Backport of UI: Don't show resultant-ACL banner in nested namespace if ancestor wildcard policy into release/1.16.x

[hc-github-team-secure-vault-core]

Backport

This PR is auto-generated from #27263 to be assessed for backporting due to the inclusion of the label backport/1.16.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@hashishaw
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/vault/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

---

This PR builds on the work from #26233. It hides the resultant-ACL banner if there are non-deny wildcard policies present for any ancestor of the current namespace. The changes in this PR are best illustrated through an example:

Example scenario
User Bob logs in at foo namespace and then navigates to namespace /foo/bar/baz. Bob has a policy with the following block:

path "bar/*" {
  capabilities = ["read", "update", "list"]
}

before, the wildcard calculation would determine the user does not have access because it was only checking a wildcard path at the user's relative root namespace (in this case, foo/). With this change, the wildcard calculation takes the current namespace foo/bar/baz and checks at each level if the Bob has wildcard access. The results are as follows:

• foo/bar/baz/ ❌ no match

• foo/bar/ ✅ match (exits loop)

• Ent tests pass

---

Overview of commits

• 83949e8

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[github-actions]

CI Results:
All Go tests succeeded! ✅

[hashishaw]

no more CE 1.16 planned