clean up console_api endpoints

[davepacheco]

This change cleans up a few things in console_api.rs:

• Renames the endpoint functions with a consistent naming scheme. I found "login", "spoof_login", "consume_credentials", "login_redirect", etc. really confusing. Now, we have:
  • login_spoof_begin (gets the "spoof" login page) / login_spoof (accepts "spoof" creds and logs you in)
  • login_saml_begin (gets the SAML login page) / login_saml (accepts SAML creds and logs you in)
  • a future PR will add login_password_begin / login_password
  • login_redirect became login_begin. (All of these endpoints provide login-related redirects.)
• Most of the places where we were returning Response<Body>, we're now returning a more specific dropshot response type. We had to use Response<Body> previously because dropshot didn't have response types that supported setting headers or any of the 300-level status codes. Modern dropshot does have header support and add response types for various 300-level response codes dropshot#451 adds support for 300-level status codes. This in turn fixes a bunch of things:
  • The OpenAPI spec says what these endpoints return on success.
  • I was able to remove some TODOs and uncomment some of the oximeter metric stuff that had been commented out because it didn't work with returning Response<Body>.
  • We were previously returning 401 responses constructed by hand rather than automatically. This meant they could be generated differently than other 401s -- and they were. We currently expect (and verify in the test suite) that all 400-level and 500-level responses return a JSON error object with a known schema. These errors weren't doing that. That broke the test suite if you tried to call them.
• login_spoof now has the same success return code as login_saml (was 200 with no body, now 303 "See Other" redirecting to "/").
• logout used to return a 200 with no content. That's now a 204.
• We were using "302 Found" to respond to a POST when we want the client to GET the redirect URL. That's not right -- "303 See Other" is for this. (TIL)
• I added oximeter metrics to a bunch of endpoints that didn't have them before.

Some notes:

• In a few places, we were previously clearing the cookie in an error case (returning a 401) and now aren't. I talked this over with @david-crespo and we couldn't think of a reason this should be necessary. (This change is currently necessary because dropshot doesn't support setting headers on error responses.)
• The 302s that remain here should probably be 307s, per the same doc linked above. This didn't seem worth breaking the console or other clients.

Heads up @karencfv @david-crespo @zephraph because of the breaking changes here:

• OpenAPI operation names have changed.
• Successful POST to the login endpoints now returns 307, not 302 or 200.

Open tasks:

• blocked on add response types for various 300-level response codes dropshot#451
• update workspace-level Cargo.toml to remove local dropshot patch and update omicron-nexus's dropshot dependency

[davepacheco]

The dropshot change is ready to land, so this is now ready for review. (Leaving it "draft" so I don't accidentally merge it.)

[ahl]

This is great; thanks for doing this.

[davepacheco]

CC @david-crespo

[david-crespo]

Looks great, thanks