From 2d53854b19da3713d53be0c69c153292605ce03a Mon Sep 17 00:00:00 2001 From: Taran Pelkey Date: Tue, 28 May 2024 13:14:16 -0400 Subject: [PATCH] Restrict access keys for users and groups to not allow '=' or ',' (#19749) * initial commit * Add UTF check --------- Co-authored-by: Harshavardhana --- cmd/admin-handlers-users.go | 6 + cmd/api-errors.go | 16 ++ cmd/apierrorcode_string.go | 286 ++++++++++++++++++----------------- cmd/iam.go | 8 + cmd/typed-errors.go | 3 + internal/auth/credentials.go | 8 + 6 files changed, 185 insertions(+), 142 deletions(-) diff --git a/cmd/admin-handlers-users.go b/cmd/admin-handlers-users.go index d460f07d4..8a88094fd 100644 --- a/cmd/admin-handlers-users.go +++ b/cmd/admin-handlers-users.go @@ -29,6 +29,7 @@ import ( "sort" "strconv" "time" + "unicode/utf8" "github.com/klauspost/compress/zip" "github.com/minio/madmin-go/v3" @@ -474,6 +475,11 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) { return } + if !utf8.ValidString(accessKey) { + writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAddUserValidUTF), r.URL) + return + } + checkDenyOnly := false if accessKey == cred.AccessKey { // Check that there is no explicit deny - otherwise it's allowed diff --git a/cmd/api-errors.go b/cmd/api-errors.go index 39846fd2e..4031b5ee5 100644 --- a/cmd/api-errors.go +++ b/cmd/api-errors.go @@ -287,6 +287,7 @@ const ( ErrAdminNoSuchGroup ErrAdminGroupNotEmpty ErrAdminGroupDisabled + ErrAdminInvalidGroupName ErrAdminNoSuchJob ErrAdminNoSuchPolicy ErrAdminPolicyChangeAlreadyApplied @@ -425,6 +426,7 @@ const ( ErrAdminProfilerNotEnabled ErrInvalidDecompressedSize ErrAddUserInvalidArgument + ErrAddUserValidUTF ErrAdminResourceInvalidArgument ErrAdminAccountNotEligible ErrAccountNotEligible 
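Review bot: The `utf8.ValidString(accessKey)` guard added to AddUser lives only in this HTTP handler, so any other path into IAMSys.CreateUser (the cmd/iam.go hunk adds the reserved-character check there, but not this one) still accepts an access key that is not valid UTF-8; if such callers exist, the check belongs next to the `auth.ContainsReservedChars` test in CreateUser, or inside `auth.IsAccessKeyValid`, so the handler is not the only gate. Group names in AddUsersToGroup receive no UTF-8 check at all in this change, although the commit title covers both users and groups. A short why-comment would also help a reader who meets the guard cold, e.g. `// Reject access keys that are not valid UTF-8 before they reach the IAM store.` AddUser's body continues outside the hunk.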
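Review bot: `ErrAddUserValidUTF` reads as the opposite of the condition it reports (its errorCodes entry describes an invalid UTF-8 character), and the name is also baked into the generated String() table, so a later rename costs a second regeneration; `ErrAddUserInvalidUTF8` would read correctly and match the `ErrAdminInvalid…` family. Inserting `ErrAdminInvalidGroupName` mid-enum also renumbers every following iota value, which is why cmd/apierrorcode_string.go is almost entirely rewritten in this patch; as far as this diff shows only the `Code` string is client-visible, so appending new codes just before `apiErrCodeEnd` would have kept the churn to a few lines.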
@@ -2101,6 +2103,16 @@ var errorCodes = errorCodeMap{ Description: "Expected LDAP short username but was given full DN.", HTTPStatusCode: http.StatusBadRequest, }, + ErrAdminInvalidGroupName: { + Code: "XMinioInvalidGroupName", + Description: "The group name is invalid.", + HTTPStatusCode: http.StatusBadRequest, + }, + ErrAddUserValidUTF: { + Code: "XMinioInvalidUTF", + Description: "Invalid UTF-8 character detected.", + HTTPStatusCode: http.StatusBadRequest, + }, } // toAPIErrorCode - Converts embedded errors. Convenience @@ -2140,6 +2152,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) { apiErr = ErrAdminNoSuchGroup case errGroupNotEmpty: apiErr = ErrAdminGroupNotEmpty + case errGroupNameContainsReservedChars: + apiErr = ErrAdminInvalidGroupName case errNoSuchJob: apiErr = ErrAdminNoSuchJob case errNoPolicyToAttachOrDetach: @@ -2154,6 +2168,8 @@ func toAPIErrorCode(ctx context.Context, err error) (apiErr APIErrorCode) { apiErr = ErrEntityTooSmall case errAuthentication: apiErr = ErrAccessDenied + case auth.ErrContainsReservedChars: + apiErr = ErrAdminInvalidAccessKey case auth.ErrInvalidAccessKeyLength: apiErr = ErrAdminInvalidAccessKey case auth.ErrInvalidSecretKeyLength: diff --git a/cmd/apierrorcode_string.go b/cmd/apierrorcode_string.go index defe739f3..7ededb229 100644 --- a/cmd/apierrorcode_string.go +++ b/cmd/apierrorcode_string.go 
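Review bot: The description for `ErrAdminInvalidGroupName`, "The group name is invalid.", drops the one fact the caller needs — which characters were rejected — even though the typed error it is mapped from (`errGroupNameContainsReservedChars`) spells them out; `Description: "The group name contains reserved characters '=' or ','.",` keeps the two consistent. The new `XMinioInvalidUTF` code and its text should also name the encoding, since the check behind it is `utf8.ValidString`: `Code: "XMinioInvalidUTF8",` and `Description: "The access key is not valid UTF-8.",` say exactly what failed and why the request is a 400.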
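Review bot: Mapping `auth.ErrContainsReservedChars` onto the pre-existing `ErrAdminInvalidAccessKey` means the client receives that code's generic description (not visible in this diff, but shared with `ErrInvalidAccessKeyLength`) rather than the reason the key was refused, while the group case was given its own `ErrAdminInvalidGroupName`; a parallel dedicated code for the access-key case, or an `ErrAdminInvalidAccessKey` description that mentions the reserved characters, would keep the two paths symmetric. If the existing description only talks about key length, a correctly sized key containing '=' now yields an actively misleading message.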
@@ -193,151 +193,153 @@ func _() { _ = x[ErrAdminNoSuchGroup-182] _ = x[ErrAdminGroupNotEmpty-183] _ = x[ErrAdminGroupDisabled-184] - _ = x[ErrAdminNoSuchJob-185] - _ = x[ErrAdminNoSuchPolicy-186] - _ = x[ErrAdminPolicyChangeAlreadyApplied-187] - _ = x[ErrAdminInvalidArgument-188] - _ = x[ErrAdminInvalidAccessKey-189] - _ = x[ErrAdminInvalidSecretKey-190] - _ = x[ErrAdminConfigNoQuorum-191] - _ = x[ErrAdminConfigTooLarge-192] - _ = x[ErrAdminConfigBadJSON-193] - _ = x[ErrAdminNoSuchConfigTarget-194] - _ = x[ErrAdminConfigEnvOverridden-195] - _ = x[ErrAdminConfigDuplicateKeys-196] - _ = x[ErrAdminConfigInvalidIDPType-197] - _ = x[ErrAdminConfigLDAPNonDefaultConfigName-198] - _ = x[ErrAdminConfigLDAPValidation-199] - _ = x[ErrAdminConfigIDPCfgNameAlreadyExists-200] - _ = x[ErrAdminConfigIDPCfgNameDoesNotExist-201] - _ = x[ErrInsecureClientRequest-202] - _ = x[ErrObjectTampered-203] - _ = x[ErrAdminLDAPNotEnabled-204] - _ = x[ErrSiteReplicationInvalidRequest-205] - _ = x[ErrSiteReplicationPeerResp-206] - _ = x[ErrSiteReplicationBackendIssue-207] - _ = x[ErrSiteReplicationServiceAccountError-208] - _ = x[ErrSiteReplicationBucketConfigError-209] - _ = x[ErrSiteReplicationBucketMetaError-210] - _ = x[ErrSiteReplicationIAMError-211] - _ = x[ErrSiteReplicationConfigMissing-212] - _ = x[ErrSiteReplicationIAMConfigMismatch-213] - _ = x[ErrAdminRebalanceAlreadyStarted-214] - _ = x[ErrAdminRebalanceNotStarted-215] - _ = x[ErrAdminBucketQuotaExceeded-216] - _ = x[ErrAdminNoSuchQuotaConfiguration-217] - _ = x[ErrHealNotImplemented-218] - _ = x[ErrHealNoSuchProcess-219] - _ = x[ErrHealInvalidClientToken-220] - _ = x[ErrHealMissingBucket-221] - _ = x[ErrHealAlreadyRunning-222] - _ = x[ErrHealOverlappingPaths-223] - _ = x[ErrIncorrectContinuationToken-224] - _ = x[ErrEmptyRequestBody-225] - _ = x[ErrUnsupportedFunction-226] - _ = x[ErrInvalidExpressionType-227] - _ = x[ErrBusy-228] - _ = x[ErrUnauthorizedAccess-229] - _ = x[ErrExpressionTooLong-230] - _ = 
x[ErrIllegalSQLFunctionArgument-231] - _ = x[ErrInvalidKeyPath-232] - _ = x[ErrInvalidCompressionFormat-233] - _ = x[ErrInvalidFileHeaderInfo-234] - _ = x[ErrInvalidJSONType-235] - _ = x[ErrInvalidQuoteFields-236] - _ = x[ErrInvalidRequestParameter-237] - _ = x[ErrInvalidDataType-238] - _ = x[ErrInvalidTextEncoding-239] - _ = x[ErrInvalidDataSource-240] - _ = x[ErrInvalidTableAlias-241] - _ = x[ErrMissingRequiredParameter-242] - _ = x[ErrObjectSerializationConflict-243] - _ = x[ErrUnsupportedSQLOperation-244] - _ = x[ErrUnsupportedSQLStructure-245] - _ = x[ErrUnsupportedSyntax-246] - _ = x[ErrUnsupportedRangeHeader-247] - _ = x[ErrLexerInvalidChar-248] - _ = x[ErrLexerInvalidOperator-249] - _ = x[ErrLexerInvalidLiteral-250] - _ = x[ErrLexerInvalidIONLiteral-251] - _ = x[ErrParseExpectedDatePart-252] - _ = x[ErrParseExpectedKeyword-253] - _ = x[ErrParseExpectedTokenType-254] - _ = x[ErrParseExpected2TokenTypes-255] - _ = x[ErrParseExpectedNumber-256] - _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-257] - _ = x[ErrParseExpectedTypeName-258] - _ = x[ErrParseExpectedWhenClause-259] - _ = x[ErrParseUnsupportedToken-260] - _ = x[ErrParseUnsupportedLiteralsGroupBy-261] - _ = x[ErrParseExpectedMember-262] - _ = x[ErrParseUnsupportedSelect-263] - _ = x[ErrParseUnsupportedCase-264] - _ = x[ErrParseUnsupportedCaseClause-265] - _ = x[ErrParseUnsupportedAlias-266] - _ = x[ErrParseUnsupportedSyntax-267] - _ = x[ErrParseUnknownOperator-268] - _ = x[ErrParseMissingIdentAfterAt-269] - _ = x[ErrParseUnexpectedOperator-270] - _ = x[ErrParseUnexpectedTerm-271] - _ = x[ErrParseUnexpectedToken-272] - _ = x[ErrParseUnexpectedKeyword-273] - _ = x[ErrParseExpectedExpression-274] - _ = x[ErrParseExpectedLeftParenAfterCast-275] - _ = x[ErrParseExpectedLeftParenValueConstructor-276] - _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-277] - _ = x[ErrParseExpectedArgumentDelimiter-278] - _ = x[ErrParseCastArity-279] - _ = x[ErrParseInvalidTypeParam-280] - _ = x[ErrParseEmptySelect-281] 
- _ = x[ErrParseSelectMissingFrom-282] - _ = x[ErrParseExpectedIdentForGroupName-283] - _ = x[ErrParseExpectedIdentForAlias-284] - _ = x[ErrParseUnsupportedCallWithStar-285] - _ = x[ErrParseNonUnaryAggregateFunctionCall-286] - _ = x[ErrParseMalformedJoin-287] - _ = x[ErrParseExpectedIdentForAt-288] - _ = x[ErrParseAsteriskIsNotAloneInSelectList-289] - _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-290] - _ = x[ErrParseInvalidContextForWildcardInSelectList-291] - _ = x[ErrIncorrectSQLFunctionArgumentType-292] - _ = x[ErrValueParseFailure-293] - _ = x[ErrEvaluatorInvalidArguments-294] - _ = x[ErrIntegerOverflow-295] - _ = x[ErrLikeInvalidInputs-296] - _ = x[ErrCastFailed-297] - _ = x[ErrInvalidCast-298] - _ = x[ErrEvaluatorInvalidTimestampFormatPattern-299] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-300] - _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-301] - _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-302] - _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-303] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-304] - _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-305] - _ = x[ErrEvaluatorBindingDoesNotExist-306] - _ = x[ErrMissingHeaders-307] - _ = x[ErrInvalidColumnIndex-308] - _ = x[ErrAdminConfigNotificationTargetsFailed-309] - _ = x[ErrAdminProfilerNotEnabled-310] - _ = x[ErrInvalidDecompressedSize-311] - _ = x[ErrAddUserInvalidArgument-312] - _ = x[ErrAdminResourceInvalidArgument-313] - _ = x[ErrAdminAccountNotEligible-314] - _ = x[ErrAccountNotEligible-315] - _ = x[ErrAdminServiceAccountNotFound-316] - _ = x[ErrPostPolicyConditionInvalidFormat-317] - _ = x[ErrInvalidChecksum-318] - _ = x[ErrLambdaARNInvalid-319] - _ = x[ErrLambdaARNNotFound-320] - _ = x[ErrInvalidAttributeName-321] - _ = x[ErrAdminNoAccessKey-322] - _ = x[ErrAdminNoSecretKey-323] - _ = x[apiErrCodeEnd-324] + _ = x[ErrAdminInvalidGroupName-185] + _ = x[ErrAdminNoSuchJob-186] + _ = x[ErrAdminNoSuchPolicy-187] + _ = 
x[ErrAdminPolicyChangeAlreadyApplied-188] + _ = x[ErrAdminInvalidArgument-189] + _ = x[ErrAdminInvalidAccessKey-190] + _ = x[ErrAdminInvalidSecretKey-191] + _ = x[ErrAdminConfigNoQuorum-192] + _ = x[ErrAdminConfigTooLarge-193] + _ = x[ErrAdminConfigBadJSON-194] + _ = x[ErrAdminNoSuchConfigTarget-195] + _ = x[ErrAdminConfigEnvOverridden-196] + _ = x[ErrAdminConfigDuplicateKeys-197] + _ = x[ErrAdminConfigInvalidIDPType-198] + _ = x[ErrAdminConfigLDAPNonDefaultConfigName-199] + _ = x[ErrAdminConfigLDAPValidation-200] + _ = x[ErrAdminConfigIDPCfgNameAlreadyExists-201] + _ = x[ErrAdminConfigIDPCfgNameDoesNotExist-202] + _ = x[ErrInsecureClientRequest-203] + _ = x[ErrObjectTampered-204] + _ = x[ErrAdminLDAPNotEnabled-205] + _ = x[ErrSiteReplicationInvalidRequest-206] + _ = x[ErrSiteReplicationPeerResp-207] + _ = x[ErrSiteReplicationBackendIssue-208] + _ = x[ErrSiteReplicationServiceAccountError-209] + _ = x[ErrSiteReplicationBucketConfigError-210] + _ = x[ErrSiteReplicationBucketMetaError-211] + _ = x[ErrSiteReplicationIAMError-212] + _ = x[ErrSiteReplicationConfigMissing-213] + _ = x[ErrSiteReplicationIAMConfigMismatch-214] + _ = x[ErrAdminRebalanceAlreadyStarted-215] + _ = x[ErrAdminRebalanceNotStarted-216] + _ = x[ErrAdminBucketQuotaExceeded-217] + _ = x[ErrAdminNoSuchQuotaConfiguration-218] + _ = x[ErrHealNotImplemented-219] + _ = x[ErrHealNoSuchProcess-220] + _ = x[ErrHealInvalidClientToken-221] + _ = x[ErrHealMissingBucket-222] + _ = x[ErrHealAlreadyRunning-223] + _ = x[ErrHealOverlappingPaths-224] + _ = x[ErrIncorrectContinuationToken-225] + _ = x[ErrEmptyRequestBody-226] + _ = x[ErrUnsupportedFunction-227] + _ = x[ErrInvalidExpressionType-228] + _ = x[ErrBusy-229] + _ = x[ErrUnauthorizedAccess-230] + _ = x[ErrExpressionTooLong-231] + _ = x[ErrIllegalSQLFunctionArgument-232] + _ = x[ErrInvalidKeyPath-233] + _ = x[ErrInvalidCompressionFormat-234] + _ = x[ErrInvalidFileHeaderInfo-235] + _ = x[ErrInvalidJSONType-236] + _ = x[ErrInvalidQuoteFields-237] + _ = 
x[ErrInvalidRequestParameter-238] + _ = x[ErrInvalidDataType-239] + _ = x[ErrInvalidTextEncoding-240] + _ = x[ErrInvalidDataSource-241] + _ = x[ErrInvalidTableAlias-242] + _ = x[ErrMissingRequiredParameter-243] + _ = x[ErrObjectSerializationConflict-244] + _ = x[ErrUnsupportedSQLOperation-245] + _ = x[ErrUnsupportedSQLStructure-246] + _ = x[ErrUnsupportedSyntax-247] + _ = x[ErrUnsupportedRangeHeader-248] + _ = x[ErrLexerInvalidChar-249] + _ = x[ErrLexerInvalidOperator-250] + _ = x[ErrLexerInvalidLiteral-251] + _ = x[ErrLexerInvalidIONLiteral-252] + _ = x[ErrParseExpectedDatePart-253] + _ = x[ErrParseExpectedKeyword-254] + _ = x[ErrParseExpectedTokenType-255] + _ = x[ErrParseExpected2TokenTypes-256] + _ = x[ErrParseExpectedNumber-257] + _ = x[ErrParseExpectedRightParenBuiltinFunctionCall-258] + _ = x[ErrParseExpectedTypeName-259] + _ = x[ErrParseExpectedWhenClause-260] + _ = x[ErrParseUnsupportedToken-261] + _ = x[ErrParseUnsupportedLiteralsGroupBy-262] + _ = x[ErrParseExpectedMember-263] + _ = x[ErrParseUnsupportedSelect-264] + _ = x[ErrParseUnsupportedCase-265] + _ = x[ErrParseUnsupportedCaseClause-266] + _ = x[ErrParseUnsupportedAlias-267] + _ = x[ErrParseUnsupportedSyntax-268] + _ = x[ErrParseUnknownOperator-269] + _ = x[ErrParseMissingIdentAfterAt-270] + _ = x[ErrParseUnexpectedOperator-271] + _ = x[ErrParseUnexpectedTerm-272] + _ = x[ErrParseUnexpectedToken-273] + _ = x[ErrParseUnexpectedKeyword-274] + _ = x[ErrParseExpectedExpression-275] + _ = x[ErrParseExpectedLeftParenAfterCast-276] + _ = x[ErrParseExpectedLeftParenValueConstructor-277] + _ = x[ErrParseExpectedLeftParenBuiltinFunctionCall-278] + _ = x[ErrParseExpectedArgumentDelimiter-279] + _ = x[ErrParseCastArity-280] + _ = x[ErrParseInvalidTypeParam-281] + _ = x[ErrParseEmptySelect-282] + _ = x[ErrParseSelectMissingFrom-283] + _ = x[ErrParseExpectedIdentForGroupName-284] + _ = x[ErrParseExpectedIdentForAlias-285] + _ = x[ErrParseUnsupportedCallWithStar-286] + _ = 
x[ErrParseNonUnaryAggregateFunctionCall-287] + _ = x[ErrParseMalformedJoin-288] + _ = x[ErrParseExpectedIdentForAt-289] + _ = x[ErrParseAsteriskIsNotAloneInSelectList-290] + _ = x[ErrParseCannotMixSqbAndWildcardInSelectList-291] + _ = x[ErrParseInvalidContextForWildcardInSelectList-292] + _ = x[ErrIncorrectSQLFunctionArgumentType-293] + _ = x[ErrValueParseFailure-294] + _ = x[ErrEvaluatorInvalidArguments-295] + _ = x[ErrIntegerOverflow-296] + _ = x[ErrLikeInvalidInputs-297] + _ = x[ErrCastFailed-298] + _ = x[ErrInvalidCast-299] + _ = x[ErrEvaluatorInvalidTimestampFormatPattern-300] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbolForParsing-301] + _ = x[ErrEvaluatorTimestampFormatPatternDuplicateFields-302] + _ = x[ErrEvaluatorTimestampFormatPatternHourClockAmPmMismatch-303] + _ = x[ErrEvaluatorUnterminatedTimestampFormatPatternToken-304] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternToken-305] + _ = x[ErrEvaluatorInvalidTimestampFormatPatternSymbol-306] + _ = x[ErrEvaluatorBindingDoesNotExist-307] + _ = x[ErrMissingHeaders-308] + _ = x[ErrInvalidColumnIndex-309] + _ = x[ErrAdminConfigNotificationTargetsFailed-310] + _ = x[ErrAdminProfilerNotEnabled-311] + _ = x[ErrInvalidDecompressedSize-312] + _ = x[ErrAddUserInvalidArgument-313] + _ = x[ErrAddUserValidUTF-314] + _ = x[ErrAdminResourceInvalidArgument-315] + _ = x[ErrAdminAccountNotEligible-316] + _ = x[ErrAccountNotEligible-317] + _ = x[ErrAdminServiceAccountNotFound-318] + _ = x[ErrPostPolicyConditionInvalidFormat-319] + _ = x[ErrInvalidChecksum-320] + _ = x[ErrLambdaARNInvalid-321] + _ = x[ErrLambdaARNNotFound-322] + _ = x[ErrInvalidAttributeName-323] + _ = x[ErrAdminNoAccessKey-324] + _ = x[ErrAdminNoSecretKey-325] + _ = x[apiErrCodeEnd-326] } -const _APIErrorCode_name = 
"NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidArgumentInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyAddErrorReplicationNoExistingObjectsReplicationValidationErrorReplicationPermissionCheckErrorObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderMissingPartAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeaders
MissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataUnsupportedHostHeaderMaximumExpiresSlowDownReadSlowDownWriteMaxVersionsExceededInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedExcessDataInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionKMSDefaultKeyAlreadyConfiguredNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameInvalidLifecycleQueryParameterServerNotInitializedBucketMetadataNotInitializedRequestTimedoutClientDisconnectedTooManyRequestsInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchUserLDAPWarnAdminLDAPExpectedLoginNameAdminNoSuchGroupAdminGroupNotEmptyAdminGroupDisabledAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidIDPTypeAdminConfigLDAP
NonDefaultConfigNameAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistInsecureClientRequestObjectTamperedAdminLDAPNotEnabledSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingSiteReplicationIAMConfigMismatchAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasParseUnsupportedCallWi
thStarParseNonUnaryAggregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksumLambdaARNInvalidLambdaARNNotFoundInvalidAttributeNameAdminNoAccessKeyAdminNoSecretKeyapiErrCodeEnd" +const _APIErrorCode_name = 
"NoneAccessDeniedBadDigestEntityTooSmallEntityTooLargePolicyTooLargeIncompleteBodyInternalErrorInvalidAccessKeyIDAccessKeyDisabledInvalidArgumentInvalidBucketNameInvalidDigestInvalidRangeInvalidRangePartNumberInvalidCopyPartRangeInvalidCopyPartRangeSourceInvalidMaxKeysInvalidEncodingMethodInvalidMaxUploadsInvalidMaxPartsInvalidPartNumberMarkerInvalidPartNumberInvalidRequestBodyInvalidCopySourceInvalidMetadataDirectiveInvalidCopyDestInvalidPolicyDocumentInvalidObjectStateMalformedXMLMissingContentLengthMissingContentMD5MissingRequestBodyErrorMissingSecurityHeaderNoSuchBucketNoSuchBucketPolicyNoSuchBucketLifecycleNoSuchLifecycleConfigurationInvalidLifecycleWithObjectLockNoSuchBucketSSEConfigNoSuchCORSConfigurationNoSuchWebsiteConfigurationReplicationConfigurationNotFoundErrorRemoteDestinationNotFoundErrorReplicationDestinationMissingLockRemoteTargetNotFoundErrorReplicationRemoteConnectionErrorReplicationBandwidthLimitErrorBucketRemoteIdenticalToSourceBucketRemoteAlreadyExistsBucketRemoteLabelInUseBucketRemoteArnTypeInvalidBucketRemoteArnInvalidBucketRemoteRemoveDisallowedRemoteTargetNotVersionedErrorReplicationSourceNotVersionedErrorReplicationNeedsVersioningErrorReplicationBucketNeedsVersioningErrorReplicationDenyEditErrorRemoteTargetDenyAddErrorReplicationNoExistingObjectsReplicationValidationErrorReplicationPermissionCheckErrorObjectRestoreAlreadyInProgressNoSuchKeyNoSuchUploadInvalidVersionIDNoSuchVersionNotImplementedPreconditionFailedRequestTimeTooSkewedSignatureDoesNotMatchMethodNotAllowedInvalidPartInvalidPartOrderMissingPartAuthorizationHeaderMalformedMalformedPOSTRequestPOSTFileRequiredSignatureVersionNotSupportedBucketNotEmptyAllAccessDisabledPolicyInvalidVersionMissingFieldsMissingCredTagCredMalformedInvalidRegionInvalidServiceS3InvalidServiceSTSInvalidRequestVersionMissingSignTagMissingSignHeadersTagMalformedDateMalformedPresignedDateMalformedCredentialDateMalformedExpiresNegativeExpiresAuthHeaderEmptyExpiredPresignRequestRequestNotReadyYetUnsignedHeaders
MissingDateHeaderInvalidQuerySignatureAlgoInvalidQueryParamsBucketAlreadyOwnedByYouInvalidDurationBucketAlreadyExistsMetadataTooLargeUnsupportedMetadataUnsupportedHostHeaderMaximumExpiresSlowDownReadSlowDownWriteMaxVersionsExceededInvalidPrefixMarkerBadRequestKeyTooLongErrorInvalidBucketObjectLockConfigurationObjectLockConfigurationNotFoundObjectLockConfigurationNotAllowedNoSuchObjectLockConfigurationObjectLockedInvalidRetentionDatePastObjectLockRetainDateUnknownWORMModeDirectiveBucketTaggingNotFoundObjectLockInvalidHeadersInvalidTagDirectivePolicyAlreadyAttachedPolicyNotAttachedExcessDataInvalidEncryptionMethodInvalidEncryptionKeyIDInsecureSSECustomerRequestSSEMultipartEncryptedSSEEncryptedObjectInvalidEncryptionParametersInvalidEncryptionParametersSSECInvalidSSECustomerAlgorithmInvalidSSECustomerKeyMissingSSECustomerKeyMissingSSECustomerKeyMD5SSECustomerKeyMD5MismatchInvalidSSECustomerParametersIncompatibleEncryptionMethodKMSNotConfiguredKMSKeyNotFoundExceptionKMSDefaultKeyAlreadyConfiguredNoAccessKeyInvalidTokenEventNotificationARNNotificationRegionNotificationOverlappingFilterNotificationFilterNameInvalidFilterNamePrefixFilterNameSuffixFilterValueInvalidOverlappingConfigsUnsupportedNotificationContentSHA256MismatchContentChecksumMismatchStorageFullRequestBodyParseObjectExistsAsDirectoryInvalidObjectNameInvalidObjectNamePrefixSlashInvalidResourceNameInvalidLifecycleQueryParameterServerNotInitializedBucketMetadataNotInitializedRequestTimedoutClientDisconnectedTooManyRequestsInvalidRequestTransitionStorageClassNotFoundErrorInvalidStorageClassBackendDownMalformedJSONAdminNoSuchUserAdminNoSuchUserLDAPWarnAdminLDAPExpectedLoginNameAdminNoSuchGroupAdminGroupNotEmptyAdminGroupDisabledAdminInvalidGroupNameAdminNoSuchJobAdminNoSuchPolicyAdminPolicyChangeAlreadyAppliedAdminInvalidArgumentAdminInvalidAccessKeyAdminInvalidSecretKeyAdminConfigNoQuorumAdminConfigTooLargeAdminConfigBadJSONAdminNoSuchConfigTargetAdminConfigEnvOverriddenAdminConfigDuplicateKeysAdminConfigInvalidI
DPTypeAdminConfigLDAPNonDefaultConfigNameAdminConfigLDAPValidationAdminConfigIDPCfgNameAlreadyExistsAdminConfigIDPCfgNameDoesNotExistInsecureClientRequestObjectTamperedAdminLDAPNotEnabledSiteReplicationInvalidRequestSiteReplicationPeerRespSiteReplicationBackendIssueSiteReplicationServiceAccountErrorSiteReplicationBucketConfigErrorSiteReplicationBucketMetaErrorSiteReplicationIAMErrorSiteReplicationConfigMissingSiteReplicationIAMConfigMismatchAdminRebalanceAlreadyStartedAdminRebalanceNotStartedAdminBucketQuotaExceededAdminNoSuchQuotaConfigurationHealNotImplementedHealNoSuchProcessHealInvalidClientTokenHealMissingBucketHealAlreadyRunningHealOverlappingPathsIncorrectContinuationTokenEmptyRequestBodyUnsupportedFunctionInvalidExpressionTypeBusyUnauthorizedAccessExpressionTooLongIllegalSQLFunctionArgumentInvalidKeyPathInvalidCompressionFormatInvalidFileHeaderInfoInvalidJSONTypeInvalidQuoteFieldsInvalidRequestParameterInvalidDataTypeInvalidTextEncodingInvalidDataSourceInvalidTableAliasMissingRequiredParameterObjectSerializationConflictUnsupportedSQLOperationUnsupportedSQLStructureUnsupportedSyntaxUnsupportedRangeHeaderLexerInvalidCharLexerInvalidOperatorLexerInvalidLiteralLexerInvalidIONLiteralParseExpectedDatePartParseExpectedKeywordParseExpectedTokenTypeParseExpected2TokenTypesParseExpectedNumberParseExpectedRightParenBuiltinFunctionCallParseExpectedTypeNameParseExpectedWhenClauseParseUnsupportedTokenParseUnsupportedLiteralsGroupByParseExpectedMemberParseUnsupportedSelectParseUnsupportedCaseParseUnsupportedCaseClauseParseUnsupportedAliasParseUnsupportedSyntaxParseUnknownOperatorParseMissingIdentAfterAtParseUnexpectedOperatorParseUnexpectedTermParseUnexpectedTokenParseUnexpectedKeywordParseExpectedExpressionParseExpectedLeftParenAfterCastParseExpectedLeftParenValueConstructorParseExpectedLeftParenBuiltinFunctionCallParseExpectedArgumentDelimiterParseCastArityParseInvalidTypeParamParseEmptySelectParseSelectMissingFromParseExpectedIdentForGroupNameParseExpectedIdentForAliasP
arseUnsupportedCallWithStarParseNonUnaryAggregateFunctionCallParseMalformedJoinParseExpectedIdentForAtParseAsteriskIsNotAloneInSelectListParseCannotMixSqbAndWildcardInSelectListParseInvalidContextForWildcardInSelectListIncorrectSQLFunctionArgumentTypeValueParseFailureEvaluatorInvalidArgumentsIntegerOverflowLikeInvalidInputsCastFailedInvalidCastEvaluatorInvalidTimestampFormatPatternEvaluatorInvalidTimestampFormatPatternSymbolForParsingEvaluatorTimestampFormatPatternDuplicateFieldsEvaluatorTimestampFormatPatternHourClockAmPmMismatchEvaluatorUnterminatedTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternTokenEvaluatorInvalidTimestampFormatPatternSymbolEvaluatorBindingDoesNotExistMissingHeadersInvalidColumnIndexAdminConfigNotificationTargetsFailedAdminProfilerNotEnabledInvalidDecompressedSizeAddUserInvalidArgumentAddUserValidUTFAdminResourceInvalidArgumentAdminAccountNotEligibleAccountNotEligibleAdminServiceAccountNotFoundPostPolicyConditionInvalidFormatInvalidChecksumLambdaARNInvalidLambdaARNNotFoundInvalidAttributeNameAdminNoAccessKeyAdminNoSecretKeyapiErrCodeEnd" -var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 144, 161, 174, 186, 208, 228, 254, 268, 289, 306, 321, 344, 361, 379, 396, 420, 435, 456, 474, 486, 506, 523, 546, 567, 579, 597, 618, 646, 676, 697, 720, 746, 783, 813, 846, 871, 903, 933, 962, 987, 1009, 1035, 1057, 1085, 1114, 1148, 1179, 1216, 1240, 1264, 1292, 1318, 1349, 1379, 1388, 1400, 1416, 1429, 1443, 1461, 1481, 1502, 1518, 1529, 1545, 1556, 1584, 1604, 1620, 1648, 1662, 1679, 1699, 1712, 1726, 1739, 1752, 1768, 1785, 1806, 1820, 1841, 1854, 1876, 1899, 1915, 1930, 1945, 1966, 1984, 1999, 2016, 2041, 2059, 2082, 2097, 2116, 2132, 2151, 2172, 2186, 2198, 2211, 2230, 2249, 2259, 2274, 2310, 2341, 2374, 2403, 2415, 2435, 2459, 2483, 2504, 2528, 2547, 2568, 2585, 2595, 2618, 2640, 2666, 2687, 2705, 2732, 2763, 2790, 2811, 2832, 2856, 2881, 2909, 2937, 2953, 2976, 3006, 3017, 3029, 3046, 3061, 3079, 3108, 
3125, 3141, 3157, 3175, 3193, 3216, 3237, 3260, 3271, 3287, 3310, 3327, 3355, 3374, 3404, 3424, 3452, 3467, 3485, 3500, 3514, 3549, 3568, 3579, 3592, 3607, 3630, 3656, 3672, 3690, 3708, 3722, 3739, 3770, 3790, 3811, 3832, 3851, 3870, 3888, 3911, 3935, 3959, 3984, 4019, 4044, 4078, 4111, 4132, 4146, 4165, 4194, 4217, 4244, 4278, 4310, 4340, 4363, 4391, 4423, 4451, 4475, 4499, 4528, 4546, 4563, 4585, 4602, 4620, 4640, 4666, 4682, 4701, 4722, 4726, 4744, 4761, 4787, 4801, 4825, 4846, 4861, 4879, 4902, 4917, 4936, 4953, 4970, 4994, 5021, 5044, 5067, 5084, 5106, 5122, 5142, 5161, 5183, 5204, 5224, 5246, 5270, 5289, 5331, 5352, 5375, 5396, 5427, 5446, 5468, 5488, 5514, 5535, 5557, 5577, 5601, 5624, 5643, 5663, 5685, 5708, 5739, 5777, 5818, 5848, 5862, 5883, 5899, 5921, 5951, 5977, 6005, 6039, 6057, 6080, 6115, 6155, 6197, 6229, 6246, 6271, 6286, 6303, 6313, 6324, 6362, 6416, 6462, 6514, 6562, 6605, 6649, 6677, 6691, 6709, 6745, 6768, 6791, 6813, 6841, 6864, 6882, 6909, 6941, 6956, 6972, 6989, 7009, 7025, 7041, 7054} +var _APIErrorCode_index = [...]uint16{0, 4, 16, 25, 39, 53, 67, 81, 94, 112, 129, 144, 161, 174, 186, 208, 228, 254, 268, 289, 306, 321, 344, 361, 379, 396, 420, 435, 456, 474, 486, 506, 523, 546, 567, 579, 597, 618, 646, 676, 697, 720, 746, 783, 813, 846, 871, 903, 933, 962, 987, 1009, 1035, 1057, 1085, 1114, 1148, 1179, 1216, 1240, 1264, 1292, 1318, 1349, 1379, 1388, 1400, 1416, 1429, 1443, 1461, 1481, 1502, 1518, 1529, 1545, 1556, 1584, 1604, 1620, 1648, 1662, 1679, 1699, 1712, 1726, 1739, 1752, 1768, 1785, 1806, 1820, 1841, 1854, 1876, 1899, 1915, 1930, 1945, 1966, 1984, 1999, 2016, 2041, 2059, 2082, 2097, 2116, 2132, 2151, 2172, 2186, 2198, 2211, 2230, 2249, 2259, 2274, 2310, 2341, 2374, 2403, 2415, 2435, 2459, 2483, 2504, 2528, 2547, 2568, 2585, 2595, 2618, 2640, 2666, 2687, 2705, 2732, 2763, 2790, 2811, 2832, 2856, 2881, 2909, 2937, 2953, 2976, 3006, 3017, 3029, 3046, 3061, 3079, 3108, 3125, 3141, 3157, 3175, 3193, 3216, 3237, 3260, 3271, 3287, 3310, 
3327, 3355, 3374, 3404, 3424, 3452, 3467, 3485, 3500, 3514, 3549, 3568, 3579, 3592, 3607, 3630, 3656, 3672, 3690, 3708, 3729, 3743, 3760, 3791, 3811, 3832, 3853, 3872, 3891, 3909, 3932, 3956, 3980, 4005, 4040, 4065, 4099, 4132, 4153, 4167, 4186, 4215, 4238, 4265, 4299, 4331, 4361, 4384, 4412, 4444, 4472, 4496, 4520, 4549, 4567, 4584, 4606, 4623, 4641, 4661, 4687, 4703, 4722, 4743, 4747, 4765, 4782, 4808, 4822, 4846, 4867, 4882, 4900, 4923, 4938, 4957, 4974, 4991, 5015, 5042, 5065, 5088, 5105, 5127, 5143, 5163, 5182, 5204, 5225, 5245, 5267, 5291, 5310, 5352, 5373, 5396, 5417, 5448, 5467, 5489, 5509, 5535, 5556, 5578, 5598, 5622, 5645, 5664, 5684, 5706, 5729, 5760, 5798, 5839, 5869, 5883, 5904, 5920, 5942, 5972, 5998, 6026, 6060, 6078, 6101, 6136, 6176, 6218, 6250, 6267, 6292, 6307, 6324, 6334, 6345, 6383, 6437, 6483, 6535, 6583, 6626, 6670, 6698, 6712, 6730, 6766, 6789, 6812, 6834, 6849, 6877, 6900, 6918, 6945, 6977, 6992, 7008, 7025, 7045, 7061, 7077, 7090} func (i APIErrorCode) String() string { if i < 0 || i >= APIErrorCode(len(_APIErrorCode_index)-1) { diff --git a/cmd/iam.go b/cmd/iam.go index 5e6173bca..8f6361e5a 100644 --- a/cmd/iam.go +++ b/cmd/iam.go @@ -1273,6 +1273,10 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, ureq madmin return updatedAt, auth.ErrInvalidAccessKeyLength } + if auth.ContainsReservedChars(accessKey) { + return updatedAt, auth.ErrContainsReservedChars + } + if !auth.IsSecretKeyValid(ureq.SecretKey) { return updatedAt, auth.ErrInvalidSecretKeyLength } @@ -1766,6 +1770,10 @@ func (sys *IAMSys) AddUsersToGroup(ctx context.Context, group string, members [] return updatedAt, errServerNotInitialized } + if auth.ContainsReservedChars(group) { + return updatedAt, errGroupNameContainsReservedChars + } + updatedAt, err = sys.store.AddUsersToGroup(ctx, group, members) if err != nil { return updatedAt, err diff --git a/cmd/typed-errors.go b/cmd/typed-errors.go index ea98c480d..da25c674a 100644 --- a/cmd/typed-errors.go 
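Review bot: The reserved-character rejection is added to CreateUser only, so '=' and ',' can still enter the IAM store through any other credential-creating path (service accounts, STS-issued credentials, import or replication) that does not pass through this function; if these characters are reserved because of how identities are serialized downstream, those paths need the same `auth.ContainsReservedChars` check, or the rule belongs inside `auth.IsAccessKeyValid` — provided that helper is not also used to accept already-stored credentials at load time, where it would start rejecting existing users. Users created before this change may already carry such names, so whatever consumer motivated the restriction still has to tolerate them; that caveat deserves a comment on the new check. CreateUser's body continues outside the hunk.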
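Review bot: From what this hunk shows, the reserved-character test is the only validation `group` receives in AddUsersToGroup: unlike access keys in CreateUser and AddUser, there is no length or UTF-8 check, so an empty or non-UTF-8 group name still reaches `sys.store.AddUsersToGroup` unless the store rejects it. If groups are created implicitly by this call, this is the place to add `if group == "" || !utf8.ValidString(group) { ... }` returning a dedicated invalid-group-name error that maps to `ErrAdminInvalidGroupName`, rather than reusing `errGroupNameContainsReservedChars` for a different failure. AddUsersToGroup's body continues outside the hunk.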
+++ b/cmd/typed-errors.go @@ -125,3 +125,6 @@ var errSftpPublicKeyWithoutCert = errors.New("public key authentication without // error returned in SFTP when user used certificate which does not contain principal(s) var errSftpCertWithoutPrincipals = errors.New("certificates without principal(s) are not accepted") + +// error returned when group name contains reserved characters +var errGroupNameContainsReservedChars = errors.New("Group name contains reserved characters '=' or ','") diff --git a/internal/auth/credentials.go b/internal/auth/credentials.go index 48206b606..2c8bcb05b 100644 --- a/internal/auth/credentials.go +++ b/internal/auth/credentials.go @@ -54,6 +54,8 @@ const ( // Total length of the alpha numeric table. alphaNumericTableLen = byte(len(alphaNumericTable)) + + reservedChars = "=," ) // Common errors generated for access and secret key validation. @@ -62,11 +64,17 @@ var ( ErrInvalidSecretKeyLength = fmt.Errorf("secret key length should be between %d and %d", secretKeyMinLen, secretKeyMaxLen) ErrNoAccessKeyWithSecretKey = fmt.Errorf("access key must be specified if secret key is specified") ErrNoSecretKeyWithAccessKey = fmt.Errorf("secret key must be specified if access key is specified") + ErrContainsReservedChars = fmt.Errorf("access key contains one of reserved characters '=' or ','") ) // AnonymousCredentials simply points to empty credentials var AnonymousCredentials = Credentials{} +// ContainsReservedChars - returns whether the input string contains reserved characters. +func ContainsReservedChars(s string) bool { + return strings.ContainsAny(s, reservedChars) +} + // IsAccessKeyValid - validate access key for right length. func IsAccessKeyValid(accessKey string) bool { return len(accessKey) >= accessKeyMinLen
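Review bot: The new message `"Group name contains reserved characters '=' or ','"` starts with a capital letter, unlike the neighbouring `errSftp…` strings and Go's convention for error text that may be wrapped mid-sentence; `errors.New("group name contains reserved characters '=' or ','")` matches the file. The string also types out the character list that `auth.reservedChars` defines, so the two can drift silently if that constant ever changes; a doc comment such as `// error returned when a group name contains reserved characters; keep in sync with auth.reservedChars` records the coupling.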
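Review bot: `reservedChars = "=,"` carries no comment saying what makes these two characters unsafe in an access key, and the commit message does not record it either, so the next maintainer cannot judge whether adding or removing a character is safe or which consumer would break. The constant should name that consumer, e.g. `// reservedChars are not allowed in access keys or group names because a downstream format uses them as delimiters — TODO(review): confirm and name the exact parser.`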
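Review bot: `ContainsReservedChars` is a generic string helper sitting directly above `IsAccessKeyValid`, yet the latter still accepts a key containing '=' or ',', so any caller that treats `IsAccessKeyValid` as the complete access-key check is not covered by this change; either fold the new test into `IsAccessKeyValid` (if it is not used to re-validate existing stored credentials) or say in its doc comment that it checks length only. The doc comment on the new function should also state which characters it rejects and who calls it, e.g. `// ContainsReservedChars reports whether s contains any of reservedChars ('=' or ','); used to vet access keys and group names before they are stored.`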