From 3a616753ea9d69f3802ba23f74eb6469262030da Mon Sep 17 00:00:00 2001
From: Jordan Reimer
Date: Wed, 31 May 2023 10:59:16 -0600
Subject: [PATCH 1/2] fixes issue unsealing cloud seal type cluster
---
 ui/app/controllers/vault/cluster/init.js | 3 +-
 ui/tests/acceptance/init-test.js | 38 ++++++++++++++++--------
 2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/ui/app/controllers/vault/cluster/init.js b/ui/app/controllers/vault/cluster/init.js
index 3ff942987306..d70c6462fb11 100644
--- a/ui/app/controllers/vault/cluster/init.js
+++ b/ui/app/controllers/vault/cluster/init.js
@@ -48,6 +48,7 @@ export default Controller.extend(DEFAULTS, {
 if (isCloudSeal) {
 data.stored_shares = 1;
 data.recovery_shares = shares;
+ delete data.secret_shares; // API will throw an error if secret_shares is passed for seal types other than shamir (transit, AWSKMS etc.)
 }
 }
 if (data.secret_threshold) {
@@ -55,6 +56,7 @@ export default Controller.extend(DEFAULTS, {
 data.secret_threshold = threshold;
 if (isCloudSeal) {
 data.recovery_threshold = threshold;
+ delete data.secret_threshold; // API will throw an error if secret_threshold is passed for seal types other than shamir (transit, AWSKMS etc.)
 }
 }
 if (!data.use_pgp) {
@@ -63,7 +65,6 @@ export default Controller.extend(DEFAULTS, {
 if (data.use_pgp && isCloudSeal) {
 data.recovery_pgp_keys = data.pgp_keys;
 }
-
 if (!data.use_pgp_for_root) {
 delete data.root_token_pgp_key;
 }
diff --git a/ui/tests/acceptance/init-test.js b/ui/tests/acceptance/init-test.js
index 327770c0284e..a10169bf1c53 100644
--- a/ui/tests/acceptance/init-test.js
+++ b/ui/tests/acceptance/init-test.js
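Review bot: The cloud-seal branch still copies `data.pgp_keys` into `data.recovery_pgp_keys` (context of the third hunk in init.js) without removing `pgp_keys` from the payload, even though this change strips the other shamir-only fields. If the init endpoint treats `pgp_keys` as a shamir-only parameter in the same way (not shown on this page, so worth confirming against the API), a cloud-seal init with PGP enabled would still be rejected, and `delete data.pgp_keys;` after the copy would close that gap. Both new deletes in the first and second hunks also sit inside truthiness guards (`if (data.secret_threshold)` is visible, the `secret_shares` guard starts above the first hunk), so an empty or zero value is left in the request as it was. The enclosing action begins and ends outside these hunks.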
@@ -64,6 +64,22 @@ const SEAL_STATUS_RESPONSE = {
 initialized: false,
 };
+const assertRequest = (req, assert, isCloud) => {
+ const json = JSON.parse(req.requestBody);
+ for (const key of ['recovery_shares', 'recovery_threshold']) {
+ assert[isCloud ? 'ok' : 'notOk'](
+ json[key],
+ `requestBody ${isCloud ? 'includes' : 'does not include'} cloud seal specific attribute: ${key}`
+ );
+ }
+ for (const key of ['secret_shares', 'secret_threshold']) {
+ assert[isCloud ? 'notOk' : 'ok'](
+ json[key],
+ `requestBody ${isCloud ? 'does not include' : 'includes'} shamir specific attribute: ${key}`
+ );
+ }
+};
+
 module('Acceptance | init', function (hooks) {
 setupApplicationTest(hooks);
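Review bot: `assertRequest` checks truthiness rather than presence: `assert.notOk(json[key])` also passes when the key is sent with `0`, `null` or an empty string, while the assertion messages (and the controller comment about the API rejecting the parameter) are about the key being in the body at all. Asserting on presence would pin the fix more tightly, for example `assert.strictEqual(key in json, isCloud, message)` in the first loop and `assert.strictEqual(key in json, !isCloud, message)` in the second. The helper also never compares the values with the `init(5, 3)` / `init(3, 2)` arguments used by the callers, so a request carrying the wrong share count or threshold would still pass.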
@@ -90,36 +106,32 @@ module('Acceptance | init', function (hooks) { }); test('cloud seal init', async function (assert) { - assert.expect(4); + assert.expect(6); + setInitResponse(this.server, CLOUD_SEAL_RESPONSE); setStatusResponse(this.server, CLOUD_SEAL_STATUS_RESPONSE); + await initPage.init(5, 3); + assert.strictEqual( initPage.keys.length, CLOUD_SEAL_RESPONSE.recovery_keys.length, 'shows all of the recovery keys' ); assert.strictEqual(initPage.buttonText, 'Continue to Authenticate', 'links to authenticate'); - let { requestBody } = this.server.handledRequests.findBy('url', '/v1/sys/init'); - requestBody = JSON.parse(requestBody); - for (const attr of ['recovery_shares', 'recovery_threshold']) { - assert.ok(requestBody[attr], `requestBody includes cloud seal specific attribute: ${attr}`); - } + assertRequest(this.server.handledRequests.findBy('url', '/v1/sys/init'), assert, true); }); test('shamir seal init', async function (assert) { - assert.expect(4); + assert.expect(6); + setInitResponse(this.server, SEAL_RESPONSE); setStatusResponse(this.server, SEAL_STATUS_RESPONSE); await initPage.init(3, 2); + assert.strictEqual(initPage.keys.length, SEAL_RESPONSE.keys.length, 'shows all of the recovery keys'); assert.strictEqual(initPage.buttonText, 'Continue to Unseal', 'links to unseal'); - - let { requestBody } = this.server.handledRequests.findBy('url', '/v1/sys/init'); - requestBody = JSON.parse(requestBody); - for (const attr of ['recovery_shares', 'recovery_threshold']) { - assert.notOk(requestBody[attr], `requestBody does not include cloud seal specific attribute: ${attr}`); - } + assertRequest(this.server.handledRequests.findBy('url', '/v1/sys/init'), assert, false); }); }); From 29d98a183e078b6811b9f6f048c3c6ca55ca4330 Mon Sep 17 00:00:00 2001 From: Jordan Reimer Date: Wed, 31 May 2023 11:22:31 -0600 Subject: [PATCH 2/2] adds changelog entry --- changelog/20897.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/20897.txt 
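Review bot: Both tests hand the result of `this.server.handledRequests.findBy('url', '/v1/sys/init')` straight to `assertRequest`, so when no init request was recorded the helper fails with a TypeError on `req.requestBody` instead of a readable assertion. A guard such as `assert.ok(req, 'init request was sent')` before parsing, with `assert.expect` raised to 7, would make that failure self-explanatory. The cloud-seal test also appears to submit only shares and threshold, so the `recovery_pgp_keys` path in the controller is not exercised by these assertions.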
diff --git a/changelog/20897.txt b/changelog/20897.txt
new file mode 100644
index 000000000000..01be5ac718ca
--- /dev/null
+++ b/changelog/20897.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixes issue unsealing cluster for seal types other than shamir
+```
\ No newline at end of file