Add additional fields to LIST issuers for Web UI (#20276)

* Add additional fields to LIST issuers for Web UI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2023-04-21 14:16:16 -04:00 committed by GitHub
parent 1415d47da8
commit d7f67b8856
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 2 deletions

View File

@ -84,8 +84,28 @@ func (b *backend) pathListIssuersHandler(ctx context.Context, req *logical.Reque
responseKeys = append(responseKeys, string(identifier)) responseKeys = append(responseKeys, string(identifier))
responseInfo[string(identifier)] = map[string]interface{}{ responseInfo[string(identifier)] = map[string]interface{}{
"issuer_name": issuer.Name, "issuer_name": issuer.Name,
"is_default": identifier == config.DefaultIssuerId, "is_default": identifier == config.DefaultIssuerId,
"serial_number": issuer.SerialNumber,
// While nominally this could be considered sensitive information
// to be returned on an unauthed endpoint, there's two mitigating
// circumstances:
//
// 1. Key IDs are purely random numbers generated by Vault and
// have no relationship to the actual key material.
// 2. They also don't _do_ anything by themselves. There is no
// modification of KeyIDs allowed, you need to be authenticated
// to Vault to understand what they mean, you _essentially_
// get the same information from looking at/comparing various
// cert's SubjectPublicKeyInfo field, and there's the `default`
// reference that anyone with issuer generation capabilities
// can use even if they can't access any of the other /key/*
// endpoints.
//
// So all in all, exposing this value is not a security risk and
// is otherwise beneficial for the UI, hence its inclusion.
"key_id": issuer.KeyID,
} }
} }

3
changelog/20276.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Include CA serial number, key UUID on issuers list endpoint.
```