Backport of 'Raise permission for test upstream endpoints'
What does this MR do and why?
This is a backport of !232113 (merged) to the 18-10-stable-ee branch. It is a security hardening fix that accompanies the read_virtual_registry custom role ability introduced in !231294 (merged).
The virtual registry test upstream endpoints (GET/POST /upstreams/:id/test and POST /groups/:id/-/upstreams/test) were previously authorized via :read_virtual_registry. These endpoints trigger outbound HTTP requests from the GitLab instance — the POST variants additionally accept user-supplied url, username, and password parameters. Once read_virtual_registry became assignable to minimal-access members (a much lower trust tier than Guest+), the population of users who could trigger these outbound requests expanded significantly beyond the intended scope.
This MR corrects the authorization on all test endpoints by raising the required ability from :read_virtual_registry to :update_virtual_registry (Maintainer+), which matches the operational intent of the test capability — it is a setup/debug tool, not a runtime package-resolution path. Read-oriented endpoints (list, show, cache reads) continue to use :read_virtual_registry and are unaffected.
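As an added illustration (not GitLab's code, and not the change in this MR), the following Ruby snippet models the authorization tightening described above with a tiny role-to-ability table and two endpoint-to-ability tables, one per state before and after the fix. The ability names and endpoint paths come from the description; the role names, the ability-to-role mapping and the helper function names are assumptions made for this example. It shows which roles can reach the outbound-request endpoints under each table, which is the check a reviewer would want to confirm when verifying the backport.

```ruby
# Added example, not GitLab's code. Role names and the ability-to-role
# mapping below are assumptions; ability names and endpoint paths are
# taken from the MR description.

ABILITIES_BY_ROLE = {
  minimal_access: [:read_virtual_registry],
  guest:          [:read_virtual_registry],
  maintainer:     [:read_virtual_registry, :update_virtual_registry]
}.freeze

# Authorization as it stood before the fix: every endpoint, including the
# ones that trigger outbound HTTP requests, required only the read ability.
ENDPOINT_ABILITY_BEFORE = {
  'GET /upstreams/:id'                => :read_virtual_registry,
  'GET /upstreams/:id/test'           => :read_virtual_registry,
  'POST /upstreams/:id/test'          => :read_virtual_registry,
  'POST /groups/:id/-/upstreams/test' => :read_virtual_registry
}.freeze

# Authorization after the fix: the test endpoints now require the update
# ability; read-oriented endpoints are unchanged.
ENDPOINT_ABILITY_AFTER = ENDPOINT_ABILITY_BEFORE.merge(
  'GET /upstreams/:id/test'           => :update_virtual_registry,
  'POST /upstreams/:id/test'          => :update_virtual_registry,
  'POST /groups/:id/-/upstreams/test' => :update_virtual_registry
).freeze

# The endpoints that make the GitLab instance issue outbound requests.
OUTBOUND_ENDPOINTS = ENDPOINT_ABILITY_BEFORE.keys.grep(/test\z/).freeze

# True when `role` holds the ability that `endpoint` requires in `table`.
def authorized?(table, role, endpoint)
  required = table.fetch(endpoint)
  ABILITIES_BY_ROLE.fetch(role).include?(required)
end

# Roles that can reach `endpoint` under the given table.
def roles_allowed(table, endpoint)
  ABILITIES_BY_ROLE.keys.select { |role| authorized?(table, role, endpoint) }
end

# Audit helper: outbound-request endpoints still reachable by `role`.
def outbound_reachable_by(table, role)
  OUTBOUND_ENDPOINTS.select { |endpoint| authorized?(table, role, endpoint) }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix, minimal_access can reach: #{outbound_reachable_by(ENDPOINT_ABILITY_BEFORE, :minimal_access)}"
  puts "after fix,  minimal_access can reach: #{outbound_reachable_by(ENDPOINT_ABILITY_AFTER, :minimal_access)}"
  puts "after fix,  POST /upstreams/:id/test allowed for: #{roles_allowed(ENDPOINT_ABILITY_AFTER, 'POST /upstreams/:id/test')}"
end
```

The useful property to check is the one the MR states: after the change, no role holding only :read_virtual_registry can reach any endpoint that triggers an outbound request, while the plain read endpoint stays available to the same roles as before.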
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
- The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
- The MR title is descriptive (e.g. "Backport of 'title of default branch MR'"). This is important, since the title will be copied to the patch blog post.
- Required labels have been applied to this merge request
- severity label and bug subtype labels (if applicable)
- If this MR fixes a bug that affects customers, the customer label has been applied.
- This MR has been approved by a maintainer (only one approval is required).
- Ensure the e2e:test-on-omnibus-ee job has succeeded, or if it has failed, investigate the failures. If you determine the failures are unrelated, you may proceed. If you need assistance investigating, reach out to a Software Engineer in Test in #s_developer_experience.
Note to the merge request author and maintainer
If you have questions about the patch release process, please:
- Refer to the patch release runbook for engineers and maintainers for guidance.
- Ask questions on the #releases Slack channel (internal only).
- Once the backport has been merged, the commit changes will be automatically deployed to a release environment that can be used for manual validation. See the after merging runbook for details.