Works by looking up browser sessions stored in Redis to see if the user
has any active SAML sessions for the group a resource belongs to.

When we are in a web request we use the current session.
Outside of web requests we check for background sessions.

- policies fixed
- schema updated
- Groups::UpdateService to handle params
- form added
- validate subnet, top-level group, and group presence
- ability to combine multiple IpRestriction removed
- avoid saving previous IP address in IpAddressState
- avoid user namespaces
- specs added
- license check added

Alongside specs

This adds support for project maintainers setting the value of
commit_committer_check

This change supports the editing and deleting of vulnerability feedback
dismissal comments. It also supports adding a comment if one was not
supplied during the initial dismissal. For the backend this is all done
through the update action of the vulnerability feedback controller.

Request:
```
POST /*namespace_id/:project_id/-/feature_flags_client/reset_token
```

Response:
```
{
  "token" => "new-token-value"
}
```

Adds a check to ProjectPolicy to ensure that there is an active
SAML session when SSO is being enforced.

Builds upon changes in GroupPolicy, but because so many policies
delegate to ProjectPolicy there is much more impact from this MR.

Split into separate, fine grained permissions

The policy `read_prometheus_alerts` already makes sure that the user has
at least maintainer access.

Add some missing specs to cover unprivileged access.

Stop preventing `internal` users from using quick actions and just
prevent the support bot from using them.

...instead of EEExternalAuthorizationServiceHelpers

We recently changed the permission model to disallow guests to
read Releases. The spec should be updated as well according to
the expectation.

Signed-off-by: Rémy Coutable <remy@rymai.me>

- Deletes EE html specific view
- Overrides private methods on ClusterableActions
- Add ee specific specs

This tests permissions when repository is disabled

Closes #6786

Log access to a classification label and project when External Policy
Control is enabled.

When enabling this feature without a URL, all cross project features
will remain accessible and no requests will be made.

A classification label can still be specified for projects and will be
shown on all project pages.

When this feature is enabled, users will not be able to see any cross
project references.

When a user tries to view a project we will first validate if the user
has access to the classification label assigned to the project.

When no classification label is assigned to a project, a default label
is used. This default can be defined in the settings.

Signed-off-by: Rémy Coutable <remy@rymai.me>

Renames remote_mirror_available to mirror_available to not only incorporate push mirrors but pull mirrors as well.