Fix ListIssuers auth: move from public to auth-required methods

ListIssuers was miscategorized as a public gRPC method, but the CA
engine handler requires CallerInfo with user role. When called without
auth (public path), the interceptor skipped token validation, so
CallerInfo was nil and the handler returned ErrUnauthorized — which
the web UI silently swallowed, showing "No issuers configured."

Security: gRPC interceptor map correction (ListIssuers requires auth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:24:11 -07:00
parent bbe382dc10
commit 28d6f9fa1f

@@ -160,7 +160,6 @@ func publicMethods() map[string]bool {
// CA read-only — public certificates and chains.
"/metacrypt.v2.CAService/GetRoot": true,
"/metacrypt.v2.CAService/GetIssuer": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/GetChain": true,
// SSH CA — public key and key revocation list.
"/metacrypt.v2.SSHCAService/GetCAPublicKey": true,
@@ -175,6 +174,7 @@ func authRequiredMethods() map[string]bool {
"/metacrypt.v2.AuthService/Logout": true,
"/metacrypt.v2.AuthService/TokenInfo": true,
"/metacrypt.v2.EngineService/ListMounts": true,
"/metacrypt.v2.CAService/ListIssuers": true,
"/metacrypt.v2.CAService/IssueCert": true,
"/metacrypt.v2.CAService/GetCert": true,
"/metacrypt.v2.CAService/ListCerts": true,