
Support multiple credentials in subject extraction #1066

Open
Yshayy opened this issue Jan 20, 2019 · 0 comments

Yshayy (Contributor) commented Jan 20, 2019

Allow extracting multiple identities (or just groups?) per token.
The problem arises when trying to map a single token that contains several groups, such as an AD token.

We can solve this problem by using Rego to build a virtual document of "subjects". Instead of:

package rules

default subject = { "user": null, "group": null }
subject = { "user": input.sub, "group": "default" }

we can have:

package rules

subjects[{"group": "default", "user": input.sub}] { true }

or a more complex example:

subjects[{"group": group, "user": input.sub}] {
    input.iis == "some-ad-issuer"
    group := input.groups[_]
}

for the input:

{"sub": "my-user", "iis": "some-ad-issuer", "groups": ["group-a", "group-b"]}

evaluating "subjects" will return:

[
      {"group": "group-a", "user": "my-user"},
      {"group": "group-b", "user": "my-user"}
]

After that, we can evaluate the authorizer multiple times, once for each subject (while still maintaining backward compatibility), and "allow" if at least one subject gets an "allow" match.

It'll require changing the subject extractor to support multiple subjects: https://github.com/Soluto/tweek/blob/master/services/gateway/security/subjectExtractor.go#L62
The same for userInfoFromRequest: https://github.com/Soluto/tweek/blob/master/services/gateway/security/authentication.go#L81
And running authorize for each userInfo until we get true:
https://github.com/Soluto/tweek/blob/master/services/gateway/security/authorization.go#L33
There are other changes too, as these objects are passed along request utils and such.
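The following is an added illustration of the proposed flow, written for this page and not taken from the tweek gateway code: a token carrying several groups is expanded into one subject per group (the same shape as the Rego `subjects` document above), and a single-subject authorizer is then run over each subject, allowing on the first match. The `Claims`, `Subject`, `ExtractSubjects`, `AuthorizeAny` names and the sample group policy are all hypothetical; tokens from any issuer other than the AD one keep today's single `default`-group subject, which is the backward-compatibility path the issue mentions.

```go
package main

import "fmt"

// Claims is a constructed stand-in for the decoded token claims the gateway
// sees (hypothetical type, not tweek's own).
type Claims struct {
	Sub    string
	Iss    string
	Groups []string
}

// Subject is one (user, group) identity, mirroring the objects the Rego
// "subjects" rule in the issue produces.
type Subject struct {
	User  string
	Group string
}

// ExtractSubjects expands a token into subjects: tokens from the AD issuer
// yield one subject per group; anything else keeps the single-subject
// behaviour with the "default" group (backward compatibility).
func ExtractSubjects(c Claims, adIssuer string) []Subject {
	if c.Iss == adIssuer && len(c.Groups) > 0 {
		subs := make([]Subject, 0, len(c.Groups))
		for _, g := range c.Groups {
			subs = append(subs, Subject{User: c.Sub, Group: g})
		}
		return subs
	}
	return []Subject{{User: c.Sub, Group: "default"}}
}

// Authorizer decides for a single subject; it stands in for the existing
// per-subject authorize call.
type Authorizer func(s Subject, action string) bool

// AuthorizeAny runs the single-subject authorizer once per subject and
// returns true on the first allow. Note that this is a union of each group's
// privileges: a request is allowed if any of the token's groups allows it.
func AuthorizeAny(auth Authorizer, subjects []Subject, action string) bool {
	for _, s := range subjects {
		if auth(s, action) {
			return true
		}
	}
	return false
}

// groupPolicy is a constructed sample policy: group -> allowed actions.
var groupPolicy = map[string][]string{
	"group-b": {"read"},
	"admins":  {"read", "write"},
}

// policyAuthorizer is a hypothetical single-subject authorizer over groupPolicy.
func policyAuthorizer(s Subject, action string) bool {
	for _, a := range groupPolicy[s.Group] {
		if a == action {
			return true
		}
	}
	return false
}

func main() {
	// Constructed token matching the issue's example input.
	claims := Claims{Sub: "my-user", Iss: "some-ad-issuer", Groups: []string{"group-a", "group-b"}}
	subs := ExtractSubjects(claims, "some-ad-issuer")
	fmt.Println(subs)
	fmt.Println("read allowed:", AuthorizeAny(policyAuthorizer, subs, "read"))   // true via group-b
	fmt.Println("write allowed:", AuthorizeAny(policyAuthorizer, subs, "write")) // false
}
```

Because `AuthorizeAny` short-circuits on the first allow, audit logging of which subject granted access has to happen inside the loop (or the matched subject returned) if the gateway wants to record it.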
