Increase flexibility of PA blocklist formats

[aarongable]

Right now, the PA parses two different kinds of blocked names:

boulder/policy/pa.go

Lines 59 to 71 in 1958cc9

	// HighRiskBlockedNames is a list of domain names: like ExactBlockedNames
	// except that issuance is blocked for subdomains as well. (e.g.
	// BlockedNames containing `example.com` will block `www.example.com`).
	//
	// This list typically doesn't change with much regularity.
	HighRiskBlockedNames []string `yaml:"HighRiskBlockedNames"`
	// AdminBlockedNames operates the same as HighRiskBlockedNames but is
	// changed with more frequency based on administrative blocks/revocations
	// that are added over time above and beyond the high-risk domains. Managing
	// these entries separately from HighRiskBlockedNames makes it easier to vet
	// changes accurately.
	AdminBlockedNames []string `yaml:"AdminBlockedNames"`

But it treats them exactly the same:

boulder/policy/pa.go

Lines 106 to 112 in 1958cc9

	nameMap := make(map[string]bool)
	for _, v := range policy.HighRiskBlockedNames {
	nameMap[v] = true
	}
	for _, v := range policy.AdminBlockedNames {
	nameMap[v] = true
	}

And in fact, we have even more categories than that actually configured in prod; our list there is a concatenation of several other lists, maintained separately.

We should consider making this struct more general, so that it can natively support loading arbitrarily many different kinds of blocked names. However, the other categories that we load from the file (ExactBlockedNames, BlockedPrefixes) are semantically different, so this may be hard.

[mcpherrinm]

What I propose is that we allow splitting into multiple files. That maps directly to how we've got them stored internally already.

1. Add new fields to blockedIdentPolicy that have the same semantics as the existing Admin* fields, and deprecated the versions with reasons in their names

type blockedIdentsPolicy struct {
	// Existing
	ExactBlockedNames []string `yaml:"ExactBlockedNames"`

	// Deprecated
	HighRiskBlockedNames []string `yaml:"HighRiskBlockedNames"`
	AdminBlockedNames []string `yaml:"AdminBlockedNames"`
	AdminBlockedPrefixes []string `yaml:"AdminBlockedPrefixes"`

	// New, same semantics as (HighRisk)/(Admin)
	BlockedNames []string `yaml:"BlockedNames"`
	BlockedPrefixes []string `yaml:"BlockedPrefixes"`
}

2. Allow loading multiple files by adding a map in HostnamePolicyConfig

type HostnamePolicyConfig struct {
	// Deprecated
	HostnamePolicyFile string `validate:"required"`

	// HostnamePolicyFiles is a map of reason -> filename
	HostnamePolicyFiles map[string]string
}

We migrate to new files per-reason, with the new format.

Finally, Boulder can remove the deprecated fields.