puiterwijk / ipsilon

Forked from ipsilon 8 years ago

a23d558 Add a plugin-based authorization system for SP user sessions

22 files. Authored by merlinthp 7 years ago, committed by puiterwijk 7 years ago.
    Add a plugin-based authorization system for SP user sessions
    
    This system allows SP authentication requests to be authorized in
    Ipsilon based on SP and user data.  Authorization takes place after the
    user has been authenticated, and before a response is sent back to the
    SP.
    
    The authorization plugin execution order is defined via the
    loginstack admin page.  Each plugin has the option to permit or deny the
    user session, or abstain from making a decision.  If all configured
    plugins abstain, or there are no configured plugins, the session is
    denied.  The first plugin to not abstain determines the result of the
    authorization process.
    
    Three plugins are included:
    - "allow" unconditionally allows all sessions, and is enabled by default
    - "deny" unconditionally denies all sessions, and can be used both for
      testing, and as a final configured plugin to deny sessions not
      explicitly permitted by other plugins
    - "spgroup" requires a user to be a member of a group that matches the
      name of the SP
    
    As a new database table is added to the adminconfig database, the
    database format version has been bumped to version 3.  The database
    upgrade test suite has been updated to test upgrades to v3.
    
    Signed-off-by: Howard Johnson <merlin@merlinthp.org>
    Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
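
The decision order described in the commit message, as an added example that is not code from this commit or from Ipsilon: the first plugin that does not abstain decides, and an empty or all-abstaining stack is denied. The function names, the `Decision` enum, and the choice that `spgroup` abstains (rather than denies) on a non-matching group are assumptions made for illustration.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"


# Hypothetical plugin callables: (sp_name, user_groups) -> Decision
def allow(sp_name, user_groups):
    return Decision.PERMIT


def deny(sp_name, user_groups):
    return Decision.DENY


def spgroup(sp_name, user_groups):
    # Assumption: abstain, rather than deny, when no group matches the SP name.
    return Decision.PERMIT if sp_name in user_groups else Decision.ABSTAIN


def authorize(stack, sp_name, user_groups):
    """Return True only if the first non-abstaining plugin permits."""
    for plugin in stack:
        result = plugin(sp_name, user_groups)
        if result is not Decision.ABSTAIN:
            return result is Decision.PERMIT
    return False  # no plugins configured, or all abstained: denied


def unreachable_plugins(stack):
    """Names of plugins placed after an unconditional allow/deny.

    Those plugins are never consulted, which is the ordering mistake to
    look for when reviewing a configured stack.
    """
    for i, plugin in enumerate(stack):
        if plugin in (allow, deny):
            return [p.__name__ for p in stack[i + 1:]]
    return []


if __name__ == "__main__":
    # Constructed sample: user in group "staff" requesting SP "wiki".
    print(authorize([spgroup, deny], "wiki", {"staff"}))  # denied
    print(unreachable_plugins([allow, spgroup]))  # spgroup never runs
```

Under these assumptions, a stack of `allow` followed by `spgroup` permits every session, because the group check is never reached.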
    
        
empty file added
file modified
+5 -0
file modified
+2 -1
file modified
+16 -2
file modified
+2 -0
file modified
+2 -0
file modified
+20 -14
file modified
+2 -0