Add admin duo_availability override services

Why

Part of Phase 2 (service layer) of the implementation plan for admin-locked Duo/DAP availability overrides. Closes #603246 (closed).

Admins need an authorized service-layer API to set and clear the per-namespace duo_availability override.

What

Adds two pure-EE services under ee/app/services/admin/duo_availability/:

  • Admin::DuoAvailability::SetNamespaceOverrideService(namespace:, current_user:, availability:)
  • Admin::DuoAvailability::ClearNamespaceOverrideService(namespace:, current_user:)

How

Set service

  1. Authorizes via the :admin_lock_duo_availability policy (added in the target branch, #603245 (closed)).
  2. Rejects nested admin overrides if an ancestor is already admin-locked. The ancestor chain is locked with SELECT … FOR UPDATE inside a transaction to avoid races on concurrent parent/child admin actions.
  3. Maps the 4-state enum to (duo_features_enabled, lock_duo_features_enabled) exactly as NamespaceSetting#duo_availability= does, including the experiment_features_enabled = false side-effect for never_on.
  4. Sets admin_locked_duo_features_enabled = true.

Clear service

  • Resets duo_features_enabled and lock_duo_features_enabled to nil.
  • Sets admin_locked_duo_features_enabled = false.
  • Cascade re-resolves naturally from parent/instance on next read.

Audit-event emission was moved to its own Phase 4 issue #603325 (closed), so it is intentionally out of scope here.

Specs

  • Set + clear paths.
  • All four enum mappings.
  • Parent-already-admin-locked rejection.
  • experiment_features_enabled side-effect regression.
  • Owner / no-user forbidden paths.

Merge request reports

Loading