openapi: Fix logic for labeling unauthenticated/sudo paths

[averche]

The previous logic for matching unauthenticated & sudo paths in OpenAPI did not take into account the + wildcard, so some of the PKI paths were skipped.

With new logic, these are the new unauthenticated paths introduced for builtin plugins:

❱ diff unauth_before unauth_after2
27a28,30
> "/identity/oidc/provider/{name}/.well-known/keys"
> "/identity/oidc/provider/{name}/.well-known/openid-configuration"
> "/identity/oidc/provider/{name}/token"
57a61,69
> "/{pki_mount_path}/issuer/{issuer_ref}/crl"
> "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta"
> "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/der"
> "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/pem"
> "/{pki_mount_path}/issuer/{issuer_ref}/crl/der"
> "/{pki_mount_path}/issuer/{issuer_ref}/crl/pem"
> "/{pki_mount_path}/issuer/{issuer_ref}/der"
> "/{pki_mount_path}/issuer/{issuer_ref}/json"
> "/{pki_mount_path}/issuer/{issuer_ref}/pem"

The list of "sudo" paths is unaffected by this PR for builtin plugins.

Resolves: #19581, VAULT-14576

[cipherboy]

Looks like I mislead you a little about PathManager potentially working for this scenario! :o

[dhuckins]

ty for the tests!

[averche]

Looks like I mislead you a little about PathManager potentially working for this scenario! :o

All good 😄, I was considering amending the PathManager to support the + wildcards but decided it might be too risky given its other uses.