vault-circleci-auth-plugin
Plugin Should Provide Ability to only Allow Projects with Mapped Policy
Currently, any login request whose parameters correctly refer to a running build of a project owned by the configured owner is issued a valid token, including for CircleCI projects that have no policy mapped to them (in those cases the token carries only the default policy).
Out of the box, the default policy is harmless: it only grants read to auth/token/lookup-self and write to auth/token/revoke-self. However, the default policy could be modified to the point where the current behaviour becomes a problem.
To address this, the plugin should provide a configuration parameter that, when enabled, requires a PolicyMap entry to exist for the project being authenticated in order for the login to succeed.
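A sketch of the proposed check, written as an added example for this issue rather than code from the plugin itself. The names Config, RequirePolicyMap, Backend, PolicyMap and PoliciesForLogin are assumptions; the example also assumes the build has already been verified to belong to the configured owner, and only decides whether (and with which policies) a token is issued:

```go
package main

import (
	"errors"
	"fmt"
)

// Config holds the two backend settings relevant to this issue. Owner is the
// configured CircleCI owner; RequirePolicyMap is the proposed opt-in parameter
// (field and parameter names are assumptions made for this example).
type Config struct {
	Owner            string
	RequirePolicyMap bool
}

// Backend models the plugin's state: its config and the PolicyMap that maps a
// CircleCI project name to the Vault policies its build tokens receive.
type Backend struct {
	Config    Config
	PolicyMap map[string][]string
}

// ErrUnmappedProject is returned when login is refused because the project has
// no PolicyMap entry and the strict mode is enabled.
var ErrUnmappedProject = errors.New("login denied: project has no PolicyMap entry")

// PoliciesForLogin decides which policies to attach to the token for a build
// already verified to belong to Config.Owner. It returns the explicit policy
// list only; Vault adds the "default" policy to every token unless
// no_default_policy is set, so an empty list means "default only".
func (b *Backend) PoliciesForLogin(project string) ([]string, error) {
	policies, mapped := b.PolicyMap[project]
	if mapped {
		return policies, nil
	}
	if b.Config.RequirePolicyMap {
		// Strict mode: an unmapped project gets no token at all, so a
		// loosened default policy can never be reached through this path.
		return nil, ErrUnmappedProject
	}
	// Current behaviour: the token is issued carrying only the default policy.
	return []string{}, nil
}

func main() {
	// Constructed sample state: one mapped project, strict mode enabled.
	b := &Backend{
		Config:    Config{Owner: "example-org", RequirePolicyMap: true},
		PolicyMap: map[string][]string{"billing-api": {"billing-secrets"}},
	}
	for _, project := range []string{"billing-api", "sandbox"} {
		policies, err := b.PoliciesForLogin(project)
		if err != nil {
			fmt.Printf("%s: %v\n", project, err)
			continue
		}
		fmt.Printf("%s: policies=%v\n", project, policies)
	}
}
```

With RequirePolicyMap set to false the "sandbox" login above succeeds with an empty policy list, which is exactly the default-policy-only token the issue describes; with it enabled the request is refused before any token is minted.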