authz: Initial implementation of Bitbucket Server ACLs

Created by: tsenart

This PR introduces an initial implementation of Bitbucket Server ACLs. It is bare-bones and unoptimised, but it works. I'm putting it out so that I can get early feedback before starting to measure and optimise things (i.e. caching) and possibly writing some E2E tests once we have the #4253 done (cc @sourcegraph/distribution).

As we learned by talking to interested customers, authentication with Bitbucket Server isn't necessary since they use SAML for the same purpose against LDAP or Active Directory. Authorization, then, relies on the constraint that the usernames in Sourcegraph user accounts are identical to those in Bitbucket Server, as they origin from the same central directory (LDAP / AD).

Part of #1108