database! schema

* Fix schema again

* Test fix 

* Fix noisy logs in tests

* Fix lint error

* Fix Google driver build [ci bigquery]

* Tweak chain filter tests

* Fix i18n tag

* Fix database sync test (maybe)

* Add u/decolorize for latest JUnit output tweak

* Fix 

* Test fix 

* Upgrade to log4j 2.13.3

Upgrades us to newer Log4j

Resolves #12719

* fixing reflection warnings

* reflection warning on test

* make tests work

took a while to figure out how to configure log4j properly
programatically - it's not as easy as log4j 1

add logging adapters for commons-logging, slf4j, liquibase, etc so that
all logging routes through log4j2 now

* appease the linters

* okay cljr-clean-ns makes this line too long, I get it

* add log4j2.xml config for Cypress tests

* update log4j configuration file documentation

update which flag is used by the backend tests

[ci all]

* update cheshire because clj-http updated

* Wire up the metabase-appender to Log4j2

This was brutal to figure out - log4j usually silently fails, so it took
finding the right combination of configuration settings and system
properties to get it to log enough to find out why the appender was
never invoked.

* Fix Slack integration

* metabase.pulse-test cleanup  

* Fixes 

* Lint fix 

This will allow the user to specify the server's certificate chain (the
public CA certs) or the server's private key if it's a self-signed cert
with no CA.

Resolves #3877

[ci mongo]

Adding SSH key support

Adding ssh key support (with passphrases)

The JSch library does not support ED25519 keys, that are the default as
of OpenSSH 7.8, but the Apache Mina SSHD library does.

Adds a end-to-end test of ssh port forwarding via a simple echo server.

[ci drivers]

Co-authored-by: Franklin Strube <thedoc8786@gmail.com>
Co-authored-by: hbc <bcxxxxxx@gmail.com>
Co-authored-by: Daniel Higginbotham <daniel@flyingmachinestudios.com>
Co-authored-by: Paul Rosenzweig <paul.a.rosenzweig@gmail.com>
Co-authored-by: Kyle Doherty <kyle.l.doherty@gmail.com>

* Metabase© Joins 2.0™ improvements  
[ci drivers]

[ci drivers]

Currently i18n'd strings that are defined at compile time only return
english text. This occurs with both system and user locale
strings. For system locale, the locale can be changed via setting, so
we can't rely on the JVM locale on startup to be correct as it may
have changed. For the user locale, it could be different for every
request.

This commit adds two new `tru` and `trs` macros that have the same
name as the `puppetlabs.i18n.core` macros (and thus will be extracted
similarly) but will return a defrecord with a `toString` method. This
delays the conversion of the english text to the translated text until
`str` is invoked. All of the code hasn't been flipped to use the new
i18n macros yet, but this gets it in place and tested for the rest of
the application to be migrated to.

Fixes #8245