Add read locks to LookupToken/ValidateWrappingToken (#2232)

vault/core.go

@@ -508,6 +508,15 @@ func (c *Core) LookupToken(token string) (*TokenEntry, error) {
 		return nil, fmt.Errorf("missing client token")
 	}
 
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	if c.sealed {
+		return nil, ErrSealed
+	}
+	if c.standby {
+		return nil, ErrStandby
+	}
+
 	// Many tests don't have a token store running
 	if c.tokenStore == nil {
 		return nil, nil

vault/wrapping.go

@@ -271,6 +271,15 @@ func (c *Core) ValidateWrappingToken(req *logical.Request) (bool, error) {
 		return false, fmt.Errorf("token is empty")
 	}
 
+	c.stateLock.RLock()
+	defer c.stateLock.RUnlock()
+	if c.sealed {
+		return nil, ErrSealed
+	}
+	if c.standby {
+		return nil, ErrStandby
+	}
+
 	te, err := c.tokenStore.Lookup(token)
 	if err != nil {
 		return false, err