Refactor/declarative policy

jneen requested to merge refactor/declarative-policy into master

What does this MR do?

Creates a new policy framework, DeclarativePolicy, focused on performance and extensibility (especially by EE).

Are there points in the code the reviewer needs to double check?

This MR still needs internal documentation! Let's go over what this is, how to use it, and why it's good!

Why was this MR needed?

Ability.users_that_can_read_project and friends were created because with the current (and previous) policy framework, we were focused on creating a full set of all the permissions a user could have given a subject, which could be way more expensive than we wanted. For example, when a project is public and all we're trying to do is see if a user can read it, we should be able to return immediately, but the current code spends a ton of database queries collecting information to determine a whole slew of other abilities.

This framework relies instead on static configuration through a DSL, so that given a permission, we can know exactly which conditions need to be computed, and approximate the optimal order to compute them in.

As a bonus, this also opens up the possibility of determining why a user was or wasn't able to perform an action.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?
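
The evaluation strategy described in this merge request, sketched as an added example that is not code from the MR or from GitLab: `ToyPolicy`, `condition`, `enable`, `why` and the `MEMBERSHIPS` stand-in are hypothetical names. Checking one ability computes only that ability's conditions, cheapest first, and reports which condition granted it.

```ruby
# Added illustration; hypothetical names, not GitLab's DeclarativePolicy API.
class ToyPolicy
  Condition = Struct.new(:name, :cost, :check)
  class << self
    def conditions; @conditions ||= {}; end
    def rules; @rules ||= Hash.new { |h, k| h[k] = [] }; end
    # Declare a named condition with a relative cost estimate.
    def condition(name, cost:, &check)
      conditions[name] = Condition.new(name, cost, check)
    end

    # Any one of the listed conditions is sufficient to grant the ability.
    def enable(ability, when_any:)
      rules[ability].concat(when_any)
    end
  end

  attr_reader :evaluated # conditions actually computed, in order

  def initialize(user, subject)
    @user, @subject, @cache, @evaluated = user, subject, {}, []
  end

  # Name of the condition that granted the ability, or nil (default deny).
  def why(ability)
    self.class.rules.fetch(ability, [])
        .map { |n| self.class.conditions.fetch(n) }
        .sort_by(&:cost)
        .find { |c| holds?(c) }&.name
  end

  def can?(ability); !why(ability).nil?; end
  private
  # Each condition is computed at most once per (user, subject) pair.
  def holds?(cond)
    @cache.fetch(cond.name) do
      @evaluated << cond.name
      @cache[cond.name] = cond.check.call(@user, @subject) ? true : false
    end
  end
end

MEMBERSHIPS = [["alice", 2]].freeze # constructed stand-in for a database lookup
class ProjectPolicy < ToyPolicy
  condition(:public_project, cost: 1) { |_user, project| project[:visibility] == :public }
  condition(:member, cost: 10) { |user, project| MEMBERSHIPS.include?([user, project[:id]]) }
  enable :read_project, when_any: [:public_project, :member]
  enable :push_code, when_any: [:member]
end
```

For a public project, `ProjectPolicy.new(user, project).why(:read_project)` returns `:public_project` and `evaluated` never contains `:member`, so the membership lookup is skipped; an ability with no rules is denied.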