ensure authenticated request bodies for Admin-API (#5984)

This commit adds a check to the server's admin-API such that it only
accepts Admin-API requests with authenticated bodies. Further this
commit updates the `madmin` package to always add the
`X-Amz-Content-Sha256` header.

This change improves the Admin-API security since the server does not
accept unauthenticated request bodies anymore.

After this commit, `mc` must be updated to the new `madmin` API, because
otherwise its requests over TLS connections will fail.
Andreas Auernhammer
2018-05-30 23:49:03 +02:00
committed by kannappanr
parent 5282639f3c
commit 9fb94e6aa8
6 changed files with 17 additions and 67 deletions


@@ -18,7 +18,6 @@
package madmin
import (
"bytes"
"encoding/json"
"fmt"
"io"
@@ -66,8 +65,7 @@ func (adm *AdminClient) GetConfig() ([]byte, error) {
// SetConfig - set config supplied as config.json for the setup.
func (adm *AdminClient) SetConfig(config io.Reader) (r SetConfigResult, err error) {
// No TLS?
if !adm.secure {
if !adm.secure { // No TLS?
return r, fmt.Errorf("credentials/configuration cannot be updated over an insecure connection")
}
@@ -78,10 +76,8 @@ func (adm *AdminClient) SetConfig(config io.Reader) (r SetConfigResult, err erro
}
reqData := requestData{
relPath: "/v1/config",
contentBody: bytes.NewReader(configBytes),
contentMD5Bytes: sumMD5(configBytes),
contentSHA256Bytes: sum256(configBytes),
relPath: "/v1/config",
content: configBytes,
}
// Execute PUT on /minio/admin/v1/config to set config.