ensure authenticated request bodies for Admin-API (#5984)

This commit adds a check to the server's admin-API such that it only accepts Admin-API requests with authenticated bodies. Further this commit updates the `madmin` package to always add the `X-Amz-Content-Sha256` header. This change improves the Admin-API security since the server does not accept unauthenticated request bodies anymore. After this commit `mc` must be updated to the new `madmin` api because requests over TLS connections will fail.
2025-11-11 14:30:17 -05:00 · 2018-05-30 23:49:03 +02:00
parent 5282639f3c
commit 9fb94e6aa8
6 changed files with 17 additions and 67 deletions
--- a/pkg/madmin/generic-commands.go
+++ b/pkg/madmin/generic-commands.go
@@ -18,7 +18,6 @@
 package madmin

 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -46,11 +45,8 @@ func (adm *AdminClient) SetCredentials(access, secret string) error {

 	// Setup new request
 	reqData := requestData{
-		relPath:            "/v1/config/credential",
-		contentBody:        bytes.NewReader(body),
-		contentLength:      int64(len(body)),
-		contentMD5Bytes:    sumMD5(body),
-		contentSHA256Bytes: sum256(body),
+		relPath: "/v1/config/credential",
+		content: body,
 	}

 	// Execute GET on bucket to list objects.