Consider namespace bans for Duo root_group_ids

What does this MR do and why?

This MR considers NamespaceBans and filters out the root_group_ids that the user belongs to if the user is banned in that root group.

References

Database

  1. PostgresAI link: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/39234/commands/120734

    Time: 0.500 ms
      - planning: 0.459 ms
      - execution: 0.041 ms
        - I/O read: 0.000 ms
        - I/O write: 0.000 ms
    
    Shared buffers:
      - hits: 5 (~40.00 KiB) from the buffer pool
      - reads: 0 from the OS file cache, including disk I/O
      - dirtied: 0
      - writes: 0
  2. NamespaceBans are only for root_namespace_ids. And we are querying those for a single user.

How to set up and validate locally

  1. Start the console on SaaS - .com mode with: GITLAB_SIMULATE_SAAS=1 gdk rails c

    Gitlab.com? # true
    Feature.enable(:allow_duo_base_access) # true
    
    # destroy any existing add_on_purchases for clean slate
    GitlabSubscriptions::AddOnPurchase.destroy_all
    
    # create Duo Nano add-on record if it does not already exist
    add_on = GitlabSubscriptions::AddOn.find_or_create_by!(name: "duo_core") {|e| e.description = "Test" }
    
    # get the root namespace you want to assign add-on to
    namespace = Group.where(parent_id: nil).last 
    # enable the settings
    namespace.update!(duo_core_features_enabled: true)
    
    # create add-on purchase record
    GitlabSubscriptions::AddOnPurchase.create!(add_on: add_on, started_at: Time.now, expires_on: 1.year.from_now, quantity: 10, purchase_xid: 'A-12345', namespace_id: namespace.id, organization_id: namespace.organization.id)
    
    # find a test user who is NOT already a GROUP OWNER of the namespace above
    user = User.human.first(2).last # @zoe_rowe
    namespace.add_developer(user) # add the user as developer for the namespace
    
    # refresh Cache for the billable root method
    User.clear_group_with_ai_available_cache(user.id)
    # query the method
    user.billable_gitlab_duo_pro_root_group_ids
    # => [1000000]
    
    user.allowed_to_use(:duo_chat) # true
    # => #<struct Ai::UserAuthorizable::Response allowed?=true, namespace_ids=[1000000], enablement_type="add_on", authorized_by_duo_core=true>
    
    # perform the NamespaceBan
    ::Namespaces::NamespaceBan.create!(user_id: user.id, namespace_id: namespace.id)
    
    # refresh Cache for the billable root method
    User.clear_group_with_ai_available_cache(user.id)
    
    # query the method
    user.billable_gitlab_duo_pro_root_group_ids # empty array
    # => []
    user.allowed_to_use(:duo_chat) # false
    # => #<struct Ai::UserAuthorizable::Response allowed?=false, namespace_ids=[], enablement_type=nil, authorized_by_duo_core=false>

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Bishwa Hang Rai
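
Added example, not part of the MR and not GitLab's code: a standalone Ruby model of the behaviour validated above, where root groups in which the user is banned are dropped from the Duo-eligible list, and a cached result stays stale until it is cleared. The class, its method names and the IDs are hypothetical and constructed for illustration.

```ruby
require "set"

# Standalone model, NOT GitLab code. All names and IDs here are hypothetical.
class DuoEligibility
  def initialize
    @memberships = Hash.new { |h, k| h[k] = Set.new } # user_id => root group ids
    @duo_groups  = Set.new                            # root groups with an active add-on
    @bans        = Set.new                            # [user_id, root_group_id] pairs
    @cache       = {}                                 # user_id => cached eligible ids
  end

  def add_member(user_id, group_id)
    @memberships[user_id] << group_id
  end

  def purchase_add_on(group_id)
    @duo_groups << group_id
  end

  def ban(user_id, group_id)
    @bans << [user_id, group_id]
  end

  def clear_cache(user_id)
    @cache.delete(user_id)
  end

  # Eligible = user is a member, the root group has the add-on,
  # and the user is not banned in that root group. The result is cached per user.
  def eligible_root_group_ids(user_id)
    @cache[user_id] ||= (@memberships[user_id] & @duo_groups)
      .reject { |gid| @bans.include?([user_id, gid]) }
      .sort
  end

  # Access is granted only while at least one eligible root group remains.
  def allowed?(user_id)
    eligible_root_group_ids(user_id).any?
  end
end

if __FILE__ == $PROGRAM_NAME
  model = DuoEligibility.new
  [1000, 2000].each { |gid| model.add_member(1, gid); model.purchase_add_on(gid) }
  model.eligible_root_group_ids(1)       # warms the cache
  model.ban(1, 1000)
  p model.eligible_root_group_ids(1)     # cached value, ban not yet reflected
  model.clear_cache(1)
  p model.eligible_root_group_ids(1)     # recomputed with the ban applied
end
```

A ban in one root group removes only that group; the user stays authorized while another unbanned root group with the add-on remains.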
