
[feature] support multiple lines of matcher #1603

@hsluoyz

Description

@hsluoyz

See this model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && (r.obj == p.obj || g2(r.obj, p.obj)) && r.act == p.act

With this feature, the same matcher could be written across multiple lines as:

m = {
    let role_match = g(r.sub, p.sub);

    let obj_direct_match = r.obj == p.obj;
    let obj_inherit_match = g2(r.obj, p.obj);
    let obj_match = obj_direct_match || obj_inherit_match;

    let act_match = r.act == p.act;

    return role_match && obj_match && act_match
}

or, equivalently, using early returns:

m = {
    let role_match = g(r.sub, p.sub);
    if !role_match {
        return false;
    }

    if r.act != p.act {
        return false;
    }

    if r.obj == p.obj {
        return true;
    }

    if g2(r.obj, p.obj) {
        return true;
    }

    return false;
}
