UI: Fix token renewal breaking policy checks

[hellobontempo]

Description

✅ enterprise tests passed
The UI makes a lot of inferences based on the shape of the auth response we receive. The UI relies on the namespace_path from the auth response to set the user's root namespace which is then used to calculate capabilities.

vault/ui/app/adapters/capabilities.js

Lines 16 to 30 in dcdbacd

	/*
	users don't always have access to the capabilities-self endpoint in the current namespace,
	this can happen when logging in to a namespace and then navigating to a child namespace.
	adding "relativeNamespace" to the path and/or "this.namespaceService.userRootNamespace"
	to the request header ensures we are querying capabilities-self in the user's root namespace,
	which is where they are most likely to have their policy/permissions.
	*/
	_formatPath(path) {
	const { relativeNamespace } = this.namespaceService;
	if (!relativeNamespace) {
	return path;
	}
	// ensure original path doesn't have leading slash
	return `${relativeNamespace}/${sanitizeStart(path)}`;
	}

renew-self does not return namespace_path, so this PR manually adds it in the renew() method, if it exists. The auth code is challenging to parse and is prone to regressions. I double checked that this change does not affect the bug the previous PR was solving that introduced these code changes: https://github.com/hashicorp/vault/pull/24168/files

This fixes a bug where clicking Renew token would incorrectly gate navigation to resources a user does have access to. For example, the database overview page:

before token renewal

after token renewal

TODO only if you're a HashiCorp employee

• Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
  • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
• ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
  of a public function, even if that change is in a CE file, double check that
  applying the patch for this PR to the ENT repo and running tests doesn't
  break any tests. Sometimes ENT only tests rely on public functions in CE
  files.
• Jira: If this change has an associated Jira, it's referenced either
  in the PR description, commit message, or branch name.
• RFC: If this change has an associated RFC, please link it in the description.
• ENT PR: If this change has an associated ENT PR, please link it in the
  description. Also, make sure the changelog is in this PR, not in your ENT PR.

[github-actions]

Build Results:
All builds succeeded! ✅

[github-actions]

CI Results:
All Go tests succeeded! ✅

[Monkeychip]

The logic here seems solid (and easy to read, thank you). Ping when you're ready for final review.

[Monkeychip]

nice clean up work on the tests!

[Monkeychip]

totally not required, but i've found it helpful when folks have mentioned that a test is written for a specific bug to include the github pr or issue link in the comment. Matthew has done this a couple times and I've used those links for more context or additional regression testing.

[hellobontempo]

I was going to do this if it was a GitHub link! But since it's a jira link I didn't include it. I remember a while ago the company discussed that we shouldn't share internal links publicly.

[Monkeychip]

ah, yep that's the correct move then.