Add admin duo_availability override services
Why
Part of Phase 2 (service layer) of the implementation plan for admin-locked Duo/DAP availability overrides. Closes #603246 (closed).
Admins need an authorized service-layer API to set and clear the per-namespace duo_availability override.
What
Adds two pure-EE services under ee/app/services/admin/duo_availability/:
Admin::DuoAvailability::SetNamespaceOverrideService(namespace:, current_user:, availability:)Admin::DuoAvailability::ClearNamespaceOverrideService(namespace:, current_user:)
How
Set service
- Authorizes via the
:admin_lock_duo_availabilitypolicy (added in the target branch, #603245 (closed)). - Rejects nested admin overrides if an ancestor is already admin-locked. The ancestor chain is locked with
SELECT … FOR UPDATEinside a transaction to avoid races on concurrent parent/child admin actions. - Maps the 4-state enum to
(duo_features_enabled, lock_duo_features_enabled)exactly asNamespaceSetting#duo_availability=does, including theexperiment_features_enabled = falseside-effect fornever_on. - Sets
admin_locked_duo_features_enabled = true.
Clear service
- Resets
duo_features_enabledandlock_duo_features_enabledtonil. - Sets
admin_locked_duo_features_enabled = false. - Cascade re-resolves naturally from parent/instance on next read.
Audit-event emission was moved to its own Phase 4 issue #603325 (closed), so it is intentionally out of scope here.
Specs
- Set + clear paths.
- All four enum mappings.
- Parent-already-admin-locked rejection.
experiment_features_enabledside-effect regression.- Owner / no-user forbidden paths.
Related
- Issue: #603246 (closed)
- Planning: #603135 (closed)
- Epic: &22389