Fix GraphQL pipeline findings pagination

What does this MR do and why?

Fix GraphQL pagination on the pipeline.securityReportFindings resolver.

This requires some fairly in depth reworking explained below:

Rework of SecurityFindingsFinder#limit calculation

This finder was implemented for a REST endpoint where pagination is implemented with page and per_page parameters. It uses offset pagination currently (conversion to keyset is planned). Because of this the pagination boundaries (OFFSET) always fall on equal divisions of per_page size.

                     REST pagination

      page:1 per_page:10           page:2 per_page:10
|----------------------------|-----------------------------|----
 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 ..

The GraphQL cursor based pagination can use arbitrary offsets using first or last arguments to specify page size and before or after to determine the offset

                     GQL pagination

                         first:12 after:5
               |----------------------------------|
 1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 ..

The Security::FindingsFinder has undergone extensive customization over time to make it perform acceptably with large data sets. To facilitate this the finder needs to know some information about the current pagination position. Previously it was using the page and per_page parameters from the REST endpoint to determine this, but with this change it has needed to be modified.

Getting pagination information from the GQL resolver

The default GraphQL connection implementation removes the pagination arguments before calling resolve, so the pagination params are not available by default. Using connection_extension: ::Gitlab::Graphql::Extensions::ExternallyPaginatedArrayExtension works around this.

Once these arguments are available they require some manipulation to read. The first and last arguments are plain integers, but before and after are base64 encoded strings. Usually they contain encoded JSON with the keyset pagination parameters, but when using offset_paginate before and after contain the base64 encoded first and last id of the returned record set.

Steps to reproduce

Ensure you have EE features and pipeline runners available on your GDK.

• git switch master
• Clone https://gitlab.com/gl-demo-ultimate-myacksmith/482983-test-group/graphql-vulnerability-findings-test into your GDK
• In rails console set the feature flag to use GraphQL instead of REST on the pipeline security tab Feature.enable(:pipeline_security_dashboard_graphql)
• Once the project's pipeline has completed, visit 'Pipeline -> Security'
• The 'Scan details' section should show a count of 164 vulnerabilities'
• Paginate through the vulnerability list. The full list of findings is not shown.
• git switch 441306-security-report-finding-pagination
• You should now be able to paginate through all of the findings.

Related to #441306 (closed)

ee/spec/requests/api/vulnerability_findings_spec.rb

@@ -63,14 +63,14 @@
 
       it 'returns all non-dismissed vulnerabilities', :aggregate_failures do
         # all findings except one that was dismissed
-        finding_count = (sast_report.findings.count + ds_report.findings.count - 1).to_s
+        finding_count = (sast_report.findings.count + ds_report.findings.count - 1)
 
         get api(project_vulnerability_findings_path, user), params: pagination
         expect(response).to have_gitlab_http_status(:ok)
-        expect(response).to include_pagination_headers
+        expect(response).to include_limited_pagination_headers
         expect(response).to match_response_schema('vulnerabilities/finding_list', dir: 'ee')
 
-        expect(response.headers['X-Total']).to eq finding_count
+        expect(json_response.count).to eq finding_count
 
         expect(json_response.map { |v| v['report_type'] }.uniq).to match_array %w[dependency_scanning sast]
       end
@@ -109,13 +109,13 @@
 
       describe 'filtering' do
         it 'returns vulnerabilities with sast report_type', :aggregate_failures do
-          finding_count = (sast_report.findings.count - 1).to_s # all SAST findings except one that was dismissed
+          finding_count = (sast_report.findings.count - 1) # all SAST findings except one that was dismissed
 
           get api(project_vulnerability_findings_path, user), params: { report_type: 'sast' }
 
           expect(response).to have_gitlab_http_status(:ok)
 
-          expect(response.headers['X-Total']).to eq finding_count
+          expect(json_response.count).to eq finding_count
 
           expect(json_response.map { |v| v['report_type'] }.uniq).to match_array %w[sast]
 
@@ -125,13 +125,13 @@
         end
 
         it 'returns vulnerabilities with dependency_scanning report_type', :aggregate_failures do
-          finding_count = ds_report.findings.count.to_s
+          finding_count = ds_report.findings.count
 
           get api(project_vulnerability_findings_path, user), params: { report_type: 'dependency_scanning' }
 
           expect(response).to have_gitlab_http_status(:ok)
 
-          expect(response.headers['X-Total']).to eq finding_count
+          expect(json_response.count).to eq finding_count
 
           expect(json_response.map { |v| v['report_type'] }.uniq).to match_array %w[dependency_scanning]
 
@@ -147,13 +147,13 @@
         end
 
         it 'returns dismissed vulnerabilities with `all` scope', :aggregate_failures do
-          finding_count = (sast_report.findings.count + ds_report.findings.count).to_s
+          finding_count = (sast_report.findings.count + ds_report.findings.count)
 
           get api(project_vulnerability_findings_path, user), params: { scope: 'all' }.merge(pagination) # rubocop:disable Performance/CollectionLiteralInLoop
 
           expect(response).to have_gitlab_http_status(:ok)
 
-          expect(response.headers['X-Total']).to eq finding_count
+          expect(json_response.count).to eq finding_count
         end
 
         it 'returns vulnerabilities with low severity', :aggregate_failures do
@@ -186,13 +186,13 @@
 
         context 'when pipeline_id is supplied' do
           it 'returns vulnerabilities from supplied pipeline', :aggregate_failures do
-            finding_count = (sast_report.findings.count + ds_report.findings.count - 1).to_s
+            finding_count = (sast_report.findings.count + ds_report.findings.count - 1)
 
             get api(project_vulnerability_findings_path, user), params: { pipeline_id: pipeline.id }.merge(pagination)
 
             expect(response).to have_gitlab_http_status(:ok)
 
-            expect(response.headers['X-Total']).to eq finding_count
+            expect(json_response.count).to eq finding_count
           end
 
           context 'pipeline has no reports' do