Spike: Prepare PoC of backend to allow excluding selected packages from MRAP policies for License Approval Rules

Time-box: 5 days

Why are we doing this work

In the scope of this spike, we want to explore how we can add functionality described in the Exclude packages from Merge Request Approval Po... (&10203 - closed) Epic.

Essentially, we want to be able to modify the current License Approval Rules functionality in Merge Request Approval Rules to allow users to:

  • build an allowlist and a denylist of licenses (refactor what we currently have in license_types and match_on_inclusion_license),
  • for each license added to these lists, apply package exceptions (when a license found in the project matches a license+package pair in the policy, that license is ignored when evaluating the policy); a package can be identified by name, type and version,
  • additionally, for each license with package exceptions specified, provide a list of groups or projects where the package exceptions are not applied.
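
An added example (not GitLab's code) of the evaluation semantics described above: a hypothetical policy shape carrying per-license package exceptions and group/project exclusions, evaluated against constructed dependencies. All field names are assumptions, and a matching package exception is interpreted as "skip this dependency" in both allowlist and denylist mode.

```ruby
require 'set'

# Constructed policy (shape is an assumption, not the real schema).
# match_on_inclusion_license: true => denylist, false => allowlist.
POLICY = {
  match_on_inclusion_license: true,
  licenses: [
    { name: 'GPL-3.0',
      package_exceptions: [
        { name: 'gpl-tool', type: 'npm', version: '1.2.0',
          # Groups/projects where this exception must NOT be applied.
          excluded_groups_or_projects: ['group/security-critical'] }
      ] },
    { name: 'AGPL-3.0', package_exceptions: [] }
  ]
}.freeze

# True when the exception covers this dependency and the project is not
# inside any group/project on the exception's exclusion list.
def exception_applies?(exception, dep, project_path)
  excluded = exception[:excluded_groups_or_projects].any? do |p|
    project_path == p || project_path.start_with?("#{p}/")
  end
  return false if excluded

  exception[:name] == dep[:name] &&
    exception[:type] == dep[:type] &&
    (exception[:version].nil? || exception[:version] == dep[:version])
end

# dependencies: [{ name:, type:, version:, license: }] as found in the project.
# Returns the set of license names that violate the policy for project_path.
def violating_licenses(policy, dependencies, project_path)
  listed = policy[:licenses].to_h { |l| [l[:name], l[:package_exceptions]] }
  dependencies.each_with_object(Set.new) do |dep, violations|
    exceptions = listed[dep[:license]]
    in_list = !exceptions.nil?
    # A matching package exception removes this dependency from evaluation.
    next if in_list && exceptions.any? { |e| exception_applies?(e, dep, project_path) }

    # Denylist: listed licenses violate. Allowlist: unlisted licenses violate.
    violates = policy[:match_on_inclusion_license] ? in_list : !in_list
    violations << dep[:license] if violates
  end
end
```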

To summarize, as an expected result from this issue we need to have:

  • an updated schema for License Approval rules to support this functionality,
  • a draft MR with the backend needed to support the functionality,
  • an iterative backend implementation plan.

To achieve this, strive for simplicity. Our current schema for License Approval rules is not ideal and we do not want to overcomplicate it, but rather modify it to add optional exceptions.

Edited by Alan (Maciej) Paruszewski