- Added saml, authentiq, cas3, and auth0
- Crowd seems to be a special case that will be handled separately.

- There was previously a test for `saml` login in `login_spec`, but this didn't
  seem to be passing. A lot of things didn't seem right here, and I suspect that
  this test hasn't been running. I'll investigate this further.

- It took almost a whole working day to figure out this line:

    OmniAuth.config.full_host = ->(request) { request['REQUEST_URI'].sub(request['REQUEST_PATH'], '') }

  As always, it's obvious in retrospect, but it took some digging to figure out
  tests were failing and returning 404s during the callback phase.

- Test all OAuth providers - github, twitter, bitbucket, gitlab, google, and facebook

- Pass a `remember_me` query parameter along with the initial OAuth request, and
  pick this parameter up during the omniauth callback from
  request.env['omniauth.params']`.

- For 2FA-based login, copy the `remember_me` param from `omniauth.params` to
  `params`, which the 2FA process will pick up.

- For non-2FA-based login, simply call the `remember_me` devise method to set
  the session cookie.

[EE] Create and use project path helpers that only need a project, no namespace

See merge request !2336

[EE] Disable RSpec/BeforeAfterAll and enable RSpec/ImplicitExpect cops

See merge request !2305

Geo: Migrated checks to SystemChecks

See merge request !2331

[ci skip]

[ci skip]

Use trigger(:click) instead of trigger to avoid a weird transient bug

Closes #2843

See merge request !2340

Environment-specific variables

Closes #2302

See merge request !2112

Revert "Merge branch '18000-remember-me-for-oauth-login-ee' into 'master'"

See merge request !2345

Add a license check for group-webhooks

Closes #2576

See merge request !2280

This reverts merge request !2175

Fix spec failure for squash in progress error handling

See merge request !2343

Fixed admin sidebar not showing all options in new navigation

See merge request !2334

Port of 32838-admin-panel-spacing to EE

See merge request !2264

Show loading icon when retrieving Geo node status

Closes #1977

See merge request !2309

Resolve EE conflicts for "Fix API Scoping"

See merge request !2338

Similar to how we check project features.

- Hide the `webhooks` link from the group-settings page
- All group-webhooks-pages render a 404
- Don't execute webhooks if the feature is disabled

EE Port: Honor the "Remember me" parameter for OAuth-based login

See merge request !2175

Signed-off-by: Rémy Coutable <remy@rymai.me>

* ee/master: (25 commits)
  Introduce namespace license checks for Push Rules (EES)
  Use a named subject in `models/ee/board_spec.rb`
  Hide the milestone variable on board when the feature is disabled
  Hide the milestone in the API when the feature is not available
  Don't update milestones on boards if the feature is not available
  Hide editing/creating milestones from the board UI
  Add `issue_board_milestone` feature to license
  Split Projects:Settings::RepositoryController into CE and EE sections
  Refactor Projects::CreateService and specs to make EE-only code clearer
  Fix EE conflicts for "Allow unauthenticated access to the `/api/v4/users` API"
  Introduce namespace license checks for merge request approvers (EES)
  Remove an unnecessary "included do ... end" block in app/models/concerns/approvable.rb
  Raise an error if an unknown feature is passed to stub_licensed_features
  Don't show Issue/MR template Setting if feature not available
  Only set MR description from template when feature available
  Only set issues template from setting if feature available
  Add Issuable Default Template feature to License
  Update CHANGELOG.md for 9.3.4
  Update CHANGELOG-EE.md for 9.3.4-ee
  Hide `Focus mode` on issue boards
  ...

- There were conflicting changes in `master` that were fixed in
  94258a65. This made rebasing the commits from gitlab-ce!12300
  problematic, due to conflicts.

- Instead, I squashed all !12300 commits into a single commit, and
  cherry-picked that onto 33580-fix-api-scoping-ee, which resulted
  in this commit.

Original commit messages below
==============================

Initial attempt at refactoring API scope declarations.

- Declaring an endpoint's scopes in a `before` block has proved to be
  unreliable. For example, if we're accessing the `API::Users` endpoint - code
  in a `before` block in `API::API` wouldn't be able to see the scopes set in
  `API::Users` since the `API::API` `before` block runs first.

- This commit moves these declarations to the class level, since they don't need
  to change once set.

Allow API scope declarations to be applied conditionally.

- Scope declarations of the form:

    allow_access_with_scope :read_user, if: -> (request) { request.get? }

  will only apply for `GET` requests

- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
  test for this case in the `AccessTokenValidationService` unit tests.

Test `/users` endpoints for the `read_user` scope.

- Test `GET` endpoints to check that the scope is allowed.
- Test `POST` endpoints to check that the scope is disallowed.
- Test both `v3` and `v4` endpoints.

When verifying scopes, manually include scopes from `API::API`.

- They are not included automatically since `API::Users` does not inherit from
  `API::API`, as I initially assumed.

- Scopes declared in `API::API` are considered global (to the API), and need to
  be included in all cases.

Test OAuth token scope verification in the `API::Users` endpoint

Add CHANGELOG entry for CE MR 12300

Fix remaining spec failures for !12300.

1. Get the spec for `lib/gitlab/auth.rb` passing.

  - Make the `request` argument to `AccessTokenValidationService` optional -
  `auth.rb` doesn't need to pass in a request.

  - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
  is what `AccessTokenValidationService` now expects.

2. Get the spec for `API::V3::Users` passing

2. Get the spec for `AccessTokenValidationService` passing

Implement review comments from @dbalexandre for !12300.

Implement review comments from @DouweM for !12300.

- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`

- Refactor the "remove scopes whose :if condition returns false" logic to use a
  `select` rather than a `reject`.

Extract a `Gitlab::Scope` class.

- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.

`AccessTokenValidationService` accepts `String` or `API::Scope` scopes.

- There's no need to use `API::Scope` for scopes that don't have `if`
  conditions, such as in `lib/gitlab/auth.rb`.

Fix build for !12300.

- The `/users` and `/users/:id` APIs are now accessible without
  authentication (!12445), and so scopes are not relevant for these endpoints.

- Previously, we were testing our scope declaration against these two methods.
  This commit moves these tests to other `GET` user endpoints which still
  require authentication.

Check license for milestones on issue boards

Closes #2568

See merge request !2315

Introduce namespace license checks for Push Rules (EES)

Closes #2573

See merge request !2335

Clarify when Code Quality shows in MR widget

Closes #2782

See merge request !2298

Namespace license checks Issue & MR template

Closes #2580

See merge request !2321