Supports wildcard protected branch (#20825)

This PR introduce glob match for protected branch name. The separator is
`/` and you can use `*` matching non-separator chars and use `**` across
separator.

It also supports input an exist or non-exist branch name as matching
condition and branch name condition has high priority than glob rule.

Should fix #2529 and #15705

screenshots

<img width="1160" alt="image"
src="https://user-images.githubusercontent.com/81045/205651179-ebb5492a-4ade-4bb4-a13c-965e8c927063.png">

Co-authored-by: zeripath <art27@cantab.net>

services/repository/files/update.go

@@ -463,17 +463,18 @@ func CreateOrUpdateRepoFile(ctx context.Context, repo *repo_model.Repository, do
 
 // VerifyBranchProtection verify the branch protection for modifying the given treePath on the given branch
 func VerifyBranchProtection(ctx context.Context, repo *repo_model.Repository, doer *user_model.User, branchName, treePath string) error {
-	protectedBranch, err := git_model.GetProtectedBranchBy(ctx, repo.ID, branchName)
+	protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, branchName)
 	if err != nil {
 		return err
 	}
 	if protectedBranch != nil {
+		protectedBranch.Repo = repo
 		isUnprotectedFile := false
 		glob := protectedBranch.GetUnprotectedFilePatterns()
 		if len(glob) != 0 {
 			isUnprotectedFile = protectedBranch.IsUnprotectedFile(glob, treePath)
 		}
-		if !protectedBranch.CanUserPush(ctx, doer.ID) && !isUnprotectedFile {
+		if !protectedBranch.CanUserPush(ctx, doer) && !isUnprotectedFile {
 			return models.ErrUserCannotCommit{
 				UserName: doer.LowerName,
 			}