
system config: allow to add constraints related to asdf plugins

Open xaf opened this issue 1 year ago • 0 comments

asdf can be a risk for supply chain attacks, since it depends heavily on plugins.

We should add a configuration option at the system-level that would:

  • allow/deny list asdf plugins: this would prevent using for instance the python plugin if only the go plugin is allowed
  • force repos/commits for some asdf plugins: this would for instance force using repo xxx for the python plugin, on commit yyy

Both of those should of course work together: if the python plugin is denied but the python repo below is allowed, python would still not be allowed. By default, an allowed plugin would use its default omni repo configuration unless other repos/commits are specified for that plugin (i.e. allowing python would allow it with its default URL; to allow other URLs, they should be specified).

xaf Jun 23 '24 17:06
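One way the evaluation order described in the issue could work, as an added example that is not omni's code or part of the original issue. The type and field names, the example.com URLs and the commit strings are constructed, and it assumes that sources specified for a plugin replace its default repo.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical policy shape; field names are assumptions, not omni's config schema.
#[derive(Default)]
pub struct PluginPolicy {
    pub allow: Option<HashSet<String>>, // None: no allow list configured
    pub deny: HashSet<String>,
    /// plugin -> permitted (repo URL, optional pinned commit); replaces the default repo
    pub sources: HashMap<String, Vec<(String, Option<String>)>>,
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allowed, PluginDenied, SourceNotAllowed }

impl PluginPolicy {
    /// `default_url` stands for the repo omni would use for `plugin` by default.
    pub fn check(&self, plugin: &str, url: &str, commit: &str, default_url: &str) -> Decision {
        // Plugin-level lists come first, so a listed repo never re-enables a denied plugin.
        let listed = self.allow.as_ref().map_or(true, |a| a.contains(plugin));
        if self.deny.contains(plugin) || !listed {
            return Decision::PluginDenied;
        }
        let source_ok = match self.sources.get(plugin) {
            // Nothing specified for this plugin: only its default repo is acceptable.
            None => url == default_url,
            // Sources specified: URL must match, and the commit too when one is pinned.
            Some(list) => list.iter().any(|(u, c)| {
                u == url && c.as_deref().map_or(true, |pinned| pinned == commit)
            }),
        };
        if source_ok { Decision::Allowed } else { Decision::SourceNotAllowed }
    }
}

/// Constructed sample: three plugins on the allow list, python also denied, two plugins pinned.
pub fn sample_policy() -> PluginPolicy {
    let mut p = PluginPolicy::default();
    p.allow = Some(["golang", "python", "nodejs"].iter().map(|s| s.to_string()).collect());
    p.deny.insert("python".to_string());
    p.sources.insert("python".into(), vec![("https://example.com/xxx.git".into(), Some("yyy".into()))]);
    p.sources.insert("nodejs".into(), vec![("https://example.com/node.git".into(), Some("abc123".into()))]);
    p
}

fn main() {
    let p = sample_policy();
    println!("{:?}", p.check("python", "https://example.com/xxx.git", "yyy", "https://example.com/py.git"));
}
```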