Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users

fixes #19479, #10587, #19500 - two pane notifications are visible

- notification is now inside the content div, allowing two-pane server
responses to include it.
- refactored all notifications to use notification helpers (notice,
warning and error) instead of direct flash manipulation...

Fixes #19417 - Safely check params for nested keys

Fixes #19125 - Add description to hostgroup

Fixes #19148 - Add description field to subnets

fixes #19035 - rewrite TopbarSweeper without rails-observers

Moves from the observer object into two mixins, one on the model and one
on the top-level controllers to observe creates/updates/destroys on
monitored models. Replaces rails-observers as it lacks Rails 5 support.

Fixes #18948 - correctly relogin user with SSO sessions

fixes #18476 - users have ssh keys

Fixes #18760 - Allow export to CSV

This introduces a way of exporting tables from the UI to CSV.
There are 3 steps to adding a CSV export to a table:

1. Add the CsvResponder concern to the relevant controller.
2. Add a `format.csv` block to the index controller action. This block...

fixes #18665 - call #to_h before comparing AC::Parameters to hash

Allows comparisons when ActionController::Parameters is separated from
Hash in Rails 5.0. #permit! is now called on inner hashes sent through
KeepParam (similar to rails/rails@e86524c in 5.1) so they are included...