Protected packages: Use positive logic to protected_up_to_access_level

What does this MR do and why?

• As discussed in a previous MR discussion, we see the need to rename the fields push_protected_up_to_access_level in order to apply a positive logic (instead of negative logic)
  • Field push_protected_up_to_access_level is renamed to field minimum_access_level_for_push
• The same refactoring was also applied to the feature "Protected containers" in the context of the container regsitry, see !139413 (merged)
• But, when renaming these fields, we also need to change the logic and values of the fields => hence, we need to also migrate the data; the following mapping describes the mapping, e.g. when the field push_protected_up_to_access_level is set to the access level :developer (meaning that a certain package is push protected up to the access level :developer) then we will need to set the access level to :maintainer for the field minimum_access_level_for_push (because the access level :maintainer is the lowest access level that is allowed to push a certain package).

push_protected_up_to_access_level	minimum_access_level_for_push
:developer	:maintainer
:maintainer	:owner
:owner	:admin

🛠 with ❤ at Siemens

Open Questions

• What should be the value of the field minimum_access_level_for_push when the field push_protected_up_to_access_level was previously set to :owner? => !139413 (comment 1792865139)
• Should we also allow the option :developer? => !139413 (comment 1792865163)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

• Changelog entry added, if necessary
• Documentation created/updated via this MR
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Tested in all supported browsers
• Conforms to the code review guidelines
• Conforms to the merge request performance guidelines
• Conforms to the style guides
• Conforms to the javascript style guides
• Conforms to the database guides

DB queries

As part of the migration, the following SQL query is used.

UPDATE "packages_protection_rules" SET "minimum_access_level_for_push" = 60 WHERE "packages_protection_rules"."push_protected_up_to_access_level" = 50 

DB query for checking that push protection exists

As part of this MR, the model scope method .for_push_exists was refactored to apply the positive logic. This led to small changes to the resultign db queries.

Packages::Protection::Rule.for_push_exists?(access_level: 40, package_type: :npm, package_name: '@flightjs/flight-package-5')

SELECT 1 AS one FROM "packages_protection_rules" WHERE "packages_protection_rules"."package_type" = 2 AND (40 < minimum_access_level_for_push) AND ('@flightjs/flight-package-5' ILIKE REPLACE(REPLACE(REPLACE(package_name_pattern,
                        '%', '\%'),
                '_', '\_'),
        '*', '%')
) LIMIT 1

Screenshots or screen recordings

No frontend changes. This MR contains primarily changes in the backend .

How to set up and validate locally

1. Migrate your local database

rails db:migrate

2. Enable feature flag via rails c

Feature.enable(:packages_protected_packages)

3. Open the rails console (rails c) and start playing around with the new model

Packages::Protection::Rule.create(
  project: Project.find_by(name: "Flight"),
  package_name_pattern: "@flightjs/test-npm-package-*",
  package_type: :npm,
  minimum_access_level_for_push: :admin
)

4. Create a dummy project for npm package for testing publishing

# Go to a directory outside of the gitlab and gdk directory
mkdir test-npm-package && cd test-npm-package
npm init esm --yes

5. Adjust the package name in package.json and set it to "@flightjs/test-npm-package-prod" <= this should match the given package_name_pattern in step 3
6. Create or adjust file .npmrc in order to push the npm package to the GitLab registry, see https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticating-via-the-npmrc
7. Publish npm test package

NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish

8. Pushing the package should be blocked by the Packages::Protection::Rule because you the user (with NPM_TOKEN) is a project owner and the package "@flightjs/test-npm-package-prod" can only be modified by an :admin user role 💥
9. Now, change the package name in package.json and set it to "@flightjs/test-npm-package2-prod" <= this will not match the given package_name_pattern in step 3
10. Now, try again to publish the npm package

NPM_TOKEN=ypCa3Dzb23o5nvsixwPA npm publish

11. Pushing the npm package should not be blocked by the Packages::Protection::Rule as the package name does not match 👍
12. You can also change the value of the field minimum_access_level_for_push to :owner and then it is possible to push all kind of packages 👍

Related to #416382