[BE] Restrict assignment and unassignment of security policy project for the CSP configuration

Why are we doing this work

When a group is assigned as CSP for the instance, we should restrict the reassignment or unassignment of the policy project for this group.

Changes in this group impact all projects in the instance, so we should minimize the surface area for potential performance impact on the whole instance.

Relevant links

Implementation plan

  • Add validation to ee/app/services/security/orchestration/assign_service.rb
  • Add validation to ee/app/services/security/orchestration/unassign_service.rb
  • Update ee/app/helpers/ee/security_orchestration_helper.rb so that can_update_security_orchestration_policy_project? returns false for a CSP group.
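The three guards from the plan above, as an added Ruby sketch that is not GitLab's own code: the Group and ServiceResponse stand-ins, the service constructors and the CSP_LOCKED message are assumptions, and only the behaviour (first assignment allowed, reassignment and unassignment of a CSP group refused) follows the issue.

```ruby
# Constructed stand-ins for the Group model and ServiceResponse (assumption, not GitLab code).
Group = Struct.new(:name, :csp, :security_policy_project, keyword_init: true) do
  def csp?
    csp == true
  end
end

ServiceResponse = Struct.new(:status, :message, keyword_init: true) do
  def success?
    status == :success
  end
end

CSP_LOCKED = 'The policy project of the CSP group cannot be changed'

# Mirrors the helper change: once a CSP group has a policy project, the UI must not offer to change it.
def can_update_security_orchestration_policy_project?(group)
  !(group.csp? && group.security_policy_project)
end

# Mirrors the AssignService validation: the first assignment (made when the first policy is
# created) succeeds; pointing a CSP group at a different project is rejected.
class AssignService
  def initialize(group, policy_project)
    @group = group
    @policy_project = policy_project
  end

  def execute
    current = @group.security_policy_project
    if @group.csp? && current && current != @policy_project
      return ServiceResponse.new(status: :error, message: CSP_LOCKED)
    end
    @group.security_policy_project = @policy_project
    ServiceResponse.new(status: :success)
  end
end

# Mirrors the UnassignService validation: a CSP group keeps its policy project.
class UnassignService
  def initialize(group)
    @group = group
  end

  def execute
    return ServiceResponse.new(status: :error, message: CSP_LOCKED) if @group.csp?
    @group.security_policy_project = nil
    ServiceResponse.new(status: :success)
  end
end
```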

Verification steps

  1. Verify only locally; CSP cannot be enabled on GitLab.com.
  2. Enable feature flag security_policies_csp
  3. Assign a group as CSP
  4. Create the first policy in the group and verify that this works
  5. Try to assign a different SPP for the group and verify that this is not possible
  6. Try to unassign the SPP from the group and verify that this is not possible
Edited by Martin Cavoj