fix(kas): populate rewrap audit log (#2861)

### Proposed Changes

1.) Populate kas rewrap audit message with attributes.
2.) Add keyID to `eventmetadata`

#### Example Nano failure
```json
{
    "time": "2025-10-30T10:13:30.270403-05:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "error"
        },
        "actor": {
            "id": "031fe452-ddbb-4d36-b82f-c6b3dd4d122a",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "ec:secp256r1",
            "keyID": "e1",
            "policyBinding": "",
            "tdfFormat": "Nano"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "d56da397-3387-4a14-9955-73681e627e37",
        "timestamp": "2025-10-30T10:13:30-05:00"
    }
}
```

#### Example ztdf success
```json
{
    "time": "2025-10-31T11:58:40.892713-05:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "cd2f0354-a942-11f0-b197-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "success"
        },
        "actor": {
            "id": "031fe452-ddbb-4d36-b82f-c6b3dd4d122a",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "rsa:2048",
            "keyID": "r1",
            "policyBinding": "YjEwNWMwZGVhMjkzYjBhZjU4MWNkOTE1MmU4N2NkNjkzNzQ2ODM5NDI0MGRjYjhmNjRiZjlhNmY0OWEzZjJlNw==",
            "tdfFormat": "tdf3"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "73f131ae-cc21-490c-868d-260e58b8664d",
        "timestamp": "2025-10-31T11:58:40-05:00"
    }
}
```

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: c-r33d

service/kas/access/rewrap.go

@@ -83,6 +83,9 @@ type kaoResult struct {
 	// Optional: Present for EC wrapped responses
 	EphemeralPublicKey  []byte
 	RequiredObligations []string
+
+	// Only populated for Nano auditing, since policy is encrypted
+	KeyID string
 }
 
 // From policy ID to KAO ID to result
@@ -800,6 +803,7 @@ func (p *Provider) tdf3Rewrap(ctx context.Context, requests []*kaspb.UnsignedRew
 				TDFFormat:     "tdf3",
 				Algorithm:     req.GetAlgorithm(),
 				PolicyBinding: policyBinding,
+				KeyID:         kao.GetKeyAccessObject().GetKid(),
 			}
 
 			if !access {
@@ -901,6 +905,7 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.Unsigned
 				IsSuccess: access,
 				TDFFormat: "Nano",
 				Algorithm: req.GetAlgorithm(),
+				KeyID:     kaoInfo.KeyID,
 			}
 
 			if !access {
@@ -992,8 +997,9 @@ func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *kaspb.Unsi
 			return nil, results
 		}
 		results[kao.GetKeyAccessObjectId()] = kaoResult{
-			ID:  kao.GetKeyAccessObjectId(),
-			DEK: symmetricKey,
+			ID:    kao.GetKeyAccessObjectId(),
+			DEK:   symmetricKey,
+			KeyID: kid,
 		}
 		return policy, results
 	}

service/logger/audit/logger_test.go

@@ -14,6 +14,36 @@ import (
 	"github.com/opentdf/platform/protocol/go/authorization"
 )
 
+// Params
+var rewrapAttrs = []string{
+	"https://example1.com",
+	"https://example2.com",
+}
+
+const rewrapAttrsJSON = `["https://example1.com", "https://example2.com"]`
+
+var rewrapParams = RewrapAuditEventParams{
+	Policy: KasPolicy{
+		UUID: uuid.New(),
+		Body: KasPolicyBody{
+			DataAttributes: []KasAttribute{
+				{URI: rewrapAttrs[0]},
+				{URI: rewrapAttrs[1]},
+			},
+		},
+	},
+	TDFFormat:     "test-tdf-format",
+	Algorithm:     "test-algorithm",
+	PolicyBinding: "test-policy-binding",
+	KeyID:         "r1",
+}
+
+var policyCRUDParams = PolicyEventParams{
+	ActionType: ActionTypeUpdate,
+	ObjectID:   "test-object-id",
+	ObjectType: ObjectTypeKeyObject,
+}
+
 func createTestLogger() (*Logger, *bytes.Buffer) {
 	var buf bytes.Buffer
 
@@ -66,29 +96,6 @@ func extractLogEntry(t *testing.T, logBuffer *bytes.Buffer) (logEntryStructure,
 	return entry, entryTime
 }
 
-// Params
-
-var rewrapParams = RewrapAuditEventParams{
-	Policy: KasPolicy{
-		UUID: uuid.New(),
-		Body: KasPolicyBody{
-			DataAttributes: []KasAttribute{
-				{URI: "https://example1.com"},
-				{URI: "https://example2.com"},
-			},
-		},
-	},
-	TDFFormat:     "test-tdf-format",
-	Algorithm:     "test-algorithm",
-	PolicyBinding: "test-policy-binding",
-}
-
-var policyCRUDParams = PolicyEventParams{
-	ActionType: ActionTypeUpdate,
-	ObjectID:   "test-object-id",
-	ObjectType: ObjectTypeKeyObject,
-}
-
 func TestAuditRewrapSuccess(t *testing.T) {
 	l, buf := createTestLogger()
 
@@ -104,7 +111,7 @@ func TestAuditRewrapSuccess(t *testing.T) {
 				"name": "",
 				"attributes": {
             		"assertions": [],
-            		"attrs": [],
+            		"attrs": %s,
             		"permissions": []
         		}
 			},
@@ -118,7 +125,7 @@ func TestAuditRewrapSuccess(t *testing.T) {
 			},
 			"eventMetaData": {
 			  "algorithm": "%s",
-				"keyID": "",
+				"keyID": "%s",
 				"policyBinding": "%s",
 				"tdfFormat": "%s"
 			},
@@ -134,8 +141,10 @@ func TestAuditRewrapSuccess(t *testing.T) {
 	  }
 		`,
 		rewrapParams.Policy.UUID.String(),
+		rewrapAttrsJSON,
 		TestActorID,
 		rewrapParams.Algorithm,
+		rewrapParams.KeyID,
 		rewrapParams.PolicyBinding,
 		rewrapParams.TDFFormat,
 		TestUserAgent,
@@ -168,7 +177,7 @@ func TestAuditRewrapFailure(t *testing.T) {
 				"name": "",
 				"attributes": {
             		"assertions": [],
-            		"attrs": [],
+            		"attrs": %s,
             		"permissions": []
         		}
 			},
@@ -182,7 +191,7 @@ func TestAuditRewrapFailure(t *testing.T) {
 			},
 			"eventMetaData": {
 			  "algorithm": "%s",
-				"keyID": "",
+				"keyID": "%s",
 				"policyBinding": "%s",
 				"tdfFormat": "%s"
 			},
@@ -198,8 +207,10 @@ func TestAuditRewrapFailure(t *testing.T) {
 	  }
 		`,
 		rewrapParams.Policy.UUID.String(),
+		rewrapAttrsJSON,
 		TestActorID,
 		rewrapParams.Algorithm,
+		rewrapParams.KeyID,
 		rewrapParams.PolicyBinding,
 		rewrapParams.TDFFormat,
 		TestUserAgent,

service/logger/audit/rewrap.go

@@ -25,6 +25,7 @@ type RewrapAuditEventParams struct {
 	TDFFormat     string
 	Algorithm     string
 	PolicyBinding string
+	KeyID         string
 }
 
 func CreateRewrapAuditEvent(ctx context.Context, params RewrapAuditEventParams) (*EventObject, error) {
@@ -36,14 +37,19 @@ func CreateRewrapAuditEvent(ctx context.Context, params RewrapAuditEventParams)
 		auditEventActionResult = ActionResultSuccess
 	}
 
+	attrFQNS := make([]string, len(params.Policy.Body.DataAttributes))
+	for i, attr := range params.Policy.Body.DataAttributes {
+		attrFQNS[i] = attr.URI
+	}
+
 	return &EventObject{
 		Object: auditEventObject{
 			Type: ObjectTypeKeyObject,
 			ID:   params.Policy.UUID.String(),
 			Attributes: eventObjectAttributes{
-				Assertions:  []string{},
-				Attrs:       []string{},
-				Permissions: []string{},
+				Assertions:  []string{}, // Assertions aren't passed in the rewrap policy body
+				Attrs:       attrFQNS,
+				Permissions: []string{}, // Currently always empty
 			},
 		},
 		Action: eventAction{
@@ -55,7 +61,7 @@ func CreateRewrapAuditEvent(ctx context.Context, params RewrapAuditEventParams)
 			Attributes: make([]any, 0),
 		},
 		EventMetaData: auditEventMetadata{
-			"keyID":         "", // TODO: keyID once implemented
+			"keyID":         params.KeyID,
 			"policyBinding": params.PolicyBinding,
 			"tdfFormat":     params.TDFFormat,
 			"algorithm":     params.Algorithm,

service/logger/audit/rewrap_test.go

@@ -8,12 +8,18 @@ import (
 )
 
 func TestCreateRewrapAuditEventHappyPath(t *testing.T) {
+	attrs := []string{
+		"https://example1.com",
+		"https://example2.com",
+	}
+	keyID := "r1"
+
 	kasPolicy := KasPolicy{
 		UUID: uuid.New(),
 		Body: KasPolicyBody{
 			DataAttributes: []KasAttribute{
-				{URI: "https://example1.com"},
-				{URI: "https://example2.com"},
+				{URI: attrs[0]},
+				{URI: attrs[1]},
 			},
 			Dissem: []string{"dissem1", "dissem2"},
 		},
@@ -25,6 +31,7 @@ func TestCreateRewrapAuditEventHappyPath(t *testing.T) {
 		TDFFormat:     TestTDFFormat,
 		Algorithm:     TestAlgorithm,
 		PolicyBinding: TestPolicyBinding,
+		KeyID:         keyID,
 	}
 
 	event, err := CreateRewrapAuditEvent(createTestContext(), params)
@@ -37,7 +44,7 @@ func TestCreateRewrapAuditEventHappyPath(t *testing.T) {
 		ID:   kasPolicy.UUID.String(),
 		Attributes: eventObjectAttributes{
 			Assertions:  []string{},
-			Attrs:       []string{},
+			Attrs:       attrs,
 			Permissions: []string{},
 		},
 	}
@@ -62,7 +69,7 @@ func TestCreateRewrapAuditEventHappyPath(t *testing.T) {
 	}
 
 	expectedEventMetaData := auditEventMetadata{
-		"keyID":         "",
+		"keyID":         keyID,
 		"policyBinding": TestPolicyBinding,
 		"tdfFormat":     TestTDFFormat,
 		"algorithm":     TestAlgorithm,