[meta] Allow to extend access rules from other modules

Problem/Motivation

Webform module already has a powerful framework to define access/permissions on per-webform basis. However, right now there is no way to introduce additional operations into this framework from an external module.

We are developing a webform_score rewrite and I would love to allow access to see scores on per-webform basis. However, at the moment it is impossible for webform_score module to introduce the 2 additional operations that should be managed on per-webform basis: "see overall webform submission score" (to see an overall score a webform submission has) and "see webform element score" (to see scored points on each individual webform element).

Proposed resolution

It would be awesome if we could allow external modules to supply additional permissions that should be managed on per-webform basis. That way we get to reuse the feature-rich access logic webform has and offer it in a developer-friendly way to developers of external modules.

Remaining tasks

On Alex:

• Introduce an intermediate WebformEntityAccessRulesManager service which will encapsulate the logic of working with access rules so both WebformEntityAccessControlHandler and WebformSubmissionAccessControlHandler can use it. #2996996: Introduce service to encapsulate access rules logic therein
• Introduce the hook itself. Switch the existing codebase onto the hook. Webform::checkAccessRules() will not be affected. Webform::getDefaultAccessRules() will be affected, it should additionally merge the hardcoded array of defaults with whatever the hook invocation has collected. WebformEntitySettingsAccessForm::form() will be affected because it now has to build the form not on a static hardcoded array of known permissions, but rather collect them from outside. #2996249: Introduce a hook to collect additional webform permissions
• Extract permissions from Webform::checkAccessRules() into the hook implementation. That way we keep Webform class a little simpler and our own implementation of our hook can act an example for external developers who ever mean to impelment for their own needs. #2996549: Migrate existing access rules onto the hook
• Adapt webform_access module. Since the list of known permissions is no longer static, we need to replace the static array in WebformAccessGroupForm::form() with a dynamic list of permissions collected from the hook invocation. #2996551: Adapt webform_access module to access rules being supplied through hook
• Have a look at everything :) Make sure all important parts are covered with tests.
• Write a change record document.

User interface changes

None. It's a refactoring ticket.

API changes

A new hook is being introduced. Let's call it webform_permission_info(). It should return meta information about known permissions (operations) that can be executed on a webform/webform submission. Here's a simple PHP snippet of sample implementation:

function MY_MODULE_webform_permission_info() {
  return [
    'update_own' => [
      'title' => t('Update own submissions'),
    ],
    'update_any' => [
      'title' => t('Update any submissions'),
    ],
 // ... and so on.
  ];
}

Data model changes

Since now we are talking about unlimited amount of possible operations, we should change the data type of webform.webform.*.access from mapping to a sequence. Done.