mirror of
https://github.com/kemko/nomad.git
synced 2026-01-01 16:05:42 +03:00
Pre forwarding authentication (#15417)
Upcoming work to instrument the rate of RPC requests by consumer (and eventually rate limit) requires that we authenticate an RPC request before forwarding. Add a new top-level `Authenticate` method to the server and have it return an `AuthenticatedIdentity` struct. RPC handlers will use the relevant fields of this identity for performing authorization.

This changeset includes:

* The main implementation of `Authenticate`.
* Provide a new RPC `ACL.WhoAmI` for debugging authentication. This endpoint returns the same `AuthenticatedIdentity` that will be used by RPC handlers. At some point we might want to give this an equivalent HTTP endpoint, but I didn't want to add that to our public API until some of the other Workload Identity work is solidified, especially if we don't need it yet.
* A full coverage test of the `Authenticate` method. This sets up two server nodes with mTLS and ACLs, some tokens, and some allocations with workload identities.
* Wire up an example of using `Authenticate` in the `Namespace.Upsert` RPC and see how authorization happens after forwarding.
* A new semgrep rule for `Authenticate`, which we'll need to update once we're ready to wire up more RPC endpoints with authorization steps.
@@ -62,6 +62,12 @@ rules:
...
return $A.deregister(...)
...
# Pattern used by Authenticate method.
# TODO: add authorization steps as well.
- pattern-not-inside: |
...
... := $A.$B.Authenticate($A.ctx, args.AuthToken)
...
- metavariable-pattern:
metavariable: $METHOD
patterns:
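Review bot: the new `pattern-not-inside` exempts any handler that calls `Authenticate` from this rule even when it never goes on to perform an authorization check, so an endpoint migrated to `Authenticate` that forgets the ACL step would no longer be flagged at all; the `# TODO: add authorization steps as well.` comment acknowledges this, but until it is resolved the rule is weaker for migrated handlers than for the existing pattern it sits beside, and that trade-off deserves a sentence in the rule's message or a tracking issue. The exclusion is also literal in `$A.ctx` and `args.AuthToken`, so a handler that passes the token through any other expression would not match and would still be reported as unauthenticated; either generalise those two to metavariables (for example `... := $A.$B.Authenticate($CTX, $TOKEN)`) or document that handlers must use exactly this form.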