open-vault/vault/request_handling.go

package vault

import (
	"context"
	"crypto/hmac"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"

	"github.com/armon/go-metrics"
	"github.com/golang/protobuf/proto"
	"github.com/hashicorp/errwrap"
	"github.com/hashicorp/go-multierror"
	"github.com/hashicorp/go-secure-stdlib/strutil"
	"github.com/hashicorp/go-sockaddr"
	"github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/helper/identity"
	"github.com/hashicorp/vault/helper/identity/mfa"
	"github.com/hashicorp/vault/helper/metricsutil"
	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/internalshared/configutil"
	"github.com/hashicorp/vault/sdk/framework"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/hashicorp/vault/sdk/helper/errutil"
	"github.com/hashicorp/vault/sdk/helper/jsonutil"
	"github.com/hashicorp/vault/sdk/helper/policyutil"
	"github.com/hashicorp/vault/sdk/helper/wrapping"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault/quotas"
	"github.com/hashicorp/vault/vault/tokens"
	uberAtomic "go.uber.org/atomic"
)

const (
	replTimeout                           = 1 * time.Second
	EnvVaultDisableLocalAuthMountEntities = "VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES"
)

var (
	// DefaultMaxRequestDuration is the amount of time we'll wait for a request
	// to complete, unless overridden on a per-handler basis
	DefaultMaxRequestDuration = 90 * time.Second

	egpDebugLogging bool

	// if this returns an error, the request should be blocked and the error
	// should be returned to the client
	enterpriseBlockRequestIfError = blockRequestIfErrorImpl
)

// HandlerProperties is used to seed configuration into a vaulthttp.Handler.
// It's in this package to avoid a circular dependency
type HandlerProperties struct {
	Core                  *Core
	ListenerConfig        *configutil.Listener
	DisablePrintableCheck bool
	RecoveryMode          bool
	RecoveryToken         *uberAtomic.String
}

// fetchEntityAndDerivedPolicies returns the entity object for the given entity
// ID. If the entity is merged into a different entity object, the entity into
// which the given entity ID is merged into will be returned. This function
// also returns the cumulative list of policies that the entity is entitled to
// if skipDeriveEntityPolicies is set to false. This list includes the policies from the
// entity itself and from all the groups in which the given entity ID is a member of.
func (c *Core) fetchEntityAndDerivedPolicies(ctx context.Context, tokenNS *namespace.Namespace, entityID string, skipDeriveEntityPolicies bool) (*identity.Entity, map[string][]string, error) {
	if entityID == "" || c.identityStore == nil {
		return nil, nil, nil
	}

	// c.logger.Debug("entity set on the token", "entity_id", te.EntityID)

	// Fetch the entity
	entity, err := c.identityStore.MemDBEntityByID(entityID, false)
	if err != nil {
		c.logger.Error("failed to lookup entity using its ID", "error", err)
		return nil, nil, err
	}

	if entity == nil {
		// If there was no corresponding entity object found, it is
		// possible that the entity got merged into another entity. Try
		// finding entity based on the merged entity index.
		entity, err = c.identityStore.MemDBEntityByMergedEntityID(entityID, false)
		if err != nil {
			c.logger.Error("failed to lookup entity in merged entity ID index", "error", err)
			return nil, nil, err
		}
	}

	policies := make(map[string][]string)
	if entity != nil && !skipDeriveEntityPolicies {
		// c.logger.Debug("entity successfully fetched; adding entity policies to token's policies to create ACL")

		// Attach the policies on the entity
		if len(entity.Policies) != 0 {
			policies[entity.NamespaceID] = append(policies[entity.NamespaceID], entity.Policies...)
		}

		groupPolicies, err := c.identityStore.groupPoliciesByEntityID(entity.ID)
		if err != nil {
			c.logger.Error("failed to fetch group policies", "error", err)
			return nil, nil, err
		}

		// Filter and add the policies to the resultant set
		for nsID, nsPolicies := range groupPolicies {
			ns, err := NamespaceByID(ctx, nsID, c)
			if err != nil {
				return nil, nil, err
			}
			if ns == nil {
				return nil, nil, namespace.ErrNoNamespace
			}
			if tokenNS.Path != ns.Path && !ns.HasParent(tokenNS) {
				continue
			}
			nsPolicies = strutil.RemoveDuplicates(nsPolicies, false)
			if len(nsPolicies) != 0 {
				policies[nsID] = append(policies[nsID], nsPolicies...)
			}
		}
	}

	return entity, policies, err
}

func (c *Core) fetchACLTokenEntryAndEntity(ctx context.Context, req *logical.Request) (*ACL, *logical.TokenEntry, *identity.Entity, map[string][]string, error) {
	defer metrics.MeasureSince([]string{"core", "fetch_acl_and_token"}, time.Now())

	// Ensure there is a client token
	if req.ClientToken == "" {
		return nil, nil, nil, nil, logical.ErrPermissionDenied
	}

	if c.tokenStore == nil {
		c.logger.Error("token store is unavailable")
		return nil, nil, nil, nil, ErrInternalError
	}

	// Resolve the token policy
	var te *logical.TokenEntry
	switch req.TokenEntry() {
	case nil:
		var err error
		te, err = c.tokenStore.Lookup(ctx, req.ClientToken)
		if err != nil {
			c.logger.Error("failed to lookup acl token", "error", err)
			return nil, nil, nil, nil, ErrInternalError
		}
		// Set the token entry here since it has not been cached yet
		req.SetTokenEntry(te)
	default:
		te = req.TokenEntry()
	}

	// Ensure the token is valid
	if te == nil {
		return nil, nil, nil, nil, logical.ErrPermissionDenied
	}

	// CIDR checks bind all tokens except non-expiring root tokens
	if te.TTL != 0 && len(te.BoundCIDRs) > 0 {
		var valid bool
		remoteSockAddr, err := sockaddr.NewSockAddr(req.Connection.RemoteAddr)
		if err != nil {
			if c.Logger().IsDebug() {
				c.Logger().Debug("could not parse remote addr into sockaddr", "error", err, "remote_addr", req.Connection.RemoteAddr)
			}
			return nil, nil, nil, nil, logical.ErrPermissionDenied
		}
		for _, cidr := range te.BoundCIDRs {
			if cidr.Contains(remoteSockAddr) {
				valid = true
				break
			}
		}
		if !valid {
			return nil, nil, nil, nil, logical.ErrPermissionDenied
		}
	}

	policyNames := make(map[string][]string)
	// Add tokens policies
	policyNames[te.NamespaceID] = append(policyNames[te.NamespaceID], te.Policies...)

	tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
	if err != nil {
		c.logger.Error("failed to fetch token namespace", "error", err)
		return nil, nil, nil, nil, ErrInternalError
	}
	if tokenNS == nil {
		c.logger.Error("failed to fetch token namespace", "error", namespace.ErrNoNamespace)
		return nil, nil, nil, nil, ErrInternalError
	}

	// Add identity policies from all the namespaces
	entity, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, te.EntityID, te.NoIdentityPolicies)
	if err != nil {
		return nil, nil, nil, nil, ErrInternalError
	}
	for nsID, nsPolicies := range identityPolicies {
		policyNames[nsID] = append(policyNames[nsID], nsPolicies...)
	}

	// Attach token's namespace information to the context. Wrapping tokens by
	// should be able to be used anywhere, so we also special case behavior.
	var tokenCtx context.Context
	if len(policyNames) == 1 &&
		len(policyNames[te.NamespaceID]) == 1 &&
		(policyNames[te.NamespaceID][0] == responseWrappingPolicyName ||
			policyNames[te.NamespaceID][0] == controlGroupPolicyName) &&
		(strings.HasSuffix(req.Path, "sys/wrapping/unwrap") ||
			strings.HasSuffix(req.Path, "sys/wrapping/lookup") ||
			strings.HasSuffix(req.Path, "sys/wrapping/rewrap")) {
		// Use the request namespace; will find the copy of the policy for the
		// local namespace
		tokenCtx = ctx
	} else {
		// Use the token's namespace for looking up policy
		tokenCtx = namespace.ContextWithNamespace(ctx, tokenNS)
	}

	// Add the inline policy if it's set
	policies := make([]*Policy, 0)
	if te.InlinePolicy != "" {
		inlinePolicy, err := ParseACLPolicy(tokenNS, te.InlinePolicy)
		if err != nil {
			return nil, nil, nil, nil, ErrInternalError
		}
		policies = append(policies, inlinePolicy)
	}

	// Construct the corresponding ACL object. ACL construction should be
	// performed on the token's namespace.
	acl, err := c.policyStore.ACL(tokenCtx, entity, policyNames, policies...)
	if err != nil {
		if errwrap.ContainsType(err, new(TemplateError)) {
			c.logger.Warn("permission denied due to a templated policy being invalid or containing directives not satisfied by the requestor", "error", err)
			return nil, nil, nil, nil, logical.ErrPermissionDenied
		}
		c.logger.Error("failed to construct ACL", "error", err)
		return nil, nil, nil, nil, ErrInternalError
	}

	return acl, te, entity, identityPolicies, nil
}

func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool) (*logical.Auth, *logical.TokenEntry, error) {
	defer metrics.MeasureSince([]string{"core", "check_token"}, time.Now())

	var acl *ACL
	var te *logical.TokenEntry
	var entity *identity.Entity
	var identityPolicies map[string][]string
	var err error

	// Even if unauth, if a token is provided, there's little reason not to
	// gather as much info as possible for the audit log and to e.g. control
	// trace mode for EGPs.
	if !unauth || (unauth && req.ClientToken != "") {
		acl, te, entity, identityPolicies, err = c.fetchACLTokenEntryAndEntity(ctx, req)
		// In the unauth case we don't want to fail the command, since it's
		// unauth, we just have no information to attach to the request, so
		// ignore errors...this was best-effort anyways
		if err != nil && !unauth {
			return nil, te, err
		}
	}

	if entity != nil && entity.Disabled {
		c.logger.Warn("permission denied as the entity on the token is disabled")
		return nil, te, logical.ErrPermissionDenied
	}
	if te != nil && te.EntityID != "" && entity == nil {
		if c.perfStandby {
			return nil, nil, logical.ErrPerfStandbyPleaseForward
		}
		c.logger.Warn("permission denied as the entity on the token is invalid")
		return nil, te, logical.ErrPermissionDenied
	}

	// Check if this is a root protected path
	rootPath := c.router.RootPath(ctx, req.Path)

	if rootPath && unauth {
		return nil, nil, errors.New("cannot access root path in unauthenticated request")
	}

	// At this point we won't be forwarding a raw request; we should delete
	// authorization headers as appropriate
	switch req.ClientTokenSource {
	case logical.ClientTokenFromVaultHeader:
		delete(req.Headers, consts.AuthHeaderName)
	case logical.ClientTokenFromAuthzHeader:
		if headers, ok := req.Headers["Authorization"]; ok {
			retHeaders := make([]string, 0, len(headers))
			for _, v := range headers {
				if strings.HasPrefix(v, "Bearer ") {
					continue
				}
				retHeaders = append(retHeaders, v)
			}
			req.Headers["Authorization"] = retHeaders
		}
	}

	// When we receive a write of either type, rather than require clients to
	// PUT/POST and trust the operation, we ask the backend to give us the real
	// skinny -- if the backend implements an existence check, it can tell us
	// whether a particular resource exists. Then we can mark it as an update
	// or creation as appropriate.
	if req.Operation == logical.CreateOperation || req.Operation == logical.UpdateOperation {
		existsResp, checkExists, resourceExists, err := c.router.RouteExistenceCheck(ctx, req)
		switch err {
		case logical.ErrUnsupportedPath:
			// fail later via bad path to avoid confusing items in the log
			checkExists = false
		case logical.ErrRelativePath:
			return nil, te, errutil.UserError{Err: err.Error()}
		case nil:
			if existsResp != nil && existsResp.IsError() {
				return nil, te, existsResp.Error()
			}
			// Otherwise, continue on
		default:
			c.logger.Error("failed to run existence check", "error", err)
			if _, ok := err.(errutil.UserError); ok {
				return nil, te, err
			} else {
				return nil, te, ErrInternalError
			}
		}

		switch {
		case !checkExists:
			// No existence check, so always treat it as an update operation, which is how it is pre 0.5
			req.Operation = logical.UpdateOperation
		case resourceExists:
			// It exists, so force an update operation
			req.Operation = logical.UpdateOperation
		case !resourceExists:
			// It doesn't exist, force a create operation
			req.Operation = logical.CreateOperation
		default:
			panic("unreachable code")
		}
	}
	// Create the auth response
	auth := &logical.Auth{
		ClientToken: req.ClientToken,
		Accessor:    req.ClientTokenAccessor,
	}

	var clientID string
	var isTWE bool
	if te != nil {
		auth.IdentityPolicies = identityPolicies[te.NamespaceID]
		auth.TokenPolicies = te.Policies
		auth.Policies = append(te.Policies, identityPolicies[te.NamespaceID]...)
		auth.Metadata = te.Meta
		auth.DisplayName = te.DisplayName
		auth.EntityID = te.EntityID
		delete(identityPolicies, te.NamespaceID)
		auth.ExternalNamespacePolicies = identityPolicies
		// Store the entity ID in the request object
		req.EntityID = te.EntityID
		auth.TokenType = te.Type
		auth.TTL = te.TTL
		if te.CreationTime > 0 {
			auth.IssueTime = time.Unix(te.CreationTime, 0)
		}
		clientID, isTWE = te.CreateClientID()
		req.ClientID = clientID
	}

	// Check the standard non-root ACLs. Return the token entry if it's not
	// allowed so we can decrement the use count.
	authResults := c.performPolicyChecks(ctx, acl, te, req, entity, &PolicyCheckOpts{
		Unauth:            unauth,
		RootPrivsRequired: rootPath,
	})

	auth.PolicyResults = &logical.PolicyResults{
		Allowed: authResults.Allowed,
	}

	if !authResults.Allowed {
		retErr := authResults.Error

		// If we get a control group error and we are a performance standby,
		// restore the client token information to the request so that we can
		// forward this request properly to the active node.
		if retErr.ErrorOrNil() != nil && checkErrControlGroupTokenNeedsCreated(retErr) &&
			c.perfStandby && len(req.ClientToken) != 0 {
			switch req.ClientTokenSource {
			case logical.ClientTokenFromVaultHeader:
				req.Headers[consts.AuthHeaderName] = []string{req.ClientToken}
			case logical.ClientTokenFromAuthzHeader:
				req.Headers["Authorization"] = append(req.Headers["Authorization"], fmt.Sprintf("Bearer %s", req.ClientToken))
			}
			// We also return the appropriate error so that the caller can forward the
			// request to the active node
			return auth, te, logical.ErrPerfStandbyPleaseForward
		}

		if authResults.Error.ErrorOrNil() == nil || authResults.DeniedError {
			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
		}
		return auth, te, retErr
	}

	if authResults.ACLResults != nil && len(authResults.ACLResults.GrantingPolicies) > 0 {
		auth.PolicyResults.GrantingPolicies = authResults.ACLResults.GrantingPolicies
	}
	if authResults.SentinelResults != nil && len(authResults.SentinelResults.GrantingPolicies) > 0 {
		auth.PolicyResults.GrantingPolicies = append(auth.PolicyResults.GrantingPolicies, authResults.SentinelResults.GrantingPolicies...)
	}

	// If it is an authenticated ( i.e with vault token ) request, increment client count
	if !unauth && c.activityLog != nil {
		c.activityLog.HandleTokenUsage(ctx, te, clientID, isTWE)
	}
	return auth, te, nil
}

// HandleRequest is used to handle a new incoming request
func (c *Core) HandleRequest(httpCtx context.Context, req *logical.Request) (resp *logical.Response, err error) {
	return c.switchedLockHandleRequest(httpCtx, req, true)
}

func (c *Core) switchedLockHandleRequest(httpCtx context.Context, req *logical.Request, doLocking bool) (resp *logical.Response, err error) {
	if doLocking {
		c.stateLock.RLock()
		defer c.stateLock.RUnlock()
	}
	if c.Sealed() {
		return nil, consts.ErrSealed
	}
	if c.standby && !c.perfStandby {
		return nil, consts.ErrStandby
	}

	if c.activeContext == nil || c.activeContext.Err() != nil {
		return nil, errors.New("active context canceled after getting state lock")
	}

	ctx, cancel := context.WithCancel(c.activeContext)
	go func(ctx context.Context, httpCtx context.Context) {
		select {
		case <-ctx.Done():
		case <-httpCtx.Done():
			cancel()
		}
	}(ctx, httpCtx)

	ns, err := namespace.FromContext(httpCtx)
	if err != nil {
		cancel()
		return nil, fmt.Errorf("could not parse namespace from http context: %w", err)
	}

	ctx = namespace.ContextWithNamespace(ctx, ns)
	inFlightReqID, ok := httpCtx.Value(logical.CtxKeyInFlightRequestID{}).(string)
	if ok {
		ctx = context.WithValue(ctx, logical.CtxKeyInFlightRequestID{}, inFlightReqID)
	}
	resp, err = c.handleCancelableRequest(ctx, req)
	req.SetTokenEntry(nil)
	cancel()
	return resp, err
}

func (c *Core) handleCancelableRequest(ctx context.Context, req *logical.Request) (resp *logical.Response, err error) {
	// Allowing writing to a path ending in / makes it extremely difficult to
	// understand user intent for the filesystem-like backends (kv,
	// cubbyhole) -- did they want a key named foo/ or did they want to write
	// to a directory foo/ with no (or forgotten) key, or...? It also affects
	// lookup, because paths ending in / are considered prefixes by some
	// backends. Basically, it's all just terrible, so don't allow it.
	if strings.HasSuffix(req.Path, "/") &&
		(req.Operation == logical.UpdateOperation ||
			req.Operation == logical.CreateOperation ||
			req.Operation == logical.PatchOperation) {
		return logical.ErrorResponse("cannot write to a path ending in '/'"), nil
	}
	waitGroup, err := waitForReplicationState(ctx, c, req)
	if err != nil {
		return nil, err
	}

	// MountPoint will not always be set at this point, so we ensure the req contains it
	// as it is depended on by some functionality (e.g. quotas)
	req.MountPoint = c.router.MatchingMount(ctx, req.Path)

	// Decrement the wait group when our request is done
	if waitGroup != nil {
		defer waitGroup.Done()
	}

	if c.MissingRequiredState(req.RequiredState(), c.perfStandby) {
		return nil, logical.ErrMissingRequiredState
	}

	err = c.PopulateTokenEntry(ctx, req)
	if err != nil {
		return nil, err
	}

	// Always forward requests that are using a limited use count token.
	if c.perfStandby && req.ClientTokenRemainingUses > 0 {
		// Prevent forwarding on local-only requests.
		return nil, logical.ErrPerfStandbyPleaseForward
	}

	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return nil, fmt.Errorf("could not parse namespace from http context: %w", err)
	}
	var requestBodyToken string
	var returnRequestAuthToken bool

	// req.Path will be relative by this point. The prefix check is first
	// to fail faster if we're not in this situation since it's a hot path
	switch {
	case strings.HasPrefix(req.Path, "sys/wrapping/"), strings.HasPrefix(req.Path, "auth/token/"):
		// Get the token ns info; if we match the paths below we want to
		// swap in the token context (but keep the relative path)
		te := req.TokenEntry()
		newCtx := ctx
		if te != nil {
			ns, err := NamespaceByID(ctx, te.NamespaceID, c)
			if err != nil {
				c.Logger().Warn("error looking up namespace from the token's namespace ID", "error", err)
				return nil, err
			}
			if ns != nil {
				newCtx = namespace.ContextWithNamespace(ctx, ns)
			}
		}
		switch req.Path {
		// Route the token wrapping request to its respective sys NS
		case "sys/wrapping/lookup", "sys/wrapping/rewrap", "sys/wrapping/unwrap":
			ctx = newCtx
			// A lookup on a token that is about to expire returns nil, which means by the
			// time we can validate a wrapping token lookup will return nil since it will
			// be revoked after the call. So we have to do the validation here.
			valid, err := c.validateWrappingToken(ctx, req)
			if err != nil {
				return nil, fmt.Errorf("error validating wrapping token: %w", err)
			}
			if !valid {
				return nil, consts.ErrInvalidWrappingToken
			}

		// The -self paths have no meaning outside of the token NS, so
		// requests for these paths always go to the token NS
		case "auth/token/lookup-self", "auth/token/renew-self", "auth/token/revoke-self":
			ctx = newCtx
			returnRequestAuthToken = true

		// For the following operations, we can set the proper namespace context
		// using the token's embedded nsID if a relative path was provided.
		// The operation will still be gated by ACLs, which are checked later.
		case "auth/token/lookup", "auth/token/renew", "auth/token/revoke", "auth/token/revoke-orphan":
			token, ok := req.Data["token"]
			// If the token is not present (e.g. a bad request), break out and let the backend
			// handle the error
			if !ok {
				// If this is a token lookup request and if the token is not
				// explicitly provided, it will use the client token so we simply set
				// the context to the client token's context.
				if req.Path == "auth/token/lookup" {
					ctx = newCtx
				}
				break
			}
			if token == nil {
				return logical.ErrorResponse("invalid token"), logical.ErrPermissionDenied
			}
			// We don't care if the token is an server side consistent token or not. Either way, we're going
			// to be returning it for these paths instead of the short token stored in vault.
			requestBodyToken = token.(string)
			if IsSSCToken(token.(string)) {
				token, err = c.CheckSSCToken(ctx, token.(string), c.isLoginRequest(ctx, req), c.perfStandby)
				if err != nil {
					return nil, fmt.Errorf("server side consistent token check failed: %w", err)
				}
				req.Data["token"] = token
			}
			_, nsID := namespace.SplitIDFromString(token.(string))
			if nsID != "" {
				ns, err := NamespaceByID(ctx, nsID, c)
				if err != nil {
					c.Logger().Warn("error looking up namespace from the token's namespace ID", "error", err)
					return nil, err
				}
				if ns != nil {
					ctx = namespace.ContextWithNamespace(ctx, ns)
				}
			}
		}

	// The following relative sys/leases/ paths handles re-routing requests
	// to the proper namespace using the lease ID on applicable paths.
	case strings.HasPrefix(req.Path, "sys/leases/"):
		switch req.Path {
		// For the following operations, we can set the proper namespace context
		// using the lease's embedded nsID if a relative path was provided.
		// The operation will still be gated by ACLs, which are checked later.
		case "sys/leases/lookup", "sys/leases/renew", "sys/leases/revoke", "sys/leases/revoke-force":
			leaseID, ok := req.Data["lease_id"]
			// If lease ID is not present, break out and let the backend handle the error
			if !ok {
				break
			}
			_, nsID := namespace.SplitIDFromString(leaseID.(string))
			if nsID != "" {
				ns, err := NamespaceByID(ctx, nsID, c)
				if err != nil {
					c.Logger().Warn("error looking up namespace from the lease's namespace ID", "error", err)
					return nil, err
				}
				if ns != nil {
					ctx = namespace.ContextWithNamespace(ctx, ns)
				}
			}
		}

	// Prevent any metrics requests to be forwarded from a standby node.
	// Instead, we return an error since we cannot be sure if we have an
	// active token store to validate the provided token.
	case strings.HasPrefix(req.Path, "sys/metrics"):
		if c.standby && !c.perfStandby {
			return nil, ErrCannotForwardLocalOnly
		}
	}

	ns, err = namespace.FromContext(ctx)
	if err != nil {
		return nil, errwrap.Wrapf("could not parse namespace from http context: {{err}}", err)
	}

	if !hasNamespaces(c) && ns.Path != "" {
		return nil, logical.CodedError(403, "namespaces feature not enabled")
	}

	walState := &logical.WALState{}
	ctx = logical.IndexStateContext(ctx, walState)
	var auth *logical.Auth
	if c.isLoginRequest(ctx, req) {
		resp, auth, err = c.handleLoginRequest(ctx, req)
	} else {
		resp, auth, err = c.handleRequest(ctx, req)
	}

	// If we saved the token in the request, we should return it in the response
	// data.
	if resp != nil && resp.Data != nil {
		if _, ok := resp.Data["error"]; !ok {
			if requestBodyToken != "" {
				resp.Data["id"] = requestBodyToken
			} else if returnRequestAuthToken && req.InboundSSCToken != "" {
				resp.Data["id"] = req.InboundSSCToken
			}
		}
	}
	if resp != nil && resp.Auth != nil && requestBodyToken != "" {
		// if a client token has already been set and the request body token's internal token
		// is equal to that value, then we can return the original request body token
		tok, _ := c.DecodeSSCToken(requestBodyToken)
		if resp.Auth.ClientToken == tok {
			resp.Auth.ClientToken = requestBodyToken
		}
	}

	// Ensure we don't leak internal data
	if resp != nil {
		if resp.Secret != nil {
			resp.Secret.InternalData = nil
		}
		if resp.Auth != nil {
			resp.Auth.InternalData = nil
		}
	}

	// We are wrapping if there is anything to wrap (not a nil response) and a
	// TTL was specified for the token. Errors on a call should be returned to
	// the caller, so wrapping is turned off if an error is hit and the error
	// is logged to the audit log.
	wrapping := resp != nil &&
		err == nil &&
		!resp.IsError() &&
		resp.WrapInfo != nil &&
		resp.WrapInfo.TTL != 0 &&
		resp.WrapInfo.Token == ""

	if wrapping {
		cubbyResp, cubbyErr := c.wrapInCubbyhole(ctx, req, resp, auth)
		// If not successful, returns either an error response from the
		// cubbyhole backend or an error; if either is set, set resp and err to
		// those and continue so that that's what we audit log. Otherwise
		// finish the wrapping and audit log that.
		if cubbyResp != nil || cubbyErr != nil {
			resp = cubbyResp
			err = cubbyErr
		} else {
			wrappingResp := &logical.Response{
				WrapInfo: resp.WrapInfo,
				Warnings: resp.Warnings,
			}
			resp = wrappingResp
		}
	}

	auditResp := resp
	// When unwrapping we want to log the actual response that will be written
	// out. We still want to return the raw value to avoid automatic updating
	// to any of it.
	if req.Path == "sys/wrapping/unwrap" &&
		resp != nil &&
		resp.Data != nil &&
		resp.Data[logical.HTTPRawBody] != nil {

		// Decode the JSON
		if resp.Data[logical.HTTPRawBodyAlreadyJSONDecoded] != nil {
			delete(resp.Data, logical.HTTPRawBodyAlreadyJSONDecoded)
		} else {
			httpResp := &logical.HTTPResponse{}
			err := jsonutil.DecodeJSON(resp.Data[logical.HTTPRawBody].([]byte), httpResp)
			if err != nil {
				c.logger.Error("failed to unmarshal wrapped HTTP response for audit logging", "error", err)
				return nil, ErrInternalError
			}

			auditResp = logical.HTTPResponseToLogicalResponse(httpResp)
		}
	}

	var nonHMACReqDataKeys []string
	var nonHMACRespDataKeys []string
	entry := c.router.MatchingMountEntry(ctx, req.Path)
	if entry != nil {
		// Get and set ignored HMAC'd value. Reset those back to empty afterwards.
		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
			nonHMACReqDataKeys = rawVals.([]string)
		}

		// Get and set ignored HMAC'd value. Reset those back to empty afterwards.
		if auditResp != nil {
			if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_response_keys"); ok {
				nonHMACRespDataKeys = rawVals.([]string)
			}
		}
	}

	// Create an audit trail of the response
	if !isControlGroupRun(req) {
		switch req.Path {
		case "sys/replication/dr/status", "sys/replication/performance/status", "sys/replication/status":
		default:
			logInput := &logical.LogInput{
				Auth:                auth,
				Request:             req,
				Response:            auditResp,
				OuterErr:            err,
				NonHMACReqDataKeys:  nonHMACReqDataKeys,
				NonHMACRespDataKeys: nonHMACRespDataKeys,
			}
			if auditErr := c.auditBroker.LogResponse(ctx, logInput, c.auditedHeaders); auditErr != nil {
				c.logger.Error("failed to audit response", "request_path", req.Path, "error", auditErr)
				return nil, ErrInternalError
			}
		}
	}

	if walState.LocalIndex != 0 || walState.ReplicatedIndex != 0 {
		walState.ClusterID = c.clusterID.Load()
		if walState.LocalIndex == 0 {
			if c.perfStandby {
				walState.LocalIndex = LastRemoteWAL(c)
			} else {
				walState.LocalIndex = LastWAL(c)
			}
		}
		if walState.ReplicatedIndex == 0 {
			if c.perfStandby {
				walState.ReplicatedIndex = LastRemoteUpstreamWAL(c)
			} else {
				walState.ReplicatedIndex = LastRemoteWAL(c)
			}
		}

		req.SetResponseState(walState)
	}

	return
}

func isControlGroupRun(req *logical.Request) bool {
	return req.ControlGroup != nil
}

func (c *Core) doRouting(ctx context.Context, req *logical.Request) (*logical.Response, error) {
	// If we're replicating and we get a read-only error from a backend, need to forward to primary
	resp, err := c.router.Route(ctx, req)
	if shouldForward(c, resp, err) {
		return forward(ctx, c, req)
	}
	return resp, err
}

func (c *Core) isLoginRequest(ctx context.Context, req *logical.Request) bool {
	return c.router.LoginPath(ctx, req.Path)
}

func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
	defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())

	var nonHMACReqDataKeys []string
	entry := c.router.MatchingMountEntry(ctx, req.Path)
	if entry != nil {
		// Set here so the audit log has it even if authorization fails
		req.MountType = entry.Type
		// Get and set ignored HMAC'd value.
		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
			nonHMACReqDataKeys = rawVals.([]string)
		}
	}

	ns, err := namespace.FromContext(ctx)
	if err != nil {
		c.logger.Error("failed to get namespace from context", "error", err)
		retErr = multierror.Append(retErr, ErrInternalError)
		return
	}

	// Validate the token
	auth, te, ctErr := c.checkToken(ctx, req, false)
	if ctErr == logical.ErrRelativePath {
		return logical.ErrorResponse(ctErr.Error()), nil, ctErr
	}
	if ctErr == logical.ErrPerfStandbyPleaseForward {
		return nil, nil, ctErr
	}

	// Updating in-flight request data with client/entity ID
	inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string)
	if ok && req.ClientID != "" {
		c.UpdateInFlightReqData(inFlightReqID, req.ClientID)
	}

	// We run this logic first because we want to decrement the use count even
	// in the case of an error (assuming we can successfully look up; if we
	// need to forward, we exit before now)
	if te != nil && !isControlGroupRun(req) {
		// Attempt to use the token (decrement NumUses)
		var err error
		te, err = c.tokenStore.UseToken(ctx, te)
		if err != nil {
			c.logger.Error("failed to use token", "error", err)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, nil, retErr
		}
		if te == nil {
			// Token has been revoked by this point
			retErr = multierror.Append(retErr, logical.ErrPermissionDenied)
			return nil, nil, retErr
		}
		if te.NumUses == tokenRevocationPending {
			// We defer a revocation until after logic has run, since this is a
			// valid request (this is the token's final use). We pass the ID in
			// directly just to be safe in case something else modifies te later.
			defer func(id string) {
				nsActiveCtx := namespace.ContextWithNamespace(c.activeContext, ns)
				leaseID, err := c.expiration.CreateOrFetchRevocationLeaseByToken(nsActiveCtx, te)
				if err == nil {
					err = c.expiration.LazyRevoke(ctx, leaseID)
				}
				if err != nil {
					c.logger.Error("failed to revoke token", "error", err)
					retResp = nil
					retAuth = nil
					retErr = multierror.Append(retErr, ErrInternalError)
				}
				if retResp != nil && retResp.Secret != nil &&
					// Some backends return a TTL even without a Lease ID
					retResp.Secret.LeaseID != "" {
					retResp = logical.ErrorResponse("Secret cannot be returned; token had one use left, so leased credentials were immediately revoked.")
					return
				}
			}(te.ID)
		}
	}

	if ctErr != nil {
		newCtErr, cgResp, cgAuth, cgRetErr := checkNeedsCG(ctx, c, req, auth, ctErr, nonHMACReqDataKeys)
		switch {
		case newCtErr != nil:
			ctErr = newCtErr
		case cgResp != nil || cgAuth != nil:
			if cgRetErr != nil {
				retErr = multierror.Append(retErr, cgRetErr)
			}
			return cgResp, cgAuth, retErr
		}

		// If it is an internal error we return that, otherwise we
		// return invalid request so that the status codes can be correct
		switch {
		case ctErr == ErrInternalError,
			errwrap.Contains(ctErr, ErrInternalError.Error()),
			ctErr == logical.ErrPermissionDenied,
			errwrap.Contains(ctErr, logical.ErrPermissionDenied.Error()):
			switch ctErr.(type) {
			case *multierror.Error:
				retErr = ctErr
			default:
				retErr = multierror.Append(retErr, ctErr)
			}
		default:
			retErr = multierror.Append(retErr, logical.ErrInvalidRequest)
		}

		if !isControlGroupRun(req) {
			logInput := &logical.LogInput{
				Auth:               auth,
				Request:            req,
				OuterErr:           ctErr,
				NonHMACReqDataKeys: nonHMACReqDataKeys,
			}
			if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
				c.logger.Error("failed to audit request", "path", req.Path, "error", err)
			}
		}

		if errwrap.Contains(retErr, ErrInternalError.Error()) {
			return nil, auth, retErr
		}
		return logical.ErrorResponse(ctErr.Error()), auth, retErr
	}

	// Attach the display name
	req.DisplayName = auth.DisplayName

	// Create an audit trail of the request
	if !isControlGroupRun(req) {
		logInput := &logical.LogInput{
			Auth:               auth,
			Request:            req,
			NonHMACReqDataKeys: nonHMACReqDataKeys,
		}
		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}
	}

	if err := enterpriseBlockRequestIfError(c, ns.Path, req.Path); err != nil {
		return nil, nil, multierror.Append(retErr, err)
	}

	leaseGenerated := false
	quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{
		Path:          req.Path,
		MountPath:     strings.TrimPrefix(req.MountPoint, ns.Path),
		NamespacePath: ns.Path,
	})
	if quotaErr != nil {
		c.logger.Error("failed to apply quota", "path", req.Path, "error", quotaErr)
		retErr = multierror.Append(retErr, quotaErr)
		return nil, auth, retErr
	}

	if !quotaResp.Allowed {
		if c.logger.IsTrace() {
			c.logger.Trace("request rejected due to lease count quota violation", "request_path", req.Path)
		}

		retErr = multierror.Append(retErr, fmt.Errorf("request path %q: %w", req.Path, quotas.ErrLeaseCountQuotaExceeded))
		return nil, auth, retErr
	}

	defer func() {
		if quotaResp.Access != nil {
			quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
			if quotaAckErr != nil {
				retErr = multierror.Append(retErr, quotaAckErr)
			}
		}
	}()

	// Route the request
	resp, routeErr := c.doRouting(ctx, req)
	if resp != nil {

		// If wrapping is used, use the shortest between the request and response
		var wrapTTL time.Duration
		var wrapFormat, creationPath string
		var sealWrap bool

		// Ensure no wrap info information is set other than, possibly, the TTL
		if resp.WrapInfo != nil {
			if resp.WrapInfo.TTL > 0 {
				wrapTTL = resp.WrapInfo.TTL
			}
			wrapFormat = resp.WrapInfo.Format
			creationPath = resp.WrapInfo.CreationPath
			sealWrap = resp.WrapInfo.SealWrap
			resp.WrapInfo = nil
		}

		if req.WrapInfo != nil {
			if req.WrapInfo.TTL > 0 {
				switch {
				case wrapTTL == 0:
					wrapTTL = req.WrapInfo.TTL
				case req.WrapInfo.TTL < wrapTTL:
					wrapTTL = req.WrapInfo.TTL
				}
			}
			// If the wrap format hasn't been set by the response, set it to
			// the request format
			if req.WrapInfo.Format != "" && wrapFormat == "" {
				wrapFormat = req.WrapInfo.Format
			}
		}

		if wrapTTL > 0 {
			resp.WrapInfo = &wrapping.ResponseWrapInfo{
				TTL:          wrapTTL,
				Format:       wrapFormat,
				CreationPath: creationPath,
				SealWrap:     sealWrap,
			}
		}
	}

	// If there is a secret, we must register it with the expiration manager.
	// We exclude renewal of a lease, since it does not need to be re-registered
	if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew") &&
		!strings.HasPrefix(req.Path, "sys/leases/renew") {
		// KV mounts should return the TTL but not register
		// for a lease as this provides a massive slowdown
		registerLease := true

		matchingMountEntry := c.router.MatchingMountEntry(ctx, req.Path)
		if matchingMountEntry == nil {
			c.logger.Error("unable to retrieve kv mount entry from router")
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}

		switch matchingMountEntry.Type {
		case "kv", "generic":
			// If we are kv type, first see if we are an older passthrough
			// backend, and otherwise check the mount entry options.
			matchingBackend := c.router.MatchingBackend(ctx, req.Path)
			if matchingBackend == nil {
				c.logger.Error("unable to retrieve kv backend from router")
				retErr = multierror.Append(retErr, ErrInternalError)
				return nil, auth, retErr
			}

			if ptbe, ok := matchingBackend.(*PassthroughBackend); ok {
				if !ptbe.GeneratesLeases() {
					registerLease = false
					resp.Secret.Renewable = false
				}
			} else if matchingMountEntry.Options == nil || matchingMountEntry.Options["leased_passthrough"] != "true" {
				registerLease = false
				resp.Secret.Renewable = false
			}

		case "plugin":
			// If we are a plugin type and the plugin name is "kv" check the
			// mount entry options.
			if matchingMountEntry.Config.PluginName == "kv" && (matchingMountEntry.Options == nil || matchingMountEntry.Options["leased_passthrough"] != "true") {
				registerLease = false
				resp.Secret.Renewable = false
			}
		}

		if registerLease {
			sysView := c.router.MatchingSystemView(ctx, req.Path)
			if sysView == nil {
				c.logger.Error("unable to look up sys view for login path", "request_path", req.Path)
				return nil, nil, ErrInternalError
			}

			ttl, warnings, err := framework.CalculateTTL(sysView, 0, resp.Secret.TTL, 0, resp.Secret.MaxTTL, 0, time.Time{})
			if err != nil {
				return nil, nil, err
			}
			for _, warning := range warnings {
				resp.AddWarning(warning)
			}
			resp.Secret.TTL = ttl

			registerFunc, funcGetErr := getLeaseRegisterFunc(c)
			if funcGetErr != nil {
				retErr = multierror.Append(retErr, funcGetErr)
				return nil, auth, retErr
			}

			leaseID, err := registerFunc(ctx, req, resp)
			if err != nil {
				c.logger.Error("failed to register lease", "request_path", req.Path, "error", err)
				retErr = multierror.Append(retErr, ErrInternalError)
				return nil, auth, retErr
			}
			leaseGenerated = true
			resp.Secret.LeaseID = leaseID

			// Count the lease creation
			ttl_label := metricsutil.TTLBucket(resp.Secret.TTL)
			mountPointWithoutNs := ns.TrimmedPath(req.MountPoint)
			c.MetricSink().IncrCounterWithLabels(
				[]string{"secret", "lease", "creation"},
				1,
				[]metrics.Label{
					metricsutil.NamespaceLabel(ns),
					{"secret_engine", req.MountType},
					{"mount_point", mountPointWithoutNs},
					{"creation_ttl", ttl_label},
				},
			)
		}
	}

	// Only the token store is allowed to return an auth block, for any
	// other request this is an internal error.
	if resp != nil && resp.Auth != nil {
		if !strings.HasPrefix(req.Path, "auth/token/") {
			c.logger.Error("unexpected Auth response for non-token backend", "request_path", req.Path)
			retErr = multierror.Append(retErr, ErrInternalError)
			return nil, auth, retErr
		}

		// Fetch the namespace to which the token belongs
		tokenNS, err := NamespaceByID(ctx, te.NamespaceID, c)
		if err != nil {
			c.logger.Error("failed to fetch token's namespace", "error", err)
			retErr = multierror.Append(retErr, err)
			return nil, auth, retErr
		}
		if tokenNS == nil {
			c.logger.Error(namespace.ErrNoNamespace.Error())
			retErr = multierror.Append(retErr, namespace.ErrNoNamespace)
			return nil, auth, retErr
		}

		_, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, tokenNS, resp.Auth.EntityID, false)
		if err != nil {
			// Best-effort clean up on error, so we log the cleanup error as a
			// warning but still return as internal error.
			if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
				c.logger.Warn("failed to clean up token lease from entity and policy lookup failure", "request_path", req.Path, "error", err)
			}
			return nil, nil, ErrInternalError
		}

		// We skip expiration manager registration for token renewal since it
		// does not need to be re-registered
		if strings.HasPrefix(req.Path, "auth/token/renew") {
			// We build the "policies" list to be returned by starting with
			// token policies, and add identity policies right after this
			// conditional
			tok, _ := c.DecodeSSCToken(req.InboundSSCToken)
			if resp.Auth.ClientToken == tok {
				resp.Auth.ClientToken = req.InboundSSCToken
			}
			resp.Auth.Policies = policyutil.SanitizePolicies(resp.Auth.TokenPolicies, policyutil.DoNotAddDefaultPolicy)
		} else {
			resp.Auth.TokenPolicies = policyutil.SanitizePolicies(resp.Auth.Policies, policyutil.DoNotAddDefaultPolicy)

			switch resp.Auth.TokenType {
			case logical.TokenTypeBatch:
			case logical.TokenTypeService:
				registeredTokenEntry := &logical.TokenEntry{
					TTL:         auth.TTL,
					Policies:    auth.TokenPolicies,
					Path:        resp.Auth.CreationPath,
					NamespaceID: ns.ID,
				}
				if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth); err != nil {
					// Best-effort clean up on error, so we log the cleanup error as
					// a warning but still return as internal error.
					if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
						c.logger.Warn("failed to clean up token lease during auth/token/ request", "request_path", req.Path, "error", err)
					}
					c.logger.Error("failed to register token lease during auth/token/ request", "request_path", req.Path, "error", err)
					retErr = multierror.Append(retErr, ErrInternalError)
					return nil, auth, retErr
				}
				if registeredTokenEntry.ExternalID != "" {
					resp.Auth.ClientToken = registeredTokenEntry.ExternalID
				}
				leaseGenerated = true
			}
		}

		// We do these later since it's not meaningful for backends/expmgr to
		// have what is purely a snapshot of current identity policies, and
		// plugins can be confused if they are checking contents of
		// Auth.Policies instead of Auth.TokenPolicies
		resp.Auth.Policies = policyutil.SanitizePolicies(append(resp.Auth.Policies, identityPolicies[te.NamespaceID]...), policyutil.DoNotAddDefaultPolicy)
		resp.Auth.IdentityPolicies = policyutil.SanitizePolicies(identityPolicies[te.NamespaceID], policyutil.DoNotAddDefaultPolicy)
		delete(identityPolicies, te.NamespaceID)
		resp.Auth.ExternalNamespacePolicies = identityPolicies
	}

	if resp != nil &&
		req.Path == "cubbyhole/response" &&
		len(te.Policies) == 1 &&
		te.Policies[0] == responseWrappingPolicyName {
		resp.AddWarning("Reading from 'cubbyhole/response' is deprecated. Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks and other benefits.")
	}

	// Return the response and error
	if routeErr != nil {
		retErr = multierror.Append(retErr, routeErr)
	}

	return resp, auth, retErr
}

// handleLoginRequest is used to handle a login request, which is an
// unauthenticated request to the backend.
func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())

	req.Unauthenticated = true

	var nonHMACReqDataKeys []string
	entry := c.router.MatchingMountEntry(ctx, req.Path)
	if entry != nil {
		// Set here so the audit log has it even if authorization fails
		req.MountType = entry.Type
		// Get and set ignored HMAC'd value.
		if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
			nonHMACReqDataKeys = rawVals.([]string)
		}
	}

	// Do an unauth check. This will cause EGP policies to be checked
	var auth *logical.Auth
	var ctErr error
	auth, _, ctErr = c.checkToken(ctx, req, true)
	if ctErr == logical.ErrPerfStandbyPleaseForward {
		return nil, nil, ctErr
	}

	// Updating in-flight request data with client/entity ID
	inFlightReqID, ok := ctx.Value(logical.CtxKeyInFlightRequestID{}).(string)
	if ok && req.ClientID != "" {
		c.UpdateInFlightReqData(inFlightReqID, req.ClientID)
	}

	if ctErr != nil {
		// If it is an internal error we return that, otherwise we
		// return invalid request so that the status codes can be correct
		var errType error
		switch ctErr {
		case ErrInternalError, logical.ErrPermissionDenied:
			errType = ctErr
		default:
			errType = logical.ErrInvalidRequest
		}

		logInput := &logical.LogInput{
			Auth:               auth,
			Request:            req,
			OuterErr:           ctErr,
			NonHMACReqDataKeys: nonHMACReqDataKeys,
		}
		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
			return nil, nil, ErrInternalError
		}

		if errType != nil {
			retErr = multierror.Append(retErr, errType)
		}
		if ctErr == ErrInternalError {
			return nil, auth, retErr
		}
		return logical.ErrorResponse(ctErr.Error()), auth, retErr
	}

	switch req.Path {
	case "sys/replication/dr/status", "sys/replication/performance/status", "sys/replication/status":
	default:
		// Create an audit trail of the request. Attach auth if it was returned,
		// e.g. if a token was provided.
		logInput := &logical.LogInput{
			Auth:               auth,
			Request:            req,
			NonHMACReqDataKeys: nonHMACReqDataKeys,
		}
		if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
			c.logger.Error("failed to audit request", "path", req.Path, "error", err)
			return nil, nil, ErrInternalError
		}
	}

	// The token store uses authentication even when creating a new token,
	// so it's handled in handleRequest. It should not be reached here.
	if strings.HasPrefix(req.Path, "auth/token/") {
		c.logger.Error("unexpected login request for token backend", "request_path", req.Path)
		return nil, nil, ErrInternalError
	}

	// Route the request
	resp, routeErr := c.doRouting(ctx, req)
	if resp != nil {
		// If wrapping is used, use the shortest between the request and response
		var wrapTTL time.Duration
		var wrapFormat, creationPath string
		var sealWrap bool

		// Ensure no wrap info information is set other than, possibly, the TTL
		if resp.WrapInfo != nil {
			if resp.WrapInfo.TTL > 0 {
				wrapTTL = resp.WrapInfo.TTL
			}
			wrapFormat = resp.WrapInfo.Format
			creationPath = resp.WrapInfo.CreationPath
			sealWrap = resp.WrapInfo.SealWrap
			resp.WrapInfo = nil
		}

		if req.WrapInfo != nil {
			if req.WrapInfo.TTL > 0 {
				switch {
				case wrapTTL == 0:
					wrapTTL = req.WrapInfo.TTL
				case req.WrapInfo.TTL < wrapTTL:
					wrapTTL = req.WrapInfo.TTL
				}
			}
			if req.WrapInfo.Format != "" && wrapFormat == "" {
				wrapFormat = req.WrapInfo.Format
			}
		}

		if wrapTTL > 0 {
			resp.WrapInfo = &wrapping.ResponseWrapInfo{
				TTL:          wrapTTL,
				Format:       wrapFormat,
				CreationPath: creationPath,
				SealWrap:     sealWrap,
			}
		}
	}

	// A login request should never return a secret!
	if resp != nil && resp.Secret != nil {
		c.logger.Error("unexpected Secret response for login path", "request_path", req.Path)
		return nil, nil, ErrInternalError
	}

	ns, err := namespace.FromContext(ctx)
	if err != nil {
		c.logger.Error("failed to get namespace from context", "error", err)
		retErr = multierror.Append(retErr, ErrInternalError)
		return
	}
	// If the response generated an authentication, then generate the token
	if resp != nil && resp.Auth != nil && req.Path != "sys/mfa/validate" {
		leaseGenerated := false

		// by placing this after the authorization check, we don't leak
		// information about locked namespaces to unauthenticated clients.
		if err := enterpriseBlockRequestIfError(c, ns.Path, req.Path); err != nil {
			retErr = multierror.Append(retErr, err)
			return
		}

		// The request successfully authenticated itself. Run the quota checks
		// before creating lease.
		quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, &quotas.Request{
			Path:          req.Path,
			MountPath:     strings.TrimPrefix(req.MountPoint, ns.Path),
			NamespacePath: ns.Path,
		})

		if quotaErr != nil {
			c.logger.Error("failed to apply quota", "path", req.Path, "error", quotaErr)
			retErr = multierror.Append(retErr, quotaErr)
			return
		}

		if !quotaResp.Allowed {
			if c.logger.IsTrace() {
				c.logger.Trace("request rejected due to lease count quota violation", "request_path", req.Path)
			}

			retErr = multierror.Append(retErr, fmt.Errorf("request path %q: %w", req.Path, quotas.ErrLeaseCountQuotaExceeded))
			return
		}

		defer func() {
			if quotaResp.Access != nil {
				quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
				if quotaAckErr != nil {
					retErr = multierror.Append(retErr, quotaAckErr)
				}
			}
		}()

		var entity *identity.Entity
		auth = resp.Auth

		mEntry := c.router.MatchingMountEntry(ctx, req.Path)

		if auth.Alias != nil &&
			mEntry != nil &&
			c.identityStore != nil {

			if mEntry.Local && os.Getenv(EnvVaultDisableLocalAuthMountEntities) != "" {
				goto CREATE_TOKEN
			}

			// Overwrite the mount type and mount path in the alias
			// information
			auth.Alias.MountType = req.MountType
			auth.Alias.MountAccessor = req.MountAccessor
			auth.Alias.Local = mEntry.Local

			if auth.Alias.Name == "" {
				return nil, nil, fmt.Errorf("missing name in alias")
			}

			var err error
			// Fetch the entity for the alias, or create an entity if one
			// doesn't exist.
			entity, entityCreated, err := c.identityStore.CreateOrFetchEntity(ctx, auth.Alias)
			if err != nil {
				switch auth.Alias.Local {
				case true:
					entity, err = possiblyForwardEntityCreation(ctx, c, err, auth, entity)
					if err != nil && strings.Contains(err.Error(), errCreateEntityUnimplemented) {
						resp.AddWarning("primary cluster doesn't yet issue entities for local auth mounts; falling back to not issuing entities for local auth mounts")
						goto CREATE_TOKEN
					}
					// If the entity creation via forwarding was successful, update the bool flag
					if entity != nil && err == nil {
						entityCreated = true
					}
				default:
					entity, entityCreated, err = possiblyForwardAliasCreation(ctx, c, err, auth, entity)
				}
			}
			if err != nil {
				return nil, nil, err
			}
			if entity == nil {
				return nil, nil, fmt.Errorf("failed to create an entity for the authenticated alias")
			}

			if entity.Disabled {
				return nil, nil, logical.ErrPermissionDenied
			}

			auth.EntityID = entity.ID
			auth.EntityCreated = entityCreated
			validAliases, err := c.identityStore.refreshExternalGroupMembershipsByEntityID(ctx, auth.EntityID, auth.GroupAliases, req.MountAccessor)
			if err != nil {
				return nil, nil, err
			}
			auth.GroupAliases = validAliases
		}

	CREATE_TOKEN:
		// Determine the source of the login
		source := c.router.MatchingMount(ctx, req.Path)

		// Login MFA
		entity, _, err := c.fetchEntityAndDerivedPolicies(ctx, ns, auth.EntityID, false)
		if err != nil {
			return nil, nil, ErrInternalError
		}
		// finding the MFAEnforcementConfig that matches the ns and either of
		// entityID, MountAccessor, GroupID, or Auth type.
		matchedMfaEnforcementList, err := c.buildMFAEnforcementConfigList(ctx, entity, req.Path)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to find MFAEnforcement configuration, error: %v", err)
		}

		// (for the context, a response warning above says: "primary cluster
		// doesn't yet issue entities for local auth mounts; falling back
		// to not issuing entities for local auth mounts")
		// based on the above, if the entity is nil, check if MFAEnforcementConfig
		// is configured or not. If not, continue as usual, but if there
		// is something, then report an error indicating that the user is not
		// allowed to login because there is no entity associated with it.
		// This is because an entity is needed to enforce MFA.
		if entity == nil && len(matchedMfaEnforcementList) > 0 {
			// this logic means that an MFAEnforcementConfig was configured with
			// only mount type or mount accessor
			return nil, nil, logical.ErrPermissionDenied
		}

		// The resp.Auth has been populated with the information that is required for MFA validation
		// This is why, the MFA check is placed at this point. The resp.Auth is going to be fully cached
		// in memory so that it would be used to return to the user upon MFA validation is completed.
		if entity != nil {
			if len(matchedMfaEnforcementList) == 0 && len(req.MFACreds) > 0 {
				resp.AddWarning("Found MFA header but failed to find MFA Enforcement Config")
			}

			// If X-Vault-MFA header is supplied to the login request,
			// run single-phase login MFA check, else run two-phase login MFA check
			if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) > 0 {
				for _, eConfig := range matchedMfaEnforcementList {
					err = c.validateLoginMFA(ctx, eConfig, entity, req.Connection.RemoteAddr, req.MFACreds)
					if err != nil {
						return nil, nil, logical.ErrPermissionDenied
					}
				}
			} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
				mfaRequestID, err := uuid.GenerateUUID()
				if err != nil {
					return nil, nil, err
				}
				// sending back the MFARequirement config
				mfaRequirement := &logical.MFARequirement{
					MFARequestID:   mfaRequestID,
					MFAConstraints: make(map[string]*logical.MFAConstraintAny),
				}
				for _, eConfig := range matchedMfaEnforcementList {
					mfaAny, err := c.buildMfaEnforcementResponse(eConfig)
					if err != nil {
						return nil, nil, err
					}
					mfaRequirement.MFAConstraints[eConfig.Name] = mfaAny
				}

				// for two phased MFA enforcement, we should not return the regular auth
				// response. This flag is indicate to store the auth response for later
				// and return MFARequirement only
				respAuth := &MFACachedAuthResponse{
					CachedAuth:            resp.Auth,
					RequestPath:           req.Path,
					RequestNSID:           ns.ID,
					RequestNSPath:         ns.Path,
					RequestConnRemoteAddr: req.Connection.RemoteAddr, // this is needed for the DUO method
					TimeOfStorage:         time.Now(),
					RequestID:             mfaRequestID,
				}
				err = possiblyForwardSaveCachedAuthResponse(ctx, c, respAuth)
				if err != nil {
					return nil, nil, err
				}
				auth = nil
				resp.Auth = &logical.Auth{
					MFARequirement: mfaRequirement,
				}
				resp.AddWarning("A login request was issued that is subject to MFA validation. Please make sure to validate the login by sending another request to mfa/validate endpoint.")
				// going to return early before generating the token
				// the user receives the mfaRequirement, and need to use the
				// login MFA validate endpoint to get the token
				return resp, auth, nil
			}
		}

		// Attach the display name, might be used by audit backends
		req.DisplayName = auth.DisplayName

		leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp)
		leaseGenerated = leaseGen
		if errCreateToken != nil {
			return respTokenCreate, nil, errCreateToken
		}
		resp = respTokenCreate
	}

	// if we were already going to return some error from this login, do that.
	// if not, we will then check if the API is locked for the requesting
	// namespace, to avoid leaking locked namespaces to unauthenticated clients.
	if resp != nil && resp.Data != nil {
		if _, ok := resp.Data["error"]; ok {
			return resp, auth, routeErr
		}
	}
	if routeErr != nil {
		return resp, auth, routeErr
	}

	// this check handles the bad login credential case
	if err := enterpriseBlockRequestIfError(c, ns.Path, req.Path); err != nil {
		return nil, nil, multierror.Append(retErr, err)
	}

	return resp, auth, routeErr
}

// LoginCreateToken creates a token as a result of a login request.
// If MFA is enforced, mfa/validate endpoint calls this functions
// after successful MFA validation to generate the token.
func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response) (bool, *logical.Response, error) {
	auth := resp.Auth

	source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
	source = strings.Replace(source, "/", "-", -1)

	// Prepend the source to the display name
	auth.DisplayName = strings.TrimSuffix(source+auth.DisplayName, "-")

	// Determine mount type
	mountEntry := c.router.MatchingMountEntry(ctx, reqPath)
	if mountEntry == nil {
		return false, nil, fmt.Errorf("failed to find a matching mount")
	}

	sysView := c.router.MatchingSystemView(ctx, reqPath)
	if sysView == nil {
		c.logger.Error("unable to look up sys view for login path", "request_path", reqPath)
		return false, nil, ErrInternalError
	}

	tokenTTL, warnings, err := framework.CalculateTTL(sysView, 0, auth.TTL, auth.Period, auth.MaxTTL, auth.ExplicitMaxTTL, time.Time{})
	if err != nil {
		return false, nil, err
	}
	for _, warning := range warnings {
		resp.AddWarning(warning)
	}

	_, identityPolicies, err := c.fetchEntityAndDerivedPolicies(ctx, ns, auth.EntityID, false)
	if err != nil {
		return false, nil, ErrInternalError
	}

	auth.TokenPolicies = policyutil.SanitizePolicies(auth.Policies, !auth.NoDefaultPolicy)
	allPolicies := policyutil.SanitizePolicies(append(auth.TokenPolicies, identityPolicies[ns.ID]...), policyutil.DoNotAddDefaultPolicy)

	// Prevent internal policies from being assigned to tokens. We check
	// this on auth.Policies including derived ones from Identity before
	// actually making the token.
	for _, policy := range allPolicies {
		if policy == "root" {
			return false, logical.ErrorResponse("auth methods cannot create root tokens"), logical.ErrInvalidRequest
		}
		if strutil.StrListContains(nonAssignablePolicies, policy) {
			return false, logical.ErrorResponse(fmt.Sprintf("cannot assign policy %q", policy)), logical.ErrInvalidRequest
		}
	}

	var registerFunc RegisterAuthFunc
	var funcGetErr error
	// Batch tokens should not be forwarded to perf standby
	if auth.TokenType == logical.TokenTypeBatch {
		registerFunc = c.RegisterAuth
	} else {
		registerFunc, funcGetErr = getAuthRegisterFunc(c)
	}
	if funcGetErr != nil {
		return false, nil, funcGetErr
	}

	leaseGenerated := false
	err = registerFunc(ctx, tokenTTL, reqPath, auth)
	switch {
	case err == nil:
		if auth.TokenType != logical.TokenTypeBatch {
			leaseGenerated = true
		}
	case err == ErrInternalError:
		return false, nil, err
	default:
		return false, logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
	}

	auth.IdentityPolicies = policyutil.SanitizePolicies(identityPolicies[ns.ID], policyutil.DoNotAddDefaultPolicy)
	delete(identityPolicies, ns.ID)
	auth.ExternalNamespacePolicies = identityPolicies
	auth.Policies = allPolicies

	// Count the successful token creation
	ttl_label := metricsutil.TTLBucket(tokenTTL)
	// Do not include namespace path in mount point; already present as separate label.
	mountPointWithoutNs := ns.TrimmedPath(mountPoint)
	c.metricSink.IncrCounterWithLabels(
		[]string{"token", "creation"},
		1,
		[]metrics.Label{
			metricsutil.NamespaceLabel(ns),
			{"auth_method", mountEntry.Type},
			{"mount_point", mountPointWithoutNs},
			{"creation_ttl", ttl_label},
			{"token_type", auth.TokenType.String()},
		},
	)

	return leaseGenerated, resp, nil
}

func (c *Core) buildMfaEnforcementResponse(eConfig *mfa.MFAEnforcementConfig) (*logical.MFAConstraintAny, error) {
	mfaAny := &logical.MFAConstraintAny{
		Any: []*logical.MFAMethodID{},
	}
	for _, methodID := range eConfig.MFAMethodIDs {
		mConfig, err := c.loginMFABackend.MemDBMFAConfigByID(methodID)
		if err != nil {
			return nil, fmt.Errorf("failed to get methodID %s from MFA config table, error: %v", methodID, err)
		}
		var duoUsePasscode bool
		if mConfig.Type == mfaMethodTypeDuo {
			duoConf, ok := mConfig.Config.(*mfa.Config_DuoConfig)
			if !ok {
				return nil, fmt.Errorf("invalid MFA configuration type")
			}
			duoUsePasscode = duoConf.DuoConfig.UsePasscode
		}
		mfaMethod := &logical.MFAMethodID{
			Type:         mConfig.Type,
			ID:           methodID,
			UsesPasscode: mConfig.Type == mfaMethodTypeTOTP || duoUsePasscode,
		}
		mfaAny.Any = append(mfaAny.Any, mfaMethod)
	}
	return mfaAny, nil
}

func blockRequestIfErrorImpl(_ *Core, _, _ string) error { return nil }

// RegisterAuth uses a logical.Auth object to create a token entry in the token
// store, and registers a corresponding token lease to the expiration manager.
func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path string, auth *logical.Auth) error {
	// We first assign token policies to what was returned from the backend
	// via auth.Policies. Then, we get the full set of policies into
	// auth.Policies from the backend + entity information -- this is not
	// stored in the token, but we perform sanity checks on it and return
	// that information to the user.

	// Generate a token
	ns, err := namespace.FromContext(ctx)
	if err != nil {
		return err
	}
	te := logical.TokenEntry{
		Path:           path,
		Meta:           auth.Metadata,
		DisplayName:    auth.DisplayName,
		CreationTime:   time.Now().Unix(),
		TTL:            tokenTTL,
		NumUses:        auth.NumUses,
		EntityID:       auth.EntityID,
		BoundCIDRs:     auth.BoundCIDRs,
		Policies:       auth.TokenPolicies,
		NamespaceID:    ns.ID,
		ExplicitMaxTTL: auth.ExplicitMaxTTL,
		Period:         auth.Period,
		Type:           auth.TokenType,
	}

	if te.TTL == 0 && (len(te.Policies) != 1 || te.Policies[0] != "root") {
		c.logger.Error("refusing to create a non-root zero TTL token")
		return ErrInternalError
	}

	if err := c.tokenStore.create(ctx, &te); err != nil {
		c.logger.Error("failed to create token", "error", err)
		return ErrInternalError
	}

	// Populate the client token, accessor, and TTL
	auth.ClientToken = te.ID
	auth.Accessor = te.Accessor
	auth.TTL = te.TTL
	auth.Orphan = te.Parent == ""

	switch auth.TokenType {
	case logical.TokenTypeBatch:
		// Ensure it's not marked renewable since it isn't
		auth.Renewable = false
	case logical.TokenTypeService:
		// Register with the expiration manager
		if err := c.expiration.RegisterAuth(ctx, &te, auth); err != nil {
			if err := c.tokenStore.revokeOrphan(ctx, te.ID); err != nil {
				c.logger.Warn("failed to clean up token lease during login request", "request_path", path, "error", err)
			}
			c.logger.Error("failed to register token lease during login request", "request_path", path, "error", err)
			return ErrInternalError
		}
		if te.ExternalID != "" {
			auth.ClientToken = te.ExternalID
		}
	}

	return nil
}

// PopulateTokenEntry looks up req.ClientToken in the token store and uses
// it to set other fields in req.  Does nothing if ClientToken is empty
// or a JWT token, or for service tokens that don't exist in the token store.
// Should be called with read stateLock held.
func (c *Core) PopulateTokenEntry(ctx context.Context, req *logical.Request) error {
	if req.ClientToken == "" {
		return nil
	}

	// Also attach the accessor if we have it. This doesn't fail if it
	// doesn't exist because the request may be to an unauthenticated
	// endpoint/login endpoint where a bad current token doesn't matter, or
	// a token from a Vault version pre-accessors. We ignore errors for
	// JWTs.
	token := req.ClientToken
	var err error
	req.InboundSSCToken = token
	if IsSSCToken(token) {
		token, err = c.CheckSSCToken(ctx, token, c.isLoginRequest(ctx, req), c.perfStandby)
		if err != nil {
			return err
		}
	}
	req.ClientToken = token
	te, err := c.LookupToken(ctx, token)
	if err != nil {
		// If we have two dots but the second char is a dot it's a vault
		// token of the form s.SOMETHING.nsid, not a JWT
		if !IsJWT(token) {
			return fmt.Errorf("error performing token check: %w", err)
		}
	}
	if err == nil && te != nil {
		req.ClientTokenAccessor = te.Accessor
		req.ClientTokenRemainingUses = te.NumUses
		req.SetTokenEntry(te)
	}
	return nil
}

func (c *Core) CheckSSCToken(ctx context.Context, token string, unauth bool, isPerfStandby bool) (string, error) {
	if unauth && token != "" {
		// This token shouldn't really be here, but alas it was sent along with the request
		// Since we're already knee deep in the token checking code pre-existing token checking
		// code, we have to deal with this token whether we like it or not. So, we'll just try
		// to get the inner token, and if that fails, return the token as-is. We intentionally
		// will skip any token checks, because this is an unauthenticated paths and the token
		// is just a nuisance rather than a means of auth.

		// We cannot return whatever we like here, because if we do then CheckToken, which looks up
		// the corresponding lease, will not find the token entry and lease. There are unauth'ed
		// endpoints that use the token entry (such as sys/ui/mounts/internal) to do custom token
		// checks, which would then fail. Therefore, we must try to get whatever thing is tied to
		// token entries, but we must explicitly not do any SSC Token checks.
		tok, err := c.DecodeSSCToken(token)
		if err != nil || tok == "" {
			return token, nil
		}
		return tok, nil
	}
	return c.checkSSCTokenInternal(ctx, token, isPerfStandby)
}

// DecodeSSCToken returns the random part of an SSCToken without
// performing any signature or WAL checks.
func (c *Core) DecodeSSCToken(token string) (string, error) {
	// Skip batch and old style service tokens. These can have the prefix "b.",
	// "s." (for old tokens) or "hvb."
	if !IsSSCToken(token) {
		return token, nil
	}
	tok, err := c.DecodeSSCTokenInternal(token)
	if err != nil {
		return "", err
	}
	return tok.Random, nil
}

// DecodeSSCTokenInternal is a helper used to get the inner part of a SSC token without
// checking the token signature or the WAL index.
func (c *Core) DecodeSSCTokenInternal(token string) (*tokens.Token, error) {
	signedToken := &tokens.SignedToken{}

	// Skip batch and old style service tokens. These can have the prefix "b.",
	// "s." (for old tokens) or "hvb."
	if !strings.HasPrefix(token, consts.ServiceTokenPrefix) {
		return nil, fmt.Errorf("not service token")
	}

	// Consider the suffix of the token only when unmarshalling
	suffixToken := token[4:]

	tokenBytes, err := base64.RawURLEncoding.DecodeString(suffixToken)
	if err != nil {
		return nil, fmt.Errorf("can't decode token")
	}

	err = proto.Unmarshal(tokenBytes, signedToken)
	if err != nil {
		return nil, err
	}
	plainToken := &tokens.Token{}
	err2 := proto.Unmarshal([]byte(signedToken.Token), plainToken)
	if err2 != nil {
		return nil, err2
	}
	return plainToken, nil
}

func (c *Core) checkSSCTokenInternal(ctx context.Context, token string, isPerfStandby bool) (string, error) {
	signedToken := &tokens.SignedToken{}

	// Skip batch and old style service tokens. These can have the prefix "b.",
	// "s." (for old tokens) or "hvb."
	if !strings.HasPrefix(token, consts.ServiceTokenPrefix) {
		return token, nil
	}

	// Check token length to guess if this is an server side consistent token or not.
	// Note that even when the DisableSSCTokens flag is set, index
	// bearing tokens that have already been given out may still be used.
	if !IsSSCToken(token) {
		return token, nil
	}

	// Consider the suffix of the token only when unmarshalling
	suffixToken := token[4:]

	tokenBytes, err := base64.RawURLEncoding.DecodeString(suffixToken)
	if err != nil {
		c.logger.Warn("cannot decode token", "error", err)
		return token, nil
	}

	err = proto.Unmarshal(tokenBytes, signedToken)
	if err != nil {
		return "", fmt.Errorf("error occurred when unmarshalling ssc token: %w", err)
	}
	hm, err := c.tokenStore.CalculateSignedTokenHMAC(signedToken.Token)
	if !hmac.Equal(hm, signedToken.Hmac) {
		return "", fmt.Errorf("token mac for %+v is incorrect: err %w", signedToken, err)
	}
	plainToken := &tokens.Token{}
	err = proto.Unmarshal([]byte(signedToken.Token), plainToken)
	if err != nil {
		return "", err
	}

	// Disregard SSCT on perf-standbys for non-raft storage
	if c.perfStandby && c.getRaftBackend() == nil {
		return plainToken.Random, nil
	}

	ep := int(plainToken.IndexEpoch)
	if ep < c.tokenStore.GetSSCTokensGenerationCounter() {
		return plainToken.Random, nil
	}

	requiredWalState := &logical.WALState{ClusterID: c.clusterID.Load(), LocalIndex: plainToken.LocalIndex, ReplicatedIndex: 0}
	if c.HasWALState(requiredWalState, isPerfStandby) {
		return plainToken.Random, nil
	}
	// Make sure to forward the request instead of checking the token if the flag
	// is set and we're on a perf standby
	if c.ForwardToActive() == ForwardSSCTokenToActive && isPerfStandby {
		return "", logical.ErrPerfStandbyPleaseForward
	}
	// In this case, the server side consistent token cannot be used on this node. We return the appropriate
	// status code.
	return "", logical.ErrMissingRequiredState
}