From d666e79a3a5a24dccf21aa3fce3c3a0ff3628f23 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto <mitchell.hashimoto@gmail.com>
Date: Tue, 31 Mar 2015 11:45:44 -0700
Subject: [PATCH] http: /sys/seal requires a token

---
 http/sys_seal.go      | 7 ++++++-
 http/sys_seal_test.go | 8 ++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/http/sys_seal.go b/http/sys_seal.go
index f0f6e8b98e..e3671ae047 100644
--- a/http/sys_seal.go
+++ b/http/sys_seal.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
 
@@ -17,7 +18,11 @@ func handleSysSeal(core *vault.Core) http.Handler {
 			return
 		}
 
-		if err := core.Seal(); err != nil {
+		// Get the auth for the request so we can access the token directly
+		req := requestAuth(r, &logical.Request{})
+
+		// Seal with the token above
+		if err := core.Seal(req.ClientToken); err != nil {
 			respondError(w, http.StatusInternalServerError, err)
 			return
 		}
diff --git a/http/sys_seal_test.go b/http/sys_seal_test.go
index bef3310232..7a26d48851 100644
--- a/http/sys_seal_test.go
+++ b/http/sys_seal_test.go
@@ -65,14 +65,10 @@ func TestSysSeal(t *testing.T) {
 }
 
 func TestSysSeal_unsealed(t *testing.T) {
-	core := vault.TestCore(t)
+	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := TestServer(t, core)
 	defer ln.Close()
-
-	key, _ := vault.TestCoreInit(t, core)
-	if _, err := core.Unseal(key); err != nil {
-		t.Fatalf("err: %s", err)
-	}
+	TestServerAuth(t, addr, token)
 
 	resp := testHttpPut(t, addr+"/v1/sys/seal", nil)
 	testResponseStatus(t, resp, 204)