From d256ae265b8a001424b7f5cc8cce15ab64db3546 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeff@hashicorp.com>
Date: Wed, 4 Jan 2017 16:52:03 -0500
Subject: [PATCH] Add read locks to LookupToken/ValidateWrappingToken (#2232)

---
 vault/core.go     | 9 +++++++++
 vault/wrapping.go | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/vault/core.go b/vault/core.go
index 7435d76054..3bd2b99343 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -508,6 +508,15 @@ func (c *Core) LookupToken(token string) (*TokenEntry, error) {
 		return nil, fmt.Errorf("missing client token")
 	}
 
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	if c.sealed {
+		return nil, ErrSealed
+	}
+	if c.standby {
+		return nil, ErrStandby
+	}
+
 	// Many tests don't have a token store running
 	if c.tokenStore == nil {
 		return nil, nil
diff --git a/vault/wrapping.go b/vault/wrapping.go
index afa29bfd6d..f3182a3e6f 100644
--- a/vault/wrapping.go
+++ b/vault/wrapping.go
@@ -271,6 +271,15 @@ func (c *Core) ValidateWrappingToken(req *logical.Request) (bool, error) {
 		return false, fmt.Errorf("token is empty")
 	}
 
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	if c.sealed {
+		return nil, ErrSealed
+	}
+	if c.standby {
+		return nil, ErrStandby
+	}
+
 	te, err := c.tokenStore.Lookup(token)
 	if err != nil {
 		return false, err