SYNCOPE-1981

Split out from SYNCOPE-1978 per review: this PR adds searching by who performed the action. Matching audit events by the username of the affected entity (the actual subject of SYNCOPE-1978) will be addressed separately.

What

Adds the ability to search audit events by the principal that performed them. A new who query parameter on AuditQuery matches the AuditEvent.who column by exact value and may be repeated to match any of the given values (OR):

• single — ?who=jsmith
• multiple, OR-ed — ?who=jsmith&who=admin

It composes (AND) with the existing audit search filters (entityKey, type, category, op, outcome, before/after).

Why

There is no way to answer "what did administrator X do". This is useful to retrieve all actions performed by a given principal — in particular when that account has since been deleted and its entity key is no longer available. Syncope 3.0 allowed an approximation by abusing entityKey=<username>; the 4.0 audit refactor correctly made entityKey match only the affected entity's UUID, removing that side effect.

Implementation

The filter is threaded through AuditServiceImpl → AuditLogic → the AuditEventDAO interface and all of its implementations: JPA, Neo4j, Elasticsearch and OpenSearch.

• JPA: who IN (?, ...) with bound parameters;
• Neo4j: n.who IN $who with a bound list parameter;
• Elasticsearch / OpenSearch: a term query per value, OR-ed via bool/should.

All values are bound as query parameters (SQL/Cypher) or passed as structured term queries (Elasticsearch/OpenSearch), so there is no injection surface.

Tests

New integration tests in AuditITCase cover exact match, multiple values (OR), no-match, and that the match is exact (a * is treated literally, not as a wildcard), composed with the other filters. Manually verified end-to-end against embedded PostgreSQL and Neo4j.