Add support for structured provenance patterns

Introduces the provenance_label and provenance_label_value fields to the pattern object schema, which provide a structured mechanism to express a match for a particular x-provenance <label>=<value> pair.

Similar to the existing support for query parameter match, the details of correctly matching a single pair in a multi-valued context is delegated to hiddenparma (rather than being the responsibility of the operator, in contrast to using a generic header match).

While doing so, the existing logic for ipblock match based on x-provenance is updated to use the same translation strategy, thus making it compatible with multi-valued x-provenance as well.

Points of note:

• Since provenance_label_value is logically exact-match, but in practice must be implemented in terms of regexp match in both varnish and haproxy, the value is escaped at translation time.
• Because x-provenance match handling is unified between the pattern and ipblock match cases, and supports multi-valued x-provenance from day 1, this MR is not a no-op for existing ipblock match expressions.

Bug: T401430