Breaking date values into parts should happen in the time zone expected by the user and the construction of the
truncated date should happen in the same timezone. This is especially important when the difference between the
expected timezone and UTC is not an integer number of hours and the truncation resolution is hour. (See #11149).

* Dashboard Card String Filters are now case-insensitive

This PR is a draft because while it solves the problem of string filters being case sensitive, it doesn't necessarily
do it in the best way.

This isn't necessarily
a bug, but it seems that there is no way for the frontend to set the :case-sensitive true/false option anyway.

For the purposes of this initial attempt at a solution, I have modified the endpoint
` POST "/:dashboard-id/dashcard/:dashcard-id/card/:card-id/query"` to automatically include an option map containing
:case-sensitive false.

The machinery to take this option into consideration already exists with the default :sql ->honeysql function in the `
metabase.driver.sql.query-processor` namespace. See the `like-clause` private function in particular.

Since the query processor is a bit opaque to me at present, I was unable to figure out if there is a proper way that
the frontend could send an options map (or key-value pair) all the way through the qp middleware to the query building
stage. I discovered that if you conj a map `{:case-sensitive false}` to the output of the `to-clause` function in
`metabase.driver.common.parameters.operators`, you will get the desired case-insensitive behavior. So, I modified the
to-clause function in this PR to appropriately conj an options map if one exists.

What I'd like to know:

- is there a super-simple way to pass an option in already that I just missed? (eg. I thought perhaps in the `[:field
13 nil]` that 'nil' could be an options map, but I couldn't get that to work for me)

- is there a middleware approach that I should consider?

- any other options to appropriately hanlde this?

* Revert the endpoint.

If the frontend sends an options map on an options key inside the parameter, this endpoint will pass that on, so no
change is needed.

* include parameter options in datasetQuery

Co-authored-by: Adam James <adam.vermeer2@gmail.com>

* Fix SSH tunnel leaks when testing connections

* Appease kondo =(

* Add some more NOTES

These fields hold JSON, which can contain field IDs in a few places.

Particularly nasty is the `:column_settings` subfield, which is a map
whose *keys* are JSON strings with field IDs.

See https://github.com/metabase/metabase/issues/22867 for context.

If you click "view sql" on a cached model you see the substituted query
rather than the "real" query.

The query based on cache:

```sql
SELECT "source"."login" AS "login", "source"."count" AS "count"
FROM (select "login", "count" from "metabase_cache_e449f_19"."model_4112_issue_assi") "source"
LIMIT 1048575
```

The real underlying query:

```sql
SELECT "source"."login" AS "login", "source"."count" AS "count"
FROM (SELECT "github_raw"."issue_events__issue__assignees"."login" AS "login", count(*) AS "count" FROM "github_raw"."issue_events__issue__assignees"
GROUP BY "github_raw"."issue_events__issue__assignees"."login"
ORDER BY "count" DESC, "github_raw"."issue_events__issue__assignees"."login" ASC) "source"
LIMIT 1048575
```

If you click the "convert to sql question" you will end up with a sql
question that is not based on the original question but the Metabase
managed table.

* Update hasPermissionsToMap to check for existence of dataset_query

* Add check to mapping-options fn, too

* Add repro for #24536

* Uncomment and enable the repro

Co-authored-by: Nemanja <31325167+nemanjaglumac@users.noreply.github.com>

* set CookieSpecs/STANDARD on Apache HttpClient for Snowplow

* add a comment in the code pointing to the PR

* set cookie spec via RequestConfig instead

* notes from Luiz

* refresh cache

* typo

* rewrite here...

* no bq

* thinking

* conjunction of alias thing...

* make sure we dont wanna see it

* nit

* multi-arity func

* fiddly bit on test

* add bit to see order by works right

* no default breakout true

This PR handles the other JSON-encoded MBQL snippets I was able to find.

These snippets contain `Table` and `Field` IDs, and so are not portable. These
fields are expanded during serialization and the IDs replaced with portable
references, then converted back in deserialization.

Note that the referenced field must already be loaded before it has a valid ID.
`serdes-dependencies` defines this order, therefore each entity depends on those
tables and fields referenced in its MBQL fragments.

The complete set of fields I found to convert:

- `Metric.definition`
- `Segment.definition`
- `DashboardCard.parameter_mappings`
- `Card.parameter_mappings`

* change implementation of `split-on-tags` to avoid using lookaround

* fix regex

* Remove deprecated friend library

- friend has two functions we used: bcrypt and bcrypt-verify. Easy to
lift them into our own namespace with attribution
- uses simple interop on org.mindrot.jbcrypt.BCrypt to achieve these
- also brings in other stuff we don't need

```
com.cemerick/friend 0.2.3
  X org.mindrot/jbcrypt 0.3m :use-top <- all we care about
  X org.clojure/core.cache 0.6.3 :superseded
    X org.clojure/data.priority-map 0.0.2 :parent-omitted
  . org.openid4java/openid4java-nodeps 0.9.6
    X commons-logging/commons-logging 1.1.1 :older-version
    . net.jcip/jcip-annotations 1.0
  . com.google.inject/guice 2.0
    . aopalliance/aopalliance 1.0
```

And we already declare a dependency on 0.4 of this lib

```
org.mindrot/jbcrypt 0.4
```

This means we can remove openid4, google.inject/guice, aopalliance, etc
and just keep using the same `BCrypt` java class we have been using this
whole time. Behavior and classfiles are identical. So very low risk

Want to call out a use of

```clojure
    (when-not api/*is-superuser?*
      (api/checkp (u.password/bcrypt-verify (str (:password_salt user) old_password) (:password user))
        "old_password"
        (tru "Invalid password")))
```

This has the same signature of an existing function in `u.password/verify-password`:

```clojure
(defn verify-password
  "Verify if a given unhashed password + salt matches the supplied hashed-password. Returns `true` if matched, `false`
  otherwise."
  ^Boolean [password salt hashed-password]
  ;; we wrap the friend/bcrypt-verify with this function specifically to avoid unintended exceptions getting out
  (boolean (u/ignore-exceptions
             (bcrypt-verify (str salt password) hashed-password))))
```

I did not replace it in this PR so that the diff is essentially
`creds/<fn>` -> `u.password/<fn>` and very easy to structually see what
is going on.

But totally makes sense to clean up the usages of these in another pass

* sort ns

* simple tests