Audit: logging a response uses a separate 5 second timeout (#24238)

* added a 5s timeout to attempts to process nodes in the audit pipeline for logging a response

* added changelog

* ensure we supply namespace to the new context

changelog/24238.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request.
+```

vault/audit_broker.go

@@ -10,6 +10,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/hashicorp/vault/helper/namespace"
+
 	"github.com/hashicorp/vault/internal/observability/event"
 
 	metrics "github.com/armon/go-metrics"
@@ -297,7 +299,22 @@ func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, hea
 
 			e.Data = in
 
-			status, err := a.broker.Send(ctx, eventlogger.EventType(event.AuditType.String()), e)
+			// In cases where we are trying to audit the response, we detach
+			// ourselves from the original context (keeping only the namespace).
+			// This is so that we get a fair run at writing audit entries if Vault
+			// Took up a lot of time handling the request before audit (response)
+			// is triggered. Pipeline nodes may check for a cancelled context and
+			// refuse to process the nodes further.
+			ns, err := namespace.FromContext(ctx)
+			if err != nil {
+				retErr = multierror.Append(retErr, fmt.Errorf("namespace missing from context: %w", err))
+				return retErr.ErrorOrNil()
+			}
+
+			auditContext, auditCancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer auditCancel()
+			auditContext = namespace.ContextWithNamespace(auditContext, ns)
+			status, err := a.broker.Send(auditContext, eventlogger.EventType(event.AuditType.String()), e)
 			if err != nil {
 				retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
 			}