Implement PAT scope enforcement for Dependency Proxy behind a feature flag

Background

Parent issue: #426887

Currently, the Dependency Proxy accepts Personal Access Tokens (PATs) that lack the required read_registry and write_registry scopes. This sub-issue covers enforcing those scopes, rolled out gradually behind a feature flag.

Objectives

  1. Add a feature flag for gradual rollout of PAT scope enforcement
  2. Implement scope checking during authentication
  3. Add proper error handling for insufficient scopes

Implementation Details

1. Feature Flag

  • Create a new feature flag named enforce_abilities_check_for_dependency_proxy
  • Default the feature flag to false
  • Implement the feature flag check in the relevant authentication flow

2. Scope Checking

  • During the authentication process for Dependency Proxy access:
    • If the feature flag is enabled:
      • Verify that the user has the expected authentication abilities
      • If the authentication abilities are insufficient, return forbidden

3. Error Handling

  • Create a new error class for insufficient PAT scopes (e.g., InsufficientPATScopesError)
  • When access is denied due to insufficient scopes:
    • Return an appropriate HTTP status code (e.g., 403 Forbidden)
    • Provide a clear error message to the user explaining the required scopes
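The three steps above, modelled end to end as an added Ruby example (constructed for this issue, not GitLab's own code): a feature flag that defaults to false, a scope check that only runs when the flag is on and that lets service account tokens through, and an API layer that maps the error to a 403 naming the missing scopes. The names FeatureFlags, Token, REQUIRED_SCOPE and dependency_proxy_response, and the read/write to scope mapping, are assumptions.

```ruby
# Constructed illustration of the flow the issue describes; not GitLab's own code.
# FeatureFlags, Token, REQUIRED_SCOPE and dependency_proxy_response are assumed names.

# Stand-in for the feature flag registry; the flag defaults to false, as specified.
module FeatureFlags
  FLAGS = { enforce_abilities_check_for_dependency_proxy: false }

  def self.enabled?(name)
    FLAGS.fetch(name, false)
  end

  def self.enable!(name, value = true)
    FLAGS[name] = value
  end
end

# Raised when the PAT lacks the scope(s) the requested Dependency Proxy action needs.
class InsufficientPATScopesError < StandardError
  attr_reader :missing_scopes

  def initialize(missing_scopes)
    @missing_scopes = missing_scopes
    super("Personal access token is missing required scope(s): #{missing_scopes.join(', ')}")
  end
end

# Minimal token model; service_account tokens bypass the check so they keep working.
Token = Struct.new(:scopes, :service_account, keyword_init: true)

# Assumed mapping from the requested action to the ability (scope) it requires.
REQUIRED_SCOPE = { read: 'read_registry', write: 'write_registry' }.freeze

# Authentication step: enforces only when the flag is on; raises on insufficient scopes.
def check_dependency_proxy_scopes!(token, action:)
  return unless FeatureFlags.enabled?(:enforce_abilities_check_for_dependency_proxy)
  return if token.service_account

  missing = [REQUIRED_SCOPE.fetch(action)] - token.scopes
  raise InsufficientPATScopesError, missing unless missing.empty?
end

# API layer: converts the error into a 403 whose body names the required scope(s).
def dependency_proxy_response(token, action:)
  check_dependency_proxy_scopes!(token, action: action)
  [200, 'ok']
rescue InsufficientPATScopesError => e
  [403, e.message]
end
```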

Acceptance Criteria

  • Feature flag enforce_abilities_check_for_dependency_proxy is implemented and functional
  • Abilities checking is correctly implemented and only triggered when the feature flag is enabled
  • Access is denied for tokens without required scopes when the feature flag is enabled
  • Proper error handling is in place, with clear user feedback
  • Existing functionality remains intact when the feature flag is disabled
  • Unit and integration tests are added to cover the new functionality
  • Service account tokens should still work (see !146012 (merged))

Notes

  • Coordinate with the Product team for the gradual rollout strategy once implementation is complete

We are tracking the denied access attempts with these counters:

Edited by Radamanthus Batnag