
VAULT-26466: audit - include correlation ID headers by default

Open peteski22 opened this issue 9 months ago • 2 comments

Summary

This PR changes the behavior of Vault such that when an audit device attempts to log an incoming request which contains the following headers:

  • Correlation-ID
  • X-Correlation-ID

The headers will, by default, appear in the audit log without being HMAC'ed.

Docs

Docs PR: https://github.com/hashicorp/vault/pull/26778 (covers how this feature works and how to HMAC the values if required).

Manual testing

Using the /sys/config/auditing/request-headers/ endpoint:

No setting for x-correlation-id or correlation-id headers

| Test | Expected Result |
| --- | --- |
| other headers in request | nothing shown |
| correlation-id in request | correlation-id shown in audit log raw |
| x-correlation-id in request | x-correlation-id shown in audit log raw |

Setting for x-correlation-id and correlation-id headers (no HMAC setting - defaults to false)

| Test | Expected Result |
| --- | --- |
| other headers in request | nothing shown |
| correlation-id in request | correlation-id shown in audit log raw |
| x-correlation-id in request | x-correlation-id shown in audit log raw |

Setting for x-correlation-id and correlation-id headers (HMAC setting: true)

| Test | Expected Result |
| --- | --- |
| other headers in request | nothing shown |
| correlation-id in request | correlation-id shown in audit log HMAC'ed |
| x-correlation-id in request | x-correlation-id shown in audit log HMAC'ed |

Setting for x-correlation-id and correlation-id headers (HMAC setting: false)

| Test | Expected Result |
| --- | --- |
| other headers in request | nothing shown |
| correlation-id in request | correlation-id shown in audit log raw |
| x-correlation-id in request | x-correlation-id shown in audit log raw |

Example:

curl -H "X-Correlation-ID: 123-i-am-a-correlation-id-abc" -H "X-Vault-Token: hvs.du7qkklexGO3A4Ya1LjfLjJ9" http://127.0.0.1:8200/v1/sys/config/auditing/request-headers/x-correlation-id --data '{ "hmac": false }'


peteski22, May 02 '24 10:05
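The manual-testing matrix above, modelled as an added Go example (not code from this PR or from Vault): two headers are audited raw by default, a per-header setting can switch HMAC on, and every other header is dropped. The function names, the `overrides` map standing in for settings made through `/sys/config/auditing/request-headers/`, and the salt are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// defaultAuditedHeaders: headers audited by default; false means "raw, not HMAC'ed".
func defaultAuditedHeaders() map[string]bool {
	return map[string]bool{"correlation-id": false, "x-correlation-id": false}
}

// auditHeaders returns the headers that would reach the audit entry (simplified model).
// overrides maps header name -> hmac setting (hypothetical stand-in for operator config).
func auditHeaders(req http.Header, overrides map[string]bool, salt []byte) map[string][]string {
	settings := defaultAuditedHeaders()
	for name, hmacOn := range overrides {
		settings[strings.ToLower(name)] = hmacOn // header names are case-insensitive
	}
	out := map[string][]string{}
	for name, values := range req {
		lname := strings.ToLower(name)
		hmacOn, audited := settings[lname]
		if !audited {
			continue // "other headers in request": nothing shown
		}
		for _, v := range values {
			if hmacOn {
				mac := hmac.New(sha256.New, salt)
				mac.Write([]byte(v))
				v = "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
			}
			out[lname] = append(out[lname], v)
		}
	}
	return out
}

func main() {
	req := http.Header{}
	req.Set("X-Correlation-ID", "123-i-am-a-correlation-id-abc") // value from the PR's curl example
	req.Set("User-Agent", "constructed-agent")                  // constructed, not audited
	salt := []byte("constructed-salt")
	fmt.Println(auditHeaders(req, nil, salt))
	fmt.Println(auditHeaders(req, map[string]bool{"X-Correlation-ID": true}, salt))
}
```
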

CI Results: All Go tests succeeded! :white_check_mark:

github-actions[bot], May 02 '24 10:05

Build Results: All builds succeeded! :white_check_mark:

github-actions[bot], May 03 '24 13:05