From bb6753ddf9bb73db840606b2d628ca52681aaa9b Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 23 Jun 2017 20:52:02 -0400
Subject: [PATCH] Don't allow overriding token ID with the same token ID

Fixes #2916
---
 vault/token_store.go | 6 ++++++
 vault/token_store_test.go | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/vault/token_store.go b/vault/token_store.go
index 34d2b692ab7a..a87414430399 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -682,6 +682,12 @@ func (ts *TokenStore) create(entry *TokenEntry) error {
 entry.ID = entryUUID
 }
+ saltedId := ts.SaltID(entry.ID)
+ exist, _ := ts.lookupSalted(saltedId, true)
+ if exist != nil {
+ return fmt.Errorf("cannot create a token with a duplicate ID")
+ }
+
 entry.Policies = policyutil.SanitizePolicies(entry.Policies, policyutil.DoNotAddDefaultPolicy)
 err := ts.createAccessor(entry)
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 765487eb40f6..883f7cecf359 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@@ -465,6 +465,9 @@ func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) {
 if ent.ID != "foobarbaz" {
 t.Fatalf("bad: ent.ID: expected:\"foobarbaz\"\n actual:%s", ent.ID)
 }
+ if err := ts.create(ent); err == nil {
+ t.Fatal("expected error creating token with the same ID")
+ }
 out, err := ts.Lookup(ent.ID)
 if err != nil {
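Review bot: The error from `ts.lookupSalted(saltedId, true)` is discarded, so a storage failure during the lookup leaves `exist` nil and the duplicate check fails open: the create continues and can still overwrite an existing entry with the same ID, which is the case this patch is meant to close. Fail closed instead: `exist, err := ts.lookupSalted(saltedId, true)` / `if err != nil { return fmt.Errorf("failed to check for existing token ID: %v", err) }`. The guard is a read followed by a separate write, so two concurrent create calls with the same caller-supplied ID can presumably both pass it; a comment stating which lock (if any) callers hold, or a check at write time, would make that explicit. Minor: `fmt.Errorf` with no format verbs can be a plain `errors.New` if that package is in scope, and Go naming would be `saltedID`. create's body continues outside the hunk.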
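Review bot: The new assertion calls `ts.create(ent)` with the very same entry that was just stored, so it proves the ID collision is rejected but not that a rejected create leaves the stored entry untouched, which is the overwrite this commit guards against. A stronger check builds a second `*TokenEntry` with `ID: "foobarbaz"` and a different `Policies` value, expects the error, and then asserts the `Lookup` that follows returns the original policies rather than the new ones; the existing `out, err := ts.Lookup(ent.ID)` lines are already in place for that. The test function continues outside the hunk.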