Step-up auth: Add development seed file for testing

What does this MR do and why?

Creates a seed file that generates a group and project structure for testing step-up authentication scenarios. The seeder creates a hierarchy that covers different step-up auth configurations to facilitate manual testing and development.

Structure created:

  • step-up-auth-testing (public root group)
    • no-step-up-auth-subgroup (private, no step-up auth)
      • test-project-without-step-up
    • step-up-auth-enabled-subgroup (private, step-up auth enabled)
      • inherited-no-step-up-auth-subgroup (inherits from parent)
        • test-project-with-inherited-step-up
    • step-up-auth-two-projects (private, step-up auth enabled)
      • test-project-alpha
      • test-project-beta

The seed validates that the openid_connect provider is configured with step-up auth for namespace scope before proceeding, and will raise an error with setup instructions if not configured.

Implementation details:

  • Follows best practices from existing seed files in db/fixtures/development/
  • Uses Gitlab::Seeder.log_message for consistent logging
  • Requires SEED_STEP_UP_AUTH=1 environment variable to execute, ensuring this seed file is not executed during regular bundle exec rake db:seed_fu runs
  • Supports CLEAN_STEP_UP_AUTH=1 to destroy and recreate all resources

🛠️ with ❤️ at Siemens

References

Screenshots or screen recordings

No UI changes

How to set up and validate locally

  • Ensure your OIDC provider is configured with step-up auth for namespace scope in gitlab.yml:
    omniauth:
      providers:
        - name: 'openid_connect'
          args:
            step_up_auth:
              namespace:
                id_token:
                  required:
                    acr: 'your-acr-value'
  • Run the seed file:
    FILTER=local_seed_step_up_authentication SEED_STEP_UP_AUTH=1 bundle exec rake db:seed_fu
  • Navigate to the step-up-auth-testing group in the UI
  • Verify the group structure was created correctly
  • Test step-up auth behavior on the protected subgroups
  • To clean and reseed:
    FILTER=local_seed_step_up_authentication SEED_STEP_UP_AUTH=1 CLEAN_STEP_UP_AUTH=1 bundle exec rake db:seed_fu

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)
Edited by Gerardo Navarro
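
An added example, not part of the merge request or GitLab's own code: a stand-alone Ruby check of the precondition the description mentions, run against a constructed copy of the gitlab.yml fragment shown above. The names `required_step_up_claims`, `preflight`, `seed_requested?` and `StepUpAuthNotConfigured` are hypothetical; only the key path and the `SEED_STEP_UP_AUTH=1` switch come from the description.

```ruby
require 'yaml'

# Constructed sample config, modelled on the gitlab.yml fragment in the description.
SAMPLE_CONFIG = <<~YAML
  omniauth:
    providers:
      - name: 'openid_connect'
        args:
          step_up_auth:
            namespace:
              id_token:
                required:
                  acr: 'your-acr-value'
      - name: 'github'
        args: {}
YAML

class StepUpAuthNotConfigured < StandardError; end

# Returns the required id_token claims for the given provider and scope,
# or raises with a hint that names the missing key path.
def required_step_up_claims(config, provider: 'openid_connect', scope: 'namespace')
  providers = config.dig('omniauth', 'providers') || []
  entry = providers.find { |p| p.is_a?(Hash) && p['name'] == provider }
  raise StepUpAuthNotConfigured, "provider '#{provider}' not found under omniauth.providers" unless entry

  claims = entry.dig('args', 'step_up_auth', scope, 'id_token', 'required')
  # An empty hash or blank claim values would never force a step-up, so reject them.
  unless claims.is_a?(Hash) && claims.any? { |_, v| !v.to_s.strip.empty? }
    raise StepUpAuthNotConfigured,
          "set omniauth.providers[#{provider}].args.step_up_auth.#{scope}.id_token.required (e.g. acr)"
  end
  claims
end

# Hypothetical opt-in gate mirroring the SEED_STEP_UP_AUTH=1 switch in the description.
def seed_requested?(env = ENV)
  env['SEED_STEP_UP_AUTH'] == '1'
end

# Skips unless explicitly requested; otherwise fails fast before anything is created.
def preflight(yaml_text, env = ENV)
  return :skipped unless seed_requested?(env)

  required_step_up_claims(YAML.safe_load(yaml_text))
  :ready
end

puts preflight(SAMPLE_CONFIG, { 'SEED_STEP_UP_AUTH' => '1' }) if $PROGRAM_NAME == __FILE__
```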
