Extends the permission of $CI_REGISTRY_USER to allow them
to delete tags in addition to just pushing.

https://gitlab.com/gitlab-org/gitlab-ce/issues/40096

Using the sed script from
https://gitlab.com/gitlab-org/gitlab-ce/issues/59758

Ensure correct behaviour when deploy tokens have the same username or
deploy token and user have the same username.

This new attribute is optional and used when set instead of the default
format `gitlab+deploy-token-#{id}`.

Empty usernames will be saved as null in the database.

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/50228.

Signed-off-by: NRémy Coutable <remy@rymai.me>

Also, fixes broken specs

Also:
- Changes scopes from serializer to use boolean columns
- Fixes broken specs

- Remove extra method for authorize_admin_project
- Ensure project presence
- Rename 'read_repo' to 'read_repository' to be more verbose

- When using 'read_repo' password and project are sent, so we used both
  of them to fetch for the token
- When using 'read_registry' only the password is sent, so we only use
  that for fetching the token

This will allow to download a repo using the token from the DeployToken

[10.3] Migrate `can_push` column from `keys` to `deploy_keys_project`

See merge request gitlab/gitlabhq!2276

(cherry picked from commit f6ca52d31bac350a23938e0aebf717c767b4710c)

1f2bd3c0 Backport to 10.3

Closes #37789

full_authentication_abilities. This is fine because
we're going to check with can?(..) anyway

Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true
Signed-off-by: NRémy Coutable <remy@rymai.me>

When sign-in is disabled:
 - skip password expiration checks
 - prevent password reset requests
 - don’t show Password tab in User Settings
 - don’t allow login with username/password for Git over HTTP requests
 - render 404 on requests to Profiles::PasswordsController

If internal auth is disabled and LDAP is not configured on the instance,
present the user with a message to create a personal access token if his
Git over HTTP auth attempt fails.

This is the first commit doing mainly 3 things:
1. create a new scope and allow users to use it
2. Have the JWTController respond correctly on this
3. Updates documentation to suggest usage of PATs

There is one gotcha, there will be no support for impersonation tokens, as this
seems not needed.

Fixes gitlab-org/gitlab-ce#19219

Use the EnforcedStyleForMultiline: no_comma option.
Signed-off-by: NRémy Coutable <remy@rymai.me>

- We currently support fetching code with username = 'oauth2' and
  password = <access_token>.
- Trying to _push_ code with the same credentials fails with an authentication
  error.
- There's no reason this shouldn't be enabled, especially since we allow the
  OAuth client to create deploy keys with push access:

  https://docs.gitlab.com/ce/api/deploy_keys.html#add-deploy-key

Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.