Set number of pester retries to zero by default and make seal command…

api/client.go

@@ -48,7 +48,7 @@ type Config struct {
 	redirectSetup sync.Once
 
 	// MaxRetries controls the maximum number of times to retry when a 5xx error
-	// occurs. Set to 0 or less to disable retrying.
+	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
 	MaxRetries int
 }
 
@@ -99,8 +99,6 @@ func DefaultConfig() *Config {
 		config.Address = v
 	}
 
-	config.MaxRetries = pester.DefaultClient.MaxRetries
-
 	return config
 }
 

http/sys_seal.go

@@ -30,8 +30,13 @@ func handleSysSeal(core *vault.Core) http.Handler {
 
 		// Seal with the token above
 		if err := core.SealWithRequest(req); err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				respondError(w, http.StatusForbidden, err)
+				return
+			} else {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
 		}
 
 		respondOk(w, nil)

http/sys_seal_test.go

@@ -285,7 +285,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update and sudo
 	httpResp := testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add update capability
 	req = &logical.Request{
@@ -306,7 +306,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs sudo
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to just sudo capability
 	req = &logical.Request{
@@ -327,7 +327,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add all needed capabilities
 	req = &logical.Request{