[#13750] Allow policies to control sub-fields of requests

[maneac]

Summary
Introduce a dot-delimited ('.') syntax to policy parameters to allow the application of parameter restrictions to the contents of request maps. These can be applied to allowed, denied, and required parameters.

Description
The unit tests for the ACL define this behaviour in more detail, but for an overview:

• Arbitrary nesting depths are supported
  • e.g. map.top.middle.bottom
• Globs for the final section are supported
  • e.g. map.top.* will match map.top.foo and map.top.bar.baz.
• Denies override allows
  • e.g. a denied parameter of map.* will overrule an allow for map.foo.
• Behaviour of the values for nested parameters match that of "flat" parameters
  • e.g. map.foo = ["bar", "baz*"] will allow bar, baz, bazza, ...

The policy parser contains validation for the new nested parameter format.

Approach
Nested parameter values was considered as an approach. However, using a flat, delimited key format over nested values provides more flexibility when defining constraints. Their behaviour also proved more intuitive, in particular when combining denied_parameters with allowed_parameters.

Drawbacks
Any existing, "flat" parameter in a policy which contains a '.' will no longer be valid. As far as I can tell, these do not exist.

Resolves #13750.

[hashicorp-cla]

All committers have signed the CLA.

[HridoyRoy]

Hi @maneac , thanks for the contribution! The code changes in the PR looks good to me, but I'd like to get another engineer's review of it as well ( cc @hghaf099 ).

I especially would like to think through some cases to make sure these changes are backward compatible.

Thanks!

[HridoyRoy]

Could we change this to improvement?