From 0ada870a526ae00812e7d13a46c126e4e5a373eb Mon Sep 17 00:00:00 2001
From: Hridoy Roy
Date: Fri, 4 Dec 2020 09:44:04 -0800
Subject: [PATCH] Only use entropy augmentation for root token creation [VAULT-670] (#10487)

* Only use entropy augmentation for root token creation

* changelog

* change wording of changelog entry
---
 changelog/10487.txt | 3 +++
 go.mod | 2 +-
 vault/token_store.go | 8 +++++++-
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 changelog/10487.txt

diff --git a/changelog/10487.txt b/changelog/10487.txt
new file mode 100644
index 000000000..266b2f753
--- /dev/null
+++ b/changelog/10487.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Limit entropy augmentation during token generation to root tokens.
+```
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 55188cafb..3466efe05 100644
--- a/go.mod
+++ b/go.mod
@@ -149,7 +149,7 @@ require (
 	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
 	golang.org/x/net v0.0.0-20200625001655-4c5254603344
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sys v0.0.0-20200828194041-157a740278f4
+	golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a
 	golang.org/x/tools v0.0.0-20200521155704-91d71f6c2f04
 	google.golang.org/api v0.29.0
 	google.golang.org/grpc v1.29.1
diff --git a/vault/token_store.go b/vault/token_store.go
index 38964c7c1..6a65862ca 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -806,7 +806,9 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 	}
 	entry.Policies = policyutil.SanitizePolicies(entry.Policies, policyutil.DoNotAddDefaultPolicy)
+	var createRootTokenFlag bool
 	if len(entry.Policies) == 1 && entry.Policies[0] == "root" {
+		createRootTokenFlag = true
 		metrics.IncrCounter([]string{"token", "create_root"}, 1)
 	}
@@ -820,7 +822,11 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 	if entry.ID == "" {
 		userSelectedID = false
 		var err error
-		entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+		if createRootTokenFlag {
+			entry.ID, err = base62.RandomWithReader(TokenLength, ts.core.secureRandomReader)
+		} else {
+			entry.ID, err = base62.Random(TokenLength)
+		}
 		if err != nil {
 			return err
 		}
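Review bot: The new else branch switches every non-root token ID from `ts.core.secureRandomReader` to `base62.Random(TokenLength)` with no comment saying which randomness source that falls back to, so a later reader will reasonably wonder whether non-root token IDs are now generated from a weaker source; the intent is presumably that base62's default reader is crypto/rand and that secureRandomReader is only different when entropy augmentation is enabled, but neither fact is visible here and both should be confirmed against the base62 package and core setup. Add a why-comment above the branch, e.g. `// Entropy augmentation (secureRandomReader) is reserved for root tokens; all other tokens use base62's default crypto/rand-backed reader.` The branch also keys off `createRootTokenFlag`, which the earlier hunk derives from `entry.Policies` after `policyutil.SanitizePolicies`; that is only sound if SanitizePolicies collapses any list containing "root" to just `["root"]` (verify), otherwise a token created with "root" plus other policies would be routed to the non-augmented path, so state that assumption next to the flag. As a style point, `isRootToken := len(entry.Policies) == 1 && entry.Policies[0] == "root"` would read better than a `var ... Flag` set inside the `if`. `create` begins and ends outside this hunk.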