From eec3f9afb2e5d1f7424b81db072867945752e609 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Thu, 4 Apr 2019 17:13:09 -0400
Subject: [PATCH] Handle JWT checks with namespaced service tokens (#6536)

Some checks would fail because we considered a token with two dots a JWT, but service tokens in namespaces also fit this bill.
---
 http/handler.go | 13 ++++++++++---
 vault/wrapping.go | 8 ++++++--
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/http/handler.go b/http/handler.go
index 3949ff9a7..abd2ca303 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -696,10 +696,17 @@ func requestAuth(core *vault.Core, r *http.Request, req *logical.Request) (*logi
 	// Also attach the accessor if we have it. This doesn't fail if it
 	// doesn't exist because the request may be to an unauthenticated
 	// endpoint/login endpoint where a bad current token doesn't matter, or
-	// a token from a Vault version pre-accessors.
+	// a token from a Vault version pre-accessors. We ignore errors for
+	// JWTs.
 	te, err := core.LookupToken(r.Context(), token)
-	if err != nil && strings.Count(token, ".") != 2 {
-		return req, err
+	if err != nil {
+		dotCount := strings.Count(token, ".")
+		// If we have two dots but the second char is a dot it's a vault
+		// token of the form s.SOMETHING.nsid, not a JWT
+		if dotCount != 2 ||
+			dotCount == 2 && token[1] == '.' {
+			return req, err
+		}
 	}
 	if err == nil && te != nil {
 		req.ClientTokenAccessor = te.Accessor
diff --git a/vault/wrapping.go b/vault/wrapping.go
index 776af2941..e3e59c68d 100644
--- a/vault/wrapping.go
+++ b/vault/wrapping.go
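Review bot: The inner condition in the added block, `if dotCount != 2 || dotCount == 2 && token[1] == '.'`, carries a redundant clause: once `dotCount != 2` is false, `dotCount == 2` is necessarily true, so `if dotCount != 2 || token[1] == '.' {` expresses the same test on one line and avoids mixing `||` and `&&` without parentheses. The "two dots and the second byte is not a dot" heuristic is introduced independently in the vault/wrapping.go hunk of this same commit; putting it in one helper in the vault package (a name such as `isJWTShaped` is only a suggestion) would keep the two sites from drifting when token formats change, which the wrapping.go comment already anticipates. The index `token[1]` is in range only because two dots imply `len(token) >= 2`; that implicit guard is worth one comment, e.g. `// token[1] is safe: two dots mean len(token) >= 2`. requestAuth continues outside the hunk on both sides.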
@@ -333,8 +333,12 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 	}
 
 	// Check for it being a JWT. If it is, and it is valid, we extract the
-	// internal client token from it and use that during lookup.
-	if strings.Count(token, ".") == 2 {
+	// internal client token from it and use that during lookup. The second
+	// check is a quick check to verify that we don't consider a namespaced
+	// token to be a JWT -- namespaced tokens have two dots too, but Vault
+	// token types (for now at least) begin with a letter representing a type
+	// and then a dot.
+	if strings.Count(token, ".") == 2 && token[1] != '.' {
 		// Implement the jose library way
 		parsedJWT, err := squarejwt.ParseSigned(token)
 		if err != nil {
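Review bot: The added `token[1] != '.'` depends on `strings.Count(token, ".") == 2` guaranteeing `len(token) >= 2`, and nothing near the `if` says so; a one-line comment, `// token[1] is in range: two dots imply len(token) >= 2`, would spare the next reader the panic check. The new comment explains the prefix convention well but is long for an inline condition; the sentence about "for now at least" would read better as a short pointer to wherever the `<letter>.` token-prefix convention is defined, since that is the assumption a format change would break. ValidateWrappingToken continues outside the hunk on both sides.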