From 83d05cefb6cf8c95ff82d03ab8b2380cc53dce59 Mon Sep 17 00:00:00 2001
From: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Date: Fri, 23 May 2025 12:00:57 -0500
Subject: [PATCH] Exclude wrapping key from list operation (#30728)

* exclude wrapping key from list operation

* add changelog

* make delete more general
---
 builtin/logical/transit/path_keys.go | 10 ++++++++++
 changelog/30728.txt                  |  3 +++
 2 files changed, 13 insertions(+)
 create mode 100644 changelog/30728.txt

diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
index 72e8bed715..8e453ed4eb 100644
--- a/builtin/logical/transit/path_keys.go
+++ b/builtin/logical/transit/path_keys.go
@@ -9,6 +9,7 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -179,6 +180,15 @@ func (b *backend) pathKeysList(ctx context.Context, req *logical.Request, d *fra
 		return nil, err
 	}
 
+	// filter out partial paths
+	entries = slices.DeleteFunc(entries, func(s string) bool {
+		if strings.HasSuffix(s, "/") {
+			return true
+		}
+
+		return false
+	})
+
 	return logical.ListResponse(entries), nil
 }
 
diff --git a/changelog/30728.txt b/changelog/30728.txt
new file mode 100644
index 0000000000..fb785a08f4
--- /dev/null
+++ b/changelog/30728.txt
@@ -0,0 +1,3 @@
+```release-note: improvement
+transit: Exclude the partial wrapping key path from the transit/keys LIST operation.
+```
\ No newline at end of file