hashicorp · briankassouf · Jul 5, 2019 · Apr 5, 2019 · Apr 5, 2019 · Apr 5, 2019
diff --git a/helper/consts/error.go b/helper/consts/error.go
@@ -11,6 +11,11 @@ var (
 	// No operation is expected to succeed until active.
 	ErrStandby = errors.New("Vault is in standby mode")
 
-	// Used when .. is used in a path
+	// ErrPathContainsParentReferences is returned when a path contains parent
+	// references.
 	ErrPathContainsParentReferences = errors.New("path cannot contain parent references")
+
+	// ErrInvalidWrappingToken is returned when checking for the validity of
+	// a wrapping token that turns out to be invalid.
+	ErrInvalidWrappingToken = errors.New("wrapping token is not valid or does not exist")
 )
diff --git a/http/handler.go b/http/handler.go
@@ -284,25 +284,6 @@ func WrapForwardedForHandler(h http.Handler, authorizedAddrs []*sockaddr.SockAdd
 	})
 }
 
-// A lookup on a token that is about to expire returns nil, which means by the
-// time we can validate a wrapping token lookup will return nil since it will
-// be revoked after the call. So we have to do the validation here.
-func wrappingVerificationFunc(ctx context.Context, core *vault.Core, req *logical.Request) error {
-	if req == nil {
-		return fmt.Errorf("invalid request")
-	}
-
-	valid, err := core.ValidateWrappingToken(ctx, req)
-	if err != nil {
-		return errwrap.Wrapf("error validating wrapping token: {{err}}", err)
-	}
-	if !valid {
-		return fmt.Errorf("wrapping token is not valid or does not exist")
-	}
-
-	return nil
-}
-
 // stripPrefix is a helper to strip a prefix from the path. It will
 // return false from the second return value if it the prefix doesn't exist.
 func stripPrefix(prefix, path string) (string, bool) {

diff --git a/http/logical.go b/http/logical.go
@@ -12,7 +12,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/errwrap"
-	uuid "github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
@@ -185,16 +185,9 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool) http.H
 				}
 			}
 			switch req.Path {
+			// Route the token wrapping request to its respective sys NS
 			case "sys/wrapping/lookup", "sys/wrapping/rewrap", "sys/wrapping/unwrap":
 				r = r.WithContext(newCtx)
-				if err := wrappingVerificationFunc(r.Context(), core, req); err != nil {
-					if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
-						respondError(w, http.StatusForbidden, err)
-					} else {
-						respondError(w, http.StatusBadRequest, err)
-					}
-					return
-				}
 
 			// The -self paths have no meaning outside of the token NS, so
 			// requests for these paths always go to the token NS

diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -578,6 +578,35 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 		return
 	}
 
+	// If this is a wrapping request that contains a wrapping token, check for
+	// token validity. We perform this before c.checkToken since wrapping token
+	// validation performs a token store lookup, and can potentially modify
+	// logical.Request's token-related fields.
+	switch req.Path {
+	case "sys/wrapping/rewrap", "sys/wrapping/unwrap":
+		valid, err := c.validateWrappingToken(ctx, req)
+
+		// Perform audit logging before returning if there's an issue with checking
+		// the wrapping token
+		if err != nil || !valid {
+			logInput := &audit.LogInput{
+				Auth:               req.Auth,
+				Request:            req,
+				NonHMACReqDataKeys: nonHMACReqDataKeys,
+			}
+			if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+				c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			}
+		}
+
+		if err != nil {
+			return nil, nil, errwrap.Wrapf("error validating wrapping token: {{err}}", err)
+		}
+		if !valid {
+			return logical.ErrorResponse(consts.ErrInvalidWrappingToken.Error()), nil, logical.ErrInvalidRequest
+		}
+	}
+
 	// Validate the token
 	auth, te, ctErr := c.checkToken(ctx, req, false)
 	if ctErr == logical.ErrPerfStandbyPleaseForward {
@@ -901,11 +930,47 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())
 
-	req.Unauthenticated = true
+	var nonHMACReqDataKeys []string
+	entry := c.router.MatchingMountEntry(ctx, req.Path)
+	if entry != nil {
+		// Get and set ignored HMAC'd value.
+		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
+			nonHMACReqDataKeys = rawVals.([]string)
+		}
+	}
 
-	var auth *logical.Auth
+	// If this is a wrapping token lookup, validate the token and produce an
+	// audit log. We perform this before c.checkToken since wrapping token
+	// validation performs a token store lookup, and can potentially modify
+	// logical.Request's token-related fields.
+	switch req.Path {
+	case "sys/wrapping/lookup":
+		valid, err := c.validateWrappingToken(ctx, req)
+		// Perform audit logging before returning if there's an issue with checking
+		// the wrapping token
+		if err != nil || !valid {
+
+			logInput := &audit.LogInput{
+				Auth:               req.Auth,
+				Request:            req,
+				NonHMACReqDataKeys: nonHMACReqDataKeys,
+			}
+			if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
+				c.logger.Error("failed to audit request", "path", req.Path, "error", err)
+			}
+		}
+		if err != nil {
+			return nil, nil, errwrap.Wrapf("error validating wrapping token: {{err}}", err)
+		}
+		if !valid {
+			return logical.ErrorResponse(consts.ErrInvalidWrappingToken.Error()), nil, logical.ErrInvalidRequest
+		}
+	}
+
+	req.Unauthenticated = true
 
 	// Do an unauth check. This will cause EGP policies to be checked
+	var auth *logical.Auth
 	var ctErr error
 	auth, _, ctErr = c.checkToken(ctx, req, true)
 	if ctErr == logical.ErrPerfStandbyPleaseForward {
@@ -922,15 +987,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 			errType = logical.ErrInvalidRequest
 		}
 
-		var nonHMACReqDataKeys []string
-		entry := c.router.MatchingMountEntry(ctx, req.Path)
-		if entry != nil {
-			// Get and set ignored HMAC'd value.
-			if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
-				nonHMACReqDataKeys = rawVals.([]string)
-			}
-		}
-
 		logInput := &audit.LogInput{
 			Auth:               auth,
 			Request:            req,

diff --git a/vault/wrapping.go b/vault/wrapping.go
@@ -309,16 +309,20 @@ DONELISTHANDLING:
 	return nil, nil
 }
 
-// ValidateWrappingToken checks whether a token is a wrapping token.
-func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request) (bool, error) {
+// validateWrappingToken checks whether a token is a wrapping token. The passed
+// in logical request can be optionally updated if the wrapping token was
+// provided within a JWT token.
+func (c *Core) validateWrappingToken(ctx context.Context, req *logical.Request) (bool, error) {
 	if req == nil {
 		return false, fmt.Errorf("invalid request")
 	}
 
 	var err error
-
 	var token string
 	var thirdParty bool
+
+	// Check if the wrapping token is coming from the request body, and if not
+	// assume that req.ClientToken is the wrapping token
 	if req.Data != nil && req.Data["token"] != nil {
 		thirdParty = true
 		if tokenStr, ok := req.Data["token"].(string); !ok {
@@ -365,6 +369,7 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 		} else {
 			req.Data["token"] = claims.ID
 		}
+
 		token = claims.ID
 	}