Allow only OWNERs to change owner-related data on registrar console

The console will have 2 different "updatable things":
- only ADMINs (GAE-admins and users in the support G-Suite group) can change the things in the "admin settings" tab (currently just the allowed TLDs)
- only OWNERs can change things from the other tabs: WHOIS info, certificates, whitelisted IPs, contacts etc.

Also, all ADMINs are now OWNERS of "non-REAL" registrars. Meaning - we're only
preventing ADMINs from editing "REAL" registrars (usually in production).

Specifically, OTE registrars on sandbox are NOT "REAL", meaning ADMINS will
still be able to update them.

This only changes the backend (registrar-settings endpoint). As-is, the console
website will still make ADMINs *think* they can change everything, but if they
try - they will get an error.

Changing the frontend will happen in the next CL - because I want to get this
out this release cycle and getting JS reviewed takes a long time :(

TESTED=deployed to alpha, and saw I can't update fields even as admin on REAL
registrars, but could change it on non-REAL registrars. Also checked that I can
update the allowed TLDs on REAL registrars

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=222698270

java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java

@@ -38,9 +38,13 @@ import javax.inject.Inject;
  * <p>A user has OWNER role on a Registrar if there exists a {@link RegistrarContact} with that
  * user's gaeId and the registrar as a parent.
  *
- * <p>An admin has in addition OWNER role on {@code #registryAdminClientId}.
+ * <p>An "admin" has in addition OWNER role on {@code #registryAdminClientId} and to all non-{@code
+ * REAL} registrars (see {@link Registrar#getType}).
  *
- * <p>An admin also has ADMIN role on ALL registrars.
+ * <p>An "admin" also has ADMIN role on ALL registrars.
+ *
+ * <p>A user is an "admin" if they are a GAE-admin, or if their email is in the "Support" G-Suite
+ * group.
  */
 @Immutable
 public class AuthenticatedRegistrarAccessor {
@@ -140,6 +144,24 @@ public class AuthenticatedRegistrarAccessor {
     return roleMap;
   }
 
+  /**
+   * Returns all the roles the current user has on the given registrar.
+   *
+   * <p>This is syntactic sugar for {@code getAllClientIdWithRoles().get(clientId)}.
+   */
+  public ImmutableSet<Role> getRolesForRegistrar(String clientId) {
+    return getAllClientIdWithRoles().get(clientId);
+  }
+
+  /**
+   * Checks if we have a given role for a given registrar.
+   *
+   * <p>This is syntactic sugar for {@code getAllClientIdWithRoles().containsEntry(clientId, role)}.
+   */
+  public boolean hasRoleOnRegistrar(Role role, String clientId) {
+    return getAllClientIdWithRoles().containsEntry(clientId, role);
+  }
+
   /**
    * "Guesses" which client ID the user wants from all those they have access to.
    *
@@ -257,11 +279,17 @@ public class AuthenticatedRegistrarAccessor {
     }
 
     if (isAdmin || isSupport) {
-      // Admins and support have access to all registrars
+      // Admins and support have ADMIN access to all registrars, and OWNER access to all non-REAL
+      // registrars
       ofy()
           .load()
           .type(Registrar.class)
-          .forEach(registrar -> builder.put(registrar.getClientId(), Role.ADMIN));
+          .forEach(registrar -> {
+            if (!Registrar.Type.REAL.equals(registrar.getType())) {
+              builder.put(registrar.getClientId(), Role.OWNER);
+            }
+            builder.put(registrar.getClientId(), Role.ADMIN);
+          });
     }
 
     return builder.build();