From 021392150cda7f581be507e4466294fe4e40cf07 Mon Sep 17 00:00:00 2001
From: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
Date: Thu, 26 May 2022 15:17:29 -0400
Subject: [PATCH] use provided namespace for wrapping lookup cubbyhole request (#15583)

* use provided namespace for wrapping lookup cubbyhole request
* add changelog entry
---
 changelog/15583.txt | 3 +++
 vault/logical_system.go | 12 +++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 changelog/15583.txt

diff --git a/changelog/15583.txt b/changelog/15583.txt
new file mode 100644
index 0000000000..b6cda31682
--- /dev/null
+++ b/changelog/15583.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Fix bug where wrapping token lookup does not work within namespaces.
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 4641a42277..63febcd89d 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -3404,13 +3404,23 @@ func (b *SystemBackend) handleWrappingLookup(ctx context.Context, req *logical.R
 return nil, errors.New("token is not a valid unwrap token")
 }
 
+ lookupNS, err := NamespaceByID(ctx, te.NamespaceID, b.Core)
+ if err != nil {
+ return nil, err
+ }
+ if lookupNS == nil {
+ return nil, errors.New("token is not from a valid namespace")
+ }
+
+ lookupCtx := namespace.ContextWithNamespace(ctx, lookupNS)
+
 cubbyReq := &logical.Request{
 Operation: logical.ReadOperation,
 Path: "cubbyhole/wrapinfo",
 ClientToken: token,
 }
 cubbyReq.SetTokenEntry(te)
- cubbyResp, err := b.Core.router.Route(ctx, cubbyReq)
+ cubbyResp, err := b.Core.router.Route(lookupCtx, cubbyReq)
 if err != nil {
 return nil, fmt.Errorf("error looking up wrapping information: %w", err)
 }
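Review bot: The namespace for the cubbyhole read in handleWrappingLookup is taken from the token entry (`te.NamespaceID`), not from the namespace the request arrived in, and nothing visible in this hunk relates the two. If resolving a wrapping token that belongs to a different namespace than the caller's is intended, record that above the `NamespaceByID` call, e.g. `// Route in the token's own namespace; the request's namespace is deliberately not consulted.`; if it is not intended, a comparison is needed before `lookupCtx` is built, though one may already exist outside the hunk. The new `return nil, err` also drops the context that the Route failure below keeps, so `return nil, fmt.Errorf("error resolving wrapping token namespace: %w", err)` would be consistent with it. The function starts and ends outside the hunk, and the diffstat lists no test file, so a regression test for lookup inside a non-root namespace would be worth adding if one is not kept elsewhere.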