From 510834527a67dfd0093679515afd22f60d1bef92 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Mon, 14 Nov 2016 12:43:46 -0500
Subject: [PATCH] Set number of pester retries to zero by default and make seal
 command return 403 if unauthorized instead of 500

---
 api/client.go    | 4 +---
 http/sys_seal.go | 9 +++++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/api/client.go b/api/client.go
index 4aee40c0a7252..c6c78ada9e29b 100644
--- a/api/client.go
+++ b/api/client.go
@@ -48,7 +48,7 @@ type Config struct {
 	redirectSetup sync.Once
 
 	// MaxRetries controls the maximum number of times to retry when a 5xx error
-	// occurs. Set to 0 or less to disable retrying.
+	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
 	MaxRetries int
 }
 
@@ -99,8 +99,6 @@ func DefaultConfig() *Config {
 		config.Address = v
 	}
 
-	config.MaxRetries = pester.DefaultClient.MaxRetries
-
 	return config
 }
 
diff --git a/http/sys_seal.go b/http/sys_seal.go
index 2e02f7308ad16..53bab8b8e5c75 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -30,8 +30,13 @@ func handleSysSeal(core *vault.Core) http.Handler {
 
 		// Seal with the token above
 		if err := core.SealWithRequest(req); err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			if errwrap.Contains(err, logical.ErrPermissionDenied) {
+				respondError(w, http.StatusUnauthorized, err)
+				return
+			} else {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
 		}
 
 		respondOk(w, nil)