v1.14.6/api/logical.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package api

 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"

 	"github.com/hashicorp/errwrap"
 )

 const (
 	wrappedResponseLocation = "cubbyhole/response"
 )

 var (
 	// The default TTL that will be used with `sys/wrapping/wrap`, can be
 	// changed
 	DefaultWrappingTTL = "5m"

 	// The default function used if no other function is set. It honors the env
 	// var to set the wrap TTL. The default wrap TTL will apply when when writing
 	// to `sys/wrapping/wrap` when the env var is not set.
 	DefaultWrappingLookupFunc = func(operation, path string) string {
 		if os.Getenv(EnvVaultWrapTTL) != "" {
 			return os.Getenv(EnvVaultWrapTTL)
 		}

 		if (operation == http.MethodPut || operation == http.MethodPost) && path == "sys/wrapping/wrap" {
 			return DefaultWrappingTTL
 		}

 		return ""
 	}
 )

 // Logical is used to perform logical backend operations on Vault.
 type Logical struct {
 	c *Client
 }

 // Logical is used to return the client for logical-backend API calls.
 func (c *Client) Logical() *Logical {
 	return &Logical{c: c}
 }

 func (c *Logical) Read(path string) (*Secret, error) {
 	return c.ReadWithDataWithContext(context.Background(), path, nil)
 }

 func (c *Logical) ReadWithContext(ctx context.Context, path string) (*Secret, error) {
 	return c.ReadWithDataWithContext(ctx, path, nil)
 }

 func (c *Logical) ReadWithData(path string, data map[string][]string) (*Secret, error) {
 	return c.ReadWithDataWithContext(context.Background(), path, data)
 }

 func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()

 	resp, err := c.readRawWithDataWithContext(ctx, path, data)
 	return c.ParseRawResponseAndCloseBody(resp, err)
 }

 // ReadRaw attempts to read the value stored at the given Vault path
 // (without '/v1/' prefix) and returns a raw *http.Response.
 //
 // Note: the raw-response functions do not respect the client-configured
 // request timeout; if a timeout is desired, please use ReadRawWithContext
 // instead and set the timeout through context.WithTimeout or context.WithDeadline.
 func (c *Logical) ReadRaw(path string) (*Response, error) {
 	return c.ReadRawWithDataWithContext(context.Background(), path, nil)
 }

 // ReadRawWithContext attempts to read the value stored at the give Vault path
 // (without '/v1/' prefix) and returns a raw *http.Response.
 //
 // Note: the raw-response functions do not respect the client-configured
 // request timeout; if a timeout is desired, please set it through
 // context.WithTimeout or context.WithDeadline.
 func (c *Logical) ReadRawWithContext(ctx context.Context, path string) (*Response, error) {
 	return c.ReadRawWithDataWithContext(ctx, path, nil)
 }

 // ReadRawWithData attempts to read the value stored at the given Vault
 // path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map
 // is added as query parameters to the request.
 //
 // Note: the raw-response functions do not respect the client-configured
 // request timeout; if a timeout is desired, please use
 // ReadRawWithDataWithContext instead and set the timeout through
 // context.WithTimeout or context.WithDeadline.
 func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error) {
 	return c.ReadRawWithDataWithContext(context.Background(), path, data)
 }

 // ReadRawWithDataWithContext attempts to read the value stored at the given
 // Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data'
 // map is added as query parameters to the request.
 //
 // Note: the raw-response functions do not respect the client-configured
 // request timeout; if a timeout is desired, please set it through
 // context.WithTimeout or context.WithDeadline.
 func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {
 	return c.readRawWithDataWithContext(ctx, path, data)
 }

 func (c *Logical) ParseRawResponseAndCloseBody(resp *Response, err error) (*Secret, error) {
 	if resp != nil {
 		defer resp.Body.Close()
 	}
 	if resp != nil && resp.StatusCode == 404 {
 		secret, parseErr := ParseSecret(resp.Body)
 		switch parseErr {
 		case nil:
 		case io.EOF:
 			return nil, nil
 		default:
 			return nil, parseErr
 		}
 		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
 			return secret, nil
 		}
 		return nil, nil
 	}
 	if err != nil {
 		return nil, err
 	}

 	return ParseSecret(resp.Body)
 }

 func (c *Logical) readRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {
 	r := c.c.NewRequest(http.MethodGet, "/v1/"+path)

 	var values url.Values
 	for k, v := range data {
 		if values == nil {
 			values = make(url.Values)
 		}
 		for _, val := range v {
 			values.Add(k, val)
 		}
 	}

 	if values != nil {
 		r.Params = values
 	}

 	return c.c.RawRequestWithContext(ctx, r)
 }

 func (c *Logical) List(path string) (*Secret, error) {
 	return c.ListWithContext(context.Background(), path)
 }

 func (c *Logical) ListWithContext(ctx context.Context, path string) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()

 	r := c.c.NewRequest("LIST", "/v1/"+path)
 	// Set this for broader compatibility, but we use LIST above to be able to
 	// handle the wrapping lookup function
 	r.Method = http.MethodGet
 	r.Params.Set("list", "true")

 	resp, err := c.c.rawRequestWithContext(ctx, r)
 	if resp != nil {
 		defer resp.Body.Close()
 	}
 	if resp != nil && resp.StatusCode == 404 {
 		secret, parseErr := ParseSecret(resp.Body)
 		switch parseErr {
 		case nil:
 		case io.EOF:
 			return nil, nil
 		default:
 			return nil, parseErr
 		}
 		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
 			return secret, nil
 		}
 		return nil, nil
 	}
 	if err != nil {
 		return nil, err
 	}

 	return ParseSecret(resp.Body)
 }

 func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, error) {
 	return c.WriteWithContext(context.Background(), path, data)
 }

 func (c *Logical) WriteWithContext(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {
 	r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
 	if err := r.SetJSONBody(data); err != nil {
 		return nil, err
 	}

 	return c.write(ctx, path, r)
 }

 func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {
 	r := c.c.NewRequest(http.MethodPatch, "/v1/"+path)
 	r.Headers.Set("Content-Type", "application/merge-patch+json")
 	if err := r.SetJSONBody(data); err != nil {
 		return nil, err
 	}

 	return c.write(ctx, path, r)
 }

 func (c *Logical) WriteBytes(path string, data []byte) (*Secret, error) {
 	return c.WriteBytesWithContext(context.Background(), path, data)
 }

 func (c *Logical) WriteBytesWithContext(ctx context.Context, path string, data []byte) (*Secret, error) {
 	r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
 	r.BodyBytes = data

 	return c.write(ctx, path, r)
 }

 func (c *Logical) write(ctx context.Context, path string, request *Request) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()

 	resp, err := c.c.rawRequestWithContext(ctx, request)
 	if resp != nil {
 		defer resp.Body.Close()
 	}
 	if resp != nil && resp.StatusCode == 404 {
 		secret, parseErr := ParseSecret(resp.Body)
 		switch parseErr {
 		case nil:
 		case io.EOF:
 			return nil, nil
 		default:
 			return nil, parseErr
 		}
 		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
 			return secret, err
 		}
 	}
 	if err != nil {
 		return nil, err
 	}

 	return ParseSecret(resp.Body)
 }

 func (c *Logical) Delete(path string) (*Secret, error) {
 	return c.DeleteWithContext(context.Background(), path)
 }

 func (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret, error) {
 	return c.DeleteWithDataWithContext(ctx, path, nil)
 }

 func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error) {
 	return c.DeleteWithDataWithContext(context.Background(), path, data)
 }

 func (c *Logical) DeleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()

 	r := c.c.NewRequest(http.MethodDelete, "/v1/"+path)

 	var values url.Values
 	for k, v := range data {
 		if values == nil {
 			values = make(url.Values)
 		}
 		for _, val := range v {
 			values.Add(k, val)
 		}
 	}

 	if values != nil {
 		r.Params = values
 	}

 	resp, err := c.c.rawRequestWithContext(ctx, r)
 	if resp != nil {
 		defer resp.Body.Close()
 	}
 	if resp != nil && resp.StatusCode == 404 {
 		secret, parseErr := ParseSecret(resp.Body)
 		switch parseErr {
 		case nil:
 		case io.EOF:
 			return nil, nil
 		default:
 			return nil, parseErr
 		}
 		if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
 			return secret, err
 		}
 	}
 	if err != nil {
 		return nil, err
 	}

 	return ParseSecret(resp.Body)
 }

 func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
 	return c.UnwrapWithContext(context.Background(), wrappingToken)
 }

 func (c *Logical) UnwrapWithContext(ctx context.Context, wrappingToken string) (*Secret, error) {
 	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
 	defer cancelFunc()

 	var data map[string]interface{}
 	wt := strings.TrimSpace(wrappingToken)
 	if wrappingToken != "" {
 		if c.c.Token() == "" {
 			c.c.SetToken(wt)
 		} else if wrappingToken != c.c.Token() {
 			data = map[string]interface{}{
 				"token": wt,
 			}
 		}
 	}

 	r := c.c.NewRequest(http.MethodPut, "/v1/sys/wrapping/unwrap")
 	if err := r.SetJSONBody(data); err != nil {
 		return nil, err
 	}

 	resp, err := c.c.rawRequestWithContext(ctx, r)
 	if resp != nil {
 		defer resp.Body.Close()
 	}
 	if resp == nil || resp.StatusCode != 404 {
 		if err != nil {
 			return nil, err
 		}
 		if resp == nil {
 			return nil, nil
 		}
 		return ParseSecret(resp.Body)
 	}

 	// In the 404 case this may actually be a wrapped 404 error
 	secret, parseErr := ParseSecret(resp.Body)
 	switch parseErr {
 	case nil:
 	case io.EOF:
 		return nil, nil
 	default:
 		return nil, parseErr
 	}
 	if secret != nil && (len(secret.Warnings) > 0 || len(secret.Data) > 0) {
 		return secret, nil
 	}

 	// Otherwise this might be an old-style wrapping token so attempt the old
 	// method
 	if wrappingToken != "" {
 		origToken := c.c.Token()
 		defer c.c.SetToken(origToken)
 		c.c.SetToken(wrappingToken)
 	}

 	secret, err = c.ReadWithContext(ctx, wrappedResponseLocation)
 	if err != nil {
 		return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
 	}
 	if secret == nil {
 		return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
 	}
 	if secret.Data == nil {
 		return nil, fmt.Errorf("\"data\" not found in wrapping response")
 	}
 	if _, ok := secret.Data["response"]; !ok {
 		return nil, fmt.Errorf("\"response\" not found in wrapping response \"data\" map")
 	}

 	wrappedSecret := new(Secret)
 	buf := bytes.NewBufferString(secret.Data["response"].(string))
 	dec := json.NewDecoder(buf)
 	dec.UseNumber()
 	if err := dec.Decode(wrappedSecret); err != nil {
 		return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
 	}

 	return wrappedSecret, nil
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package api

	import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"

	"github.com/hashicorp/errwrap"
	)

	const (
	wrappedResponseLocation = "cubbyhole/response"
	)

	var (
	// The default TTL that will be used with `sys/wrapping/wrap`, can be
	// changed
	DefaultWrappingTTL = "5m"

	// The default function used if no other function is set. It honors the env
	// var to set the wrap TTL. The default wrap TTL will apply when when writing
	// to `sys/wrapping/wrap` when the env var is not set.
	DefaultWrappingLookupFunc = func(operation, path string) string {
	if os.Getenv(EnvVaultWrapTTL) != "" {
	return os.Getenv(EnvVaultWrapTTL)
	}

	if (operation == http.MethodPut \|\| operation == http.MethodPost) && path == "sys/wrapping/wrap" {
	return DefaultWrappingTTL
	}

	return ""
	}
	)

	// Logical is used to perform logical backend operations on Vault.
	type Logical struct {
	c *Client
	}

	// Logical is used to return the client for logical-backend API calls.
	func (c Client) Logical() Logical {
	return &Logical{c: c}
	}

	func (c Logical) Read(path string) (Secret, error) {
	return c.ReadWithDataWithContext(context.Background(), path, nil)
	}

	func (c Logical) ReadWithContext(ctx context.Context, path string) (Secret, error) {
	return c.ReadWithDataWithContext(ctx, path, nil)
	}

	func (c Logical) ReadWithData(path string, data map[string][]string) (Secret, error) {
	return c.ReadWithDataWithContext(context.Background(), path, data)
	}

	func (c Logical) ReadWithDataWithContext(ctx context.Context, path string, data map[string][]string) (Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	resp, err := c.readRawWithDataWithContext(ctx, path, data)
	return c.ParseRawResponseAndCloseBody(resp, err)
	}

	// ReadRaw attempts to read the value stored at the given Vault path
	// (without '/v1/' prefix) and returns a raw *http.Response.
	//
	// Note: the raw-response functions do not respect the client-configured
	// request timeout; if a timeout is desired, please use ReadRawWithContext
	// instead and set the timeout through context.WithTimeout or context.WithDeadline.
	func (c Logical) ReadRaw(path string) (Response, error) {
	return c.ReadRawWithDataWithContext(context.Background(), path, nil)
	}

	// ReadRawWithContext attempts to read the value stored at the give Vault path
	// (without '/v1/' prefix) and returns a raw *http.Response.
	//
	// Note: the raw-response functions do not respect the client-configured
	// request timeout; if a timeout is desired, please set it through
	// context.WithTimeout or context.WithDeadline.
	func (c Logical) ReadRawWithContext(ctx context.Context, path string) (Response, error) {
	return c.ReadRawWithDataWithContext(ctx, path, nil)
	}

	// ReadRawWithData attempts to read the value stored at the given Vault
	// path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map
	// is added as query parameters to the request.
	//
	// Note: the raw-response functions do not respect the client-configured
	// request timeout; if a timeout is desired, please use
	// ReadRawWithDataWithContext instead and set the timeout through
	// context.WithTimeout or context.WithDeadline.
	func (c Logical) ReadRawWithData(path string, data map[string][]string) (Response, error) {
	return c.ReadRawWithDataWithContext(context.Background(), path, data)
	}

	// ReadRawWithDataWithContext attempts to read the value stored at the given
	// Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data'
	// map is added as query parameters to the request.
	//
	// Note: the raw-response functions do not respect the client-configured
	// request timeout; if a timeout is desired, please set it through
	// context.WithTimeout or context.WithDeadline.
	func (c Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (Response, error) {
	return c.readRawWithDataWithContext(ctx, path, data)
	}

	func (c Logical) ParseRawResponseAndCloseBody(resp Response, err error) (*Secret, error) {
	if resp != nil {
	defer resp.Body.Close()
	}
	if resp != nil && resp.StatusCode == 404 {
	secret, parseErr := ParseSecret(resp.Body)
	switch parseErr {
	case nil:
	case io.EOF:
	return nil, nil
	default:
	return nil, parseErr
	}
	if secret != nil && (len(secret.Warnings) > 0 \|\| len(secret.Data) > 0) {
	return secret, nil
	}
	return nil, nil
	}
	if err != nil {
	return nil, err
	}

	return ParseSecret(resp.Body)
	}

	func (c Logical) readRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (Response, error) {
	r := c.c.NewRequest(http.MethodGet, "/v1/"+path)

	var values url.Values
	for k, v := range data {
	if values == nil {
	values = make(url.Values)
	}
	for _, val := range v {
	values.Add(k, val)
	}
	}

	if values != nil {
	r.Params = values
	}

	return c.c.RawRequestWithContext(ctx, r)
	}

	func (c Logical) List(path string) (Secret, error) {
	return c.ListWithContext(context.Background(), path)
	}

	func (c Logical) ListWithContext(ctx context.Context, path string) (Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest("LIST", "/v1/"+path)
	// Set this for broader compatibility, but we use LIST above to be able to
	// handle the wrapping lookup function
	r.Method = http.MethodGet
	r.Params.Set("list", "true")

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if resp != nil {
	defer resp.Body.Close()
	}
	if resp != nil && resp.StatusCode == 404 {
	secret, parseErr := ParseSecret(resp.Body)
	switch parseErr {
	case nil:
	case io.EOF:
	return nil, nil
	default:
	return nil, parseErr
	}
	if secret != nil && (len(secret.Warnings) > 0 \|\| len(secret.Data) > 0) {
	return secret, nil
	}
	return nil, nil
	}
	if err != nil {
	return nil, err
	}

	return ParseSecret(resp.Body)
	}

	func (c Logical) Write(path string, data map[string]interface{}) (Secret, error) {
	return c.WriteWithContext(context.Background(), path, data)
	}

	func (c Logical) WriteWithContext(ctx context.Context, path string, data map[string]interface{}) (Secret, error) {
	r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
	if err := r.SetJSONBody(data); err != nil {
	return nil, err
	}

	return c.write(ctx, path, r)
	}

	func (c Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (Secret, error) {
	r := c.c.NewRequest(http.MethodPatch, "/v1/"+path)
	r.Headers.Set("Content-Type", "application/merge-patch+json")
	if err := r.SetJSONBody(data); err != nil {
	return nil, err
	}

	return c.write(ctx, path, r)
	}

	func (c Logical) WriteBytes(path string, data []byte) (Secret, error) {
	return c.WriteBytesWithContext(context.Background(), path, data)
	}

	func (c Logical) WriteBytesWithContext(ctx context.Context, path string, data []byte) (Secret, error) {
	r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
	r.BodyBytes = data

	return c.write(ctx, path, r)
	}

	func (c Logical) write(ctx context.Context, path string, request Request) (*Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	resp, err := c.c.rawRequestWithContext(ctx, request)
	if resp != nil {
	defer resp.Body.Close()
	}
	if resp != nil && resp.StatusCode == 404 {
	secret, parseErr := ParseSecret(resp.Body)
	switch parseErr {
	case nil:
	case io.EOF:
	return nil, nil
	default:
	return nil, parseErr
	}
	if secret != nil && (len(secret.Warnings) > 0 \|\| len(secret.Data) > 0) {
	return secret, err
	}
	}
	if err != nil {
	return nil, err
	}

	return ParseSecret(resp.Body)
	}

	func (c Logical) Delete(path string) (Secret, error) {
	return c.DeleteWithContext(context.Background(), path)
	}

	func (c Logical) DeleteWithContext(ctx context.Context, path string) (Secret, error) {
	return c.DeleteWithDataWithContext(ctx, path, nil)
	}

	func (c Logical) DeleteWithData(path string, data map[string][]string) (Secret, error) {
	return c.DeleteWithDataWithContext(context.Background(), path, data)
	}

	func (c Logical) DeleteWithDataWithContext(ctx context.Context, path string, data map[string][]string) (Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	r := c.c.NewRequest(http.MethodDelete, "/v1/"+path)

	var values url.Values
	for k, v := range data {
	if values == nil {
	values = make(url.Values)
	}
	for _, val := range v {
	values.Add(k, val)
	}
	}

	if values != nil {
	r.Params = values
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if resp != nil {
	defer resp.Body.Close()
	}
	if resp != nil && resp.StatusCode == 404 {
	secret, parseErr := ParseSecret(resp.Body)
	switch parseErr {
	case nil:
	case io.EOF:
	return nil, nil
	default:
	return nil, parseErr
	}
	if secret != nil && (len(secret.Warnings) > 0 \|\| len(secret.Data) > 0) {
	return secret, err
	}
	}
	if err != nil {
	return nil, err
	}

	return ParseSecret(resp.Body)
	}

	func (c Logical) Unwrap(wrappingToken string) (Secret, error) {
	return c.UnwrapWithContext(context.Background(), wrappingToken)
	}

	func (c Logical) UnwrapWithContext(ctx context.Context, wrappingToken string) (Secret, error) {
	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
	defer cancelFunc()

	var data map[string]interface{}
	wt := strings.TrimSpace(wrappingToken)
	if wrappingToken != "" {
	if c.c.Token() == "" {
	c.c.SetToken(wt)
	} else if wrappingToken != c.c.Token() {
	data = map[string]interface{}{
	"token": wt,
	}
	}
	}

	r := c.c.NewRequest(http.MethodPut, "/v1/sys/wrapping/unwrap")
	if err := r.SetJSONBody(data); err != nil {
	return nil, err
	}

	resp, err := c.c.rawRequestWithContext(ctx, r)
	if resp != nil {
	defer resp.Body.Close()
	}
	if resp == nil \|\| resp.StatusCode != 404 {
	if err != nil {
	return nil, err
	}
	if resp == nil {
	return nil, nil
	}
	return ParseSecret(resp.Body)
	}

	// In the 404 case this may actually be a wrapped 404 error
	secret, parseErr := ParseSecret(resp.Body)
	switch parseErr {
	case nil:
	case io.EOF:
	return nil, nil
	default:
	return nil, parseErr
	}
	if secret != nil && (len(secret.Warnings) > 0 \|\| len(secret.Data) > 0) {
	return secret, nil
	}

	// Otherwise this might be an old-style wrapping token so attempt the old
	// method
	if wrappingToken != "" {
	origToken := c.c.Token()
	defer c.c.SetToken(origToken)
	c.c.SetToken(wrappingToken)
	}

	secret, err = c.ReadWithContext(ctx, wrappedResponseLocation)
	if err != nil {
	return nil, errwrap.Wrapf(fmt.Sprintf("error reading %q: {{err}}", wrappedResponseLocation), err)
	}
	if secret == nil {
	return nil, fmt.Errorf("no value found at %q", wrappedResponseLocation)
	}
	if secret.Data == nil {
	return nil, fmt.Errorf("\"data\" not found in wrapping response")
	}
	if _, ok := secret.Data["response"]; !ok {
	return nil, fmt.Errorf("\"response\" not found in wrapping response \"data\" map")
	}

	wrappedSecret := new(Secret)
	buf := bytes.NewBufferString(secret.Data["response"].(string))
	dec := json.NewDecoder(buf)
	dec.UseNumber()
	if err := dec.Decode(wrappedSecret); err != nil {
	return nil, errwrap.Wrapf("error unmarshalling wrapped secret: {{err}}", err)
	}

	return wrappedSecret, nil
	}