feat: add support for workspace app audit (#16801)

This change adds support for workspace app auditing.

To avoid audit log spam, we introduce the concept of app audit sessions.
An audit session is unique per workspace app, user, ip, user agent and
http status code. The sessions are stored in a separate table from audit
logs to allow use-case specific optimizations. Sessions are ephemeral
and the table does not function as a log.

The logic for auditing is placed in the DBTokenProvider for workspace
apps so that wsproxies are included.

This is the final change affecting the API fo #15139.

Updates #15139

testutil/rand.go

@@ -1,6 +1,8 @@
 package testutil
 
 import (
+	"crypto/rand"
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -15,3 +17,18 @@ func MustRandString(t *testing.T, n int) string {
 	require.NoError(t, err)
 	return s
 }
+
+// RandomIPv6 returns a random IPv6 address in the 2001:db8::/32 range.
+// 2001:db8::/32 is reserved for documentation and example code.
+func RandomIPv6(t testing.TB) string {
+	t.Helper()
+
+	buf := make([]byte, 16)
+	_, err := rand.Read(buf)
+	require.NoError(t, err, "generate random IPv6 address")
+	return fmt.Sprintf(
+		"2001:db8:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
+		buf[0], buf[1], buf[2], buf[3], buf[4], buf[5],
+		buf[6], buf[7], buf[8], buf[9], buf[10], buf[11],
+	)
+}