Add additional fields to LIST issuers for Web UI (#20276)
* Add additional fields to LIST issuers for Web UI Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
parent
1415d47da8
commit
d7f67b8856
|
@ -86,6 +86,26 @@ func (b *backend) pathListIssuersHandler(ctx context.Context, req *logical.Reque
|
||||||
responseInfo[string(identifier)] = map[string]interface{}{
|
responseInfo[string(identifier)] = map[string]interface{}{
|
||||||
"issuer_name": issuer.Name,
|
"issuer_name": issuer.Name,
|
||||||
"is_default": identifier == config.DefaultIssuerId,
|
"is_default": identifier == config.DefaultIssuerId,
|
||||||
|
"serial_number": issuer.SerialNumber,
|
||||||
|
|
||||||
|
// While nominally this could be considered sensitive information
|
||||||
|
// to be returned on an unauthed endpoint, there's two mitigating
|
||||||
|
// circumstances:
|
||||||
|
//
|
||||||
|
// 1. Key IDs are purely random numbers generated by Vault and
|
||||||
|
// have no relationship to the actual key material.
|
||||||
|
// 2. They also don't _do_ anything by themselves. There is no
|
||||||
|
// modification of KeyIDs allowed, you need to be authenticated
|
||||||
|
// to Vault to understand what they mean, you _essentially_
|
||||||
|
// get the same information from looking at/comparing various
|
||||||
|
// cert's SubjectPublicKeyInfo field, and there's the `default`
|
||||||
|
// reference that anyone with issuer generation capabilities
|
||||||
|
// can use even if they can't access any of the other /key/*
|
||||||
|
// endpoints.
|
||||||
|
//
|
||||||
|
// So all in all, exposing this value is not a security risk and
|
||||||
|
// is otherwise beneficial for the UI, hence its inclusion.
|
||||||
|
"key_id": issuer.KeyID,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
secrets/pki: Include CA serial number, key UUID on issuers list endpoint.
|
||||||
|
```
|
Loading…
Reference in New Issue