Add additional fields to LIST issuers for Web UI (#20276)
* Add additional fields to LIST issuers for Web UI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
parent
1415d47da8
commit
d7f67b8856
@ -86,6 +86,26 @@ func (b *backend) pathListIssuersHandler(ctx context.Context, req *logical.Reque
responseInfo[string(identifier)] = map[string]interface{}{
"issuer_name": issuer.Name,
"is_default": identifier == config.DefaultIssuerId,
"serial_number": issuer.SerialNumber,

// While nominally this could be considered sensitive information
// to be returned on an unauthed endpoint, there's two mitigating
// circumstances:
//
// 1. Key IDs are purely random numbers generated by Vault and
// have no relationship to the actual key material.
// 2. They also don't _do_ anything by themselves. There is no
// modification of KeyIDs allowed, you need to be authenticated
// to Vault to understand what they mean, you _essentially_
// get the same information from looking at/comparing various
// cert's SubjectPublicKeyInfo field, and there's the `default`
// reference that anyone with issuer generation capabilities
// can use even if they can't access any of the other /key/*
// endpoints.
//
// So all in all, exposing this value is not a security risk and
// is otherwise beneficial for the UI, hence its inclusion.
"key_id": issuer.KeyID,
}
}

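Review bot: the rationale for returning `key_id` from an unauthenticated LIST handler is only recorded in this inline comment; the same reasoning (key IDs are Vault-generated random values with no relationship to key material, and they cannot be used or modified without authenticating) should also appear in the endpoint's field description so that operators reviewing the unauthenticated surface of the PKI mount can find it without reading the source. The `serial_number` field is added in the same hunk and is covered by no such note; a one-line remark that a CA serial is already public in the issued certificate would make the rationale complete. A test asserting that each entry of the list response carries `serial_number` and `key_id` would pin this contract for the Web UI that depends on it.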
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
secrets/pki: Include CA serial number, key UUID on issuers list endpoint.
|
||||
```
|
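Review bot: the release note says "key UUID" while the response field added in the handler is named `key_id`; naming the fields as they appear in the response (`serial_number`, `key_id`) lets operators grep release notes against their clients, and since the inline comment in the handler hunk argues that returning the key ID on an unauthenticated endpoint is acceptable, the note should state that the LIST issuers endpoint now returns these two extra fields to unauthenticated callers so the change to the exposed surface is visible in the changelog.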