From b89073f7e6d09660081a0e46a43fa6ffdbeb6a8b Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeff@hashicorp.com>
Date: Wed, 24 Aug 2016 14:15:25 -0400
Subject: [PATCH] Error when an invalid (as opposed to incorrect) unseal key is
 given. (#1782)

Fixes #1777
---
 http/sys_seal.go      | 10 +++++++++-
 http/sys_seal_test.go | 28 +---------------------------
 vault/core.go         |  5 +++--
 3 files changed, 13 insertions(+), 30 deletions(-)

diff --git a/http/sys_seal.go b/http/sys_seal.go
index 066c88c27..6caf7a330 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -118,10 +118,18 @@ func handleSysUnseal(core *vault.Core) http.Handler {
 			if _, err := core.Unseal(key); err != nil {
 				// Ignore ErrInvalidKey because its a user error that we
 				// mask away. We just show them the seal status.
-				if !errwrap.ContainsType(err, new(vault.ErrInvalidKey)) {
+				switch {
+				case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
+				case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
+				case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
+				case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
+				case errwrap.Contains(err, vault.ErrStandby.Error()):
+				default:
 					respondError(w, http.StatusInternalServerError, err)
 					return
 				}
+				respondError(w, http.StatusBadRequest, err)
+				return
 			}
 		}
 
diff --git a/http/sys_seal_test.go b/http/sys_seal_test.go
index 92431b1c0..cc12be41d 100644
--- a/http/sys_seal_test.go
+++ b/http/sys_seal_test.go
@@ -146,33 +146,7 @@ func TestSysUnseal_badKey(t *testing.T) {
 	resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
 		"key": "0123",
 	})
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"sealed":   true,
-		"t":        json.Number("1"),
-		"n":        json.Number("1"),
-		"progress": json.Number("0"),
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual["version"] == nil {
-		t.Fatalf("expected version information")
-	}
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: expected: %#v\nactual: %#v", expected, actual)
-	}
+	testResponseStatus(t, resp, 400)
 }
 
 func TestSysUnseal_Reset(t *testing.T) {
diff --git a/vault/core.go b/vault/core.go
index ca9b6ba15..65d74a2fb 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -103,8 +103,9 @@ func (e *NonFatalError) Error() string {
 	return e.Err.Error()
 }
 
-// ErrInvalidKey is returned if there is an error with a
-// provided unseal key.
+// ErrInvalidKey is returned if there is a user-based error with a provided
+// unseal key. This will be shown to the user, so should not contain
+// information that is sensitive.
 type ErrInvalidKey struct {
 	Reason string
 }