[Feature]: Add optional global authorize_callback for RBAC #1066

@tjeerddie

Currently it is not possible to add the authorize callback to existing workflows/tasks in core.

I suggest we add an optional global authorize_callback in the OrchestratorCore class.

  • Add an option in OrchestratorCore to configure a global authorize_callback.
    • also add default for retry_callback?
  • Update RBAC to handle the default authorize_callback
    • Currently, even with the default callback, we don't have context of the workflow, since the callback (Callable[[OIDCUserModel | None], bool]) only has one param, OIDCUserModel. We need to include workflow data in the authorize_callback (Callable[[OIDCUserModel | None, Workflow], bool]).
      • this could maybe be done in make_workflow wrapping the callback again, for example:
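        # Fall back to the permissive `allow` when no callback is given.
        _authorize_callback = allow if authorize_callback is None else authorize_callback
        # Keep the one-argument signature callers expect, but pass the workflow along.
        def wrapped_callback(user: OIDCUserModel | None) -> bool:
            return _authorize_callback(user, wrapping_function)
        wrapping_function.authorize_callback = wrapped_callback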
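
A self-contained sketch of the proposal above, added here as an example and not taken from orchestrator-core: `OIDCUserModel` and `Workflow` are minimal stand-ins, and `set_global_authorize_callback` and `role_per_target` are hypothetical names. It resolves the callback at call time (per-workflow, then global, then `allow`) and passes the workflow to the policy.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

# Stand-ins for the real orchestrator-core types (assumptions for this sketch).
@dataclass
class OIDCUserModel:
    user_name: str
    roles: set[str] = field(default_factory=set)

@dataclass
class Workflow:
    name: str
    target: str
    authorize_callback: Optional[Callable[[Optional[OIDCUserModel]], bool]] = None

Authorizer = Callable[[Optional[OIDCUserModel], Workflow], bool]

def allow(user: OIDCUserModel | None, workflow: Workflow) -> bool:
    """Permissive fallback, mirroring the `allow` default in the issue's snippet."""
    return True

_global_authorize_callback: Optional[Authorizer] = None

def set_global_authorize_callback(callback: Authorizer | None) -> None:
    """Hypothetical hook standing in for an OrchestratorCore-level option."""
    global _global_authorize_callback
    _global_authorize_callback = callback

def make_workflow(name: str, target: str, authorize_callback: Authorizer | None = None) -> Workflow:
    workflow = Workflow(name=name, target=target)

    def wrapped_callback(user: OIDCUserModel | None) -> bool:
        # Resolved on every call, so a global callback configured after the
        # workflow was registered still applies to it.
        callback = authorize_callback or _global_authorize_callback or allow
        return callback(user, workflow)

    workflow.authorize_callback = wrapped_callback
    return workflow

def role_per_target(user: OIDCUserModel | None, workflow: Workflow) -> bool:
    """Constructed policy: deny anonymous; TERMINATE needs 'admin', others 'operator'."""
    if user is None:
        return False
    required = "admin" if workflow.target == "TERMINATE" else "operator"
    return required in user.roles
```

With no global callback configured, every workflow falls through to `allow`, so a deployment that wants deny-by-default has to set the global callback explicitly.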
        
